Disable telnet Service
An XCCDF Rule
Description
Make sure that the activation of the telnet service on system boot is disabled. The telnet socket can be disabled with the following command:
$ sudo systemctl mask --now telnet.socket
Warning
If the system relies on xinetd to manage telnet sessions, ensure the telnet service is disabled by the following line: disable = yes. Note that the xinetd file for telnet is not created automatically, therefore it might have different names.
Rationale
The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.
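A read-only audit for the two conditions in the Description, as an added example that is not part of the rule's own content: it checks that telnet.socket is masked and lists xinetd files holding a telnet stanza without disable = yes, matching on stanza content because the file name can vary. The function names and the script name are hypothetical, and the code assumes xinetd files with the service line and closing brace on their own lines.

```sh
#!/bin/sh
# Added example, not taken from the rule's remediation content.

# List files in DIR holding a "service telnet" stanza that lacks "disable = yes".
# Files are matched by stanza content, not by name, since the name can vary.
xinetd_telnet_enabled() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*#/ { next }                         # ignore comment lines
            /^[ \t]*service[ \t]+telnet[ \t]*$/ { in_svc = 1; off = 0; next }
            in_svc && /^[ \t]*disable[ \t]*=[ \t]*yes[ \t]*$/ { off = 1 }
            in_svc && /}/ { if (!off) bad = 1; in_svc = 0 }
            END { if (in_svc && !off) bad = 1; exit (bad ? 0 : 1) }
        ' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# True when systemd reports telnet.socket as masked.
# SYSTEMCTL_EXEC mirrors the variable in the shell remediation; it can be
# overridden (assumption made here so the check can be exercised offline).
telnet_socket_masked() {
    state=$("${SYSTEMCTL_EXEC:-systemctl}" is-enabled telnet.socket 2>/dev/null) || true
    [ "$state" = masked ]
}

# Usage: sh audit_telnet.sh /etc/xinetd.d   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    if telnet_socket_masked; then
        echo "telnet.socket: masked"
    else
        echo "telnet.socket: NOT masked"
    fi
    xinetd_telnet_enabled "$1" | sed 's/^/xinetd telnet not disabled: /'
fi
```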
- ID: xccdf_org.ssgproject.content_rule_service_telnet_disabled
- Severity: High
- References
- Updated
Remediation - OS Build Blueprint
[customizations.services]
disabled = ["telnet"]
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q telnet-server ); then
    SYSTEMCTL_EXEC='/usr/bin/systemctl'
    # Stop the running unit and prevent it from starting at boot
    "$SYSTEMCTL_EXEC" stop 'telnet.service'
    "$SYSTEMCTL_EXEC" disable 'telnet.service'
fi
Remediation - Puppet
include disable_telnet
class disable_telnet {
  service {'telnet':
    enable => false,
    ensure => 'stopped',
  }
}