Skip to content

Disable telnet Service

An XCCDF Rule

Description

Make sure that the activation of the telnet service on system boot is disabled. The telnet socket can be disabled with the following command:

$ sudo systemctl mask --now telnet.socket

warning alert: Warning

If the system relies on xinetd to manage telnet sessions, ensure the telnet service is disabled by the following line: disable = yes. Note that the xinetd file for telnet is not created automatically, therefore it might have different names.

Rationale

The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network. The telnet protocol is also subject to man-in-the-middle attacks.

ID
xccdf_org.ssgproject.content_rule_service_telnet_disabled
Severity
High
References
Updated



Remediation - OS Build Blueprint


[customizations.services]
disabled = ["telnet"]

Remediation - Puppet

include disable_telnet

class disable_telnet {
  service {'telnet':
    enable => false,
    ensure => 'stopped',

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if ( [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q telnet-server ); then

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'telnet.service'
"$SYSTEMCTL_EXEC" disable 'telnet.service'

Remediation - Kubernetes Patch

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.13
  - NIST-800-171-3.4.7