[AHLA] Fwd: Telnet to Hall IOCs
Anthony Cuffe
cuffe at jlab.org
Fri Oct 6 14:12:38 EDT 2017
Developers,
It came to our attention that several Hall IOCs permit passwordless logins via an unauthenticated (passwordless) telnet session. In addition, the documentation to access these is freely available via web browser to anyone on site. Upon discussions with support staff, this may take some time to address. In order to mitigate the risks associated with this situation, we have blocked telnet at the Hall network boundaries. This means that if you wish to telnet to an IOC or device in the Hall network, you must be on one of the Hall login nodes.
Hall Login Nodes:
-----------------
hlal00 #RHEL 6WS i386 #PE_1950 #ops #None #None # HLA OPS Server
hlal01 #RHEL 6WS i386 #PE_R610 #ops #procServMgr #None # HLA Login Server for Soft Iocs
hlbl00 #RHEL 6WS i386 #PE_1950 #ops #procServMgr #None # Counting House
Hall Network Information:
-------------------------
name => habcnet
number => 129.57.240.0
mask => 255.255.252.0
cidr => 22
hexmask => 0Xfffffc00
broadcast => 129.57.243.255
gateway => 129.57.240.1
domain => acc.jlab.org
vlan => none
comment => Halls A B C
At one time there was a goal to enforce this block across all networks (i.e. you must log into opsl00 in order to telnet to an ops IOC). We would like to pursue this once again. This greatly reduces the risks of telnet with a pretty minor (but maybe inconvenient) first hop. We will be researching this and discussing this with you so that we can effect this change without disrupting any systems or projects.
Thanks for your time.
--
+-------------------------+
| Anthony Cuffe |
| voice : 757 269-6213 |
| e-mail : cuffe at jlab.org |
+-------------------------+
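
Added example (not part of the original message or of any JLab tooling): one way to check flow records against the boundary rule described above, flagging accepted telnet connections that enter the Hall network from outside it. The four-field log format and every address in the sample are constructed, and it assumes the Hall login nodes sit inside the Hall network.

```python
import ipaddress

# Hall network exactly as listed in the message (number + mask).
HALL_NET = ipaddress.ip_network("129.57.240.0/255.255.252.0")
TELNET_PORT = 23

# Constructed flow records, not real traffic: "src dst dst_port action".
SAMPLE_FLOWS = """\
129.57.241.10 129.57.242.77 23 ACCEPT
192.0.2.5 129.57.240.44 23 DROP
192.0.2.5 129.57.243.200 23 ACCEPT
198.51.100.7 129.57.240.44 22 ACCEPT
129.57.244.1 129.57.243.254 23 ACCEPT
129.57.240.9 198.51.100.80 23 ACCEPT
not a flow record
"""

def boundary_violations(flow_text):
    """Return (src, dst) for accepted telnet flows entering the Hall network from outside."""
    violations = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # wrong field count: not a flow record
        try:
            src = ipaddress.ip_address(fields[0])
            dst = ipaddress.ip_address(fields[1])
            port = int(fields[2])
        except ValueError:
            continue  # unparsable address or port
        # Only traffic crossing the boundary inward is in scope; flows that
        # start inside the network (assumed to include the login nodes) are allowed.
        inbound = dst in HALL_NET and src not in HALL_NET
        if inbound and port == TELNET_PORT and fields[3] == "ACCEPT":
            violations.append((str(src), str(dst)))
    return violations

if __name__ == "__main__":
    for src, dst in boundary_violations(SAMPLE_FLOWS):
        print(f"telnet crossed Hall boundary: {src} -> {dst}")
```

The 129.57.244.1 record is one address past the listed broadcast, so it counts as outside the /22 and is flagged.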