# Telnet (not ssh) acting strange.

## Klainn

I've had problems with telnet for a while now and I'm finally gonna try to get it sorted out. I have emerged xinetd and netkit-telnetd.

After the first install of them both it worked exactly as it needed to. Then for some reason I get 

```
goldfinger etc # telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
```

When I try to connect to localhost. Netstat -l shows "tcp        0      0 *:telnet                *:*                     LISTEN" and xinetd is started and running.

and when I try from a windows telnet session ... 

```
Connection to host lost.
Press any key to continue...
```

Instantly ... 

I finally completely removed xinetd and netkit-telnetd and then reinstalled, and it worked perfectly for about 20 minutes, then out of nowhere started doing the same thing again.

Here are the working conf files I'm using; please let me know any suggestions you have.

/etc/xinetd.conf

```
defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv info
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
}

includedir /etc/xinetd.d
```

/etc/xinetd.d/telnetd

```
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure += USERID
        disable         = no
}
```

NOTE ... I know telnet isn't secure, I know ssh is better, I have ssh running too but for what I need to do Telnet HAS to be used as it comes naturally with windows.

----------

## speed_bump

 *Quote:*   

> NOTE ... I know telnet isn't secure, I know ssh is better, I have ssh running too but for what I need to do Telnet HAS to be used as it comes naturally with windows.

PuTTY is your friend, my friend. :)

Having said that:

Have you checked your system logs to see if anything is complaining?

Do you have IP tables configured on your Gentoo machine? 

Is this system exposed to the internet (i.e., can any old IP address connect to this machine)?

It sounds like a strange problem, and my first hunch would be to check system logs to see if something is amiss.

----------

## Klainn

Thanks for responding, ya I use putty when I ssh but for this putty isn't possible. 

I checked the systems logs and there's nothing out of the ordinary. The logs show 

"Nov 12 06:25:33 [xinetd] START: telnet pid=### from=WAN address or Local address"

and then that's it .. nothing more.

As for the ip tables, I never configured anything except a static address to the gentoo box and opened up telnet port to the box. But I can't telnet in from outside my network or from within.

stumping me.

----------

## speed_bump

 *Quote:*   

> As for the ip tables, I never configured anything except a static address to the gentoo box and opened up telnet port to the box. But I can't telnet in from outside my network or from within.

 

Do you have a related/established rule in your iptables config? It sounds like you do, if it was working at one point.

Check the TCP wrappers stuff as well (/etc/hosts.allow and /etc/hosts.deny). Problems here frequently get logged in /var/log/secure, but that depends on your logging config.

If you can look at things on the Linux machine while you're testing, check to see if a telnetd has started on the machine after you've initiated the connection. I'd also use tcpdump/ethereal to capture the session and see if there's anything peculiar about the network layer stuff that might explain it.

----------

## Klainn

in my /var/log/telnetd/current I get every once in a while... 

```
Nov 12 09:24:35 [login] PAM pam_putenv: delete non-existent entry; XAUTHORITY
```

and for some reason it's working ... I have no clue why. I changed nothing. 

The only thing I did was kill the xinetd process and reboot the system.

I attempted to check things like /etc/hosts.allow, but the only thing I have is /etc/hosts which looks about as good as it can heh. My logs show nothing unusual .. it's the strangest thing.

this is really strange heh

----------

## Klainn

Maybe some more relevant information :: 

```
Nov 12 09:33:08 [PAM-env] Unknown PAM_ITEM: <XAUTHORITY>
Nov 12 09:33:08 [login] PAM pam_putenv: delete non-existent entry; XAUTHORITY
Nov 12 09:47:59 [xinetd] START: telnet pid=6649 from=<ip>
Nov 12 09:48:38 [xinetd] START: telnet pid=6652 from=<ip>
Nov 12 09:49:15 [xinetd] Consistency check passed
Nov 12 09:49:25 [xinetd] generated state dump in file /var/run/xinetd.dump
Nov 12 09:49:28 [xinetd] START: telnet pid=6701 from=<ip>
Nov 12 09:49:33 [xinetd] Exiting...
Nov 12 09:49:34 [xinetd] xinetd Version 2.3.13 started with libwrap loadavg options compiled in.
Nov 12 09:49:34 [xinetd] Started working: 3 available services
Nov 12 09:49:36 [xinetd] START: telnet pid=6772 from=<ip>
```

and /var/run/xinetd.dump

```
INTERNAL STATE DUMP: xinetd Version 2.3.13
Current time: Fri Nov 12 10:00:41 2004

Services + defaults:
Service defaults
        Instances = 60
        CPS = max conn:25 wait:30
        Bind = All addresses.
        Only from: All sites
        No access: No blocked sites
        Logging to syslog. Facility = authpriv, level = info
        Log_on_success flags = HOST PID
        Log_on_failure flags = HOST

Service = telnet
        State = Active
        Service configuration: telnet
                id = telnet
                flags = REUSE IPv4
                socket_type = stream
                Protocol (name,number) = (tcp,6)
                port = 23
                wait = no
                user = 0
                Groups = no
                PER_SOURCE = -1
                Bind = All addresses.
                Server = /usr/sbin/in.telnetd
                Server argv = in.telnetd
                Only from: All sites
                No access: No blocked sites
                Logging to syslog. Facility = authpriv, level = info
                Log_on_success flags = HOST PID
                Log_on_failure flags = HOST USERID
        running servers = 0
        retry servers = 0
        attempts = 0
        service fd = 5

Server table dump:
Retry table dump:
Socket mask: 3 5
mask_max = 5
Open descriptors (not in socket mask): 0 1 2 4 6 7
active_services = 1
available_services = 1
descriptors_free = 1015
running_servers = 0
Logging service = enabled
max_descriptors = 1024
process_limit = 0
config_file = /etc/xinetd.conf
END OF DUMP
```

Shortly after the above post, telnet wouldn't accept any incoming requests but netstat -l  / netstat -nr showed that it was alive and well and waiting on requests.

Edit :: People that connected with telnet before it stopped working are still connected with no problems, but if they disconnect they can't reconnect.

----------

## Woody2143

 *Klainn wrote:*   

> Maybe some more relevant information :: 
> 
> ```
> Nov 12 09:33:08 [PAM-env] Unknown PAM_ITEM: <XAUTHORITY>
> ...
> ```

 

Those error messages have been coming up in a few different posts round the forums as of late. It seems the latest pam update b0rked a few things in terms of remote logins. Nobody has a good answer and a proper fix from what I have seen, but if you need to get in to the box do the following:

Edit /etc/security/pam_env.conf

Comment out the following lines:

```
# REMOTEHOST    DEFAULT= OVERRIDE=@{PAM_RHOST}
# DISPLAY               DEFAULT=${REMOTEHOST}:0.0 OVERRIDE=${DISPLAY}
# XAUTHORITY    DEFAULT= OVERRIDE=@{XAUTHORITY}
```

This may somehow be a very evil or Very Bad Thing to do security-wise, so use at your own risk; but I can say for sure that it solved my problem with logging in remotely.

----------

## speed_bump

Commenting those things out will not be a security problem. They are/were put in place as a convenient way to set certain environment variables. If you aren't using them, they have no relevance. At worst, if you do make use of them, you'll have to set them yourself.

One thing you may want to check is the number of incoming connections per second. In your original configuration, the configuration is 

```
cps = 25 30
```

which says if more than 25 connections per second are requested, disable the service for 30 seconds. This will not affect existing connections, but will keep new connections from being established for 30 seconds. If you have a large number of users, or you are in a situation where there could be a large number of connection attempts, e.g. DoS attacks are likely, or it's directly exposed to the internet where every random scanner in the world can hit it, this may be a candidate for your problem.

I'd use ethereal to look at the traffic stream and rule out this possibility. Nothing in your logs looks out of line, and the xinetd.dump looks good. Given that connections can be established and basic connectivity is functional, this seems like the next most likely bet.

----------
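An added example, not part of the thread and not xinetd's own code: one way to check the `cps` theory from the logs is to count xinetd `START` lines per second for the service and compare the peak against the `cps` value in `xinetd.conf`. The function names, the sample addresses and the "Deactivating service" wording matched here are assumptions; the `START` line format is the one posted above.

```python
import re
from collections import Counter

# Matches the START lines in the log format posted in the thread, e.g.
# "Nov 12 09:47:59 [xinetd] START: telnet pid=6649 from=<ip>"
START_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[xinetd\] START: (?P<svc>\S+) "
    r"pid=\d+ from=(?P<src>\S+)")
# Assumption: the wording xinetd logs when it disables a service.
DEACT_RE = re.compile(r"\[xinetd\] Deactivating service (?P<svc>\S+)")
CPS_RE = re.compile(r"^\s*cps\s*=\s*(\d+)\s+(\d+)", re.M)


def parse_cps(conf_text):
    """Return (connections per second, seconds disabled) from xinetd.conf."""
    m = CPS_RE.search(conf_text)
    if not m:
        raise ValueError("no 'cps = <rate> <wait>' line found")
    return int(m.group(1)), int(m.group(2))


def cps_report(log_lines, conf_text, service="telnet"):
    """Summarise how close logged connections came to the cps limit."""
    limit, wait = parse_cps(conf_text)
    per_second, per_source, deactivations = Counter(), Counter(), 0
    for line in log_lines:
        m = START_RE.match(line)
        if m and m.group("svc") == service:
            per_second[m.group("ts")] += 1   # syslog has 1-second resolution
            per_source[m.group("src")] += 1
            continue
        d = DEACT_RE.search(line)
        if d and d.group("svc") == service:
            deactivations += 1
    # A second whose START count reaches the limit is where one more
    # connection would exceed it, so those seconds are the ones to inspect.
    hot = [ts for ts, n in per_second.items() if n >= limit]
    return {"limit": limit, "wait": wait,
            "peak": max(per_second.values(), default=0),
            "seconds_at_limit": hot,
            "top_source": per_source.most_common(1),
            "deactivations": deactivations}


# Constructed sample: two normal logins, then 25 connections in one second.
CONF = "defaults\n{\n        cps            = 25 30\n}\n"
SAMPLE = ["Nov 12 09:47:59 [xinetd] START: telnet pid=6649 from=192.0.2.10",
          "Nov 12 09:48:38 [xinetd] START: telnet pid=6652 from=192.0.2.10"]
SAMPLE += [f"Nov 12 09:50:01 [xinetd] START: telnet pid={7000 + i} "
           f"from=198.51.100.7" for i in range(25)]

if __name__ == "__main__":
    print(cps_report(SAMPLE, CONF))
```

A peak of one or two connections per second, as in the log excerpt posted in the thread, would point away from the `cps` limit as the cause.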

