Blog | G5 Cyber Security

Detecting Telnet Sessions Through Routers

TL;DR

Routers generally cannot reliably detect transitive or cascaded telnet sessions (where a user connects to one router, then uses that router to connect to another). Standard logging and monitoring features focus on direct connections. However, you can sometimes infer such activity by analysing connection times, source IPs, and looking for unusual patterns in your logs.

Understanding the Problem

Telnet is an unencrypted protocol. When a user telnets to a router (Router A), then from Router A telnets to another router (Router B), Router B only sees the connection originating from Router A’s IP address, not the original user’s IP.

Steps to Investigate and Potentially Detect Transitive Sessions

  1. Check Router Logs: This is your first step. Look for telnet connections in your router logs. The specific commands vary by vendor (Cisco, Juniper, etc.).
  • Analyse Connection Timestamps: Look for connections originating from internal IPs connecting to external or other internal routers in quick succession. This might indicate a user bouncing through multiple devices.
    • Pay attention to the time difference between connections. A very short gap suggests a potential cascade.
  • Monitor Source IP Addresses: Track which IPs are connecting to your routers via telnet. If you see an internal IP consistently connecting to multiple routers, investigate further.
  • Enable Extended Logging (If Available): Some routers allow more detailed logging of connection information, including usernames and potentially session durations. This can help identify users who might be chaining connections.
    • Check your router’s documentation for extended logging options.
  • NetFlow/IPFIX Analysis: If you’re using NetFlow or IPFIX, analyse the flow data to see connection patterns. While it won’t directly show telnet sessions within a session, it can reveal unusual traffic from internal IPs.
  • Consider Security Implications of Telnet:
    • Disable Telnet: The best solution is often to disable telnet entirely and use SSH (Secure Shell) instead. SSH encrypts the connection, making it much more secure.
      configure terminal
      no ip telnet server
    • Restrict Access: If you must use telnet, restrict access to specific IPs only.
  • Intrusion Detection/Prevention Systems (IDS/IPS): An IDS/IPS might be able to detect unusual patterns of connections that could indicate transitive sessions, but this is not guaranteed.
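The timestamp and source-IP checks above can be combined into one correlation pass over the login records collected from all routers. The script below is an added example written for this page, not code from the original post or from any router vendor: it parses constructed syslog-style login lines (loosely modelled on Cisco IOS LOGIN_SUCCESS messages; the regex must be adapted to your platform's real format), keeps only logins on port 23, and for every login whose source address is another router's management IP it walks back hop by hop, within a configurable window, to the host that started the chain. The router names and IP addresses in ROUTERS and SAMPLE_LOGS are assumptions made for the example.

```python
"""Correlate telnet logins across routers to flag candidate cascaded sessions.

Added example (not the page's or any vendor's code). A login to router B whose
source is router A's management address, arriving shortly after a login to
router A, is reported with the reconstructed hop chain back to the host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of router management IPs (hypothetical addresses).
ROUTERS = {"10.0.0.1": "rtr-a", "10.0.0.2": "rtr-b", "10.0.0.3": "rtr-c"}

# Constructed log lines loosely modelled on Cisco IOS LOGIN_SUCCESS messages.
# The last line is an SSH login (localport 22) and is filtered out.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 rtr-a %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 192.168.50.20] [localport: 23]
2024-05-01T09:00:07 rtr-b %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: alice] [Source: 10.0.0.1] [localport: 23]
2024-05-01T09:00:15 rtr-c %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.2] [localport: 23]
2024-05-01T11:30:00 rtr-b %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.168.50.31] [localport: 23]
2024-05-01T15:00:00 rtr-c %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: carol] [Source: 10.0.0.1] [localport: 23]
2024-05-01T15:00:05 rtr-a %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: dave] [Source: 192.168.50.40] [localport: 22]
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<router>\S+) .*LOGIN_SUCCESS.*"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_logins(text, port="23"):
    """Parse LOGIN_SUCCESS lines, keep logins on `port` (23 = telnet), sort by time."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("port") == port:
            events.append({
                "ts": datetime.fromisoformat(m.group("ts")),
                "router": m.group("router"),
                "user": m.group("user"),
                "src": m.group("src"),
            })
    return sorted(events, key=lambda e: e["ts"])


def trace_origin(event, by_router, window):
    """Walk a login back while its source is a known router and that router saw
    a login within `window` beforehand. Returns (chain of router names, nearest
    first, originating host IP); the IP is None when the chain cannot be closed
    (no upstream login in the window, e.g. rotated logs, or a loop)."""
    chain = [event["router"]]
    current = event
    while True:
        upstream = ROUTERS.get(current["src"])
        if upstream is None:
            return chain, current["src"]           # reached a non-router host
        earlier = [u for u in by_router[upstream]
                   if timedelta(0) <= current["ts"] - u["ts"] <= window]
        if not earlier or upstream in chain:
            chain.append(upstream)
            return chain, None                     # evidence gap or loop
        chain.append(upstream)
        # Heuristic: assume the most recent upstream login is the same operator.
        current = max(earlier, key=lambda u: u["ts"])


def find_cascades(events, window=timedelta(minutes=5)):
    """Report every telnet login whose source address is another router."""
    by_router = defaultdict(list)
    for e in events:
        by_router[e["router"]].append(e)
    findings = []
    for e in events:
        if e["src"] not in ROUTERS:
            continue                               # ordinary direct login
        chain, origin = trace_origin(e, by_router, window)
        findings.append({
            "ts": e["ts"].isoformat(),
            "user": e["user"],
            "path": " <- ".join(chain),
            "origin": origin,
            "hops": len(chain),
        })
    return findings


if __name__ == "__main__":
    for f in find_cascades(parse_logins(SAMPLE_LOGS)):
        print(f)
```

Run against the constructed sample, the script reports alice's two-hop chain into rtr-b and the three-hop chain into rtr-c, both resolved back to 192.168.50.20, and carol's login to rtr-c from rtr-a with no origin, because the only earlier login on rtr-a is hours outside the window. The attribution is a heuristic: when several people are logged in to the upstream router at once it simply picks the most recent login, which is exactly the uncertainty the post describes, so treat the output as a lead for investigation rather than proof.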

Limitations

Keep in mind these limitations:

• Session contents: Although telnet itself is unencrypted, routers generally log connection events rather than the contents of a session, so a telnet command typed inside an existing session leaves no record on the first router.
• Log Rotation: Logs are often rotated, so you may not have historical data available.
• Router Capabilities: Not all routers offer advanced logging features.