Non root user using telnet refused

Support for security such as Firewalls and securing linux
rezashamdani
Posts: 8
Joined: 2019/04/11 03:39:19

Post by rezashamdani » 2019/04/11 04:01:29

Hi,

I'm trying to send email without using the root account, but it failed as shown below:
Using the root account:

[root@XXXXXX ~]# telnet XXXXXX.mail.protection.outlook.com 25
Trying XXX.XX.XXX.XX...
Connected to XXXXXX.mail.protection.outlook.com.
Escape character is '^]'.
220 XXXXXX.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 11 Apr 2019 03:53:53 +0000
Using a non-root account:

[nonroot@XXXXXX ~]$ telnet XXXXXX.mail.protection.outlook.com 25
Trying XXX.XX.XXX.XX...
telnet: connect to address XXX.XX.XXX.XX: Connection refused
Trying XXX.XX.XXX.XX...
telnet: connect to address XXX.XX.XXX.XX: Connection refused
I have spent a week trying to figure it out, but still failed. We have another server with CentOS 6, and there the non-root account can use telnet.
I have disabled SELinux as others have suggested on similar questions, but it still failed.
Please help; I have another 7 CentOS 6 servers that need to be upgraded to CentOS 7 by next year, and this issue might hold that back.

This is my server's current configuration:
Linux howdensg2.howdensolutions.com 3.10.0-862.2.3.el7.x86_64 #1 SMP Wed May 9 18:05:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux.
SELinux disabled.
firewalld.service inactive.
iptables -L -n --line-numbers, without the INPUT section:

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain cphulk (1 references)
num  target     prot opt source               destination

avij
Forum Moderator
Posts: 2964
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Non root user using telnet refused

Post by avij » 2019/04/11 05:34:09

I see you have cPanel installed. Whatever restriction there may be has probably been configured through cPanel. So ask them, maybe?

hunter86_bg
Posts: 1789
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Non root user using telnet refused

Post by hunter86_bg » 2019/04/15 03:47:10

SELinux disabled ... That's like shooting a pigeon with a tank.
Just set it to permissive, and if SELinux is the problem you will have the info in /var/log/audit/audit.log

TrevorH
Forum Moderator
Posts: 25808
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Non root user using telnet refused

Post by TrevorH » 2019/04/15 13:56:12

It isn't the problem. The problem is the output iptables lines that restrict output packets to only traffic that comes from source ports 8984 and 7984 for the root user or for uid 988.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

rezashamdani
Posts: 8
Joined: 2019/04/11 03:39:19

Re: Non root user using telnet refused

Post by rezashamdani » 2019/04/22 03:26:32

Sorry for the late reply.

Thanks @TrevorH, I have allowed the request before the reject line as seen below:

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xx        tcp dpt:25 state NEW,ESTABLISHED
2    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable
but the telnet with the non-root user still fails, please help

TrevorH
Forum Moderator
Posts: 25808
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Non root user using telnet refused

Post by TrevorH » 2019/04/22 11:25:08

If you mean you added the line to allow port 25 then that is for sending mail not for telnet. Telnet itself uses port 23 not 25.

rezashamdani
Posts: 8
Joined: 2019/04/11 03:39:19

Re: Non root user using telnet refused

Post by rezashamdani » 2019/04/23 02:46:19

Hi @TrevorH, I have added port 23 as in the output below:

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xxx        tcp dpt:25 state NEW,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            xx.xxx.xx.xxx        tcp dpt:23 state NEW,ESTABLISHED
3    cpanel-dovecot-solr  all  --  0.0.0.0/0            0.0.0.0/0

Chain cpanel-dovecot-solr (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 988
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 owner UID match 0
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport sports 8984,7984 reject-with icmp-port-unreachable

Chain cphulk (1 references)
num  target     prot opt source               destination
[root@XXXXXX ~]# su nonroot
[nonroot@ XXXXXX ~]$ telnet XXXXXX.mail.protection.outlook.com 25
Trying xx.xxx.xx.xxx...
telnet: connect to address xx.xxx.xx.xxx: Connection refused
Trying xx.xxx.xx.xxx...
telnet: connect to address xx.xxx.xx.xxx: Connection refused
[nonroot@ XXXXXX ~]$ exit
exit
[root@ XXXXXX ~]# telnet XXXXXX.mail.protection.outlook.com 25
Trying xx.xxx.xx.xxx...
Connected to XXXXXX.mail.protection.outlook.com.
Escape character is '^]'.
220 XXXXXXXXXX.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Tue, 23 Apr 2019 02:41:32 +0000

TrevorH
Forum Moderator
Posts: 25808
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Non root user using telnet refused

Post by TrevorH » 2019/04/23 10:26:01

You know that mail.protection.outlook.com is a DNS entry that resolves to about 100 different IP addresses and that you're very likely to get a different one each time you do a lookup?

rezashamdani
Posts: 8
Joined: 2019/04/11 03:39:19

Re: Non root user using telnet refused

Post by rezashamdani » 2019/04/25 04:45:14

It was not mail.protection.outlook.com, instead mycompany.mail.protection.outlook.com. Every time I check the IP via dig/ping it always returns the same IP address. Please help me to resolve this.

My other server, the CentOS 6 one, was not having this issue.

aks
Posts: 2731
Joined: 2014/09/20 11:22:14

Re: Non root user using telnet refused

Post by aks » 2019/04/25 18:41:31

"everytime i check the ip via dig/ping it always return the same ip address"
That's often called caching (or maybe not, you don't say).
"please help me to resolve this."
Well, there are many stories that can get in the way; persevere, I say.

Just switch off the firewall (assuming that's appropriate), at both ends (if possible). You are getting "connection denied", which suggests you are getting ICMP messages - classic/good citizen messages IMO. Does it work without the firewall(s)? If so, it's likely the firewall(s) are the problem (and no, don't do anything else, literally stop iptables/firewalld and that is all - I can't tell you how many times people do other things and "pretend" they've only done the one thing - be 100% sure.)

Packets (at the network layer and below) do NOT carry the context of who did what. If the application involved does, then change the application(s).
