2.3.4 Ensure telnet client is not installed (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
The telnet
package contains the telnet
client, which allows users to start connections to other systems via the telnet protocol.
Rationale
The telnet
protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh
package provides an encrypted session and stronger security and is included in most Linux distributions.
Audit
Run the following commands to verify telnet
is not installed:
dpkg -s telnet
Remediation
Run the following command to uninstall telnet
:
apt-get remove telnet
Impact
Many insecure service clients are used as troubleshooting tools and in testing environments. Uninstalling them can inhibit capability to test and troubleshoot. If they are required it is advisable to remove the clients after use to prevent accidental or intentional misuse.