md110 telnet security

velovooma

Technical User
Jun 12, 2006
32
ZA
Hi there, I'm using an Ericsson MD110 with BC12 and was wondering if there was any way to block who can and can't telnet into the system, or maybe change the default md user account. I'm relatively new at this, but know most of the basics.
Any other suggestions in terms of security would be appreciated.
 
To change the default user value:

IOUAP; /* To print out the existing accounts */
IOUAC:NAME=----,PSW=--,AUTH=---; /* To change the account data, AUTH = 7 is the highest level */
IOUAP; /* To verify the data has been changed */
 
Thanks, I wasn't too sure if I could change the default password with that. I was wondering if there was a way to block the ports so the system only allows a certain IP to telnet into it?
 
Hi

As far as I know, you don't have the possibility to block network ports, but maybe you can perform that on the switch/router where the NIU is connected?
 
Yes, I can do that, but I thought there may be a way to do it directly from the system so it could also work over the dial-in modem.
 
Are you using AAU or NIU for access?
For AAU you can edit the \cnf\communit.cnf file.
The definition of which community is allowed to manage the agent (Get, Get-Next, Set) is located in the file /cnf/communit.cnf . To enhance security, it is recommended to define a community for service provider for service purposes.

The file contains the user's community name, IP address and what permission the user has. This is the syntax:

<Community> <IP address> Read|Write

Observe the following:

The items in the line must be separated with one or more spaces.
The community string is case sensitive.
A zero in the IP address allows all numbers (0-255) in that position.
The read/write access is not case sensitive. Read will allow SNMP Get and Get-Next, and Write will also allow Set.
Up to 10 communities can be defined.
Examples:

public 0.0.0.0 READ

This allows any user with the community name public (name set in the SNMP manager) to do SNMP get on the agent, no matter what IP address the user has.

Florian 10.10.0.0 write

This allows any user with the community name Florian in the subnet 10.10.0.0 to do both SNMP Get and Set on the agent.
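
Added example (not part of the original thread and not Ericsson code): a small Python linter for the community-file syntax quoted above, which also evaluates the zero-octet wildcard rule. The `Svc-Mgmt` entry, the function names and the set of "default" community names are assumptions made for illustration.

```python
# Added example: lint entries in the communit.cnf format quoted in the post above.
MAX_COMMUNITIES = 10                      # limit stated in the post
DEFAULT_NAMES = {"public", "private"}     # widely known SNMP default community names

def parse_line(line):
    """Parse '<Community> <IP address> Read|Write' (fields split on spaces)."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields: {line!r}")
    community, ip, access = parts
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IP address: {ip!r}")
    if access.lower() not in ("read", "write"):      # access is not case sensitive
        raise ValueError(f"bad access: {access!r}")
    return {"community": community, "octets": [int(o) for o in octets],
            "write": access.lower() == "write"}

def allows(entry, community, source_ip):
    """True if a manager at source_ip presenting `community` matches the entry."""
    if community != entry["community"]:              # community is case sensitive
        return False
    src = [int(o) for o in source_ip.split(".")]
    # A 0 octet in the entry matches any value (0-255) in that position.
    return all(e == 0 or e == s for e, s in zip(entry["octets"], src))

def audit(text):
    """Return (entries, findings) for the contents of a community file."""
    entries = [parse_line(l) for l in text.splitlines() if l.strip()]
    findings = []
    if len(entries) > MAX_COMMUNITIES:
        findings.append(f"{len(entries)} communities defined, limit is {MAX_COMMUNITIES}")
    for e in entries:
        name, wild = e["community"], e["octets"].count(0)
        if name.lower() in DEFAULT_NAMES:
            findings.append(f"{name}: well-known default community name")
        if wild == 4:
            findings.append(f"{name}: any source address is accepted")
        if e["write"] and wild:
            findings.append(f"{name}: Write (SNMP Set) granted to a wildcard range")
    return entries, findings

# Constructed sample: the two entries from the post plus one hypothetical single-host entry.
SAMPLE = """public 0.0.0.0 READ
Florian 10.10.0.0 write
Svc-Mgmt  10.10.5.20  Read
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```

Because a zero octet is always a wildcard under the rule quoted above, an entry such as `10.10.0.5` matches every host `10.10.x.5`, so `allows()` is useful for checking what a line really admits before it is deployed.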

 
There is a way to select how many telnet I/O sessions you will allow simultaneously to one NIU board.
I will find the appropriate command for you tomorrow.
These "MML allowed" commands are initiated to allow more than one session of MML.
If only one of these commands is initiated, then only one user can log on through telnet on port 23 and send MML commands.
It is done in the same way as with serial ports, where it is possible to disable ports.
/// doktor
 
I found the command to initiate one telnet MML session:
IOEQI:IODEV=TELNET1,EQU=x-x-xx-4,TYPE=NETWORK,USAGE=MML;
Next commands would be:
IOEQI:IODEV=TELNET2,EQU=x-x-xx-4,TYPE=NETWORK,USAGE=MML;
IOEQI:IODEV=TELNET3,EQU=x-x-xx-4,TYPE=NETWORK,USAGE=MML;
...
IODDP; gives the printout.

If you have more than one "USAGE=MML" in your IODDP; printout, then you may limit the number of telnet sessions by: IOEQE:IODEV=TELNET1;

You must leave one telnet session in the MD110. ;))
///doktor
 
I use IPU/NIU to connect.
Thanks doktor, that's exactly what I needed.
Any other advice or tips you might have on securing access to the system?
 
Only use level 7 passwords for both NIU and IPU.
Change passwords every second month.
Set the following commands to level 7:

IOCAC:COM=SACOP,AUTH=7;
IOCAC:COM=IOUAP,AUTH=7;
IOCAC:COM=SACOS,AUTH=7;
IOCAC:COM=IODDP,AUTH=7;
IOCAC:COM=LALRL,AUTH=7;
IOCAC:COM=LADAI,AUTH=7;

Switch off power to modems connected to external lines, when not in use.

These rules may seem very strict (and they are!), but this should protect you from intruders.

/// doktor


 
Modem power is off, and I only use level 7 passwords already.
Thanks for all the help.
 