
Need to limit telnet access from Internet


kmcferrin

MIS
Jul 14, 2003
2,938
US
I have just discovered that the company that set up the routers for our Internet access left them open to telnet from the Internet side. It seems to me that this would be risky from a security standpoint. I need to know the best way to lock down the routers so that they can only be configured from the console.
 
I don't know what kind of routers you are using, but from a Cisco point of view, you should be able to "config t", then "no line vty 0 4" to remove your virtual terminals.

There may also be ACLs that grant this access. If you are making these changes on these routers, then I guess they are yours to do with what you want, so you should be able to set some ACLs on the interface that is facing the Internet to prevent access.

Hope that answers your question.
 
Sorry, I spaced on that. One is a Cisco 1720, the other is a Cisco 2600XM. So just a "no line vty 0 4" and then a "write mem" when I'm done?
 
Hmmm. It doesn't seem to like that:

1720-Admin>enable
Password:
Password:
1720-Admin#config t
Enter configuration commands, one per line. End with CNTL/Z.
1720-Admin(config)#no line vty 0 4
% Can't delete last 5 VTY lines
1720-Admin(config)#

Or do I have to put that on the various interfaces?
 
Just set the following on your router. In the access-list, put the LAN subnet you want to have telnet access.

line vty 0 4
access-class 12 in
password 7 xxxxxxxxxxxxxx
login

(Example)
access-list 12 permit 192.168.1.0 0.0.0.255
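The post above restricts VTY access with an access-class tied to a standard ACL; a quick way to verify that every VTY range on a router actually carries such a restriction is to audit the running-config. The following Python script is an added example (not from the thread or from Cisco); it parses a constructed config excerpt in which the vty 0 4 block mirrors the one suggested above and reports any vty block with no access-class, an undefined ACL, or an ACL that permits any source.

```python
import re

# Constructed sample running-config excerpt (not a real device config).
# "line vty 0 4" mirrors the suggested block; "line vty 5 15" is left
# unrestricted on purpose so the audit has something to flag.
SAMPLE_CONFIG = """\
!
access-list 12 permit 192.168.1.0 0.0.0.255
access-list 13 permit any
!
line con 0
 login
line vty 0 4
 access-class 12 in
 password 7 xxxxxxxxxxxxxx
 login
line vty 5 15
 password 7 xxxxxxxxxxxxxx
 login
!
"""

def parse_sections(config):
    """Return (acls, vty_blocks): standard ACL entries keyed by number,
    and each 'line vty' block as (header, [indented sub-commands])."""
    acls = {}
    vty_blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        if line.startswith("line vty"):
            current = (line, [])
            vty_blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None  # any other top-level command ends the vty block
    return acls, vty_blocks

def audit_vty(config):
    """Return one finding per vty block reachable without a restricting ACL."""
    acls, vty_blocks = parse_sections(config)
    findings = []
    for header, body in vty_blocks:
        ac = next((l for l in body if l.startswith("access-class")), None)
        if ac is None:
            findings.append(f"{header}: no access-class; reachable from any source")
            continue
        acl_id = ac.split()[1]
        entries = acls.get(acl_id)
        if not entries:
            findings.append(f"{header}: access-class {acl_id} references an undefined ACL")
        elif any(a == "permit" and t.strip() == "any" for a, t in entries):
            findings.append(f"{header}: access-class {acl_id} permits any source")
    return findings
```

Run it against the output of `show running-config` on each router; an empty list means every vty range is bound to a restricting ACL.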
 
To prevent telnet access, you could use an ACL, or you could remove the password while keeping the "login" statement on the vty lines.
 
I can't remember...if you only set the access class on the VTY lines, does that allow the TCP session to be set up before it denies the connection, or does it drop the initial TCP SYN?

I seem to recall that it won't even allow a TCP connection unless the packet is coming from an allowed address. However, if that isn't the case then you should disallow incoming Telnet on an interface-level access list.

Heck, why not do that? Unless you have a really good reason to allow Telnet connections to your internal network, not just your border router, then I'd drop all incoming Telnet traffic, or any other management traffic like SNMP, SSH, etc.
 