Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need to limit telnet access from Internet

Status
Not open for further replies.
kmcferrin

kmcferrin

MIS
Jul 14, 2003
2,938
US
I have just discovered that the company that set up the routers for our Internet access left them open to telnet from the Internet side. It seems to me that this would be risky from a security standpoint. I need to know the best way to lock down the routers so that they can only be configured from the console.
 
Sort by date Sort by votes
I don't know what kind of routers you are using, but from a Cisco point of view, you should be able to "config t", then "no line vty 0 4" to remove your virtual terminals.

There may also be ACL's that grant this access. If you are making these changes on these routers, then I guess they are yours to do with what you want, so should be able to set some ACL's on the interface that is facing the internet to prevent access.

Hope that answers your question.
 
Upvote 0 Downvote
Sorry, I spaced on that. One is a Cisco 1720, the other is a Cisco 2600XM. So just a "no line vty 0 4" and then a "write mem" when I'm done?
 
Upvote 0 Downvote
Hmmm. It doesn't seem to like that:

1720-Admin>enable
Password:
Password:
1720-Admin#config t
Enter configuration commands, one per line. End with CNTL/Z.
1720-Admin(config)#no line vty 0 4
% Can't delete last 5 VTY lines
1720-Admin(config)#

Or do I have to put that on the various interfaces?
 
Upvote 0 Downvote
Just set the following on you router. In access-list just put the subnet lan subnet you want to have access for telnet.

line vty 0 4
access-class 12 in
password 7 xxxxxxxxxxxxxx
login

(Example)
access-list 12 permit 192.168.1.0 0.0.0.255
 
Upvote 0 Downvote
To prevent telnet access, you could use an ACL, or you could remove the password while keeping the "login" statement on the vty lines.
 
Upvote 0 Downvote
I can't remember...if you only set the access class on the VTY lines, does that allow the TCP session to be set up before it denies the connection, or does it drop the initial TCP SYN?

I seem to recall that it won't even allow a TCP connection unless the packet is coming from an allowed address. However, if that isn't the case then you should disallow incoming Telnet on an interface-level access list.

Heck, why not do that? Unless you have a really good reason to allow Telnet connections to your internal network, not just your border router, then I'd drop all incoming Telnet traffic, or any other management traffic like SNMP, SSH, etc.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Luzbel
  • Locked
  • Question
Connecting HVAC controller to network
Replies
0
Views
150
Luzbel
Luzbel
Skip Rango
  • Locked
  • Question
how to backup cisco sg500-52p switch
Replies
1
Views
213
madwok
madwok
DTGMI
  • Locked
  • Question
Moving from Juniper SRX-240 to Cisco ??
Replies
0
Views
118
DTGMI
DTGMI
PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
180
bdk76
bdk76
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat 1
Replies
1
Views
155
BIS
BIS

Part and Inventory Search

Sponsor

Back
Top