| larkspur 2004-08-24, 4:28 pm |
| I am trying to disable telnet on a router.
I did the "no line vty 0 4" command but it was giving an error. I have searched Cisco but found no answer. Has anyone done this before? | |
|
| On your VTY ports try "transport input none" | |
| smrkdown 2004-08-24, 6:02 pm |
| Mat's solution is probably best, but you could also use "no password" and "no login", or you could use an ACL. | |
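The three options mentioned so far ("transport input none", "no login"/"no password", and an access list applied with access-class) can be checked mechanically against a running config. The following is an added Python example, not code from the thread or from Cisco: it parses constructed "line vty" blocks and reports which ones still accept telnet or accept sessions without authentication. The hostname, ACL number 10 and management host 10.1.1.5 in the sample configs are assumptions. One caveat a practitioner will want: "no login" on a vty line removes the password prompt rather than blocking the line, so the audit treats it as a finding, not as a way of disabling telnet.

```python
"""Audit Cisco IOS 'line vty' blocks for remote-access weaknesses.

Added example for this thread, not code from the thread or from Cisco.
Both configurations below are constructed; the hostname, ACL number and
management host 10.1.1.5 are assumptions for illustration only.
"""
import re
from typing import Dict, List, Optional

# Constructed "before": telnet open to any source, no password prompt at all.
WEAK_CONFIG = """\
hostname border-rtr
!
line con 0
 login
line vty 0 4
 no login
 no password
 transport input all
!
"""

# Constructed "after": SSH only, source-restricted, authenticated, logged.
HARDENED_CONFIG = """\
hostname border-rtr
!
access-list 10 remark management host only
access-list 10 permit host 10.1.1.5 log
access-list 10 deny any log
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
!
"""

VTY_RE = re.compile(r"^line vty (\d+ \d+)$")


def vty_blocks(config: str) -> Dict[str, List[str]]:
    """Return {line-range: [sub-commands]} for each 'line vty' block."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif raw.startswith(" ") and raw.strip() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the block
    return blocks


def audit_vty(config: str) -> Dict[str, List[str]]:
    """Return {line-range: [findings]}; an empty list means the block passed."""
    report: Dict[str, List[str]] = {}
    for rng, cmds in vty_blocks(config).items():
        findings: List[str] = []
        transport = next((c.split(None, 2)[2] for c in cmds
                          if c.startswith("transport input ")), None)
        allowed = set(transport.split()) if transport else None
        remote = allowed != {"none"}  # 'transport input none' closes the line
        if allowed is None:
            findings.append("transport input not set: release default applies "
                            "(telnet on older IOS)")
        elif remote and not allowed <= {"ssh"}:
            findings.append(f"transport input {transport}: telnet accepted")
        if "no login" in cmds:
            findings.append("no login: sessions accepted with no password prompt")
        elif remote and not any(c.split()[0] == "login" for c in cmds):
            findings.append("no login method configured")
        if remote and not any(c.startswith("access-class ") and c.endswith(" in")
                              for c in cmds):
            findings.append("no inbound access-class: any source may connect")
        if remote and not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append("exec-timeout not set: idle sessions keep the "
                            "10-minute default")
        report[rng] = findings
    return report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for rng, findings in audit_vty(cfg).items():
            print(f"{name}: line vty {rng}: {'OK' if not findings else ''}")
            for f in findings:
                print("  -", f)
```

Feed it the output of "show running-config" and every vty block with an empty finding list is one that only accepts SSH from the listed hosts, or accepts nothing at all.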
| Sexy Lexy 2004-08-24, 7:02 pm |
| I am curious, why disable the telnet access?
The access class command in conjunction with an access list is a good security measure and you can limit the access to one specific host.
I cannot see the benefit of disabling telnet altogether, in a working environment anyway.
May I ask, is this just out of curiosity or just to see if it can be done?
 | |
| smrkdown 2004-08-24, 8:31 pm |
| Maybe use the HTTP interface instead! | |
|
| In the environment I'm currently in we have barred telnet out of routers (using transport output none), so we can't telnet from router to router for troubleshooting.
I've never seen it before, they've also denied pings and CDP - troubleshooting is an absolute nightmare!
I asked the same question as Sexy Lexy - "why" | |
| Just Visiting 2004-08-25, 5:38 am |
| dang Matt.... sounds like Security runs your place. I hope it is a relatively small network, because I sure wouldn't want to be troubleshooting a routing or multicast problem on your network!
-JV | |
| bill.burns 2004-08-25, 12:02 pm |
| As smrkdown pointed out, maybe they are using SDM, which is standard on all new routers. | |
| Sexy Lexy 2004-08-25, 12:42 pm |
| quote: Originally posted by Mat P
In the environment I'm currently in we have barred telnet out of routers (using transport output none), so we can't telnet from router to router for troubleshooting.
I've never seen it before, they've also denied pings and CDP - troubleshooting is an absolute nightmare!
I asked the same question as Sexy Lexy - "why"
It's not just me then!
Most of these measures are straight out of the SAFE design. I'm working through the CCDA and most of the aforementioned measures get a mention, especially disabling CDP.
You live and learn!
 | |
| ZacDogg 2004-08-25, 5:54 pm |
| Some companies use terminal servers or out-of-band management to access all their routers and switches. One reason to deny telnet. Another is that telnet is passed in clear text. At my company we disable telnet on all routers that have public IPs and only SSH is allowed.
Zac | |
| Sexy Lexy 2004-08-25, 6:03 pm |
| I guess this is the advantage of experience, learning is one thing but experience is the better teacher.
 | |
| Warfare 2004-08-25, 7:57 pm |
| Does that mean that Cisco routers support SSH? I've never tried that or heard of anyone SSHing to a router. Just Telnet! | |
| larkspur 2004-08-25, 10:35 pm |
| The reason I am asking is because do you really want your internet or border router just sitting out there? Some crack job could just be sitting there trying password combinations all day without you knowing what is going on. I am not the security expert, but I thought better to be safe than sorry. I am using ACLs to protect the router, but telnet is still on, even though you cannot get to it. I have ACLs on both the serial and ethernet interfaces, not to mention I denied echo in my ACL as well, so now if my IP gets scanned it will not reply and the unknown will hopefully move on. I read what I think is a good PDF, "8 steps to securing your router". Let me know if you want to check it out and I will post it. Let me ask this question: do you all turn off services on your internet router like no ip redirects or no ip cache? There are many more, but I am just curious. | |
| larkspur 2004-08-25, 10:40 pm |
| Also, instead of setting up telnet from a certain host, we have connected a console to the router and the designated computer, so if you need to get into the router you go to that box. | |
| stnosc 2004-08-26, 8:12 am |
| quote: Originally posted by Warfare
Does that mean that Cisco routers support SSH? I've never tried that or heard something SSHing to a router. Just Telnet!
A Cisco router will support SSH as long as you have an IOS loaded that will support it. | |
| stnosc 2004-08-26, 8:26 am |
| quote: Originally posted by larkspur
Some crack job could just be sitting there trying pasword combintions all day with out you knowing what is going on.
Create an access-list and slap it on your vty lines as an access-class. Allow only selected IP hosts telnet access. Place log statements on the list and send your logs to a syslog daemon so you can monitor who (if anyone) is trying to telnet into your router.
quote: ....not to mention i denied echo in my acl as well so now if my ip gets scanned then it will not reply and the unknown will hopefully move on.
Sorry, but that alone will not prevent anyone from scanning your network. | |
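The logging half of stnosc's advice is worth showing end to end: the "log" keyword on access-list entries makes IOS emit %SEC-6-IPACCESSLOG* syslog messages, and once those reach a syslog daemon they can be aggregated per source. The following is an added Python example, not code from the thread or from Cisco. The log lines are constructed in the extended-ACL IPACCESSLOGP shape (list name VTY-ACL, router address 192.0.2.1, probing hosts from documentation ranges); the exact field layout is an assumption, so adjust the regex to what your release actually logs. Because IOS logs the first matching packet immediately and then rate-limited summaries ("N packets") afterwards, the example sums the packet counts rather than counting lines.

```python
"""Aggregate denied telnet attempts from IOS access-list log messages.

Added example for this thread, not code from the thread or from Cisco.
The log lines below are constructed; the list name, addresses and the
exact IPACCESSLOGP field layout are assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional

# Constructed syslog lines as a collector might receive them from a router.
SAMPLE_LOG = """\
Aug 26 08:12:01 border-rtr 45: *Aug 26 08:12:00.123: %SEC-6-IPACCESSLOGP: list VTY-ACL permitted tcp 10.1.1.5(51002) -> 192.0.2.1(23), 1 packet
Aug 26 08:13:14 border-rtr 46: *Aug 26 08:13:13.401: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 203.0.113.7(41022) -> 192.0.2.1(23), 1 packet
Aug 26 08:18:14 border-rtr 47: *Aug 26 08:18:13.402: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 203.0.113.7(41022) -> 192.0.2.1(23), 37 packets
Aug 26 08:20:02 border-rtr 48: *Aug 26 08:20:01.900: %SEC-6-IPACCESSLOGP: list VTY-ACL denied tcp 198.51.100.9(33000) -> 192.0.2.1(23), 2 packets
Aug 26 08:21:33 border-rtr 49: *Aug 26 08:21:33.010: %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 198.51.100.9(33001) -> 192.0.2.1(80), 1 packet
Aug 26 08:22:00 border-rtr 50: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)
"""

# Assumed message layout; the syslog prefix before the mnemonic is ignored.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


class Hit(NamedTuple):
    acl: str
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    count: int  # packets covered by this message (1 or a 5-minute summary)


def parse_line(line: str) -> Optional[Hit]:
    """Parse one syslog line; return None for lines that are not ACL hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Hit(m["acl"], m["action"], m["proto"], m["src"], m["dst"],
               int(m["dport"]), int(m["count"]))


def summarize(lines: Iterable[str], port: int = 23) -> Dict[str, int]:
    """Total denied packets per source address toward the given port."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        hit = parse_line(line)
        if hit and hit.action == "denied" and hit.dport == port:
            totals[hit.src] += hit.count  # sum counts, not lines
    return dict(totals)


def suspects(lines: Iterable[str], port: int = 23, threshold: int = 10) -> List[str]:
    """Sources whose denied-packet total reaches the threshold, sorted."""
    return sorted(src for src, n in summarize(list(lines), port).items()
                  if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, n in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n:5d} denied packets to tcp/23")
    print("persistent sources:", ", ".join(suspects(lines)) or "none")
```

In the constructed data the single line for 203.0.113.7 showing "37 packets" is what a sustained guessing attempt looks like after rate limiting, which is why thresholding on the summed count rather than on the number of log lines is the right test.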
| larkspur 2004-08-26, 9:39 am |
| You are right, it won't, but if the interface does not reply then that could hopefully avoid port scanning of that IP. Kind of like hide and seek! | |
| smrkdown 2004-08-26, 11:59 am |
| nmap -v -sS -P0 -O host
No ping reply needed.
But I guess it is a good security measure anyway. | |
| Tophat 2004-08-31, 7:05 pm |
| quote: Originally posted by larkspur
you are right it won't but if the interface does not reply than that could hopefully avoid portscanning of that IP. Kind of like hide and seek!
| Security through obscurity does not work any more. Also, once a person has been able to access one router, have you taken the proper security measures to prevent the attacker from telnetting to all the other routers? If available, SSH should be the only access method to a Cisco router. All the latest routers support SSH. ACLs are a very good measure if applied correctly, but all too often I see them applied in a way that gives the technician a false sense of security.
Also keep in mind that router security is only one part in the grand scheme. Syslog is a good proactive measure, along with making sure you place and monitor IDS sensors on all critical network segments.
if you want to see a good starting template for a router config that has most of the current security features enabled follow the link.
http://www.cymru.com/Documents/secure-ios-template.html | |
| stnosc 2004-08-31, 7:15 pm |
| Agreed. SSH is the way to go if your IOS supports it! | |
| larkspur 2004-08-31, 10:22 pm |
| This has been a great post with a lot of information on a topic that does not get covered much here, at least that I have seen.
There is a lot of information provided here and I value everyone's input. I am still researching the best way to secure the border router and have ACLs in place until I can finish researching the best solution for my situation.
One question for you all about the console cable directly connected to the router for the meantime: a good idea or no? | |
| edmonds_robert 2004-09-01, 12:00 am |
| I don't see why that's a bad idea, especially since a lot of termservers support SSH. In our environment, using an IOS that supports SSH is not an option at the moment, so a secure termserver to the console port is as good as sitting there with a laptop. |