Re: Denying telnet to port 23 on VTY posted 11/07/2006


Hmm
maybe something like this:

access-list 100 deny tcp any any eq 23
access-list 100 permit tcp any any eq 3003

line vty 0 4
  login local
  access-class 100 in
  rotary 3

I wonder what's the original solution :)

HTH

2006/11/7, Renato Garcia Teixeira <resnef@xxxxxxxxxxx>:
>
> Hello,
>
> Looking into this question, please do not laugh at me, but the only way I
> can see to enable telnet on vty port 3003 and deny telnet without using
> ACL is using the rotary command to enable telnet on port 3003 as you
> suggested and using NBAR, matching the protocol telnet and dropping it
> with CAR (MQoS config).
> Funny and strange solution, who knows ;-)...
>
> class-map match-any NBAR
>   match protocol telnet
> !
> !
> policy-map NBAR
>   class NBAR
>      police 8000 1500 1500 conform-action drop exceed-action drop
> !
>
>
> >From: "Kal Han" <calikali2006@xxxxxxxxx>
> >Reply-To: "Kal Han" <calikali2006@xxxxxxxxx>
> >To: "Rodrigo Paes" <rpaes@xxxxxxxxx>
> >CC: secondie <secondie@xxxxxxxxx>, security@xxxxxxxxxxxxxx,
> >ccielab@xxxxxxxxxxxxxx
> >Subject: Re: Denying telnet to port 23 on VTY
> >Date: Mon, 6 Nov 2006 20:05:42 -0800
> >
> >I don't know how to do this.
> >You can disable VTY telnet access by using "transport input ssh"
> >You can use the rotary 3 so that the telnets are accepted on 3003 also.
> >But I don't know if you can disable all vty lines for telnet and
> >still be able to telnet on 3003. I am not sure if it's possible.
> >
> >and if you DON'T disable telnet input by using
> >transport input telnet
> >
> >you can telnet to the box on standard 23 port and also on 3003.
> >Both are accessible for me.
> >
> >With the following config
> >line vty 0
> >  password cisco
> >  login
> >  rotary 3
> >  transport input telnet
> >line vty 1 4
> >   login
> >   transport input none
> >   transport output none
> >
> >I can telnet on port 23 and also on 3003
> >
> >R5#telnet 195.1.135.3
> >Trying 195.1.135.3 ... Open
> >
> >
> >User Access Verification
> >
> >Password:
> >
> >[Connection to 195.1.135.3 closed by foreign host]
> >
> >R5#telnet 195.1.135.3 3003
> >Trying 195.1.135.3, 3003 ... Open
> >
> >
> >User Access Verification
> >
> >Password:
> >
> >So I don't know the solution.
> >
> >Thanks
> >Kal
> >On 11/6/06, Rodrigo Paes <rpaes@xxxxxxxxx> wrote:
> > >
> > > On Mon, 06 Nov 2006 21:04:32 -0500
> > > secondie <secondie@xxxxxxxxx> wrote:
> > >
> > > > Question asks for: Enable VTY to accept telnet on port 3003 and
> > > > deny all telnet access to VTY. ACL not allowed.
> > > >
> > > > 3003 part is easy, use rotary but can port 23 be disabled on VTY
> > > > line so that telnet is not accepted on the VTY line?
> > > >
> > > > For those that have trinet security lab workbook, (Trinet
> > > > superlab-1, section 8.5, task#1)
> > > >
> > >
> > > how about disabling the other VTY ? "transport input none"
> > >
> > >
> > > []s
> > > rodrigo
> > >
> > > --
> > > =========================================
> > > \     .-.     +++ Rodrigo Paes +++       \
> > > /     /v\    CCIE #14054 (R&S and SP)    /
> > > \    // \\   LPIC2 #19753                \
> > > /   /(   )\  Linux User #324449          /
> > > \    ^^-^^                               \
> > > /   jabber: panfleto@xxxxxxxxxx          /
> > > \   gtalk : rodp43s@xxxxxxxxx            \
> > > ==========================================
> >
>
>
>


-- 
Petr Lapukhov, CCIE #16379
petr@xxxxxxxxxxxxxxxxxxxxxx

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
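Added example, not code from any of the posters: a small first-match evaluator for the access-list 100 proposed at the top of this message, run against the two telnet attempts from Kal's test (port 23, and the rotary port 3003). It assumes the VTY access-class honours the destination port as that reply relies on, and it shows that the ACL only ends in an implicit deny, so the explicit permit for 3003 is what keeps the rotary port reachable.

```python
import re
from typing import List, Optional, Tuple

# Constructed input: the two ACL entries suggested in the reply above.
ACL_LINES = [
    "access-list 100 deny tcp any any eq 23",
    "access-list 100 permit tcp any any eq 3003",
]

# Simplified IOS extended-ACL syntax: only "any any [eq PORT]" entries.
_ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\w+)\s+any\s+any(?:\s+eq\s+(\d+))?\s*$"
)


def parse_acl(lines: List[str]) -> List[Tuple[str, str, Optional[int]]]:
    """Parse ACL lines into (action, protocol, destination port or None)."""
    aces = []
    for line in lines:
        m = _ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        _number, action, proto, port = m.groups()
        aces.append((action, proto.lower(), int(port) if port else None))
    return aces


def access_class_permits(aces, proto: str, dst_port: int) -> bool:
    """First matching entry decides, as 'access-class N in' does on a VTY line.
    dst_port is the port the client connected to: 23, or 3003 via 'rotary 3'.
    No matching entry means the implicit deny at the end of the ACL applies."""
    for action, ace_proto, ace_port in aces:
        if ace_proto not in ("ip", proto):
            continue
        if ace_port is not None and ace_port != dst_port:
            continue
        return action == "permit"
    return False  # implicit deny


def evaluate(lines: List[str], attempts: List[int]) -> dict:
    """Map each attempted destination port to whether the VTY would accept it."""
    aces = parse_acl(lines)
    return {port: access_class_permits(aces, "tcp", port) for port in attempts}


if __name__ == "__main__":
    for port, allowed in evaluate(ACL_LINES, [23, 3003]).items():
        print(f"telnet to port {port}: {'permitted' if allowed else 'denied'}")
    # With only the deny entry, the implicit deny also blocks the rotary port.
    print(evaluate(ACL_LINES[:1], [3003]))
```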