Re: Tracking Reverse Telnets

From: Erick B. (erickbe@xxxxxxxxx)
Date: Thu Aug 01 2002 - 01:36:53 GMT-3


   
The procedure below will only work if you're telnetting
to the port # from another device directly (i.e., telnet
x.x.x.x 20xx). If you're on the term server, one of the
router IPs will be used.

If you put an access-class ### in on the line
interfaces you can log the IP address to the log and
port #. Has to be an extended access-list though. We're
doing this on term servers of ours and I'm able to get
an initial connection logged but not a disconnect. If
anyone knows how to better log line (reverse telnet)
usage, let me know. Maybe someone here runs one of the
VLABs and can chime in if they track usage this way.

access-list ### ... log

--- Peter Wodle <peter_wodle@hotmail.com> wrote:
> I get vty IP address but not TTY device address.
> Also tried WHO, same output as sho user.
>
> How about debug, but not sure what type of traffic
> to debug?
>
>
> >From: Neil Moore <neil@droopy.com>
> >To: Peter Wodle <peter_wodle@hotmail.com>
> >CC: security@groupstudy.com, <ccielab@groupstudy.com>
> >Subject: Re: Tracking Reverse Telnets
> >Date: Wed, 31 Jul 2002 10:37:05 -0400 (EDT)
> >
> >Hmm that is strange on mine
> >TerminalServer#show users
> >    Line       User       Host(s)        Idle       Location
> >  10 tty 10               incoming       00:04:02   frameswitch
> >  16 tty 16               incoming       00:00:19   light.internal.droopy.com
> >* 18 vty 0                frameswitch    00:03:52   light.internal.droopy.com
> >
> >and I have tty16 is 2016 and tty10 is my 2010 and location is where I came
> >from.
> >
> >-Neil
> >
> >On Wed, 31 Jul 2002, Peter Wodle wrote:
> >
> > > this does not list IP address
> > >
> > >
> > > >From: Neil Moore <neil@droopy.com>
> > > >To: Peter Wodle <peter_wodle@hotmail.com>
> > > >CC: security@groupstudy.com, <ccielab@groupstudy.com>
> > > >Subject: Re: Tracking Reverse Telnets
> > > >Date: Wed, 31 Jul 2002 10:26:45 -0400 (EDT)
> > > >
> > > >show users
> > > >-Neil
> > > >
> > > >On Wed, 31 Jul 2002, Peter Wodle wrote:
> > > >
> > > > > Is there any way to track which IP address host is reverse telnetting to a
> > > > > port e.g. 2004 via my terminal server?
> > > > >
> > > > >
> > > > >
>
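
Added example, not part of the original messages: one way to turn the connection entries produced by the logged extended access-list into a per-line list of source addresses, using the thread's 2000 + tty port numbering. The %SEC-6-IPACCESSLOGP layout matched here, ACL number 101, the router address and all sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed layout of an IOS extended-ACL log entry; fields can vary by release.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)
BASE_PORT = 2000  # from the thread: tty10 is port 2010, tty16 is port 2016

# Constructed sample entries (documentation addresses, hypothetical ACL 101).
SAMPLE_LOG = [
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.25(1047) -> 0.0.0.0(2004), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.77(3312) -> 0.0.0.0(2016), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.1(11002) -> 0.0.0.0(2004), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.99(4410) -> 0.0.0.0(2010), 1 packet",
    "%SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.25(1050) -> 0.0.0.0(23), 1 packet",
    "%SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.25)",
]


def parse_reverse_telnet(lines, router_ips=(), max_tty=99):
    """Return one record per logged connection to a 20xx reverse-telnet port."""
    events = []
    for raw in lines:
        m = LOG_RE.search(raw)
        if not m:
            continue  # not an ACL log entry
        tty = int(m["dport"]) - BASE_PORT
        if not 1 <= tty <= max_tty:
            continue  # some other port, e.g. plain telnet on 23
        events.append({
            "tty": tty, "src": m["src"], "action": m["action"],
            # Opened from the term server itself, so the source is a router
            # IP and does not identify the user (the caveat in the post).
            "via_router": m["src"] in router_ips,
        })
    return events


def sources_by_tty(events):
    """Map tty number -> sorted remote IPs that were permitted directly."""
    out = defaultdict(set)
    for e in events:
        if e["action"] == "permitted" and not e["via_router"]:
            out[e["tty"]].add(e["src"])
    return {tty: sorted(ips) for tty, ips in out.items()}


if __name__ == "__main__":
    for e in parse_reverse_telnet(SAMPLE_LOG, router_ips={"198.51.100.1"}):
        print(e)
```

Because only the initial connection is logged, these records give session starts per line, not disconnects or durations.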



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:13 GMT-3