From: Scott Morris (swm@emanon.com)
Date: Mon Aug 23 2004 - 16:44:56 GMT-3
The "service" is one of those built-in things. But you can control it. The
ACL listed is one way.
The other is turning off the input transport...
line vty 0 4
password cisco
login
transport input none
!
Works:
Emanon-R2#telnet 24.24.24.24
Trying 24.24.24.24 ... Open
Password required, but none set
[Connection to 24.24.24.24 closed by foreign host]
(Set the PW)
Emanon-R2#telnet 24.24.24.24
Trying 24.24.24.24 ... Open
User Access Verification
Password:
Emanon-R1>Test 1 works
^
% Invalid input detected at '^' marker.
Emanon-R1>exit
(did the transport input none command)
[Connection to 24.24.24.24 closed by foreign host]
Emanon-R2#telnet 24.24.24.24
Trying 24.24.24.24 ...
% Connection refused by remote host
Emanon-R2#
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIP, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
laurent.metzger@bt.com
Sent: Monday, August 23, 2004 1:06 PM
To: geert.nijs@simac.be; ccielab@groupstudy.com
Subject: RE: Stopping the telnet service
Hi Geert,
we are doing:
line vty 0 16
access-class 1 in
access-list 1 deny any
This will not stop the telnet service but it will be impossible to telnet to the router.
Have a nice rest of the evening, Laurent
-----Original Message-----
From: nobody@groupstudy.com on behalf of Geert Nijs
Sent: Mon 8/23/2004 5:14 PM
To: Group Study
Cc:
Subject: Stopping the telnet service
Hi group,
In configuring a router for SSH access only, I was wondering if you can stop the telnet service on a router.
Since, when you configure SSH access only with "transport input ssh", the telnet service still runs, and, if you do a port scan on the router, you will notice that port 23 can still be "seen".
How can I configure the router not to respond to port 23 at all?
The best solution would be to stop the telnet service altogether, if possible.
I think that configuring an ACL on all interfaces, denying telnet, would also work. But I'll have to test that in the lab.
Any other ideas?
Regards,
Geert
This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:47 GMT-3
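An added example, not part of the thread or any poster's own code: a small Python audit that reads `show running-config` text and reports, per vty range, whether inbound telnet is shut off with `transport input` (as in the first reply), blocked by a deny-any `access-class` (as in the second reply), or still accepted. It assumes sub-commands are indented as the router prints them and that a vty line with no `transport input` command accepts telnet (the `default_transport` parameter, which varies by IOS release); the sample config and function names are constructed for illustration.

```python
import re
# Constructed running-config excerpt (not from the thread). Sub-commands are
# indented one space, as "show running-config" prints them.
SAMPLE = """\
access-list 1 deny any
line vty 0 4
 login
 transport input none
line vty 5 10
 access-class 1 in
line vty 11 15
 login
"""

def parse_vty(config):
    """Map (first, last) -> list of sub-commands for each 'line vty' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            current = stanzas.setdefault((int(m[1]), int(m[2] or m[1])), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return stanzas

def deny_all_acls(config):
    """Numbers of ACLs whose only entry is 'deny any'."""
    acls = {}
    for num, rule in re.findall(r"^access-list (\d+) (.+)$", config, re.M):
        acls.setdefault(num, []).append(rule.strip())
    return {n for n, rules in acls.items() if rules == ["deny any"]}

def audit(config, default_transport="all"):
    """Classify each vty range. default_transport is an assumption: what a
    line with no 'transport input' command accepts on the release audited."""
    blocked, report = deny_all_acls(config), {}
    for rng, cmds in parse_vty(config).items():
        transport, acl = default_transport.split(), None
        for cmd in cmds:
            if cmd.startswith("transport input "):
                transport = cmd.split()[2:]
            elif cmd.startswith("access-class ") and cmd.endswith(" in"):
                acl = cmd.split()[1]
        accepts = bool({"telnet", "all"} & set(transport))
        report[rng] = ("telnet not accepted" if not accepts else
                       "telnet enabled, blocked by access-class" if acl in blocked
                       else "telnet accepted")
    return report
```

Running `audit(SAMPLE)` flags vty 11-15, the range neither fix was applied to, as still accepting telnet.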