From: dszarmach (dszarmach@comhs.org)
Date: Tue Nov 07 2006 - 01:57:21 ART
I thought of that also, but I link NBAR and ACL as the same thing because of
their similar function.... Using NBAR is not *technically* an ACL, so this would
probably meet the requirement, but I figured they were looking for
another way of stopping telnet without 'matching' telnet in an access
list or route-map.
Doug Szarmach
Sr. Network Engineer
Community Foundation of Northwest Indiana, Inc.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Rodrigo Paes
Sent: Monday, November 06, 2006 10:34 PM
To: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: Denying telnet to port 23 on VTY
On Mon, 6 Nov 2006 20:05:42 -0800
"Kal Han" <calikali2006@gmail.com> wrote:
> I don't know how to do this.
> You can disable VTY telnet access by using "transport input ssh"
> You can use the rotary 3 so that the telnets are accepted on 3003 also.
> But I don't know if you can disable all vty lines for telnet and
> still be able to telnet on 3003. I am not sure if it's possible.
>
> And if you DON'T disable telnet input by using
> transport input telnet
>
> you can telnet to the box on the standard port 23 and also on 3003.
> Both are accessible for me.
>
Could be this ...
!
!
class-map match-any KILL_TELNET
 match protocol telnet
!
!
policy-map POLICY_IN
 class KILL_TELNET
  drop
!
!
interface Tunnel1245
 service-policy input POLICY_IN
!
!
line vty 0 4
 rotary 3
!
!
Rack1R2#
Rack1R2#telnet 100.4.4.4
Trying 100.4.4.4 ...
% Connection timed out; remote host not responding
Rack1R2#telnet 100.4.4.4 3003
Trying 100.4.4.4, 3003 ... Open
User Access Verification
Password:
Rack1R4>
But it seems like a _huge_ overkill to me :\ ... I'm guessing there
might be some other simpler way
[]s
rodrigo
--
Rodrigo Paes
CCIE #14054 (R&S and SP)
LPIC2 #19753
Linux User #324449
jabber: panfleto@jabber.org
gtalk : rodp43s@gmail.com
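Added example, not part of the thread: a small Python model of why Rodrigo's NBAR policy blocks port 23 but still lets the rotary port through, and what changes when telnet is closed at the line instead. It assumes the rotary port is 3000+N, that NBAR classifies telnet by its well-known port only, and that a vty accepts telnet unless 'transport input' says otherwise; the config text is a constructed copy of the one above.

```python
from collections import defaultdict

ROTARY_BASE = 3000                  # assumption: "rotary N" on a vty also accepts telnet on TCP 3000+N
NBAR_STATIC_PORTS = {"telnet": 23}  # assumption: NBAR's telnet classifier keys on the well-known port only
def telnet_exposure(config):
    """Return (listening, reachable): TCP ports the vty lines accept telnet on, and the
    subset that survives an ingress NBAR 'drop' policy. Only class-map/match protocol,
    policy-map/drop, service-policy input, and line rotary/transport input are modelled."""
    class_protos = defaultdict(set)   # class-map name -> protocols it matches
    policy_drops = defaultdict(set)   # policy-map name -> classes whose action is 'drop'
    applied, rotary = set(), set()    # ingress policy-maps; extra ports opened by 'rotary N'
    transport = {"telnet"}            # assumption: telnet allowed unless 'transport input' says otherwise
    kind = name = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        words = line.split()
        if not words or line == "!":
            continue
        if words[0] in ("class-map", "policy-map", "interface", "line"):
            kind, name = words[0], words[-1]          # enter a new config section
        elif kind == "class-map" and line.startswith("match protocol "):
            class_protos[name].add(words[2])
        elif kind == "policy-map" and words[0] == "class":
            current_class = words[1]
        elif kind == "policy-map" and line == "drop":
            policy_drops[name].add(current_class)
        elif kind == "interface" and line.startswith("service-policy input "):
            applied.add(words[2])
        elif kind == "line" and words[0] == "rotary":
            rotary.add(ROTARY_BASE + int(words[1]))
        elif kind == "line" and words[:2] == ["transport", "input"]:
            transport = set(words[2:])
    listening = ({23} | rotary) if transport & {"telnet", "all"} else set()
    dropped = {NBAR_STATIC_PORTS[p] for pol in applied for cls in policy_drops[pol]
               for p in class_protos[cls] if p in NBAR_STATIC_PORTS}
    return listening, listening - dropped

# Constructed copy of the thread's NBAR approach: drop telnet on ingress, rotary 3 on the vty.
NBAR_DROP = """
class-map match-any KILL_TELNET
 match protocol telnet
policy-map POLICY_IN
 class KILL_TELNET
  drop
interface Tunnel1245
 service-policy input POLICY_IN
line vty 0 4
 rotary 3
"""
SSH_ONLY = NBAR_DROP + " transport input ssh\n"  # constructed variant: closing telnet at the line also closes 3003
```

telnet_exposure(NBAR_DROP) gives ({23, 3003}, {3003}), matching the telnet tests in the thread, while telnet_exposure(SSH_ONLY) gives (set(), set()).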
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART