RE: Denying telnet to port 23 on VTY

From: Rik Guyler (rik@guyler.net)
Date: Tue Nov 07 2006 - 15:17:20 ART


Cheater! ;-)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Petr
Lapukhov
Sent: Tuesday, November 07, 2006 3:44 AM
To: Renato Garcia Teixeira
Cc: calikali2006@gmail.com; rpaes@pobox.com; secondie@gmail.com;
security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: Denying telnet to port 23 on VTY

ouch, skimmed that ACL part, sorry :(

2006/11/7, Renato Garcia Teixeira <resnef@hotmail.com>:
>
> Hello,
>
> Looking into this question, please do not laugh at me, but the only
> way I can see to enable telnet on vty port 3003 and deny telnet
> without using an ACL is using the rotary command to enable telnet on port
> 3003 as you suggested and using NBAR, matching the protocol telnet and
> dropping it with CAR (MQoS config).
> Funny and strange solution, who knows ;-)...
>
> ! NBAR classifies telnet by its well-known port, TCP 23
> class-map match-any NBAR
>  match protocol telnet
> !
> ! conform and exceed both drop, so nothing classified as telnet passes
> policy-map NBAR
>  class NBAR
>   police 8000 1500 1500 conform-action drop exceed-action drop
> !
>
>
> >From: "Kal Han" <calikali2006@gmail.com>
> >Reply-To: "Kal Han" <calikali2006@gmail.com>
> >To: "Rodrigo Paes" <rpaes@pobox.com>
> >CC: secondie <secondie@gmail.com>, security@groupstudy.com,
> >ccielab@groupstudy.com
> >Subject: Re: Denying telnet to port 23 on VTY
> >Date: Mon, 6 Nov 2006 20:05:42 -0800
> >
> >I don't know how to do this.
> >You can disable VTY telnet access by using "transport input ssh".
> >You can use "rotary 3" so that telnets are accepted on 3003 also.
> >But I don't know if you can disable all vty lines for telnet and
> >still be able to telnet on 3003. I am not sure if it's possible.
> >
> >And if you DON'T disable telnet input, i.e. you keep
> >transport input telnet
> >
> >you can telnet to the box on the standard port 23 and also on 3003.
> >Both are accessible for me.
> >
> >With the following config
> >! vty 0 answers on TCP 23 and, because of "rotary 3", on TCP 3003 as well
> >line vty 0
> > password cisco
> > login
> > rotary 3
> > transport input telnet
> >! the other vtys accept no input or output protocol at all
> >line vty 1 4
> > login
> > transport input none
> > transport output none
> >
> >I can telnet on port 23 and also on 3003
> >
> >R5#telnet 195.1.135.3
> >Trying 195.1.135.3 ... Open
> >
> >
> >User Access Verification
> >
> >Password:
> >
> >[Connection to 195.1.135.3 closed by foreign host]
> >
> >R5#telnet 195.1.135.3 3003
> >Trying 195.1.135.3, 3003 ... Open
> >
> >
> >User Access Verification
> >
> >Password:
> >
> >So I don't know the solution.
> >
> >Thanks
> >Kal
> >On 11/6/06, Rodrigo Paes <rpaes@pobox.com> wrote:
> > >
> > > On Mon, 06 Nov 2006 21:04:32 -0500
> > > secondie <secondie@gmail.com> wrote:
> > >
> > > > Question asks for: Enable VTY to accept telnet on port 3003 and
> > > > deny all telnet access to VTY. ACL not allowed.
> > > >
> > > > 3003 part is easy, use rotary, but can port 23 be disabled on VTY
> > > > line so that telnet is not accepted on the VTY line?
> > > >
> > > > For those that have the Trinet security lab workbook (Trinet
> > > > superlab-1, section 8.5, task#1)
> > > >
> > >
> > > How about disabling the other VTYs? "transport input none"
> > >
> > >
> > > []s
> > > rodrigo
> > >
> > > --
> > > =========================================
> > > \ .-. +++ Rodrigo Paes +++ \
> > > / /v\ CCIE #14054 (R&S and SP) /
> > > \ // \\ LPIC2 #19753 \
> > > / /( )\ Linux User #324449 /
> > > \ ^^-^^ \
> > > / jabber: panfleto@jabber.org /
> > > \ gtalk : rodp43s@gmail.com \
> > > ==========================================
> >
>
>
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
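The NBAR-and-police idea from Renato's post, filled out into a complete configuration so it can actually be applied and checked. This is an added example, not a configuration from the original thread, the Trinet workbook, or Cisco; the interface name FastEthernet0/0, the class-map and policy-map names, the policer values and the vty password are assumptions. The point it shows is the split the task asks for: the rotary line answers on TCP 3003, while the policy attached inbound on the client-facing interface drops what NBAR classifies as telnet, and NBAR keys its telnet match on the well-known port, TCP 23, so sessions to 3003 are not matched and still reach the vty.

```cisco
! Added example (not from the original thread). Assumed: FastEthernet0/0 is the
! interface the telnet clients arrive through; names and password are placeholders.
!
! vty 0 answers on TCP 23 and, because of "rotary 3", also on TCP 3003.
line vty 0
 password cisco
 login
 rotary 3
 transport input telnet
!
! The remaining vtys accept nothing, so vty 0 is the only reachable line.
line vty 1 4
 login
 transport input none
 transport output none
!
! NBAR classifies telnet by its well-known port, TCP 23; port 3003 is not matched.
class-map match-any TELNET-23
 match protocol telnet
!
! Both conform and exceed actions are "drop", so no port-23 telnet packet passes.
policy-map DROP-TELNET-23
 class TELNET-23
  police 8000 1500 1500 conform-action drop exceed-action drop
!
! Attach inbound on the interface the clients come in through.
interface FastEthernet0/0
 service-policy input DROP-TELNET-23
```

Two caveats a practitioner would want before relying on this. First, the policy is attached to an interface, not to the vty: it drops every telnet session entering that interface, including sessions transiting the router to hosts behind it, and clients arriving through any other interface bypass it entirely. Second, as Kal Han's test above shows, "transport input none" on the other lines does nothing for port 23 on vty 0; only the policy removes port 23. After applying it, "telnet <router> 3003" should still open and "telnet <router>" on port 23 should time out rather than prompt for a password.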



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART