
Telnet, a TCP/IP protocol for accessing remote computers, remains one of the most dangerous services that you can expose to the Internet. In fact, Cisco released the "Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability" on Aug. 27, 2004.

This advisory stated that a remote attacker could send packets to TCP port 23 (the Telnet port) or to the reverse Telnet ports TCP 2001 to 2999, 3001 to 3099, 6001 to 6999, and 7001 to 7099. These packets would cause a denial-of-service condition and cause network devices to refuse any further connection attempts to the Telnet, reverse Telnet, SSH, SCP, RSH, and HTTP remote management services.

This would effectively deny an organization the ability to remotely manage its network devices until someone reloaded the devices or physically connected to the console to clear the memory buffer and reset the connections. So, the router or switch is up, but the organization doesn't have the ability to manage the device.

Having to restart a core router while it's passing business traffic is a sure sign that you'll be looking for a new job soon. While Cisco is working on a fix, don't wait for someone else to solve your security problem. Let's look at how you can better protect your network when using Telnet.

Telnet isn't secure; it passes all data in clear text. If you must use Telnet to manage network devices, then you should at least add an access list to your router to restrict access to the virtual terminal (vty) lines.

To define which IP addresses can connect to the virtual terminal, create the following access list. Note that a standard IOS access list takes a wildcard mask (the inverse of the subnet mask), not the subnet mask itself:

Router(config)# access-list 1 permit your.ip.subnet.address your.ip.wildcard.mask

You can also create individual lines for each network administrator IP address, as shown below:

Router(config)# access-list 1 permit host netadmin1.host.ip.address
Router(config)# access-list 1 permit host netadmin2.host.ip.address

Next, apply the access list to your vty connections, as shown below:

Router(config)# line vty 0 4
Router(config-line)# access-class 1 in

Keep in mind that every access list ends with an implicit deny-all statement, so any source not explicitly permitted is refused. Because access-class is applied to the vty lines themselves rather than to an interface, this example limits Telnet connections regardless of which interface the connection request arrives on.

Check your network device's configuration for the number of vty lines it actually has, then adjust the line vty range in the command accordingly so that no line is left without the access-class.

In addition, you should block all inbound Telnet and reverse Telnet connection requests at the border router. The following entries should be near the top of any inbound access list on your border router; because the list ends with an implicit deny-all, the permit statements for the traffic you do want must follow them. These entries deny all inbound Telnet and reverse Telnet connection requests, regardless of the source or destination.

Router(config)# access-list 101 deny tcp any any eq telnet
Router(config)# access-list 101 deny tcp any any range 2001 2999
Router(config)# access-list 101 deny tcp any any range 3001 3099
Router(config)# access-list 101 deny tcp any any range 6001 6999
Router(config)# access-list 101 deny tcp any any range 7001 7099

Next, apply the access list to block inbound traffic on all external-facing interfaces, as shown below:

Router(config)# interface serial 0/1
Router(config-if)# ip access-group 101 in

This process implements a first layer of defense on your network against Telnet-based attacks and intrusion attempts against your network devices.
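As an added example (not from the original article and not Cisco's own tooling), the following Python script audits a saved copy of a router's show running-config for the two controls described above: it flags vty blocks that lack an inbound access-class or still allow the Telnet transport, and reports which of the advisory's port ranges a named border access list does not deny. The configuration text is constructed for the demonstration, and the function names and the acl parameter are assumptions.

```python
import re

ADVISORY_PORTS = [(23, 23), (2001, 2999), (3001, 3099), (6001, 6999), (7001, 7099)]  # from the advisory

# Constructed "show running-config" excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any range 2001 2999
access-list 101 deny tcp any any range 3001 3099
access-list 101 permit ip any any
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def audit_vty(config):
    """Return (vty block, issue) pairs: no inbound access-class, or Telnet not shut off."""
    blocks, cur = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            cur = {"name": raw, "acl": False, "transport": None}
            blocks.append(cur)
        elif cur is not None and raw.startswith(" "):
            if re.match(r" access-class \S+ in$", raw):
                cur["acl"] = True
            m = re.match(r" transport input (.+)$", raw)
            if m:
                cur["transport"] = m.group(1).split()
        else:
            cur = None  # any non-indented line ends the vty block
    findings = []
    for b in blocks:
        if not b["acl"]:
            findings.append((b["name"], "no inbound access-class"))
        if b["transport"] is None or {"telnet", "all"} & set(b["transport"]):
            findings.append((b["name"], "Telnet transport not disabled"))
    return findings

def uncovered_advisory_ports(config, acl):
    """Return advisory port ranges the named ACL does not deny with 'deny tcp any any'."""
    denied = set()
    pat = re.compile(rf"access-list {acl} deny tcp any any (eq telnet|eq 23|range (\d+) (\d+))$")
    for raw in config.splitlines():
        m = pat.match(raw)
        if m:
            denied.add((23, 23) if m.group(1).startswith("eq") else (int(m.group(2)), int(m.group(3))))
    return [r for r in ADVISORY_PORTS if r not in denied]
```

Run against the sample, the audit reports the second vty block twice (no access-class, Telnet still permitted) and shows that access list 101 is missing the 6001-6999 and 7001-7099 ranges.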

Final thoughts

Adding access list restrictions to your vty lines and your inbound connections should be a temporary measure. While it's important that you add these restrictions now, you must also take steps to transition your network devices so you can manage them through a more secure means, such as secure shell (SSH).