Make sure you secure your network from Telnet-based attacks by creating a first line of defense. This tip tells you how to add an access list to your router.
Telnet, a TCP/IP protocol for accessing remote computers, remains one of the most dangerous services that you can expose to the Internet. In fact, Cisco released Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability on Aug. 27, 2004.
This advisory stated that a remote attacker could send packets to TCP 23 (Telnet port) or reverse Telnet ports TCP 2001 to 2999, 3001 to 3099, 6001 to 6999, and 7001 to 7099. These packets would cause a denial-of-service condition and cause network devices to refuse any further connection attempts to the Telnet, reverse Telnet, SSH, SCP, RSH, and HTTP remote management services.
This would effectively deny an organization the ability to remotely manage its network devices until someone reloaded the devices or physically connected to the console to clear the memory buffer and reset the connections. So, the router or switch is up, but the organization doesn't have the ability to manage the device.
Having to restart a core router when it's passing business traffic is a sure sign that you'll be looking for a new job soon. While Cisco is working on a fix, don't wait for someone else to solve your security problem. Let's look at how you can better protect your network when using Telnet.
Telnet isn't secure; it passes all data in clear text. If you must use Telnet to manage network devices, then you should at least add an access list to your router to restrict access to the virtual terminal (vty) lines.
To define which IP addresses can connect to the virtual terminal, create a standard access list. Note that the second argument of a standard IOS access list is a wildcard mask (for example, 0.0.0.255 for a /24), not a subnet mask:
Router(config)# access-list 1 permit your.ip.subnet.address your.wildcard.mask
You can also create individual lines for each network administrator IP address, as shown below:
Router(config)# access-list 1 permit host netadmin1.host.ip.address
Router(config)# access-list 1 permit host netadmin2.host.ip.address
Next, apply the access list to your vty connections, as shown below:
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Keep in mind that every access list ends with an implicit deny of everything not explicitly permitted, so any address you leave out is refused. Because access-class is applied to the vty lines rather than to an interface, this example limits Telnet connections regardless of which interface the connection request arrives on.
Verify how many vty lines your device actually has (show line lists them); some platforms have more than five. Then change the line vty range accordingly, because any vty line left outside the range remains unrestricted.
In addition, you should block all inbound Telnet and reverse Telnet connection requests at the border router. The following entry should be near the top of any inbound access list on your border router. This example denies all inbound Telnet and reverse Telnet connection requests, regardless of the source or destination.
Router(config)# access-list 101 deny tcp any any eq 23
Router(config)# access-list 101 deny tcp any any range 2001 2999
Router(config)# access-list 101 deny tcp any any range 3001 3099
Router(config)# access-list 101 deny tcp any any range 6001 6999
Router(config)# access-list 101 deny tcp any any range 7001 7099
Next, apply the access list to block inbound traffic on all external-facing interfaces, as shown below:
Router(config)# interface serial 0/1
Router(config-if)# ip access-group 101 in
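As an added example (not from the article and not Cisco's own tooling), the Python script below audits a running-config excerpt against both recipes above: it checks that the vty lines carry an inbound access-class whose entries use wildcard masks rather than subnet masks, and that the border access list denies TCP 23 and the four reverse-Telnet ranges named in the advisory, places those denies ahead of any blanket permit, and is applied inbound on the external interface. The two config excerpts, the ACL numbers and the interface name are constructed to match the article's commands; the parser understands only the flat `access-list` syntax and single-space indented blocks shown here.

```python
import ipaddress

# Constructed running-config excerpt (not from a real device) that follows the article's recipe.
GOOD_CONFIG = """\
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit host 10.0.0.5
access-list 101 deny tcp any any eq telnet
access-list 101 deny tcp any any range 2001 2999
access-list 101 deny tcp any any range 3001 3099
access-list 101 deny tcp any any range 6001 6999
access-list 101 deny tcp any any range 7001 7099
access-list 101 permit ip any any
interface Serial0/1
 ip access-group 101 in
line vty 0 4
 access-class 1 in
"""

# Constructed excerpt with three mistakes: subnet mask instead of wildcard mask,
# blanket permit ahead of the deny, and no reverse-Telnet ranges at all.
BAD_CONFIG = """\
access-list 1 permit 192.168.10.0 255.255.255.0
access-list 101 permit ip any any
access-list 101 deny tcp any any eq 23
interface Serial0/1
 ip access-group 101 in
line vty 0 4
 access-class 1 in
"""

# TCP ports named in the Cisco advisory the article cites: Telnet plus reverse Telnet.
BLOCKED_RANGES = [(23, 23), (2001, 2999), (3001, 3099), (6001, 6999), (7001, 7099)]
NAMED_PORTS = {"telnet": 23}  # show running-config prints well-known ports by name


def parse_config(text):
    """Return {"acls": {number: [token list per entry]}, "blocks": {header: [sub-lines]}}.
    An unindented line opens a block; lines indented by a space belong to the last one."""
    acls, blocks, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        tokens = raw.split()
        if tokens[0] == "access-list":
            acls.setdefault(tokens[1], []).append(tokens[2:])
            current = None
        else:
            current = raw.strip()
            blocks[current] = []
    return {"acls": acls, "blocks": blocks}


def looks_like_subnet_mask(mask):
    """True for leading-ones values such as 255.255.255.0. A wildcard mask keeps its
    ones at the low end (0.0.0.255), so a leading-ones value is almost always a mix-up."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF
    return inverted != 0 and (inverted & (inverted + 1)) == 0 and bool(bits & 0x80000000)


def _port(token):
    return NAMED_PORTS.get(token) or int(token)


def check_vty(cfg):
    """Each vty block needs an inbound access-class whose ACL exists and whose permits
    name hosts or wildcard-masked subnets, never 'any' or a subnet mask."""
    findings = []
    for header in [h for h in cfg["blocks"] if h.startswith("line vty")]:
        applied = [l for l in cfg["blocks"][header] if l.startswith("access-class ") and l.endswith(" in")]
        if not applied:
            findings.append(f"{header}: no inbound access-class")
            continue
        acl = applied[0].split()[1]
        entries = cfg["acls"].get(acl)
        if not entries:
            findings.append(f"{header}: access-class {acl} refers to an undefined ACL")
            continue
        for entry in entries:
            if entry[0] != "permit":
                continue
            if entry[1] == "any":
                findings.append(f"access-list {acl}: 'permit any' defeats the restriction")
            elif entry[1] != "host" and len(entry) > 2 and looks_like_subnet_mask(entry[2]):
                findings.append(f"access-list {acl}: {entry[2]} is a subnet mask; IOS expects a wildcard mask")
    return findings


def check_border(cfg, acl, interface):
    """The border ACL must deny every advisory range, keep those denies ahead of any
    'permit ip any any' (later entries never match), and be applied inbound."""
    findings, denies, first_permit_all, last_deny = [], [], None, None
    for i, e in enumerate(cfg["acls"].get(acl, [])):
        if e[:4] == ["deny", "tcp", "any", "any"] and len(e) >= 6:
            last_deny = i
            if e[4] == "eq":
                denies.append((_port(e[5]), _port(e[5])))
            elif e[4] == "range" and len(e) >= 7:
                denies.append((_port(e[5]), _port(e[6])))
        elif e[:4] == ["permit", "ip", "any", "any"] and first_permit_all is None:
            first_permit_all = i
    for low, high in BLOCKED_RANGES:
        if not any(d_low <= low and high <= d_high for d_low, d_high in denies):
            findings.append(f"access-list {acl}: TCP {low}-{high} is not denied")
    if first_permit_all is not None and last_deny is not None and last_deny > first_permit_all:
        findings.append(f"access-list {acl}: deny entries after 'permit ip any any' never match")
    block = cfg["blocks"].get(interface)
    if block is None or f"ip access-group {acl} in" not in block:
        findings.append(f"{interface}: access-list {acl} is not applied inbound")
    return findings


def audit(text, acl="101", interface="interface Serial0/1"):
    """Run both checks over a config excerpt; an empty list means it passes."""
    cfg = parse_config(text)
    return check_vty(cfg) + check_border(cfg, acl, interface)
```

Running `audit(GOOD_CONFIG)` returns an empty list, while `audit(BAD_CONFIG)` reports the subnet-mask mix-up on ACL 1, the four missing reverse-Telnet ranges, and the deny that sits uselessly behind `permit ip any any`. Feed it the output of `show running-config` from your own device (the ACL number and interface name are parameters) to confirm the restrictions are really in force rather than just typed.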
This process implements a first layer of defense on your network against Telnet-based attacks and intrusion attempts against your network devices.
Adding access list restrictions to your vty lines and your inbound connections should be a temporary measure. While it's important that you add these restrictions now, you must also take steps to transition your network devices so you can manage them through a more secure means, such as secure shell (SSH).