TOPIC: Disable telnet & ssh using ACL

Disable telnet & ssh using ACL 7 years 5 months ago #30776

apit (Senior Member, Posts: 227)
My campus network uses a 3-layer design: core switch, distribution switch & access switches. All the routing is configured at the core switch using static routes & GLBP as the redundancy protocol. To remotely access the switches, we are using the telnet & http protocols.

Currently we have found security issues; users can sniff all telnet & http passwords using tools such as C&A, wireshark and others. The action that we have taken is to use an ACL at the core switch to disable http & telnet access. The configuration looks something like this:
Core 1
!
interface Vlan20
ip address 192.168.0.250 255.255.255.0
ip access-group Deny_HTTP in
glbp 20 ip 192.168.0.254
glbp 20 priority 110
glbp 20 preempt
!

Core 2
!
interface Vlan20
ip address 192.168.0.249 255.255.255.0
ip access-group Deny_HTTP in
glbp 20 ip 192.168.0.254
!

Access Switches
ip access-list extended Deny_Telnet
deny tcp any any eq telnet
permit ip any any

The problems are:

1- Need to define Deny_HTTP in at every interface on the core switch
2- Need to define Deny_Telnet at every access switch
3- Is there any ACL short command? Any recommended website about ACL rules?

Tq

Re: Disable telnet & ssh using ACL 7 years 5 months ago #30777

Perlhack (Frequent Member, Posts: 49)
Turn off the telnet and http daemons as a solution.

! Stop the embedded web server
no ip http server
!
! Refuse every inbound protocol on all 16 vty lines (no telnet or ssh into the box)
line vty 0 15
transport input none

Re: Disable telnet & ssh using ACL 7 years 5 months ago #30786

r0nni3 (Distinguished Member, Posts: 107)
I agree with turning off the http daemon, but for administrative reasons I wouldn't recommend turning off the telnet/ssh daemon.

You can put an access-list which permits or denies certain hosts/subnets to telnet/ssh to the router.

Example:

! Standard ACL: the management subnet plus one admin host, everything else denied
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 192.168.10.10 0.0.0.0
access-list 1 deny any
!
! Apply it to inbound vty sessions (telnet/ssh to the device itself)
line vty 0 4
access-class 1 in

SSH is more secure as your passwords can't be sniffed so easily.

! Generate the RSA key pair SSH uses (hostname and ip domain-name must be set first)
crypto key generate rsa modulus 1024
!
! Keep the source restriction and accept only SSH on the vty lines
line vty 0 4
access-class 1 in
transport input ssh

You do need to define a hostname and a domain name first before you enable SSH.
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
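To verify that a switch no longer has the exposures discussed in this thread (http server on, vty lines that accept telnet, a vty range with no access-class), here is an added audit script in Python; it is not from the thread or from Cisco, and the two sample configs it checks are constructed.

```python
# Constructed sample configs (not from the thread): an access switch before and after
# applying the advice above (http off, access-class on every vty line, ssh only).
WEAK_CONFIG = """\
ip http server
line vty 0 4
 transport input telnet ssh
!
line vty 5 15
"""

HARDENED_CONFIG = """\
no ip http server
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 15
 access-class 1 in
 transport input ssh
"""


def vty_blocks(config):
    """Return [(name, [subcommands])] for every 'line vty' block in an IOS config."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw[len("line "):].strip(), [])
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current[1].append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return blocks


def audit(config):
    """List the exposures the thread discusses; an empty list means none found."""
    findings = []
    if "ip http server" in [line.strip() for line in config.splitlines()]:
        findings.append("ip http server enabled: cleartext web management")
    for name, cmds in vty_blocks(config):
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:  # default transport differs by platform, so review it
            findings.append(f"{name}: no 'transport input' line, assumed telnet-capable")
        elif "telnet" in transport.split() or transport.endswith(" all"):
            findings.append(f"{name}: telnet accepted ({transport})")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: no access-class, any source may connect")
    return findings
```

The check walks every vty block rather than only `vty 0 4`, because on a switch with 16 vty lines an access-class applied to lines 0 through 4 leaves lines 5 through 15 with their own (unrestricted) settings.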
