Monday, July 21, 2008

Allowing telnet to a non-standard port

I didn't have time for any of the security tasks in Mock Lab 1. There were 3 for a total of 9 points. Again, the lab sessions run 7:45 and I had to load initial configs and eat dinner! Had I been able to use the full 8 hours, I am sure I would have gotten 1 or 2 of these tasks.

Here is the gist of the first security task, 9.1:

R9 should accept telnet on port 3005.
It should not allow telnet on port 23.
Configure a local user cisco with password of cisco and privilege level 15.
Telnet should require a login, but console access should not

I am going to use R5 as an example since I already have it up in Dynamips. First, to accept telnet on port 3005, put a vty line into rotary group 5: the rotary command maps group N to TCP port 3000+N, so rotary 5 listens on 3005. The local user is created first so that login local has a database to check against:

R5(config)#username cisco privilege 15 password cisco
R5(config)#line vty 5
R5(config-line)#rotary 5
R5(config-line)#login local


Next, an extended ACL that denies TCP to destination port 23 and permits everything else, applied inbound on every vty line with access-class. A connection to the rotary port 3005 falls through to the permit entry, so the ACL needs no knowledge of the rotary port. This image has 936 vty lines, which is why the whole range 0 to 935 is selected:

R5(config)#access-list 101 deny tcp any any eq telnet
R5(config)#access-list 101 permit ip any any
R5(config)#line vty 0 ?
<1-935> Last Line number


R5(config)#line vty 0 935
R5(config-line)#access-class 101 in


Let's try from R4:

R4#telnet 141.141.45.5
Trying 141.141.45.5 ...
% Connection refused by remote host

R4#telnet 141.141.45.5 3005
Trying 141.141.45.5, 3005 ... Open


User Access Verification

Username: cisco
Password:
R5#
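
The same check from R4, scripted so it can be run from any host that can reach R5 before the proctor tries it. This is an added example, not code from the original post: it assumes the address 141.141.45.5 the post uses, implements only enough of the telnet option negotiation (RFC 854) to read the login banner cleanly, and ships with a constructed loopback stand-in for R5 so it runs offline.

```python
"""Added check for task 9.1: telnet refused on 23, login prompt on 3005 (not from the post)."""
import socket
import threading

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
TELNET_PORT, ROTARY_PORT = 23, 3005       # rotary group 5 listens on 3000 + 5

def probe_tcp(host, port, timeout=3.0):
    """'open', 'refused' or 'unreachable' (timeouts included) for a TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def strip_telnet_options(data):
    """Return (text, replies, leftover): text with IAC commands removed, replies that
    refuse every offered option (WONT for DO, DONT for WILL), leftover a cut-off IAC sequence."""
    text, replies, i = bytearray(), bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            text.append(data[i]); i += 1; continue
        cmd = data[i + 1] if i + 1 < len(data) else None
        if cmd == IAC:                                   # escaped 0xff data byte
            text.append(IAC); i += 2
        elif cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        elif cmd == SB and (end := data.find(bytes([IAC, SE]), i + 2)) >= 0:
            i = end + 2                                  # skip subnegotiation
        elif cmd in (None, SB, DO, DONT, WILL, WONT):
            break                                        # truncated: leave for next chunk
        else:                                            # NOP, GA, ...: two bytes
            i += 2
    return bytes(text), bytes(replies), bytes(data[i:])

def read_banner(host, port, timeout=3.0):
    """Connect and return what the server prints up to its first Username:/Password: prompt."""
    text, carry = bytearray(), b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        while b"Username:" not in text and b"Password:" not in text:
            try:
                chunk = s.recv(4096)
            except OSError:                              # quiet line or reset: stop
                break
            if not chunk: break
            got, replies, carry = strip_telnet_options(carry + chunk)
            if replies: s.sendall(replies)
            text += got
    return bytes(text).decode("ascii", "replace")

def check_task(host, telnet_port=TELNET_PORT, rotary_port=ROTARY_PORT):
    """One verdict per requirement; a router that passes 9.1 returns all True."""
    verdict = {"port23_blocked": probe_tcp(host, telnet_port) == "refused",
               "port3005_open": probe_tcp(host, rotary_port) == "open",
               "login_required": False}
    if verdict["port3005_open"]:
        # login local (or a VTY method list) prompts for credentials; a line
        # without login drops straight into an exec prompt such as 'R5>'.
        banner = read_banner(host, rotary_port)
        verdict["login_required"] = "Username:" in banner or "Password:" in banner
    return verdict

# Constructed stand-in for R5 so the script runs offline: it negotiates like IOS
# (WILL ECHO, WILL SGA, DO TERMINAL-TYPE) and then prints the login banner.
FAKE_R5_BANNER = (bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24])
                  + b"\r\n\r\nUser Access Verification\r\n\r\nUsername: ")

def fake_router(banner=FAKE_R5_BANNER):   # serves the banner on a loopback port
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
                conn.recv(64)                            # swallow the WONT/DONT replies
            except OSError:
                pass
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():                        # a loopback port nothing listens on
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":   # offline demo; in the lab: check_task("141.141.45.5")
    print(check_task("127.0.0.1", telnet_port=closed_port(), rotary_port=fake_router()))
```

Run as-is it tests the stand-in; point check_task at the router to test the real thing. An IOS line with no login drops straight into an exec prompt, which is why the script looks for the Username: or Password: prompt rather than settling for an open port.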


That already satisfies the last requirement: vty 5 has login local, and the console has no login command at all. The proctor guide nevertheless goes a step further and defines a named AAA method list for the vty while the console stays on the default list. Here is what they have:

R5(config)#aaa new-model
R5(config)#aaa authentication login VTY local
R5(config)#aaa authentication login default none
R5(config)#line vty 5
R5(config-line)#login authentication VTY


The first command enables AAA. Once aaa new-model is on, every line authenticates through an AAA method list (the per-line login local command is replaced by login authentication), and a router with no default list configured falls back to the local user database; that is why the default list is explicitly set to none in the same session, otherwise the console would start asking for the cisco credentials. The second command defines a named login method list called VTY, which does nothing until it is applied to a line by the last command. The third command sets the default login method to none, meaning no authentication; the default list applies to every line without a named list, including the console. Only vty 5 uses the VTY list here, so the other vty lines inherit the default list of none, and it is access-list 101 blocking port 23 that keeps them from being reached without a login.

9 comments:

  1. Hi, just came across this post while googling...

    shouldn't you use

    R5(config)#line con 0
    instead of
    R5(config)#line vty 5

  2. You telnet to the VTY line, not the Console line.

  3. Hi there, just a quick question, it seems that you have excellent understanding of Cisco IOS features, how did you manage to learn all this. What book(s) did you refer? BTW, Love your BLOG, it has helped me immensely.

    Thanks,

    Jit

  4. Hello. I just read the doccd a lot, especially the application, addressing, system mgmt and configuration fundamentals guides. This is where a lot of the lesser-known features reside. Also, I just played around in the router a lot using ? to discover commands I didn't know a lot about.

    Good luck!

  5. Just want to say THANK YOU! :)

  6. hi, are there any other ways to telnet on a non-standard port other than the rotary command (port 3000 to 3127)...?

  7. This comment has been removed by the author.

  8. how to use a non-standard port such as 6187 for telnet?
    we can use port map, but is there any other way to do it?

  9. can we configure telnet on port 7200

