Recipe 3.16 Restricting Inbound Telnet Access

3.16.1 Problem

You want to restrict Telnet access to the router to allow only particular workstations.

3.16.2 Solution

You can restrict which IP addresses can access the router:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 99 in
Router1(config-line)#end
Router1#

This example uses a standard access-list command. You can also use extended access lists in an access-class statement. But, because you already know the TCP port numbers, as well as the destination IP addresses, extended access lists don't provide much extra functionality.

3.16.3 Discussion

Telnet is an inherently insecure protocol because it sends passwords over the network in cleartext. We highly recommend using access-class statements to help ensure that only authorized users can access router VTYs. These access-class statements do not secure the Telnet protocol itself, but they will help to prevent unauthorized users from receiving a router login prompt. Even if someone manages to sniff your router passwords, this restriction will make them virtually useless.

For increased security, limit the permitted hosts to a few network management servers. This will force legitimate users to follow a two-stage authentication process to access your routers. They will need to authenticate their session on a central device such as the network management server before they can log into the router. The logic is that it is much easier to secure a single server than a dozen workstations.

This feature provides similar functionality to the Unix TCPWrapper tool set, which can restrict daemon access to a limited number of IP addresses. And, just like TCPWrapper, we can log the IP addresses of refused users by using the keyword log in the access list definition. This creates a log message for every unauthorized Telnet attempt, such as the following:

Router1#show logging | include list 99
Jun 27 14:14:25: %SEC-6-IPACCESSLOGS: list 99 denied 172.22.1.3 1 packet
Router1#

In the example, we have added an explicit deny any log statement to allow the router to count refused sessions:

Router1#show access-lists 99
Standard IP access list 99
    permit 172.25.1.0, wildcard bits 0.0.0.255 (4 matches)
    deny   any log (1 match)
Router1#

This command shows you the running total of permitted and refused Telnet sessions. In this example, the access list has denied a single Telnet session from accessing a router VTY. A large number of access attempts might indicate that someone is trying to access your routers without authorization. The log messages capture the IP source address of each denied attempt, making it easy to investigate.
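As an added example (not from the cookbook), the following Python sketch mirrors what the router does with access-list 99: it evaluates a standard access list with Cisco wildcard-mask, first-match and implicit-deny semantics, and then totals the %SEC-6-IPACCESSLOGS deny messages per source address from constructed show logging output, the kind of check to run when the match counters start climbing. The ACL entries and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Standard ACL 99 from the recipe as (action, address, wildcard) tuples.
# A wildcard bit of 1 means "don't care", so 0.0.0.255 matches all of 172.25.1.0/24
# and 255.255.255.255 is the same as the keyword "any".
ACL_99 = [
    ("permit", "172.25.1.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255"),   # deny any log
]

def wildcard_match(src, addr, wildcard):
    """Compare only the bits that are 0 in the wildcard mask (Cisco semantics)."""
    s = int(ipaddress.IPv4Address(src))
    a = int(ipaddress.IPv4Address(addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (s & care) == (a & care)

def acl_action(acl, src):
    """First matching entry wins; with no match the list ends in an implicit deny."""
    for action, addr, wildcard in acl:
        if wildcard_match(src, addr, wildcard):
            return action
    return "deny"

# %SEC-6-IPACCESSLOGS is the message a standard ACL entry with "log" emits;
# messages from other ACL types have a different layout and are skipped here.
STANDARD_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\d+) denied "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<pkts>\d+) packets?"
)

def denied_sources(log_lines, acl_number):
    """Total denied packets per source address for one ACL, from 'show logging' text."""
    totals = Counter()
    for line in log_lines:
        m = STANDARD_DENY.search(line)
        if m and int(m.group("acl")) == acl_number:
            totals[m.group("src")] += int(m.group("pkts"))
    return totals

# Constructed sample log lines in the format shown above (not a real capture).
SAMPLE_LOG = """\
Jun 27 14:14:25: %SEC-6-IPACCESSLOGS: list 99 denied 172.22.1.3 1 packet
Jun 27 14:19:31: %SEC-6-IPACCESSLOGS: list 99 denied 172.22.1.3 5 packets
Jun 27 14:20:02: %SEC-6-IPACCESSLOGS: list 99 denied 10.0.0.7 1 packet
Jun 27 14:21:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.8(4321) -> 172.25.1.1(23), 1 packet
""".splitlines()
```

Running `denied_sources(SAMPLE_LOG, 99).most_common()` ranks the refused sources, with 172.22.1.3 first at 6 packets, while the list 101 message is ignored.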

3.16.4 See Also

Recipe 3.15; Recipe 3.17
