06-13-2014 10:51 AM - edited 02-21-2020 05:12 AM
When we run the 'show control-plane host open-ports' command on any of our routers (but specifically a CGR 2010) we are seeing port 23 in a listening state.
Active internet connections (servers and established)
Prot Local Address   Foreign Address   Service      State
tcp  *:22            *:0               SSH-Server   LISTEN
tcp  *:23            *:0               Telnet       LISTEN
udp  *:123           *:0               NTP          LISTEN
Our auditors are leery of this even though we have shown that we do not have telnet enabled on the VTY lines, only SSH, and there is an ACL in place for further protection. Is there ANY way to completely disable port 23 to keep it from running AT ALL upon startup? I have been scouring the internet for a solution to this and have come up dry. I feel that there has to be a way to do this, but can't figure it out. Is it possible to do at all? And if not I would really like to find some official documentation from Cisco stating that the ports are on by default and cannot be disabled so that I have something to give to our auditors.
Thanks!
06-14-2014 11:15 AM
You cannot shut off the telnet service completely on an IOS router, including the CGR 2010. This can be done on NX-OS ("no service telnet").
As Leo notes and as you mentioned you're already doing, securing the vty lines is considered a good practice. You might also add control plane policing. I've seen that configuration pass NERC audits used in nuclear plants here in the US.
As far as getting something official from Cisco, you'd have to open a TAC case or work with your reseller to get something from the business unit.
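Since the Telnet listener cannot be removed on IOS, an auditor will want evidence of the compensating controls named above (SSH-only vty lines, an access-class ACL, and control-plane policing). The following added example, not from the original thread or from Cisco, parses the open-ports output quoted in the question together with a hypothetical hardened running-config excerpt (the ACL name, policy-map name and police rate are assumed) and reports whether each control is present.

```python
import re

# Constructed sample input: the open-ports table quoted in the question, plus a
# hypothetical hardened running-config excerpt (assumed, not the poster's config).
OPEN_PORTS = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
udp *:123 *:0 NTP LISTEN
"""
RUNNING_CONFIG = """\
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
policy-map COPP-POLICY
 class class-default
  police 8000 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP-POLICY
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
"""

def listening_ports(output):
    """Map (proto, port) -> service for every LISTEN row of the open-ports table."""
    rows = re.findall(r"^(tcp|udp)\s+\S+:(\d+)\s+\S+\s+(\S+)\s+LISTEN", output, re.M)
    return {(proto, int(port)): svc for proto, port, svc in rows}

def block_lines(config, prefix):
    """Return the indented sub-lines of the top-level block that starts with `prefix`."""
    lines, inside = [], False
    for line in config.splitlines():
        if line.startswith(prefix):
            inside = True
        elif inside and line.startswith(" "):
            lines.append(line.strip())
        else:
            inside = False
    return lines

def telnet_audit(output=OPEN_PORTS, config=RUNNING_CONFIG):
    """Telnet always listens on IOS; report whether the compensating controls exist."""
    vty, cp = block_lines(config, "line vty"), block_lines(config, "control-plane")
    transports = {w for l in vty if l.startswith("transport input") for w in l.split()[2:]}
    return {
        "telnet_listening": ("tcp", 23) in listening_ports(output),
        "vty_ssh_only": transports == {"ssh"},          # only SSH accepted on the vty lines
        "vty_access_class": any(l.startswith("access-class") for l in vty),
        "copp_applied": any(l.startswith("service-policy input") for l in cp),
    }
```

Feed it the real `show control-plane host open-ports` and `show running-config` output to produce the same four findings for an audit record.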
06-13-2014 08:17 PM
I've never tried CGR before but TCP port 23 is Telnet. And you can "harden" your router by ensuring that the only way to remote into your CGR is via SSH. And this is done by doing this:
config t
 line vty 0 15
  transport input ssh
 end
06-14-2014 11:15 AM
Excellent Marvin, thank you! This is exactly what I needed to know. It is for a NERC audit too, so that is good to hear. We already have an ACL to deny telnet traffic but I think adding the CP policing will certainly do the trick to assuaging their concerns. Much appreciated!