Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4826
Views
0
Helpful
3
Replies

Is it possible to completely disable port 23 on a Cisco device?

Go to solution
Jmeusel618
Level 1
Level 1

‎06-13-2014 10:51 AM - edited ‎02-21-2020 05:12 AM

When we run the 'show control-plane host open-ports' command on any of our routers (but specifically a CGR 2010) we are seeing port 23 in a listening state.

Active internet connections (servers and established)
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0                                    SSH-Server   LISTEN
 tcp                        *:23                         *:0                                              Telnet   LISTEN
 udp                       *:123                       *:0                                                NTP   LISTEN

 

Our auditors are leery of this even though we have shown that we do not have telnet enabled on the VTY lines, only SSH, and there is an ACL in place for further protection. Is there ANY way to completely disable port 23 to keep it from running AT ALL upon startup? I have been scouring the internet for a solution to this and have come up dry. I feel that there has to be a way to do this, but can't figure it out. Is it possible to do at all? And if not I would really like to find some official documentation from Cisco stating that the ports are on by default and cannot be disabled so that I have something to give to our auditors.

Thanks!

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-14-2014 11:15 AM

You cannot shut off the telnet service completely on an IOS router, including the CGR 2010. This can be done on NX-OS ("no service telnet").

As Leo notes and as you mentioned you're already doing, securing the vty lines is considered a good practice. You might also add control plane policing. I've seen that configuration pass NERC audits used in nuclear plants here in the US.

As far as getting something official from Cisco, you'd have to open a TAC case or work with your reseller to get something from the business unit.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎06-13-2014 08:17 PM

I've never tried CGR before but TCP port 23 is Telnet.  And you can "harden" your router by ensuring that the only way to remote into your CGR is via SSH.  And this is done by doing this: 

 

config t
line vty 0 15
transport input ssh
end
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-14-2014 11:15 AM

You cannot shut off the telnet service completely on an IOS router, including the CGR 2010. This can be done on NX-OS ("no service telnet").

As Leo notes and as you mentioned you're already doing, securing the vty lines is considered a good practice. You might also add control plane policing. I've seen that configuration pass NERC audits used in nuclear plants here in the US.

As far as getting something official from Cisco, you'd have to open a TAC case or work with your reseller to get something from the business unit.

0 Helpful

Go to solution
Jmeusel618
Level 1
Level 1
In response to Marvin Rhoads

‎06-14-2014 11:15 AM

Excellent Marvin, thank you! This is exactly what I needed to know. It is for a NERC audit too, so that is good to hear. We already have an ACL to deny telnet traffic but I think adding the CP policing will certainly do the trick to assuaging their concerns. Much appreciated!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card