Is it possible to completely disable port 23 on a Cisco device?

Jmeusel618
Level 1

When we run the 'show control-plane host open-ports' command on any of our routers (but specifically a CGR 2010) we are seeing port 23 in a listening state.

Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service     State
tcp   *:22           *:0              SSH-Server  LISTEN
tcp   *:23           *:0              Telnet      LISTEN
udp   *:123          *:0              NTP         LISTEN

Our auditors are leery of this even though we have shown that we do not have telnet enabled on the VTY lines, only SSH, and there is an ACL in place for further protection. Is there ANY way to completely disable port 23 to keep it from running AT ALL upon startup? I have been scouring the internet for a solution to this and have come up dry. I feel that there has to be a way to do this, but can't figure it out. Is it possible to do at all? And if not, I would really like to find some official documentation from Cisco stating that the ports are on by default and cannot be disabled, so that I have something to give to our auditors.

Thanks!

1 Accepted Solution

Marvin Rhoads
Hall of Fame

You cannot shut off the telnet service completely on an IOS router, including the CGR 2010. This can be done on NX-OS ("no service telnet").

As Leo notes and as you mentioned you're already doing, securing the vty lines is considered a good practice. You might also add control plane policing. I've seen that configuration pass NERC audits used in nuclear plants here in the US.

As far as getting something official from Cisco, you'd have to open a TAC case or work with your reseller to get something from the business unit.

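A control plane policing configuration of the kind Marvin mentions, as an added example that is not from this thread or from Cisco. The ACL, class-map and policy-map names are chosen here, and the syntax assumes a classic IOS MQC control-plane policy; it complements "transport input ssh" rather than replacing it.

```ios
! Added example, not from the original post. Object names are assumptions.
! Goal: discard TCP/23 packets addressed to the router before the IOS
! Telnet listener ever sees them. Port 23 still shows LISTEN in
! 'show control-plane host open-ports'; the policy drops what reaches it.
!
! In a CoPP ACL, "permit" means "this traffic matches the class";
! the class action below decides what happens to it.
ip access-list extended COPP-MATCH-TELNET
 permit tcp any any eq 23
!
class-map match-all COPP-TELNET
 match access-group name COPP-MATCH-TELNET
!
policy-map COPP-INBOUND
 class COPP-TELNET
  drop
 class class-default
!
! Apply the policy to traffic punted to the control plane.
control-plane
 service-policy input COPP-INBOUND
!
! Verification for the audit trail:
!   show policy-map control-plane    (COPP-TELNET drop counters increment
!                                     on any connection attempt to port 23)
!   show control-plane host open-ports
!                                    (port 23 remains listed; that is expected)
```

Keep the existing vty ACL and "transport input ssh" in place; the policy is a second layer, and the counters give the auditors evidence that port 23 traffic is being discarded.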

3 Replies

Leo Laohoo
Hall of Fame

I've never tried CGR before, but TCP port 23 is Telnet. And you can "harden" your router by ensuring that the only way to remote into your CGR is via SSH. And this is done by doing this:


config t
line vty 0 15
transport input ssh
end


Excellent Marvin, thank you! This is exactly what I needed to know. It is for a NERC audit too, so that is good to hear. We already have an ACL to deny telnet traffic, but I think adding the CP policing will certainly do the trick to assuage their concerns. Much appreciated!
