03-02-2004 11:21 AM - edited 03-02-2019 01:58 PM
All:
Ran Nmap against e0, 7406.
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
2001/tcp open dc
6001/tcp open X11:1
I'd like to disable telnet and use SSH (tcp22).
I also don't like tcp2001 or 6001.
tcp2001 shows up in a port list as a trojan, and 6001 isn't listed.
2001 TCP dc Der Spaeher 3, TransScout, Trojan Cow, Der Späher / Der Spaeher, DIRT, TrojanCow
How do I open up 22, shutdown 23 and 2001,6001?
tia/rgds
S
03-03-2004 01:22 PM
I don't think the above answer is what you wanted, although that will work. To SSH to your router instead of Telnet you just need to install the IOS that has the SSH stuff in it, such as the firewall/IPSEC/3DES. Then just follow the steps found here http://www.cisco.com/warp/public/707/ssh.shtml and you'll be on your way. I'd set the VTY 0 15 to prefer SSH inbound. This will not allow any telnet to your router.
One problem (if it can be called that) is that when you enable SSH on the router the longest time you can be without activity is 60 sec., which kind of sucks. Who wants to be kicked out after not doing something for 1 minute? But I guess it's a security thing.
You can disable the HTTP stuff by doing the command "no ip http server".
As for the other stuff I'd just build ACLs to stop them. If you just want to block them but allow everything else (not sure why you would, but hey)
I'd do something like this:
access-list 150 deny tcp any any eq 2001
access-list 150 deny tcp any any eq 6001
access-list 150 permit ip any any
Note that I'm not sure why the router has 2001 and 6001 enabled and there may be a very good reason. But I can think of why they would need those ports.
Hope this helps
If not let me know and we'll get it worked out.
Good luck.
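As an added example (not from the thread or from Cisco's page), here is what the whole change looks like on an IOS router: SSH enabled, telnet refused on the vty lines, the HTTP server off, and the reverse-telnet listeners behind 2001/6001 closed. The hostname, domain, username, management subnet, ACL numbers and the Ethernet0 interface name are assumptions; the mapping of 2001/6001 to the AUX line should be confirmed with `show line` on the actual box.

```cisco
! Added example, not the thread's own config. Names and numbers are assumed.
hostname r7406
ip domain-name example.internal
! Local account so SSH logins do not depend on the line password
username admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
! An RSA key pair must exist before the SSH server starts (2048 bits assumed)
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh authentication-retries 3
!
! tcp/80: stop the HTTP server, as the answer above says
no ip http server
!
! tcp/23: the vty lines accept only SSH, so telnet is refused at the transport
! layer and needs no ACL. exec-timeout is the idle timeout of an established
! session (10 minutes here).
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
 access-class 10 in
!
! Only the management subnet (assumed) may open an SSH session at all
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
! tcp/2001 and tcp/6001 are IOS reverse-telnet listeners for async line 1
! (normal and binary mode), which is the AUX port on a router with no tty
! lines. Refusing inbound transports on that line closes both listeners.
! Confirm the line number with "show line" before relying on this.
line aux 0
 no exec
 transport input none
!
! The answer's access-list 150 only has an effect once it is applied to the
! interface that was scanned (e0; the exact interface name is assumed).
access-list 150 deny tcp any any eq 2001
access-list 150 deny tcp any any eq 6001
access-list 150 permit ip any any
interface Ethernet0
 ip access-group 150 in
```

Re-run the same nmap scan against e0 afterwards; only 22/tcp should still show as open.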
03-02-2004 12:26 PM
The Cisco router comes by default with a telnet server. That's the only way the server can be remotely administered. If you want, you can put an access list for the telnet on "line vty 0 4" and then use the console/hyperterminal for administering.
-ramesh
03-04-2004 04:53 AM
Got it ... just what I needed.
Hmmm... I wonder if anyone else has run nmap against their router?
S
03-04-2004 01:03 PM
You can also deny telnet altogether and manage the device with SSH.
See the following link