11-22-2005 07:46 AM - edited 03-03-2019 12:53 AM
Anyone know offhand how to remove Telnet and Finger services from a 1700 series router running IOS 12.1 or 12.2?
I figured it'd be as simple as 'no telnet service' or 'no telnet server' just like the 'no http server' command, but no such luck.
Also, I was poking around trying to find out if the 1700 series routers supported secure telnet or SSH, but haven't found a definitive answer.
11-22-2005 07:55 AM
Hi
You can disable the finger service using the 'no service finger' command, and you can block telnet connections and enable SSH by using 'transport input ssh'.
For configuring SSH you can refer to this link, but do remember that you need to have 3DES support in your IOS code to support it.
http://www.cisco.com/warp/public/707/ssh.shtml
Regards
11-22-2005 12:07 PM
Thank you for the info on SSH, I'll read up on it. From the sounds of it I'll need to acquire a new IOS version. Hopefully my company is up to date on our support contracts.
I tried the 'no service finger' command before, but it doesn't appear in my running config. Or is it not supposed to? I see my 'no service password-encryption' and 'no ip http server' settings in 'sh run' but still do not see the 'no service finger'.
11-22-2005 04:00 PM
'no service finger' appears to be the default setting in your case, and that's the reason why it doesn't show up in the running config.
Before you upgrade the IOS and configure SSH, if you are looking to block telnet access completely, apply an access list to the vty ports to block telnet access. Here's an example.
E.g.
line vty 0 4
 access-class 1 in
access-list 1 deny any
HTH,
Sundar
11-22-2005 06:26 PM
Sundar
Your suggested solution will certainly block any telnet access and also will block EVERYTHING else that attempts remote access. I am not sure that is what the original post had in mind.
The access-class command controls any access (based only on source address) - no matter what protocol it is trying to use for access. My understanding of the original post was that he was interested in a secure remote access such as SSH. Your suggestion would prevent this.
HTH
Rick
11-22-2005 08:53 PM
Rick,
I suggested blocking telnet using access class as an INTERIM solution only before he can upgrade the IOS to enable SSH.
Cheers,
Sundar
11-23-2005 10:58 AM
I don't think 'no service finger' is the default. A recent audit shows finger as open on these routers and they told us to shut it off.
I can't block Telnet altogether, so I'll need to implement SSH as soon as I can. But I still cannot figure out how to turn finger off.
11-23-2005 02:52 PM
There are two commands to disable finger service on a router.
Newer command - no ip finger
Older command - no service finger
Cisco routers support both commands. Even after entering these commands, if you suspect the finger service is still enabled on a router, go ahead and add 'ip finger' or 'service finger' in global config mode and see what happens. The router would add the 'ip finger' command to the configuration.
I don't know of a show command that tells you whether finger service is enabled. Hence, this probably is your best bet.
HTH,
Sundar
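Added example, not part of the original thread: a small Python check that reads a saved running-config and reports the three conditions discussed above (finger explicitly enabled, a vty line that still accepts telnet, and an access-class whose ACL denies every source and so blocks SSH as well). The function names and the sample config are constructed for illustration, and treating a vty with no 'transport input' line as accepting telnet is an assumption; a config with no finger line at all depends on the IOS default and is not flagged.

```python
import re

# Constructed 'show running-config' excerpt for illustration (not from the thread).
SAMPLE = """\
ip finger
access-list 1 deny any
access-list 2 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 2 in
 transport input ssh
"""

def check_vty(name, body, acls):
    """Return findings for one 'line vty' block (hypothetical helper)."""
    out = []
    transport = next((l.split()[2:] for l in body if l.startswith("transport input")), None)
    # Assumption: with no 'transport input' line, the vty accepts telnet.
    if transport is None or {"telnet", "all"} & set(transport):
        out.append((name, "telnet allowed"))
    m = next((re.match(r"access-class (\d+) in", l) for l in body if l.startswith("access-class")), None)
    # An ACL with entries but no permit rejects every source, SSH included.
    if m and m.group(1) in acls and "permit" not in acls[m.group(1)]:
        out.append((name, "access-class %s denies all remote access" % m.group(1)))
    return out

def audit(config):
    findings, acls, vty, body = [], {}, None, []
    lines = config.splitlines()
    for l in lines:  # first pass: collect permit/deny actions per numbered ACL
        m = re.match(r"access-list (\d+) (permit|deny)\b", l)
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2))
    for l in lines + ["!"]:  # sentinel closes the last vty block
        if vty and not l.startswith(" "):
            findings += check_vty(vty, body, acls)
            vty, body = None, []
        if re.match(r"(ip|service) finger\b", l):  # either spelling enables finger
            findings.append(("global", "finger enabled: " + l))
        elif l.startswith("line vty"):
            vty = l
        elif vty:
            body.append(l.strip())
    return findings

if __name__ == "__main__":
    for where, what in audit(SAMPLE):
        print(where + ": " + what)
```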