Cannot Telnet to Sensor

bmunroe
Level 1

We are running an IDS-4220 which is configured to communicate with Director. The sensor is running OS version 2.5. Another team within my group performed the original configuration, but then passed it on to me to finish things up. All the parameters within "sysconfig-sensor" appear to be good. I can ping the management interface on the sensor just fine, and I get a solid connection when I run "nronns"...

Connection Status for [SensorName] [DirectorName] Connection 1: [DirectorIP] 45000 1 [Established]

sto:0164 with Version 1

The Problem:

I cannot telnet to the management interface on the sensor, either from the Director server or even from a host on the same segment. I have verified that the IP address of the Director and of the host on the same segment that I'm attempting to telnet from are listed under (#5) Network Access Control. I noticed that in sensor OS v3.0 there is a setting in (#9) Secure Communications that allows one to disable or enable Telnet access, but this feature does not appear anywhere in the menu options for v2.5.

I apologize for the length of this posting. Any help would be greatly appreciated. Thanks.

2 Replies

marcabal
Cisco Employee

Have you tried telnetting from the sensor back to itself?

You may have to add the sensor to its own access list before trying it.

If it doesn't work then your predecessor may have manually disabled the telnet service on the sensor. You can try looking into the /etc/inetd.conf if you are Unix savvy, or try re-imaging the sensor from the 2.5 CD if you are not Unix savvy.

If it works, are you connecting to the sensor through a firewall? If so, the address being seen at the sensor may be the NAT'd address of the telnet client instead of the actual address of the telnet client.

brok3n
Level 1

Grep for telnet in /etc/inetd.conf while logged into the sensor in question.

Issue the following command (as netrangr):

grep telnet /etc/inetd.conf | grep stream

You will get a few lines returned; the important one is the one that starts "telnet stream". If that line has a "#" in front of it, regardless of what the GUI tells you, it is disabled.

If it is NOT present, then you are having an issue with the tcp wrappers being used as access control.

TCP wrappers are launched prior to telnet being forked off and do some checks based on the source IP address (they can do other things as well); they reference the files /etc/hosts.allow and /etc/hosts.deny. The default Cisco hosts.deny file states:

ALL:ALL

which implicitly denies access to the services under TCP wrapper control.

/etc/hosts.allow contains lines that look like this:

ALL:192.168.10.1

which gives access to all TCP-wrappered services from the IP address listed. Make sure that the host you are trying to telnet TO the sensor FROM is listed in this file. If it is not, then you will not be able to telnet/ftp/etc to this box.

My .02.

-jm
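The two checks in the reply above (the commented "telnet stream" line in inetd.conf, and the hosts.allow / hosts.deny lookup that tcp_wrappers does for the connecting IP), written up as an added example that is not from the thread or from Cisco. It builds constructed copies of the three files so it can be run off the sensor; it assumes the telnet daemon is registered with tcp_wrappers as in.telnetd and only handles "daemon:client" lines with exact IPs or ALL (real tcp_wrappers syntax also has netmasks, domain suffixes and EXCEPT).

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the two checks above
# (inetd.conf telnet line, tcp_wrappers hosts.allow/hosts.deny) against
# constructed sample files so the logic can be tried off the sensor.
# Assumptions: daemon name in.telnetd, "daemon:client" lines, exact IPs or
# ALL only; real tcp_wrappers syntax (netmasks, domains, EXCEPT) is richer.
set -e
TMP=${TMPDIR:-/tmp}/wrapcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed sample files mirroring the defaults described in the thread.
cat > "$TMP/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
printf 'ALL:ALL\n' > "$TMP/hosts.deny"
printf '# allow the Director host\nALL:192.168.10.1\n' > "$TMP/hosts.allow"

# telnet_status FILE -> absent | disabled | enabled (the three cases in the reply)
telnet_status() {
    line=$(grep telnet "$1" | grep stream | head -n 1 | sed 's/^[[:space:]]*//' || true)
    case "$line" in
        '')  echo absent ;;     # no telnet line at all: look at tcp_wrappers next
        \#*) echo disabled ;;   # commented out, whatever the GUI says
        *)   echo enabled ;;
    esac
}

# wrapper_match FILE IP -> succeeds if FILE has a rule for in.telnetd (or ALL)
# naming IP (or ALL); comments and whitespace are stripped first.
wrapper_match() {
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed 's/#.*//; s/[[:space:]]//g' "$1" | grep -Eq "^(ALL|in\\.telnetd):(ALL|$ip_re)"'(,|$)'
}

# access_decision IP -> allow | deny, in tcp_wrappers order: hosts.allow wins,
# then hosts.deny, and a client matched by neither file is allowed.
access_decision() {
    if   wrapper_match "$TMP/hosts.allow" "$1"; then echo allow
    elif wrapper_match "$TMP/hosts.deny"  "$1"; then echo deny
    else echo allow
    fi
}

echo "telnet in inetd.conf: $(telnet_status "$TMP/inetd.conf")"   # disabled
echo "192.168.10.1: $(access_decision 192.168.10.1)"               # allow
echo "10.0.0.5:     $(access_decision 10.0.0.5)"                   # deny
```

Point the two functions at the real /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny on the sensor to reproduce the diagnosis for the actual client address (the NAT'd one, if a firewall sits in between).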