How to terminate a portscan and disable telnet

xymososx
Level 1

Hi,

If I start a portscan with nmap on my IP, it shows me all my open ports. What can I do to make it "stealth"?

I will use telnet only in my LAN, not from the WAN side. From outside I use SSH, which is more secure. Can I disable the telnet function with an ACL?

Thanks,

regards

3 Replies

jmia
Level 7

You can ‘stealth’ all ports by applying:

icmp deny any outside

For your question on telnet, please read the URL below (pix 6.3 command reference)

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1025921

You shouldn’t be able to telnet to the PIX inside interface unless you have specifically set up telnet access for your inside clients (see URL above). I agree: to manage the PIX from any outside source, or even from inside, you’re better off using SSH or VPN.

One more thing before I forget: scan your PIX by going to www.grc.com and choosing ‘Shields Up’, then apply the icmp deny any outside command and check again. You should see all your ports in stealth mode.

Hope this helps and let me know how you get on.

Jay

Hi,

I'm not on a PIX. I use a C2621 with c2600-ik9o3s3-mz.123-6a.bin

I think I can't use the PIX syntax. Thanks for the help.

vadim

1. In IOS use the "no ip unreachables" interface command to disable sending ICMP unreachable replies out the interface. Note that this will not disable the forwarding of those messages through the router from hosts on your network, so you may want to also block them with an access-list.

2. Telnet uses TCP port 23, and SSH uses TCP 22. You'd need to configure an access-list on the outside interface to permit TCP/22 to the router's address. If you don't put an access-list on the inside interface, you'll be able to use both telnet and ssh to the router from the inside. That access-list line would look something like this:

access-list 101 permit tcp any any eq 22

Since you're getting a dynamic address from your ISP, you have to use "any" as the router's address. You'd also put any other security policies you need in that access-list, and since there's a default deny at the end of all ACLs, if you leave out a line that permits telnet, telnet from the outside will not be allowed. You apply the ACL to the interface with this interface command:

ip access-group 101 in

I hope this helps.
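As an added example (not posted in the thread), here is how both of vadim's points look as a complete IOS 12.3 configuration for a C2600, with the weak ACL that still admits telnet from the WAN shown next to the hardened one. The interface names Serial0/0 and FastEthernet0/0 are assumptions; the inside interface is left without an ACL, as the reply above describes.

```cisco
! Added example, not from the thread: IOS 12.3 config implementing vadim's advice
! on a C2600. Interface names are assumptions. The WAN address is dynamic, so
! "any" stands in for the router's own address as the ACL destination.
!
! --- Weak: management ACL that lets both SSH (tcp/22) and telnet (tcp/23) in
access-list 100 remark WEAK - telnet to the router reachable from the Internet
access-list 100 permit tcp any any eq 22
access-list 100 permit tcp any any eq 23
!
! --- Hardened: only SSH may reach the router from the WAN. Telnet would be
! dropped by the implicit deny anyway; the explicit "deny ... log" entry makes
! attempts visible in the log buffer ("show logging") instead of dropping silently.
no access-list 101
access-list 101 remark Management from WAN: SSH only
access-list 101 permit tcp any any eq 22
access-list 101 deny   tcp any any eq 23 log
! Any other inbound policy the LAN needs (return traffic, published services)
! belongs in this same list, before the implicit deny at the end.
!
! Outside interface: apply the hardened ACL inbound and suppress ICMP
! unreachables sent out this interface (including the ones IOS would generate
! for packets the ACL denies).
interface Serial0/0
 description WAN (dynamic address from ISP)
 ip access-group 101 in
 no ip unreachables
!
! Inside interface: no ACL, so telnet and SSH to the router both work from the LAN.
interface FastEthernet0/0
 description LAN
!
! vty lines keep telnet for LAN use; the outside ACL is what keeps it off the WAN.
! If telnet is not needed anywhere, "transport input ssh" removes it entirely.
line vty 0 4
 transport input telnet ssh
```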