08-24-2016 01:40 AM - edited 03-05-2019 04:33 AM
Hello guys, I typed this command to check open ports: show control-plane host open-ports
I noticed that ports 23, 22, 80 and 443 are open by default in the control plane.
Just a few questions:
1. Is there a way to close ports 23 and 22?
2. Are they needed by the router to operate normally?
3. What would happen if they are closed?
Thank you for any input.
08-24-2016 03:00 AM
Hi
23 and 22 are your remote access for vty: 23 is Telnet and 22 is SSH. You need SSH at least, unless you are only using the console to access your router. Telnet isn't really used anymore as it's insecure, but you just disable it in the CLI rather than with CoPP. 80 and 443 are HTTP and HTTPS; things like SDM, CP use them for GUI access, or if the router has voice services it may use the GUI as well.
I wouldn't make changes to your control plane unless you have a specific requirement to.
Block Telnet in the CLI:
line vty 0 4
 transport input ssh
Block Telnet and SSH (22/23):
line vty 0 4
 transport input none
08-25-2016 12:13 AM
Hi Mark, your help is greatly appreciated.
I changed it to this:
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!
I have another question. When I type this: show control-plane host open-ports
there are IP addresses connected to SSH that are not my IP, and it shows them as established.
Is it something I should be alarmed about?
Thanks.
08-25-2016 12:24 AM
Hi Chris
Did you check who owns the IP? It should only be IPs from your network or that have access to the device. Like below: I'm logged in from the 172 PC in the LAN, and it shows
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 172.21.7.135:34013 SSH-Server ESTABLIS
If you do a show users and show line you can see what they came in on, and then remove it with clear line x to close it.
xxxxx#show users
Line User Host(s) Idle Location
* 2 vty 0 mmalone idle 00:00:00 xxxxxxxxxxxx
Interface User Mode Idle Peer Address
xxxxxxxxx#show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 CTY - - - - - 0 0 0/0 -
1 AUX 9600/9600 - - - - - 0 0 0/0 -
* 2 VTY - - - - 166 68667 0 0/0 -
3 VTY - - - - 166 1971 0 0/0 -
4 VTY - - - - 166 284 0 0/0 -
5 VTY - - - - 166 222 0 0/0 -
6 VTY - - - - 166 183 0 0/0 -
7 VTY - - - - 166 144 0 0/0 -
8 VTY - - - - 166 139 0 0/0 -
9 VTY - - - - 166 103 0 0/0 -
10 VTY - - - - 166 34 0 0/0 -
11 VTY - - - - 166 9 0 0/0 -
12 VTY - - - - 166 4 0 0/0 -
13 VTY - - - - 166 3 0 0/0 -
14 VTY - - - - 166 3 0 0/0 -
15 VTY - - - - 166 3 0 0/0 -
16 VTY - - - - 166 2 0 0/0 -
17 VTY - - - - 166 2 0 0/0 -
08-25-2016 12:56 AM
router_xxx#sh users
Line User Host(s) Idle Location
132 vty 0 idle 00:00:15 116.31.116.47
*133 vty 1 my_username idle 00:00:09 x.x.x.x --my ip address
134 vty 2 idle 00:00:17 116.31.116.47 -china address
Interface User Mode Idle Peer Address
router_xxx#sh line
Tty Line Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
0 0 CTY - - - - - 0 0 0/0 -
1 1 AUX 9600/9600 - - - - - 0 0 0/0 -
2 2 TTY 9600/9600 - - - - - 0 0 0/0 -
* 132 132 VTY - - - - - 179506 0 0/0 -
* 133 133 VTY - - - - - 140687 0 0/0 -
* 134 134 VTY - - - - - 105559 0 0/0 -
135 135 VTY - - - - - 74636 0 0/0 -
136 136 VTY - - - - - 48781 0 0/0 -
137 137 VTY - - - - - 30240 0 0/0 -
138 138 VTY - - - - - 17666 0 0/0 -
139 139 VTY - - - - - 10189 0 0/0 -
140 140 VTY - - - - - 5753 0 0/0 -
141 141 VTY - - - - - 3259 0 0/0 -
142 142 VTY - - - - - 1869 0 0/0 -
143 143 VTY - - - - - 1001 0 0/0 -
144 144 VTY - - - - - 533 0 0/0 -
145 145 VTY - - - - - 214 0 0/0 -
146 146 VTY - - - - - 90 0 0/0 -
147 147 VTY - - - - - 41 0 0/0 -
It's a China IP address but no user name. Is there anything I should do? Thank you in advance.
08-25-2016 01:02 AM
Yes, get rid of it if you're not sure:
clear line 2
Also make sure your vty is locked down with an ACL so you only allow in who you want:
access-class 100 in --as example
And for a bit more security you could add the below as well; it will slow down any automated login attempts and generate a log:
login block-for 120 attempts 3 within 30
login on-failure log every 1
login on-success log every 1
08-25-2016 01:19 AM
Thank you very much, you're of great help.
I set this:
login block-for 120 attempts 3 within 30
login on-failure log every 1
login on-success log every 1
Sorry, how do I view the logs?
08-25-2016 01:21 AM
Hi Mark,
Also make sure your vty is locked down with an ACL so only you allow who you want in
access-class 100 in --as example
I already have a standard access list on the incoming interface.
Do I need to remove it and change to an extended access list?
Thanks.
08-25-2016 01:29 AM
Hi
You will only see the log in show log when it blocks someone. Try 3 bogus login attempts yourself; it should block and generate a log.
A standard ACL is fine; it's just to make sure there's one there.
08-25-2016 03:15 AM
How do I configure it to allow a specific IP to access the vty lines?
I'm following this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html
But I can only do it with the commands below:
Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)# line vty 5 10
Are the above commands sufficient to restrict vty access?
Thank you.
08-25-2016 03:58 AM
Hi, the ACL is fine if that subnet is all you want allowed in, but it must be applied to the vty too. Then test it: try to come in from another subnet to that switch that's not in the ACL, and make sure it's blocking you and you can't get in.
line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
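A small audit script for the two points Mark makes above: checking which vty sessions come from outside your own network before clearing the line, and building the standard ACL that access-class applies. This is an added example, not code from the thread or from Cisco; the show users text is a constructed sample shaped like Chris's output, and 172.16.0.0/16 is assumed as the management subnet from his access-list 1 line.

```python
import ipaddress

# Constructed sample shaped like the 'sh users' output in the thread (two outside sessions, one local)
SAMPLE_SHOW_USERS = """\
router_xxx#sh users
    Line       User       Host(s)              Idle       Location
 132 vty 0                idle                 00:00:15 116.31.116.47
*133 vty 1     my_username idle                00:00:09 172.16.5.20
 134 vty 2                idle                 00:00:17 116.31.116.47
  Interface    User               Mode         Idle     Peer Address
"""

def parse_vty_sessions(show_users_text):
    """One dict per vty row: absolute line, vty index, user, source address."""
    sessions = []
    for raw in show_users_text.splitlines():
        current = raw.lstrip().startswith("*")  # '*' marks the session you are on
        tokens = raw.lstrip(" *").split()
        # Row shape: <line> vty <n> [user] <host> <idle> <location>; user may be blank
        if len(tokens) < 6 or tokens[1] != "vty":
            continue
        sessions.append({"line": int(tokens[0]), "vty": int(tokens[2]),
                         "user": tokens[3] if len(tokens) == 7 else "",
                         "location": tokens[-1], "current": current})
    return sessions

def foreign_sessions(sessions, allowed_prefixes):
    """Sessions whose source address is outside every allowed prefix (or unparseable)."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    flagged = []
    for s in sessions:
        try:
            addr = ipaddress.ip_address(s["location"])
        except ValueError:  # hostname or garbage in Location: review it too
            flagged.append(s)
            continue
        if not any(addr in net for net in nets):
            flagged.append(s)
    return flagged

def clear_line_commands(flagged):
    """'clear line <n>' per flagged session, never for the line you are logged in on."""
    return [f"clear line {s['line']}" for s in flagged if not s["current"]]

def vty_acl_config(allowed_prefixes, acl_number=1, last_vty=15):
    """Standard ACL in IOS wildcard-mask form, applied to the vty lines with SSH only."""
    lines = [f"access-list {acl_number} permit {n.network_address} {n.hostmask}"
             for n in map(ipaddress.ip_network, allowed_prefixes)]
    lines += [f"line vty 0 {last_vty}", f" access-class {acl_number} in", " transport input ssh"]
    return lines
```

Run it against pasted show users output, compare the flagged lines with clear line before you issue it, and apply the ACL to every vty range (0 4 and 5 15), not just one.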