Open ports

chrissnop
Level 1

Hello guys, I typed this command to check open ports: show control-plane host open-ports

I notice that ports 23, 22, 80 and 443 are open by default in the control plane.

Just a few questions:

1. Is there a way to close ports 23 and 22?

2. Are they needed for the router to operate normally?

3. What would happen if they are closed?

Thank you for any inputs.

2 Accepted Solutions

10 Replies

Mark Malone
VIP Alumni

Hi

23 and 22 are your remote access for vty: 23 is telnet and 22 is ssh. You need ssh at least, unless you are only using the console to access your router. Telnet's not really used anymore as it's insecure, but you just disable it in the CLI rather than with CoPP. 80 and 443 are http and https; things like SDM and CP use them for GUI access, or if the router has voice services it may use the GUI as well.

I wouldn't make changes to your control plane unless you have a specific requirement to.

Block telnet in the CLI:

line vty 0 4
 transport input ssh

Block telnet and ssh (22/23):

line vty 0 4
 transport input none

Hi Mark, your help is greatly appreciated.

I changed to this:

line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
!

I've got another question. When I type this: show control-plane host open-ports

There are IP addresses connected to SSH and they're not my IP; it shows established.

Is it something I should be alarmed about?

Thanks.

Hi Chris

Did you check who owns the IP? It should only be IPs from your network, or ones that have access to the device. Like below, where it shows I'm logged in from the 172 PC in the LAN:

Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                        *:22          172.21.7.135:34013               SSH-Server ESTABLIS

If you do a show users and show line you can see what they came in on, and then remove it with clear line x to close it.

xxxxx#show users
    Line       User       Host(s)              Idle       Location
*  2 vty 0     mmalone    idle                 00:00:00 xxxxxxxxxxxx

  Interface    User               Mode         Idle     Peer Address

xxxxxxxxx#show line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
      0 CTY              -    -      -    -    -      0       0     0/0       -
      1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
*     2 VTY              -    -      -    -  166  68667       0     0/0       -
      3 VTY              -    -      -    -  166   1971       0     0/0       -
      4 VTY              -    -      -    -  166    284       0     0/0       -
      5 VTY              -    -      -    -  166    222       0     0/0       -
      6 VTY              -    -      -    -  166    183       0     0/0       -
      7 VTY              -    -      -    -  166    144       0     0/0       -
      8 VTY              -    -      -    -  166    139       0     0/0       -
      9 VTY              -    -      -    -  166    103       0     0/0       -
     10 VTY              -    -      -    -  166     34       0     0/0       -
     11 VTY              -    -      -    -  166      9       0     0/0       -
     12 VTY              -    -      -    -  166      4       0     0/0       -
     13 VTY              -    -      -    -  166      3       0     0/0       -
     14 VTY              -    -      -    -  166      3       0     0/0       -
     15 VTY              -    -      -    -  166      3       0     0/0       -
     16 VTY              -    -      -    -  166      2       0     0/0       -
     17 VTY              -    -      -    -  166      2       0     0/0       -
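Mark's check ("should only be IPs from your network") done mechanically: an added Python example, not from the thread, that parses `show control-plane host open-ports` output and flags established sessions whose peer is outside the management range the vty access-class would permit. The sample output mirrors the format quoted above with the two peer addresses from the thread; the foreign port 51022 and the 172.21.0.0/16 allowed range are assumptions for the example.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample modelled on the 'show control-plane host open-ports' output
# quoted in the thread. The two peer addresses appear in the thread; the foreign
# port 51022 on the last row is made up for this example.
SAMPLE_OPEN_PORTS = """\
Prot               Local Address             Foreign Address                  Service    State
 tcp                        *:22                         *:0               SSH-Server   LISTEN
 tcp                        *:23                         *:0                   Telnet   LISTEN
 tcp                        *:22          172.21.7.135:34013               SSH-Server ESTABLIS
 tcp                        *:22         116.31.116.47:51022               SSH-Server ESTABLIS
"""

# Assumed management range: the same hosts the vty access-class ACL would permit.
ALLOWED_MGMT = ["172.21.0.0/16"]

# Exactly five whitespace-separated fields; the seven-word header never matches.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(text: str) -> List[dict]:
    """Turn each socket row into a dict; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue
        prot, local, foreign, service, state = m.groups()
        rows.append({"prot": prot, "local": local, "foreign": foreign,
                     "service": service, "state": state})
    return rows


def unexpected_sessions(text: str,
                        allowed: Iterable[str] = ALLOWED_MGMT) -> List[Tuple[str, str, int]]:
    """Established peers outside the allowed networks, as (service, peer, port).
    IOS truncates the State column ('ESTABLIS'), so match on the prefix.
    Foreign addresses are assumed to be IPv4 'a.b.c.d:port'."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    flagged = []
    for row in parse_open_ports(text):
        if not row["state"].upper().startswith("ESTAB"):
            continue
        host, _, port = row["foreign"].rpartition(":")
        peer = ipaddress.ip_address(host)
        if not any(peer in net for net in nets):
            flagged.append((row["service"], str(peer), int(port)))
    return flagged
```

Paste the live command output in place of the sample; anything returned is a session to look up in show users and show line before clearing it.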

router_xxx#sh users
    Line       User          Host(s)    Idle       Location
 132 vty 0                   idle       00:00:15   116.31.116.47
*133 vty 1     my_username   idle       00:00:09   x.x.x.x         --my ip address
 134 vty 2                   idle       00:00:17   116.31.116.47   --china address

Interface User Mode Idle Peer Address

router_xxx#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
     0    0 CTY              -    -      -    -    -      0       0     0/0       -
     1    1 AUX   9600/9600  -    -      -    -    -      0       0     0/0       -
     2    2 TTY   9600/9600  -    -      -    -    -      0       0     0/0       -
*  132  132 VTY              -    -      -    -    - 179506       0     0/0       -
*  133  133 VTY              -    -      -    -    - 140687       0     0/0       -
*  134  134 VTY              -    -      -    -    - 105559       0     0/0       -
   135  135 VTY              -    -      -    -    -  74636       0     0/0       -
   136  136 VTY              -    -      -    -    -  48781       0     0/0       -
   137  137 VTY              -    -      -    -    -  30240       0     0/0       -
   138  138 VTY              -    -      -    -    -  17666       0     0/0       -
   139  139 VTY              -    -      -    -    -  10189       0     0/0       -
   140  140 VTY              -    -      -    -    -   5753       0     0/0       -
   141  141 VTY              -    -      -    -    -   3259       0     0/0       -
   142  142 VTY              -    -      -    -    -   1869       0     0/0       -
   143  143 VTY              -    -      -    -    -   1001       0     0/0       -
   144  144 VTY              -    -      -    -    -    533       0     0/0       -
   145  145 VTY              -    -      -    -    -    214       0     0/0       -
   146  146 VTY              -    -      -    -    -     90       0     0/0       -
   147  147 VTY              -    -      -    -    -     41       0     0/0       -

It's a China IP address but no user name. Is there anything I should do? Thank you in advance.

Yes, get rid of it if you're not sure:

clear line 2

Also make sure your vty is locked down with an ACL so you only allow in who you want:

access-class 100 in --as example

And for a bit more security you could add the below as well; it will slow down any automated attempts to login and set a log:

login block-for 120 attempts 3 within 30
login on-failure log every 1
login on-success log every 1

Thank you very much, you're of great help.

I set this: 

login block-for 120 attempts 3 within 30
login on-failure log every 1
login on-success log every 1

Sorry, how do I view the logs?

Hi Mark,

Also make sure your vty is locked down with an ACL so only you allow who you want in

access-class 100 in --as example

I already have the standard access list for the incoming interface.

Do I need to remove it and change to an extended access list?

Thanks.

Hi

You will only see the log when it blocks someone, in show log. Try 3 bogus attempts yourself to log in; it should block and generate a log.

And a standard ACL is fine; it's just to make sure there's one there.

How to configure to allow specific IP to access vty lines?

I'm following this link: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/12-4t/sec-data-acl-12-4t-book/sec-cntrl-acc-vtl.html

But I can only do it with the commands below:

Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)# line vty 5 10

Are the above commands sufficient to restrict vty access?

Thank you.

Hi, the ACL is fine if that subnet is all you want allowed in, but it must be applied to the vty too. Then test it: try to come in to that switch from another subnet that's not in the ACL, and make sure it's blocking you and you can't get in.

line vty 0 4
 access-class 1 in
line vty 5 15
 access-class 1 in
