08-07-2012 01:49 PM - edited 03-07-2019 08:12 AM
Hi,
I'm just asking for more security.
Can I change the default port for telnet from 23 to another port, so as to prevent cracking tools and guessing programs???
regards
08-07-2012 04:03 PM
There are 2 ways that you can do it. You can set up a rotary on the line, but this restricts you to 30xx or 70xx and doesn't allow 9000 as far as I know. The other way is to set up nat for destinations to tcp/23
ip nat inside source static tcp
The above would work whenever it sees port 9000 inbound to the public side interface (you'd want to obviously fix the direction that you'd need)
The other way is the rotary method. Say that you're okay with 7034 as a port. You'd create an acl and then apply it to the line:
access-list 123 permit tcp any any eq 7034
line vty 0 4
access-class 123 in
rotary 34
I would recommend disabling telnet if you can though. If not, use non-dictionary passwords, set login retries, set account lockouts, etc.
Also, moving a port from telnet won't hide from an attacker. Port scanners will still find it...
HTH,
John
** Please rate all useful posts **
08-08-2012 12:40 AM
Hi,
I think using an ACL will hurt my CPU,
so what about
setting up a rotary?????
I'm using Cisco 7600 and 7200.
regards
08-08-2012 03:30 PM
You can set up a rotary. Whatever number you choose for your rotary will be appended to ports 3000 and 7000. So, you can use 34 for 3034 and 7034, 56 for 3056 and 7056, etc. Then you would create an acl that permits only the port that you want to use. Creating an acl for this will not affect the cpu at all.
HTH,
John
** Please rate useful posts **
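Putting the two replies together, here is an added example configuration (not from the posts above) that combines the rotary and access-class John describes with the retry/lockout hardening he recommends. It assumes rotary 34, that management hosts live in 192.0.2.0/24 (a placeholder subnet), and that telnet must stay enabled for now.

```cisco
! Added example, not the original poster's or John's config.
! Only hosts in the placeholder management subnet may log in.
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
! Lockout after repeated failures: block all logins for 120 s after
! 5 failed attempts within 60 s, but never lock out management hosts.
login block-for 120 attempts 5 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
!
! Permit only the rotary ports (3034/7034) from the management subnet;
! everything else, including plain tcp/23, is denied and logged.
access-list 123 permit tcp 192.0.2.0 0.0.0.255 any eq 3034
access-list 123 permit tcp 192.0.2.0 0.0.0.255 any eq 7034
access-list 123 deny   tcp any any log
!
line vty 0 4
 access-class 123 in
 rotary 34
 exec-timeout 10 0
 login local
 transport input telnet
```

Once an RSA key has been generated, changing "transport input telnet" to "transport input ssh" removes telnet entirely, which is the option John recommends first.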