04-10-2011 06:54 AM - last edited on 03-25-2019 04:14 PM by ciscomoderator
I have a router with IOS version 12.4 (22). Why is telnet still listening on the router even though I disabled it in the "line" configuration:
line vty 0 1
 access-class 23 in
 exec-timeout 15 0
 password cisco
 logging synchronous
 transport input ssh
line vty 2 4
 access-class 23 in
 exec-timeout 15 0
 privilege level 15
 password cisco
 logging synchronous
 transport input ssh
line vty 5 15
 access-class 23 in
 exec-timeout 15 0
 password cisco
 logging synchronous
 transport input ssh
When I issue the command "show control-plane host open-ports", the result is like this:
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:22 X.X.X.X:53964 SSH-Server ESTABLIS
tcp *:443 *:0 HTTP CORE LISTEN
tcp *:443 *:0 HTTP CORE LISTEN
udp *:58357 Y.Y.Y.Y:162 IOS host service ESTABLIS
udp *:123 *:0 NTP LISTEN
udp *:4500 *:0 ISAKMP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
I also used the Port-filter Policy feature of Control Plane Protection, as below:
!
class-map type port-filter match-all Telnet_Port
 match port tcp 23
!
!
policy-map type port-filter Block_Telnet
 class Telnet_Port
  drop
!
!
control-plane host
 service-policy type port-filter input Block_Telnet
04-10-2011 08:24 AM
I searched around a ton and it looks like it isn't possible to stop the telnet daemon (some can do it, Nexus and XR). I understand your security policy is to not even have telnet running; however, do your auditors actually check this? If so, and they expect to not see telnet running, they should be able to tell you how to stop it (please post if they do). We were audited by the government, and if we ever ran into anything we couldn't figure out, they would give us guidance. They're there to help secure your network, not just poke holes in your configurations :-) If they can't help, then they probably don't know what they are doing and have very little practical experience. I realize that doesn't help your situation, but maybe you can move up their ladder until someone understands that not everything can be black and white, especially in the security world. There were times when we said something can't be done: it's not our configurations, it's something Cisco has not provided the ability to configure. In those cases we contacted our Cisco SE, and they usually contacted the BU and got an official response stating that a particular feature is not configurable or that the default behavior is X.