Blocking Hackers From Accessing Your Switch via Telnet/SSH

It’s amazing how much rattling at the doors and attempted intrusions companies become accustomed to seeing on their networks. Here I show a simple way to block telnet/SSH access to your switch. First, you should never use telnet to manage your switch over the Internet because the traffic is sent unencrypted and it is therefore insecure; SSH is the better option. Perhaps you only want to manage the switch from an internal network or only want to allow or block some hosts from using telnet/ssh. Below, I block all telnet/ssh access to the switch. I’m using a Dell Force10 S50N switch [FTOS 8.4.2.6].

I’ve worked with tons of switches connected to the Internet and if telnet/ssh is not restricted via an access list, I usually see something like the below in the logs. The logs usually reveal botched attempts from all over the world – in this case Italy, China, and Peru.

[Figure: Failed telnet login attempts on Dell Force10 S50N]

In the above case the telnet server is running but no password is configured, so it is safe in that regard. However, I can drop the packets before they get that far and waste CPU cycles by placing an extended access list on the VTY lines. Some of you may argue that the CPU is still hit even with an access list (I have read this in some networking books), but that depends on how access lists are implemented on the specific hardware in question, which I will not go into here beyond saying that the access list is effective for our purpose.

– enable
– conf
– ip access-list extended VTY_ACCESS
– remark 0 Deny telnet and ssh access to switch
– seq 10 deny tcp any any eq 22 count
– seq 11 deny tcp any any eq 23 count
– exit
– line vty 0 9
– access-class VTY_ACCESS
– end
– write
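To make the effect of the list above concrete, here is a small simulator of how an FTOS-style extended ACL bound to the VTY lines with `access-class` treats inbound telnet/SSH attempts. It is an added example, not code from the original post and not Force10 software. It assumes that rules are evaluated in ascending `seq` order, that the first match wins, that every ACL ends in an implicit deny, and that `count` keeps a per-rule hit counter; the `host A.B.C.D` and `A.B.C.D/len` source forms in the second list are assumed to follow FTOS prefix notation, and all addresses, subnets and attempts are constructed. It also goes one step beyond the post by showing the variant the introduction mentions (allowing management only from an internal network), which is my assumption of how that would be written, not the post's configuration.

```python
"""Simulates how an FTOS-style extended ACL bound to the VTY lines with
`access-class` treats inbound telnet/SSH connection attempts.

Added example, not code from the original post and not Force10 software.
Assumptions: rules are evaluated in ascending `seq` order, the first match
wins, every ACL ends in an implicit deny, and `count` increments a per-rule
hit counter. Only the syntax the post uses is parsed
(seq N deny|permit tcp SRC DST eq PORT [count]) plus `host A.B.C.D` and
`A.B.C.D/len` sources, assumed to follow FTOS prefix notation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    src: object            # ip_network the source must fall in
    dst: object            # ip_network the destination must fall in
    dport: Optional[int]   # None means any destination port
    count: bool            # True if the rule keeps a hit counter
    hits: int = 0


def parse_rule(line):
    """Parse one ACL line; returns None for remarks and non-rule lines."""
    toks = line.split()
    if not toks or toks[0] != "seq":
        return None
    seq, action = int(toks[1]), toks[2]
    if action not in ("permit", "deny") or toks[3] != "tcp":
        raise ValueError(f"unsupported rule: {line}")
    i = 4

    def take_addr():
        # 'any' -> whole IPv4 space, 'host X' -> /32, otherwise prefix notation
        nonlocal i
        if toks[i] == "host":
            i += 2
            return ip_network(toks[i - 1] + "/32")
        i += 1
        tok = toks[i - 1]
        return ip_network("0.0.0.0/0") if tok == "any" else ip_network(tok, strict=False)

    src = take_addr()
    dst = take_addr()
    dport = None
    if i < len(toks) and toks[i] == "eq":
        dport = int(toks[i + 1])
        i += 2
    return Rule(seq, action, src, dst, dport, "count" in toks[i:])


def parse_acl(text):
    """Parse a whole ACL body and order it the way the switch evaluates it."""
    rules = [r for r in (parse_rule(l.strip()) for l in text.splitlines()) if r]
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, src_ip, dst_ip, dport):
    """Return (action, seq) of the first matching rule, or ('deny', None) for the implicit deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            if r.count:
                r.hits += 1
            return r.action, r.seq
    return "deny", None


# The ACL from the post: drops every SSH (22) and telnet (23) attempt, the admin's included.
POST_ACL = """
remark 0 Deny telnet and ssh access to switch
seq 10 deny tcp any any eq 22 count
seq 11 deny tcp any any eq 23 count
"""

# Assumed variant (not from the post): permit SSH from a constructed management
# subnet first, then drop everything else. The lower seq makes the permit win.
MGMT_ACL = """
seq 5 permit tcp 10.0.0.0/24 any eq 22
seq 10 deny tcp any any eq 22 count
seq 11 deny tcp any any eq 23 count
"""

# Constructed attempts: (source IP, destination port). 203.0.113.0/24 stands in
# for the Internet and 10.0.0.5 for the admin's workstation.
ATTEMPTS = [
    ("203.0.113.7", 23),
    ("203.0.113.9", 22),
    ("10.0.0.5", 22),
    ("10.0.0.5", 23),
]
SWITCH_IP = "192.0.2.1"  # constructed management address of the switch


def run(acl_text, attempts=ATTEMPTS):
    """Apply the ACL to each attempt; return the verdicts and the per-rule hit counters."""
    rules = parse_acl(acl_text)
    verdicts = [evaluate(rules, src, SWITCH_IP, port) for src, port in attempts]
    counters = {r.seq: r.hits for r in rules if r.count}
    return verdicts, counters


if __name__ == "__main__":
    for name, acl in (("post ACL", POST_ACL), ("management-subnet ACL", MGMT_ACL)):
        verdicts, counters = run(acl)
        print(name, verdicts, "hit counters:", counters)
```

Running it shows the two points worth checking before you commit the change on a real switch: with the post's list the admin's own SSH session from 10.0.0.5 is denied by seq 10 just like the Internet attempts, so you need console or out-of-band access to get back in, and the `count` keyword gives you a cheap per-rule view of how much traffic the list is absorbing.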
