
Cisco 2621 - Forced Newbie :(

Status
Not open for further replies.

meanrabbit

IS-IT--Management
Joined
Oct 21, 2005
Messages
4
Location
US
Hello All,
I'm having to get the network passed on a Security audit. Our router (cisco 2620) keeps failing on the scan because Telnet is enabled. I'm new to our routers, (my friend/coworker handled these things and he passed away recently) :( and I've been forced into learning these things now.

I was able to figure out how to login with the console cable and 'enable' the connection. I did the following and copied it to the notepad.

# show run

Now that I made a backup (I think). I need to figure out how to disable telnet so we can only access the router via the console cable. Below is the bottom of the config file. I assume my answer lies here somewhere?
------------------------------
!
!
line con 0
password 1stg3n!
login
transport preferred none
speed 115200
line aux 0
line vty 0 4
password 1stg3n!
login
!
!
end
------------------

I don't suppose there is some 1 line command I can enter rather than panicking over reloading the configuration?

Any help or link to a FAQ would be appreciated greatly.

Thanks Much
ed
 
Hi

To disable telnet, you can modify your config as below:

router#conf t
router(config)#line vty 0 4
router(config-line)#no login

I personally think it's a little strange they're failing your device on a security audit because telnet is enabled. It's an essential mode of administration.

Arguably better would've been for them to recommend a TACACS+ setup so you can better control who has access and what level of access that should be.
 
To disable telnet, login to the router via console cable.
enable
config t
line vty 0 4
no login
<Ctrl+Z>
copy run start

Working from memory after a long week, but I think that will take care of you.
 
They may be looking to have you use SSH as opposed to telnet as admin login. Your IOS has to support it though and you have to set it up in the config.
 
vipergg is probably right. Perhaps they want you to have secure administrative access on this router, which means SSH. Does your own internal security policy state that you have SSH on your network devices, or is this a requirement of your auditors?
 
It's strictly a requirement coming from Qualys.com; we use them for security scans.

We really never have reason to access the router so the quick way out would be to just disable telnet and use the terminal cable anytime we needed access, correct?

Really appreciate the feedback. I can handle a lot but messing with our routers scares the heck out of me.
 
Yes. SSH is more secure than Telnet; the absence of remote access is even more secure.
 
Hmm, I tried the changes but now I can telnet into the router without the password at all. (It's wide open) but I still have to use the Enable password. Cut/paste of what I entered. What did I miss?

---------------
COPO>en
Password:
COPO#config t
Enter configuration commands, one per line. End with CNTL/Z.
COPO (config)#line vty 0 4
COPO (config-line)#no login
COPO (config-line)#^Z
COPO#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
COPO#
----------------
 
Correction: if I telnet in from a different terminal it no longer prompts me for a password. It still wants the password to connect via the console cable though.

While enabled, I did a 'show run' after I made the change. It reads as follows:

---------------
no cdp run
!
!
!
!
!
!
!
line con 0
password mypwisshownhere
login
transport preferred none
speed 115200
line aux 0
line vty 0 4
password mypwisshownhere
no login
!
!
end
------------------
 
Try the following:

line vty 0 4
transport input none
exit
wr mem

To bring it back:

line vty 0 4
transport input telnet
exit
wr mem

This should stop telnet.
 
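An added check, not from the thread or from Cisco, that reads a pasted 'show run' and flags what went wrong above: 'no login' removes the password prompt without closing telnet, while 'transport input none' closes the vty lines. The sample configs are constructed from the poster's output; the script assumes IOS's default transport of 'all' when no 'transport input' line is configured.

```python
# Constructed samples: the poster's vty block after "no login", and the
# hardened block from the last reply. Indentation is optional (forum pastes lose it).
WIDE_OPEN_CONFIG = """\
line vty 0 4
 password mypwisshownhere
 no login
!
end"""

HARDENED_CONFIG = """\
line vty 0 4
 password mypwisshownhere
 login
 transport input none
!
end"""


def parse_line_blocks(show_run):
    """Map each 'line ...' header to its sub-commands; '!' or 'end' closes a block."""
    blocks, current = {}, None
    for raw in show_run.splitlines():
        text = raw.strip()
        if not text or text in ("!", "end"):
            current = None
            continue
        if text.startswith("line "):
            current = text
            blocks[current] = []
        elif current is not None:
            blocks[current].append(text)
    return blocks


def audit_vty(show_run):
    """Return findings for vty blocks that still accept telnet or skip the login prompt."""
    findings = []
    for name, cmds in parse_line_blocks(show_run).items():
        if not name.startswith("line vty"):
            continue
        # Assumed IOS default when no 'transport input' is present: all protocols.
        transport = next((c.split(None, 2)[2] for c in cmds
                          if c.startswith("transport input ")), "all")
        telnet_ok = transport == "all" or "telnet" in transport.split()
        no_auth = "no login" in cmds   # 'no login' drops the password prompt entirely
        if no_auth and telnet_ok:
            findings.append(f"{name}: telnet reachable with NO password prompt")
        elif telnet_ok:
            findings.append(f"{name}: telnet still allowed (transport input {transport})")
        elif no_auth:
            findings.append(f"{name}: 'no login' set; telnet would be unauthenticated if re-enabled")
    return findings
```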