Restricting Inbound Telnet Access

Restricting Inbound Telnet Access

Problem

You want to restrict Telnet access to the router to allow only particular workstations.

Solution

You can restrict which IP addresses can access the router as follows:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 99 in
Router1(config-line)#exit
Router1(config)#end
Router1#

This example uses a standard access-list. You can also use extended access-lists in an access-class statement. But because you already know the TCP port numbers, as well as the source and destination IP addresses, extended access-lists don't give much extra functionality.

Discussion

Telnet is an inherently insecure protocol because it sends passwords over the network in clear text. We highly recommend using access-class statements to help to ensure that only authorized users can access router VTYs. These access-class statements do not secure the Telnet protocol itself, but they will prevent unauthorized users from receiving a router login prompt. Even if someone manages to sniff your router passwords, this will make them virtually useless.

For increased security, limit the permitted hosts to a few network management servers. This will force legitimate users to follow a two-stage authentication process to access your routers. They will need to authenticate their session on some central device such as the network management server before they can log into the router. The logic is that it is much easier to secure a single server than a dozen workstations.

This feature provides a similar functionality to the Unix TCPwrapper tool set, which can restrict daemon access to a limited number of IP addresses. And, just like TCPWrapper, we can log the IP addresses of refused users by using the keyword log in the access-list definition. This will create a log message for every unauthorized Telnet attempt, such as the following:

Router1#show logging | include list 99
Jun 27 14:14:25: %SEC-6-IPACCESSLOGS: list 99 denied 172.22.1.3 1 packet
Router1#

In the example, we have added an explicit deny any command to allow the router to count refused sessions:

Router1#show access-lists 99
Standard IP access list 99
permit 172.25.1.0, wildcard bits 0.0.0.255 (4 matches)
deny any log (1 match)
Router1#

This command shows you the running total of permitted and refused Telnet sessions. In this example, the access-list has denied a single Telnet session from accessing a router VTY. A large number of access attempts might indicate that someone is trying to access your routers. The log messages will capture the IP source address of each denied attempt, making it easy to investigate.

See Also