Great Circle Associates Firewalls
(May 1994)

Subject: Re: more on TIS portscan and Cisco routers
From: reh @ cs . UMD . EDU (Richard Huddleston)
Date: Mon, 9 May 1994 22:39:42 -0400
To: marty @ CERF . NET
Cc: firewalls @ greatcircle . com

* Marty Lyons:

* What version were you running that exhibited this behavior? 

A 4000 with 9.14(5).  Actually, I was able to track it to a misconfiguration
due to what appears to be an error in the manual (manuals for 8.2, 9.0 and 9.1,
and perhaps others).  Example 1 in the manual(s) for Controlling Line Access 
(on Ch 13 P 27 of the 9.1 docs) says that you can prevent unwanted IP addresses
from attaching to the vty ports on the router if you:

" 
	access-list 12 permit 192.89.55.0 0.0.0.255
	line 1 5
	access-class 12 in
"  

...which, if you modify the IP addresses in the example appropriately,
but leave the line references at 1..5, shows {2,4,6,9}006 open for 
connections when I run TIS' portscan from an "unwelcomed" address.  When
I do the above, using "line 1 6", those open listeners disappear from
the portscan listing (from an unwelcomed address). 

Interestingly, when I run portscan from a "welcomed" address, I've got
ports galore:

23, {2,4,6,9}00{1,2,3,4,5,6} and 10000.

When I saw that, the true cause of the open ports was obvious. 

Given the number of folks who have sent me email on this saying "it got
us, too" I'd presume that the manual could be more specific and I could
just be more careful.  I have to be the resident expert on routers, IP,
Unix, etc., at my place of employment, and this one just plain got by me.
It's a pretty easy mistake to make, apparently. 

If the router's configured correctly to begin with, you *shouldn't* be
able to duplicate the behavior I reported, or even see those ports using 
portscan from an unwanted IP node.

Richard 
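
As an added illustration of the misconfiguration described above (example code written for this archive page, not from the original post): a small Python check that parses the old-style "line A B" / "access-class N in" fragment, reports which vty lines are left without an inbound access-class, and lists the {2,4,6,9}00N ports a scan from an unwelcome address would still find listening. The vty line range 1..6 and the port-to-line mapping are taken from the post's own scan results; the two config fragments are constructed mirrors of the manual's example and of the "line 1 6" fix.

```python
import re
# Port-to-line mapping observed in the post: TCP port 2000+N, 4000+N,
# 6000+N or 9000+N on the router reaches line N.
LINE_PORT_BASES = (2000, 4000, 6000, 9000)

# Assumed from the post's scan from a "welcomed" address (lines 1..6 listed).
VTY_LINES = range(1, 7)

# Constructed fragment mirroring the manual's example (covers lines 1-5 only).
WEAK_CONFIG = """\
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
 access-class 12 in
"""

# Constructed fragment with the fix the post reports ("line 1 6").
FIXED_CONFIG = """\
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 6
 access-class 12 in
"""

LINE_RE = re.compile(r"line (\d+)(?: (\d+))?$")
ACCESS_CLASS_RE = re.compile(r"access-class \d+ in$")

def protected_lines(config):
    """Lines covered by an inbound access-class. 'line A B' selects lines
    A..B; a following 'access-class N in' applies to every selected line."""
    protected = set()
    selected = range(0)  # nothing selected until a 'line' statement is seen
    for raw in config.splitlines():
        stmt = raw.strip()
        m = LINE_RE.match(stmt)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            selected = range(first, last + 1)
        elif ACCESS_CLASS_RE.match(stmt):
            protected.update(selected)
    return protected

def unprotected_lines(config, vty_lines=VTY_LINES):
    """Vty lines that no inbound access-class restricts."""
    return sorted(set(vty_lines) - protected_lines(config))

def exposed_ports(config, vty_lines=VTY_LINES):
    """TCP ports a scan from an unwelcome address would still find listening."""
    return sorted(base + n for n in unprotected_lines(config, vty_lines)
                  for base in LINE_PORT_BASES)
```

Running exposed_ports(WEAK_CONFIG) reproduces the post's {2,4,6,9}006 result, and the same call on FIXED_CONFIG returns nothing.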


* From: Marty Lyons <marty @ CERF . NET>
* Subject: Re: more on TIS portscan and Cisco routers
* To: firewalls @ GreatCircle . COM
* Date: Mon, 9 May 1994 17:47:44 -0700 (PDT)
* 
* > Date: Mon, 9 May 1994 01:49:19 -0400
* > From: reh @ cs . UMD . EDU (Richard Huddleston)
* > Message-Id: <199405090549 . BAA28759 @ bedrock . cs . UMD . EDU>
* > Subject: more on TIS portscan and Cisco routers
* > 
* > [...]
* > 
* > ...and (unless you know about this already) you might think that a
* > connection attempt from IP_3 would get refused.  Well it will -- unless
* > you pass {2,4,6,9}006 as argv[2] to the telnet command.  In those cases,
* > the router will happily give a "password:" prompt to anybody.
* 
* I tried to duplicate this on two separate Ciscos, with no success.
* One is a 3000 running 9.1(10), and the other a 4000 running 9.14(5).
* What versions were you running that exhibited this behavior?
* 
* /Marty
