Great Circle Associates Firewalls
(May 1994)

Subject: more on TIS portscan and Cisco routers
From: reh @ cs . UMD . EDU (Richard Huddleston)
Date: Mon, 9 May 1994 01:49:19 -0400
To: firewalls @ greatcircle . com

A few days ago, I posted a short note about what I found when running
the TIS Toolkit 'portscan' against a Cisco router:

echo
discard
finger
1993
2006
4006
6006
9006

You can get some pretty unexpected behavior from your router if you don't
add an, as far as I know, undocumented configuration for vty 4.  At least,
it sure surprised the daylights out of me.  I was convinced I'd found a
pretty big security bug in Cisco routers there for an hour or two.

The reason the behavior is alarming is, like most folks I know, I set up 
access-classes to define which IP addresses can connect to the router.  Not 
foolproof, of course, but (slightly) better than nothing.  A typical config 
might look like this:

rtr# config term
access-list 1 permit <valid_IP_1> <mask> 
access-list 1 permit <valid_IP_2> <mask> 
line 1 5
access-class 1 in
^Z 

...and (unless you know about this already) you might think that a 
connection attempt from IP_3 would get refused.  Well it will -- unless
you pass {2,4,6,9}006 as argv[2] to the telnet command.  In those cases,
the router will happily give a "password:" prompt to anybody.

To get the expected behavior, you must also: 

rtr# config term
access-list 2 deny 0.0.0.0 255.255.255.255
line vty 4
access-class 2 in
^Z

...which still permits access-class 1 to access the router, but disables
the ability to connect on those {2,4,6,9}006 ports from IP addresses not
in that class.  I'm still looking for something in the Cisco docs that 
describes why vty 4 is special; if anyone knows, I'd appreciate hearing
about it.  

I'd imagine there are other ways to get the desired behavior, as well. 

I'd like to thank the engineer at Cisco who worked with me on this one
even though he was on vacation.  One of the more esteemed members of this
list also patiently listened to a rant or two, as well.  Domo arigato. 

If you try to restrict the IP addresses which establish a tcp connection 
to the cisco router, you may want to look into all of this.  I'd be very
interested in learning a better way to achieve the same result. 

Richard 
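One way to audit a saved router configuration for the gap described in the message (an access-class applied to lines 1-5 but nothing on vty 4), added here as an example and not part of the original post. The line specs "1 5" and "vty 4" are the ones from the post; the addresses in the sample config are constructed documentation addresses standing in for <valid_IP_1> and <valid_IP_2>.

```python
import re

# Constructed sample: the "typical" config from the post, before the vty 4 fix.
CONFIG_BEFORE = """\
access-list 1 permit 192.0.2.10 0.0.0.0
access-list 1 permit 192.0.2.11 0.0.0.0
line 1 5
 access-class 1 in
"""

# Constructed sample: the same config with the extra block the post recommends.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list 2 deny 0.0.0.0 255.255.255.255
line vty 4
 access-class 2 in
"""


def parse_line_blocks(config):
    """Return {line_spec: [subcommands]} for every 'line ...' block.

    A block starts at a top-level 'line' command and contains the indented
    commands that follow it, up to the next top-level command.
    """
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # some other top-level command ends the block
    return blocks


def unprotected_lines(config, required=("1 5", "vty 4")):
    """Return the required line specs that are missing from the config or
    carry no inbound access-class. Defaults are the two specs from the post."""
    blocks = parse_line_blocks(config)
    acl_in = re.compile(r"^access-class\s+\S+\s+in\b")
    return [spec for spec in required
            if not any(acl_in.match(cmd) for cmd in blocks.get(spec, []))]


if __name__ == "__main__":
    print("before fix, unprotected:", unprotected_lines(CONFIG_BEFORE))
    print("after fix, unprotected: ", unprotected_lines(CONFIG_AFTER))
```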

