«

We recently underwent a security scan of our network. One of the more
common hits was on TCP ports in the 2000 or 6000 range on our AS5300s..
All of them had telnet daemons listening on them and each of them
handed out the login banner upon connection.

I've seen this before when trying to set up a dialout server where you
could essentially do a reverse telnet to a specific modem. I don't
recall how to fix it though. These 5300s are on the public Internet in
the heart of our service provider so we don't want them listening on
these ports. Telnet is already shut down on the VTYs and SSH is
restricted by IP. Suggestions?

Thanks
J

router(config)#line 1 48
router(config-line)#transport input none

This disables reverse telnet (reverse ssh, etc.) to your lines. Btw this is the
default.

Aaron

---

~ We recently underwent a security scan of our network. One of the more
~ common hits was on TCP ports in the 2000 or 6000 range on our AS5300s..
~ All of them had telnet daemons listening on them and each of them
~ handed out the login banner upon connection.
~
~ I've seen this before when trying to set up a dialout server where you
~ could essentially do a reverse telnet to a specific modem. I don't
~ recall how to fix it though. These 5300s are on the public Internet in
~ the heart of our service provider so we don't want them listening on
~ these ports. Telnet is already shut down on the VTYs and SSH is
~ restricted by IP. Suggestions?
~
~ Thanks
~ J

On Jan 18, 11:18 am, Aaron Leonard <A...@Cisco.COM> wrote:
> router(config)#line 1 48
> router(config-line)#transport input none
>
> This disables reverse telnet (reverse ssh, etc.) to your lines. Btw this is the
> default.
>
> Aaron


Aaron,

Thank you very much! I figured it had to be something simple that I
was overlooking. My eyes completely glossed over the other line
statements. That fixed my problem. Thanks again

J