Restricting access to VTY (Virtual Terminal Lines)
One of the first and most important things to configure on any Cisco device after enabling telnet or SSH is to restrict who is allowed to access the device. Having a password on the lines is the first step, but if telnet is the method of communication, all passwords are sent over the wire in clear text. This means that if someone were to sniff the line while you logged onto a router over a telnet session, they would see your password and so gain access to the device.
As an additional method of securing your Cisco devices, it is a good idea to bind an ACL (Access Control List) to the VTYs (Virtual Terminal Lines). Only the IP addresses permitted by the ACL can then open a connection to the device, and the line password is still required on top of that.
If we look at the diagram below, I might want to restrict telnet access into R1 so that telnet is only allowed from AOIP.ORG and not from any other device or computer.

In order to achieve the above, the following commands would need to be configured.
R1# conf t
R1(config)# access-list 1 permit host 192.168.1.10 log
Create a standard access-list (which checks only the source address) and include the ‘log’ keyword so I will be able to see how many times the ACL has been matched. I don’t have to include any deny statements, since there is always an implicit deny any statement at the end of every ACL.
R1(config)# line vty 0 4
Enter line configuration mode for the virtual terminal lines.
R1(config-line)# access-class 1 in
Attach the ACL to the virtual lines so that it is checked against connections inbound to the router.
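As an added example (not part of the original post), the following Python script audits a constructed IOS running-config for the configuration described above: it parses numbered standard ACLs, evaluates a candidate source address against one (first match wins, implicit deny at the end), and reports any VTY range that has no inbound access-class or references an ACL that is not defined. The sample config, including the second "line vty 5 15" range, is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config for illustration; not taken from a real device.
SAMPLE_CONFIG = """\
hostname R1
!
access-list 1 permit host 192.168.1.10 log
!
line vty 0 4
 access-class 1 in
 login
 transport input ssh
line vty 5 15
 login
"""

def parse_standard_acls(config):
    """Map numbered standard ACL -> ordered [(action, network)] entries."""
    acls = {}
    pat = re.compile(r"^access-list (\d+) (permit|deny) (.+?)(?: log)?$")
    for raw in config.splitlines():
        m = pat.match(raw.strip())
        if not m:
            continue
        num, action, target = m.groups()
        if target == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif target.startswith("host "):
            net = ipaddress.ip_network(target.split()[1] + "/32")
        else:  # "address wildcard": ipaddress accepts the wildcard as a host mask
            addr, wild = target.split()
            net = ipaddress.ip_network(f"{addr}/{wild}", strict=False)
        acls.setdefault(num, []).append((action, net))
    return acls

def acl_permits(entries, src):
    """First matching entry wins; no match falls through to the implicit deny any."""
    ip = ipaddress.ip_address(src)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False

def audit_vty(config):
    """One finding per VTY range that would accept logins from any source address."""
    acls = parse_standard_acls(config)
    findings = []
    for block in re.split(r"^(?=line )", config, flags=re.M):
        head = block.splitlines()[0] if block.strip() else ""
        if not head.startswith("line vty"):
            continue
        m = re.search(r"^\s*access-class (\d+) in\s*$", block, re.M)
        if m is None:
            findings.append(f"{head}: no inbound access-class")
        elif m.group(1) not in acls:
            findings.append(f"{head}: access-class {m.group(1)} references an undefined ACL")
    return findings
```

Running audit_vty over the sample flags "line vty 5 15", which would still accept a connection from any source even though vty 0 4 is protected.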
Below is the live demo.