Feature Lab Friday #3 – Securing Telnet Access

Feature Lab Friday #3 – Securing Telnet Access

This coincides with the previous JNCIA Question of the Week regarding how to secure access via telnet. Our objective here is to limit telnet access to a router to only a specific subnet. We want to allow telnet access only from the router’s loopback address. To test this, we will make use of advanced pinging techniques available in the Junos software.

First, we will assume that you have two routers configured in the following way:

  • R1 – em0.0 172.16.0.1/30
  • R1 – em1.0 192.168.1.1/24
  • R1 – lo0.0 10.1.1.1
  • R2 – em0.0 172.16.0.2/30
  • R2 – em1.0 192.168.2.1/24
  • R2 – lo0.0 10.2.2.2

We will assume that you have the em0.0 interfaces directly connected to each other. We will also assume that we have routes to all subnets, whether they are statically or dynamically configured.

First, log into R2 and issue the following command:
telnet source 192.168.2.1 10.1.1.1
It should succeed. Now issue this command:
telnet source 10.2.2.2 10.1.1.1
This should also succeed. Right now, we can telnet to this device from anywhere in the world. We’re going to apply a firewall filter that allows us to restrict telnet access to R1 to only the 10.2.2.2 address. Obviously this isn’t very practical in the real world since you would only be able to access R1 by first being in R2, but this will give you an idea as to how to configure for a more practical situation.

The following commands will restrict telnet access to R1. Only the 10.2.2.2 IP address will be able to access the router remotely.

[edit]
root# edit firewall filter restrict-telnet term accept-telnet

[edit firewall filter restrict-telnet term accept-telnet]
root# set from source-prefix-list trusted-subnets

[edit firewall filter restrict-telnet term accept-telnet]
root# set from protocol tcp

[edit firewall filter restrict-telnet term accept-telnet]
root# set from destination-port telnet

[edit firewall filter restrict-telnet term accept-telnet]
root# set then accept

[edit firewall filter restrict-telnet term accept-telnet]
root# up

[edit firewall filter restrict-telnet]
root# edit term reject-telnet

[edit firewall filter restrict-telnet term reject-telnet]
root# set from protocol tcp

[edit firewall filter restrict-telnet term reject-telnet]
root# set from destination-port telnet

[edit firewall filter restrict-telnet term reject-telnet]
root# set then discard

[edit firewall filter restrict-telnet term reject-telnet]
root# up

[edit firewall filter restrict-telnet]
root# set term accept-other-traffic then accept

[edit firewall filter restrict-telnet]
root# top

[edit]
root# set policy-options prefix-list trusted-subnets 10.2.2.2

Now, if we try to telnet from our 192.168.2.0/24 subnet, telnet will simply hang.

root> telnet source 192.168.2.1 10.1.1.1
Trying 10.1.1.1…
^C
root>

But if we telnet from the 10.2.2.2 address, we will get our login prompt:

root> telnet source 10.2.2.2 10.1.1.1
Trying 10.1.1.1…
Connected to 10.1.1.1.
Escape character is ‘^]’.

(ttyp0)

login:

Advertisements
  1. January 16th, 2012

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: