Many providers have modems attached to the console port on their routers.
In that situation, access-lists will do you no good. There are modems out
there that can be set up to demand a password before they will connect you
to the console port. I would suggest looking into these. It's always a bad
idea to be able to dial up directly to your console port...

--George

On Mon, 17 Aug 1998, Jared Mauch wrote:

> On Mon, Aug 17, 1998 at 05:43:36PM +0000, Roger Books wrote:
> > Does anyone have specifics on the latest DoS on cisco routers?
> >
> > http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
> >
> > I have been assigned the task of determining not only if
> > we are vulnerable, but how difficult it is to perform
>
>     Vulnerability should be fairly easy to determine via
> "sh ver"
>
>     A "good" way to cause this to no longer be an issue
> for you is to assign inbound-vty access-lists on your routers,
> such that you can only telnet to them from certain ip addresses,
> hosts, etc..
>
>     Here's an example of your config you would need to insert
> to your cisco router.
>
> access-list 50 permit 10.20.128.0 0.0.63.255
> line vty 0 4
>  access-class 50 in
>  login
> !
>
>     This will allow 10.20.128.0/18 to telnet into your router ONLY.
> This will also help prevent joe-blow user from the internet
> to determine your router vendor. (Unless you do
> something silly like use snmp-server community public, or don't
> acl your snmp-server community public).
>
>     A "good thing(tm)" IMHO.
>
>     For your reference, here's the various subnet masks
> from one of my cisco-acl programs, so you can do this without problems:
>
> Format: cidr, cidr+slash, mask, cisco inverted-mask
>
> /* each row: prefix length, prefix with slash, subnet mask, Cisco inverted (wildcard) mask */
> char lookupnfo[][4][16] = {
>     { "32", "/32", "255.255.255.255", "0.0.0.0"         },
>     { "31", "/31", "255.255.255.254", "0.0.0.1"         },
>     { "30", "/30", "255.255.255.252", "0.0.0.3"         },
>     { "29", "/29", "255.255.255.248", "0.0.0.7"         },
>     { "28", "/28", "255.255.255.240", "0.0.0.15"        },
>     { "27", "/27", "255.255.255.224", "0.0.0.31"        },
>     { "26", "/26", "255.255.255.192", "0.0.0.63"        },
>     { "25", "/25", "255.255.255.128", "0.0.0.127"       },
>     { "24", "/24", "255.255.255.0",   "0.0.0.255"       },
>     { "23", "/23", "255.255.254.0",   "0.0.1.255"       },
>     { "22", "/22", "255.255.252.0",   "0.0.3.255"       },
>     { "21", "/21", "255.255.248.0",   "0.0.7.255"       },
>     { "20", "/20", "255.255.240.0",   "0.0.15.255"      },
>     { "19", "/19", "255.255.224.0",   "0.0.31.255"      },
>     { "18", "/18", "255.255.192.0",   "0.0.63.255"      },
>     { "17", "/17", "255.255.128.0",   "0.0.127.255"     },
>     { "16", "/16", "255.255.0.0",     "0.0.255.255"     },
>     { "15", "/15", "255.254.0.0",     "0.1.255.255"     },
>     { "14", "/14", "255.252.0.0",     "0.3.255.255"     },
>     { "13", "/13", "255.248.0.0",     "0.7.255.255"     },
>     { "12", "/12", "255.240.0.0",     "0.15.255.255"    },
>     { "11", "/11", "255.224.0.0",     "0.31.255.255"    },
>     { "10", "/10", "255.192.0.0",     "0.63.255.255"    },
>     {  "9", "/9",  "255.128.0.0",     "0.127.255.255"   },
>     {  "8", "/8",  "255.0.0.0",       "0.255.255.255"   },
>     {  "7", "/7",  "254.0.0.0",       "1.255.255.255"   },
>     {  "6", "/6",  "252.0.0.0",       "3.255.255.255"   },
>     {  "5", "/5",  "248.0.0.0",       "7.255.255.255"   },
>     {  "4", "/4",  "240.0.0.0",       "15.255.255.255"  },
>     {  "3", "/3",  "224.0.0.0",       "31.255.255.255"  },
>     {  "2", "/2",  "192.0.0.0",       "63.255.255.255"  },
>     {  "1", "/1",  "128.0.0.0",       "127.255.255.255" },
>     {  "0", "/0",  "0.0.0.0",         "255.255.255.255" }
> };
>
>     - jared
>
> --
> Jared Mauch  | pgp key available via finger from jaredat_private
>              | http://puck.nether.net/~jared/

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Phillips                  Sprintlink                          =
= email: phillipsat_private        Operations Engineering              =
= pager: george-pagerat_private    703 689 7781                        =
=-                                                                   -=
= "Do not meddle in the affairs of troff, for it is subtle and quick  =
=  to anger."                                                         =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
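The two technical pieces of Jared's quoted message, the inbound vty access-class and the subnet-mask / inverted-mask table, are worth seeing as working code. The following is an added example and not code from the thread or from Jared's cisco-acl program: it derives the subnet mask and the Cisco inverted (wildcard) mask from a prefix length instead of looking them up, regenerates the thread's 33-row table from that rule, and evaluates a standard access-list the way IOS does when an `access-class ... in` is applied to the vty lines (first matching entry wins, implicit deny at the end). Function names are this example's own, and the sample source addresses outside 10.20.128.0/18 are constructed from documentation ranges.

```python
"""
Added example (not part of the original mailing-list thread): how a Cisco
inverted (wildcard) mask relates to a prefix length, and how a vty
access-class such as

    access-list 50 permit 10.20.128.0 0.0.63.255

decides whether a source address may reach the login prompt at all.
Function names are this example's own, not IOS commands.
"""
from __future__ import annotations

ALL_ONES = 0xFFFFFFFF


def ipv4_to_int(dotted: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet in {dotted!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ipv4(value: int) -> str:
    """Format a 32-bit integer as a dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_masks(prefix: int) -> tuple[str, str]:
    """Return (subnet mask, Cisco inverted mask) for a /prefix.

    The inverted mask is the 32-bit complement of the subnet mask: a 1 bit
    means "don't care" when the access-list compares addresses.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES   # /0 shifts everything out -> 0
    wildcard = mask ^ ALL_ONES
    return int_to_ipv4(mask), int_to_ipv4(wildcard)


def lookup_table() -> list[tuple[str, str, str, str]]:
    """Regenerate the four-column table from the thread, /32 down to /0."""
    rows = []
    for prefix in range(32, -1, -1):
        mask, wildcard = prefix_to_masks(prefix)
        rows.append((str(prefix), f"/{prefix}", mask, wildcard))
    return rows


def acl_entry_matches(network: str, wildcard: str, source: str) -> bool:
    """Test one '<network> <wildcard>' pair against a source address.

    IOS compares only the bits where the wildcard is 0 and ignores the rest,
    i.e. the entry matches when (source XOR network) AND NOT wildcard == 0.
    """
    net = ipv4_to_int(network)
    wc = ipv4_to_int(wildcard)
    src = ipv4_to_int(source)
    return ((src ^ net) & (wc ^ ALL_ONES)) == 0


def vty_login_allowed(source: str, entries=None) -> bool:
    """Standard access-list semantics for 'access-class N in' on the vty lines:
    entries are checked in order, the first match decides, and a source that
    matches nothing hits the implicit 'deny any'."""
    if entries is None:
        # Constructed to mirror access-list 50 from the thread.
        entries = [("permit", "10.20.128.0", "0.0.63.255")]
    for action, network, wildcard in entries:
        if acl_entry_matches(network, wildcard, source):
            return action == "permit"
    return False


if __name__ == "__main__":
    for row in lookup_table():
        print("%3s %4s %-16s %s" % row)
    # 192.0.2.10 is a constructed address from the TEST-NET-1 documentation range.
    for host in ("10.20.128.1", "10.20.191.254", "10.20.192.1", "192.0.2.10"):
        print(host, "permit" if vty_login_allowed(host) else "deny")
```

Checking the thread's /18 line with `prefix_to_masks(18)` gives `("255.255.192.0", "0.0.63.255")`, which is exactly what `access-list 50` uses; 10.20.191.254 is the last address inside that block and is permitted, while 10.20.192.1 falls outside it and is dropped before the login prompt is ever offered. Because the access-class runs before `login`, a source that is denied never gets to exercise the login code at all, which is the point of Jared's mitigation.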
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:32 PDT