Re: Cisco 2621

["Erick B." <erickbe () yahoo com>]

Hi,

These ports are used for 'reverse telnet' on Cisco
routers. If you do a 'show line' then take the line #
and add 2000 to it you get the port # you can telnet
to to redirect out that port (aux port, line
interface, etc).

The best way to protect against this would be to add
ACLs to deny traffic to the routers IP address's on
the port #s you don't people accessing. Then if you
want to 'reverse telnet' you would need to telnet to
router directly and telnet from the router, or set up
a lock-n-key ACL to open up those port #s temp.

-Erick

--- Lincoln Yeoh <lyeoh () POP JARING MY> wrote:
> On cisco 2500 I believe aux 0 is tcp port 2001
>
> It's often 2000+line number or something. It looks
> like aux 0 is line 65 on
> your router and 1 on mine.
>
> There are also corresponding ports for other "lines"
> especially access
> servers - these are to allow you to control modems
> hooked to the router
> remotely. Not sure if there is a port for console
> for various cisco routers.
>
> I'm not sure if this is the best way to deal with it
> but in my cisco router
> config I have:
>
> access-list 102 deny   ip any any log
>
> line aux 0
>  access-class 102 in
>  transport input all
>
> This rejects and logs TCP connection attempts to the
> aux port of the router.
>
> Btw if you telnet to the finger port (79) some
> access servers give you a
> list of the accounts currently dialed into them.
> This sometimes helps get
> info on people who are scanning your networks. Of
> course most savvy ISPs
> disable this, but then savvy ISPs don't need help to
> track down people
> scanning your stuff ;). Unfortunately not so savvy
> ISPs don't discipline
> their customers for bad behaviour :(.
>
> Have a nice day,
>
> Link.
>
> At 02:22 PM 07-09-2000 +0100, Ollie Whitehouse
> wrote:
> > All,
> >
> > During a recent attack & penetration test the
> following was discovered,
> > thought it might be interesting.
> >
> > Router : 2621
> > Software : Version 11.3(2)XA4, RELEASE SOFTWARE
> (fc1)
> > The router's AUX line had been configured as
> follows:
> > line aux 0
> > no exec
> > password 7 **********
> > login
> > transport input all
> >
> > The NMAP scan of that network showed the following:
> > Port       State       Service
> > 23/tcp     open        telnet
> > 2065/tcp   open        dlsrpn
> >
> > Doing a who on the router showed the following also
> (this is while a
> > connection is open on port 2065):
> > 2621router>who
> >
> >    Line      User       Host(s)              Idle
> Location
> >  65 aux 0               incoming
> 00:00:32 192.168.0.1
> > * 66 vty 0               idle
> 00:00:00 192.168.11.87
> > No exploitable, but just keep it in mind when you
> see port 2065 listening
> > ;o).
> >
> > Rgds
> >
> > Ollie
> > -----
> > Ollie Whitehouse
> > Security Team Leader
> > Delphis Consulting
> > tel: +44 (0)20 79160200
> > mai: ollie () delphisplc com
> >
> > This e-mail and any files transmitted with it are
> intended solely for the
> > addressee and are confidential. They may also be
> legally
> > privileged.Copyright in them is reserved by Delphis
> Consulting PLC
> > ["Delphis"] and they must not be disclosed to, or
> used by, anyone other than
> > the addressee.If you have received this e-mail and
> any accompanying files in
> > error, you may not copy, publish or use them in any
> way and you should
> > delete them from your system and notify us
> immediately.E-mails are not
> > secure.  Delphis does not accept responsibility for
> changes to e-mails that
> > occur after they have been sent.  Any opinions
> expressed in this e-mail may
> > be personal to the author and may not necessarily
> reflect the opinions of
> > Delphis


__________________________________________________
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/