Secure Login in Router

ravinder.bora
Level 1

Hi,

Please help... how can I secure my Internet router [connected with ISP-Edge Router-Cisco 2900]? When I check who has logged in to my router, it shows mostly Chinese IPs logged in to my router.

I also log in to this router remotely, so I can't block Telnet or SSH. How can I protect it from unwanted logins?

 

Regards,

Ravinder Bora

2 Replies

ghostinthenet
Level 7
(Accepted Solution)

There are a few ways to go about this. The simplest is to cut off all telnet access and secure SSH access so that it can only be accessed from your location. Something like this will work:

ip access-list extended ACL_WAN
 permit tcp host x.x.x.x any eq 22
 deny tcp any any range 22 23
 permit ip any any
!
! Use whichever interface is your WAN
interface GigabitEthernet0/0
 no ip unreachables
 no ip redirects
 ip access-group ACL_WAN in

Replace x.x.x.x with the address that you're managing this from and everyone else will be locked out.

If you really need to log in from random outside IPs, then you can:

  1. Disable Telnet and only use SSH.
  2. Strengthen the crypto used.
  3. Deploy strong AAA, possibly with a central RADIUS server.
  4. Configure local authentication, make sure that all passwords are extremely strong, and change your login to RSA-based login.
  5. If there are also many bots filling up your logs with login attempts, then change the SSH port to something unusual.
  6. For local AAA, configure Login Block.
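Putting the steps in this list and the source-address restriction from the accepted answer together, here is an added example configuration in Cisco IOS 15 syntax for an ISR such as the 2900; it is not from this thread or from Cisco. It assumes 203.0.113.10 is the administrator's source address, netadmin is the admin user and 2222 is the alternate SSH port; the secret and key fingerprint are placeholders.

```cisco
! Added example, not from this thread: management-plane hardening on a
! Cisco IOS ISR. Assumed values: 203.0.113.10 = admin source address,
! netadmin = admin user, 2222 = alternate SSH port.
!
! 1. Only the admin's address may reach the management plane; log the rest.
ip access-list standard MGMT_IN
 permit host 203.0.113.10
 deny   any log
!
! 2. SSH only: version 2, 2048-bit host key, short timeouts.
hostname edge-rtr
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
! Stronger ciphers/MACs where the IOS release supports this command.
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256
! Optional: also answer on 2222 to cut bot noise from port-22 scans;
! port 22 still answers, and MGMT_IN filters both.
ip ssh port 2222 rotary 1
!
! 3. Local AAA; "secret" stores a hash, "password" does not.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username netadmin privilege 15 secret <STRONG-PASSPHRASE>
!
! 4. Public-key login: replace the placeholder with the MD5 fingerprint
!    of the admin's RSA public key (32 hex characters, no colons).
ip ssh pubkey-chain
 username netadmin
  key-hash ssh-rsa <MD5-FINGERPRINT-OF-PUBLIC-KEY>
 exit
exit
!
! 5. Login Block: 3 failures within 60 s => 120 s quiet mode, during
!    which only MGMT_IN sources may connect; log success and failure.
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT_IN
login on-failure log
login on-success log
!
! 6. VTY lines: SSH only, source filter, idle timeout, rotary for 2222.
line vty 0 4
 transport input ssh
 access-class MGMT_IN in
 exec-timeout 10 0
 rotary 1
```

Unlike an interface ACL, the access-class on the VTY lines filters only sessions to the router itself, so transit traffic through the WAN interface is unaffected.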