
How to block telnet and SSH on outside interface on Cisco routers

By default, a lot of Cisco routers allow Telnet and SSH on the outside interface, which exposes them to brute-force login attempts from the internet. Ideally Telnet should be blocked completely, as it is an insecure protocol, and SSH should only be allowed from the inside interfaces or, better still, from specific internal IP addresses.

Before running this, make sure you actually need to deny Telnet and SSH from the outside!

The following commands assume the inside network is 10.11.10.0 with a 0.0.0.255 wildcard mask (a /24); if not, change it to your range. You can put all this in a different access list if you want, it doesn’t have to be number 10.

All commands need to be run without the “#” in front (it is the privileged-mode prompt, not part of the command).

Log into the router (from the inside network, otherwise you will not be able to reconnect once the access list is applied)

#enable
#configure terminal
#access-list 10 permit 10.11.10.0 0.0.0.255
! anything not matched by the permit above is dropped by the implicit deny at the end of the list
#line vty 0 4
! if "show line" lists more vty lines (for example 0 15), include all of them here, otherwise the extra lines stay open
#access-class 10 in
! "end" returns to privileged EXEC mode, where "copy" is run
#end
#copy running-config startup-config

Test whether this took effect by trying to Telnet or SSH to your outside interface from a different internet connection.
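As an added example that is not part of the original post, here is a small Python check that reads a saved running-config and flags any vty stanza that lacks the inbound access-class from the post or still accepts something other than SSH. Both configuration excerpts below are constructed for the example.

```python
import re

# Constructed running-config excerpt (not taken from any real device).
# Uses the post's ACL but leaves vty 5-15 unrestricted and Telnet enabled.
WEAK_CONFIG = """\
access-list 10 permit 10.11.10.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input all
!
"""

# The same excerpt with the access-class on every vty line and SSH only (also constructed).
HARDENED_CONFIG = """\
access-list 10 permit 10.11.10.0 0.0.0.255
line vty 0 15
 access-class 10 in
 transport input ssh
"""

def parse_vty_sections(config):
    """Return (first, last, body_lines) for each 'line vty A B' stanza."""
    sections, current = [], None
    for raw in config.splitlines():
        m = re.match(r"^line vty (\d+) (\d+)\s*$", raw)
        if m:
            current = (int(m.group(1)), int(m.group(2)), [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[2].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return sections

def audit_vty(config):
    """Return one finding string per problem; an empty list means every vty stanza is restricted."""
    findings = []
    for first, last, body in parse_vty_sections(config):
        name = f"line vty {first} {last}"
        if not any(re.match(r"access-class \S+ in\b", line) for line in body):
            findings.append(f"{name}: no inbound access-class, reachable from any source")
        transport = next((line for line in body if line.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{name}: transport input not set, platform default applies")
        elif set(transport.split()[2:]) - {"ssh"}:
            findings.append(f"{name}: {transport!r} allows more than SSH")
    return findings
```

Run `audit_vty` over the output of `show running-config` saved to a file; the weak excerpt produces three findings and the hardened one none.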

One Response to “How to block telnet and SSH on outside interface on Cisco routers”

  1. Matthew Cantrell

    Very useful post! It may also be worth mentioning that if you are using VRFs, applying the access list to the vty lines will require the command to be “access-class 10 in vrf-also”.

