How to block Telnet and SSH on outside interface on Cisco routers
By default, a lot of Cisco routers allow Telnet and SSH on the outside interface, which creates a large security risk of brute-force attacks. Ideally, Telnet should be blocked completely because it is an insecure protocol, and SSH should only be allowed from the inside interfaces or, even better, from certain internal IP addresses.
Before running this, make sure you actually have to deny Telnet and SSH from the outside!
The following commands assume the inside network is “10.11.10.0” with a wildcard mask of 0.0.0.255; if not, change to your range. You can add all this to a different access list if you want; it doesn’t have to be “10”.
All commands need to be run without the “#” in front.
Log into the router and enter privileged EXEC mode
#configure terminal
#access-list 10 permit 10.11.10.0 0.0.0.255
#line vty 0 4
#access-class 10 in
#end
#copy running-config startup-config
Test whether this took effect by trying to Telnet or SSH to your outside interface from a different internet connection.
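As a complement to the outside test, here is an added example (not part of the original article) that audits a saved running-config and reports every "line vty" range that has no inbound access-class, points at an access list that is not defined, or still accepts Telnet. The sample config is constructed and the function name audit_vty is chosen here for illustration.

```python
import re

# Constructed running-config excerpt (not from a real device): vty 0 4 is
# restricted as in the article, but vty 5 15 was left without an access-class.
SAMPLE_CONFIG = """\
access-list 10 permit 10.11.10.0 0.0.0.255
!
line con 0
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

def audit_vty(config):
    """Return sorted (vty_range, finding) pairs for a running-config text."""
    # Numbered ACLs ("access-list 10 ...") and named ACLs ("ip access-list ...").
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    acls |= set(re.findall(r"^ip access-list \w+ (\S+)", config, re.M))
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level line starts a new section
            m = re.match(r"line vty (\d+(?: \d+)?)\s*$", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current and line.strip():        # indented sub-command of a vty block
            blocks[current].append(line.split())
    findings = []
    for vty, cmds in blocks.items():
        inbound = [c[1] for c in cmds
                   if c[0] == "access-class" and "in" in c[2:]]
        if not inbound:
            findings.append((vty, "no inbound access-class"))
        for acl in inbound:
            if acl not in acls:
                findings.append((vty, f"access-class {acl} is not defined"))
        for c in cmds:
            if c[:2] == ["transport", "input"] and {"telnet", "all"} & set(c[2:]):
                findings.append((vty, "Telnet accepted by transport input"))
    return sorted(findings)

if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG):
        print(f"line vty {vty}: {finding}")
```

Feed it the text of "show running-config" saved to a file; an empty result means every vty range in that config has an inbound access-class backed by a defined list and no explicit Telnet transport.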