Restricting access to Telnet and SSH

By default, when you enable Telnet or SSH on a Cisco IOS router or switch, any host that can reach any IP address on the device can attempt to log in to it. The management plane is then exposed to every reachable subnet, and anyone who can send packets to the device can probe the service and guess credentials.

To reduce that exposure, restrict which source IP addresses or networks may connect to the VTY (virtual terminal) lines by applying an access control list (ACL) to those lines. Connections from any other source are refused before a login prompt is ever shown.

Understanding VTY Lines

VTY lines are the virtual terminal lines that terminate remote management sessions such as Telnet and SSH. Most Cisco devices have several of them (commonly 0-4, or 0-15 on newer platforms), one per concurrent remote session, and an incoming connection is placed on the lowest free line. Any restriction you apply must therefore cover every VTY line the device has, not just the first few.

Configuring Access Restrictions

Here's how to restrict access to VTY lines:

Step 1: Create an Access Control List

First, create a standard ACL to define which IP addresses should be allowed access:

Router(config)# access-list 10 permit 192.168.1.100
Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Router(config)# access-list 10 deny any

In this example:

  • Host 192.168.1.100 is allowed (a bare address in a standard ACL is treated as a single host)
  • The entire 10.0.0.0/8 network is allowed (0.255.255.255 is a wildcard mask, so a 1 bit means "ignore this bit")
  • All other source addresses are denied. A standard ACL ends with an implicit deny anyway, but the explicit entry gives you a hit counter in show access-lists for rejected attempts

Step 2: Apply the ACL to VTY Lines

Next, apply the ACL to the VTY lines:

Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config-line)# exit

The access-class command binds the ACL to the VTY lines themselves, so unlike an interface ACL it filters only connections destined for the device and has no effect on transit traffic. The in keyword means it is checked against the source address of incoming connections. Note that this example only covers lines 0 through 4: if the device also has lines 5 through 15 (check with show line), those remain unrestricted, and an attacker who connects while the first five lines are busy, or who simply lands on a higher line, bypasses the restriction. Apply the access-class to the full range the device supports.

Complete Configuration Example

Here's a complete example that restricts management access to specific networks and permits only SSH on all sixteen VTY lines. It assumes the SSH prerequisites are already in place: a hostname and ip domain-name, an RSA key pair generated with crypto key generate rsa, ip ssh version 2, and at least one username configured with a secret, which login local requires.

! Create ACL for management access
Router(config)# access-list 20 permit 192.168.100.0 0.0.0.255
Router(config)# access-list 20 permit host 10.1.1.50
Router(config)# access-list 20 deny any

! Configure VTY lines for SSH only with access restriction
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
Router(config-line)# access-class 20 in
Router(config-line)# login local
Router(config-line)# exit
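The step-by-step procedure and the complete example above are easy to get subtly wrong: an ACL entry with a bad wildcard mask, or a VTY range that does not cover every line, leaves a path in. The following script is an added example (not part of the original tutorial and not Cisco code) that audits a saved running-config offline. It parses standard numbered ACLs and line vty blocks from a constructed config excerpt, evaluates whether given source addresses would be permitted using the same wildcard-mask arithmetic IOS uses, and flags VTY ranges with no access-class or with Telnet still enabled. The excerpt deliberately mirrors the page's ACL 20 but leaves vty 5 15 unrestricted to show what the check catches. The assumption that the device has 16 VTY lines is marked in the code.

```python
"""Offline audit of Cisco IOS VTY access restrictions (added example, not Cisco code)."""
import ipaddress
import re

# Constructed running-config excerpt: vty 0-4 is locked down, vty 5-15 is not.
SAMPLE_CONFIG = """\
access-list 20 permit 192.168.100.0 0.0.0.255
access-list 20 permit host 10.1.1.50
access-list 20 deny any
line vty 0 4
 transport input ssh
 access-class 20 in
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""

VTY_LINES_TOTAL = 16  # assumption: platform has vty 0-15; adjust per device


def parse_standard_acls(config):
    """Return {acl_number: [(action, address_int, wildcard_int), ...]} in config order."""
    acls = {}
    pat = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if not m:
            continue
        num, action, target = int(m.group(1)), m.group(2), m.group(3).split()
        if target[-1] == "log":           # optional trailing keyword
            target = target[:-1]
        if target[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif target[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(target[1])), 0
        elif len(target) == 2:            # address + wildcard mask
            addr = int(ipaddress.IPv4Address(target[0]))
            wild = int(ipaddress.IPv4Address(target[1]))
        else:                             # bare address == exact host in IOS
            addr, wild = int(ipaddress.IPv4Address(target[0])), 0
        acls.setdefault(num, []).append((action, addr, wild))
    return acls


def acl_permits(entries, src_ip):
    """First-match evaluation with the implicit deny at the end.
    A wildcard bit of 1 means that bit is ignored in the comparison."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in entries:
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def parse_vty_blocks(config):
    """Return a list of dicts: first, last, acl (or None), transport (or None)."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            _, _, first, last = raw.split()
            current = {"first": int(first), "last": int(last), "acl": None, "transport": None}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            parts = raw.split()
            if parts[0] == "access-class" and parts[-1] == "in":
                current["acl"] = int(parts[1])
            elif parts[:2] == ["transport", "input"]:
                current["transport"] = parts[2:]
        else:
            current = None                # left the line block
    return blocks


def audit(config, test_sources=("192.168.100.77", "203.0.113.9")):
    """Return human-readable findings for the VTY configuration."""
    acls, findings, covered = parse_standard_acls(config), [], set()
    for b in parse_vty_blocks(config):
        covered.update(range(b["first"], b["last"] + 1))
        label = f"vty {b['first']} {b['last']}"
        if b["acl"] is None:
            findings.append(f"{label}: no access-class, reachable from any source")
            continue
        if b["transport"] != ["ssh"]:
            findings.append(f"{label}: transport input not restricted to ssh")
        for src in test_sources:
            verdict = "permit" if acl_permits(acls.get(b["acl"], []), src) else "deny"
            findings.append(f"{label}: acl {b['acl']} {verdict} {src}")
    missing = sorted(set(range(VTY_LINES_TOTAL)) - covered)
    if missing:
        findings.append(f"vty lines with no configuration block at all: {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config captured to a file to see which lines are actually protected; the finding for vty 5 15 is exactly the gap the page warns about when an access-class is applied only to vty 0 4.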

Verification Commands

Use these commands to verify your configuration:

Router# show access-lists
Router# show line vty 0 15
Router# show users

The show access-lists command displays your ACL entries with per-entry hit counts, so a rising count on the final deny entry shows connection attempts from outside the permitted ranges. The show line command shows the configuration of every VTY line in the range you specify (match it to the range you configured); the AccI column lists the inbound access class applied to each line, and a blank there means the line is unrestricted. show users displays the sessions currently connected and the address each one came from.

Best Practices

  • Use specific networks: Permit only the management hosts or subnets that actually need access, and keep the list as small as possible
  • Cover every line: Apply the access-class to the full VTY range the device has (line vty 0 15 where it exists); an unrestricted higher-numbered line undoes the whole control
  • Log rejected attempts: Add the log keyword to the final deny entry so refused connections are recorded, and watch the hit counters in show access-lists
  • Combine with strong authentication: Use local usernames with strong secrets or AAA authentication; the ACL limits who can reach the login prompt, it does not replace it
  • Disable unused services: If you only use SSH, remove Telnet with transport input ssh so credentials never cross the network in the clear
  • Monitor access: Regularly review logs and use show users to see who is connected and from where
  • Use named ACLs: For complex environments, consider named ACLs for better documentation and easier changes

Troubleshooting

If you're locked out after applying the ACL:

  1. Connect via the console cable (the access-class has no effect on the console line)
  2. Remove the access-class from the VTY lines: no access-class 20 in
  3. Correct the ACL so that it includes the source address your management traffic actually arrives from (remember that NAT or a jump host can change it)
  4. Reapply the access-class

Make the change from the console where possible. If you must work remotely, keep your existing session open and test the new restriction with a second session before closing the first; an existing session is not dropped when the ACL is applied, so it is your way back in. Scheduling a reload with reload in before the change, and cancelling it with reload cancel once you have confirmed access, gives you a recovery path if you do lock yourself out.