Protect VTYs with an Access List
telnet to your router, you connect to a VTY (virtual terminal). This
terminal lets you configure your router over the network, without a
physical connection to the console port. This capability is extremely
useful, but also dangerous: if you can configure your router over the
network, so can anyone else with the appropriate passwords. One way
to make the router more secure is to apply an access list to the VTY
ports. This list should allow connections only from certain hosts.
The following commands restrict telnet access to the 192.168.1.5
machine. We also apply an
disconnects idle connections:
! Define the access list access-list 5 permit 192.168.1.5 0.0.0.0 ! line vty 0 4 ! Only allow telnet tranport input telnet ! Apply our access list for incoming connections access-class 5 in ! Finally, apply an exec-timeout, which will disconnect an idle connection ! The timeout is 10 minutes and 0 seconds exec-timeout 10 0 Users and Authentication
Usernames are optional: many routers have a single password, which is given to everyone who needs access to the router. However, doing without usernames has obvious problems: you can never tell who is logged in, who just rebooted the router, or who is responsible for the configuration changes that broke your Internet connection. Usernames and passwords make it possible to trace who has done what; they add a sense of accountability and allow more fine-grained control over what individuals ...