List: bugtraq
Subject: Re: specifics on cisco DOS?
From: George Phillips <phillips () SPRINT ! NET>
Date: 1998-08-25 23:57:57
Many providers have modems attached to the console port on their routers.
In that situation, access-lists will do you no good. There are modems out
there that can be set up to demand a password before they will connect you
to the console port. I would suggest looking into these. It's always a
bad idea to be able to dial up directly to your console port...
--George
On Mon, 17 Aug 1998, Jared Mauch wrote:
> On Mon, Aug 17, 1998 at 05:43:36PM +0000, Roger Books wrote:
> > Does anyone have specifics on the latest DoS on cisco routers?
> >
> > http://www.cisco.com/warp/public/770/ioslogin-pub.shtml
> >
> > I have been assigned the task of determining not only if
> > we are vulnerable, but how difficult it is to perform
>
> Vulnerability should be fairly easy to determine via
> "sh ver"
>
> A "good" way to cause this to no longer be an issue
> for you is to assign inbound-vty access-lists on your routers,
> such that you can only telnet to them from certain ip addresses,
> hosts, etc..
>
> Here's an example of your config you would need to insert
> to your cisco router.
>
> access-list 50 permit 10.20.128.0 0.0.63.255
> line vty 0 4
> access-class 50 in
> login
> !
>
> This will allow 10.20.128.0/18 to telnet into your router ONLY.
> This will also help prevent joe-blow user from the internet
> from determining your router vendor. (Unless you do
> something silly like use snmp-server community public, or don't
> acl your snmp-server community public).
>
> A "good thing(tm)" IMHO.
>
> For your reference, here's the various subnet masks
> from one of my cisco-acl programs, so you can do this without problems:
>
> Format: cidr, cidr+slash, mask, cisco inverted-mask
>
> char lookupnfo[][4][16] = { { "32", "/32", "255.255.255.255", "0.0.0.0" },
> {"31", "/31", "255.255.255.254", "0.0.0.1"},
> {"30", "/30", "255.255.255.252", "0.0.0.3"},
> {"29", "/29", "255.255.255.248", "0.0.0.7"},
> {"28", "/28", "255.255.255.240", "0.0.0.15"},
> {"27", "/27", "255.255.255.224", "0.0.0.31"},
> {"26", "/26", "255.255.255.192", "0.0.0.63"},
> {"25", "/25", "255.255.255.128", "0.0.0.127"},
> {"24", "/24", "255.255.255.0", "0.0.0.255"},
> {"23", "/23", "255.255.254.0", "0.0.1.255"},
> {"22", "/22", "255.255.252.0", "0.0.3.255"},
> {"21", "/21", "255.255.248.0", "0.0.7.255"},
> {"20", "/20", "255.255.240.0", "0.0.15.255"},
> {"19", "/19", "255.255.224.0", "0.0.31.255"},
> {"18", "/18", "255.255.192.0", "0.0.63.255"},
> {"17", "/17", "255.255.128.0", "0.0.127.255"},
> {"16", "/16", "255.255.0.0", "0.0.255.255"},
> {"15", "/15", "255.254.0.0", "0.1.255.255"},
> {"14", "/14", "255.252.0.0", "0.3.255.255"},
> {"13", "/13", "255.248.0.0", "0.7.255.255"},
> {"12", "/12", "255.240.0.0", "0.15.255.255"},
> {"11", "/11", "255.224.0.0", "0.31.255.255"},
> {"10", "/10", "255.192.0.0", "0.63.255.255"},
> { "9", "/9", "255.128.0.0", "0.127.255.255"},
> { "8", "/8", "255.0.0.0", "0.255.255.255"},
> { "7", "/7", "254.0.0.0", "1.255.255.255"},
> { "6", "/6", "252.0.0.0", "3.255.255.255"},
> { "5", "/5", "248.0.0.0", "7.255.255.255"},
> { "4", "/4", "240.0.0.0", "15.255.255.255"},
> { "3", "/3", "224.0.0.0", "31.255.255.255"},
> { "2", "/2", "192.0.0.0", "63.255.255.255"},
> { "1", "/1", "128.0.0.0", "127.255.255.255"},
> { "0", "/0", "0.0.0.0", "255.255.255.255" }
> } ;
>
> - jared
>
> --
> Jared Mauch | pgp key available via finger from jared@puck.nether.net
> | http://puck.nether.net/~jared/
>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Phillips Sprintlink =
= email: phillips@sprint.net Operations Engineering =
= pager: george-pager@sprint.net 703 689 7781 =
=- - -=
= "Do not meddle in the affairs of troff, for it is subtle and quick =
= to anger." =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
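
The inverted masks in the table quoted above are the bitwise complement of the netmask, so they can be computed instead of looked up. The C code below is an added example, not code from either poster: it builds the access-list line for a prefix, rejects a network address that has host bits set, and tests whether a source address would match the entry. All function names are assumptions made for this example, and the match test models a standard ACL entry only.

```c
#include <stdint.h>
#include <stdio.h>

/* Netmask for a prefix length 0..32; the /0 case avoids an undefined 32-bit shift. */
uint32_t prefix_to_mask(int prefix) {
    return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
}

/* Parse a dotted quad into a host-order value. Returns 0 on success, -1 on bad input. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
    return 0;
}

void format_ipv4(uint32_t v, char buf[16]) {
    snprintf(buf, 16, "%u.%u.%u.%u", v >> 24, (v >> 16) & 255, (v >> 8) & 255, v & 255);
}

/* Write "access-list <acl> permit <net> <wildcard>" into out.
   Returns 0 on success, -1 on bad input, -2 if net has host bits set. */
int make_acl_line(int acl, const char *net, int prefix, char *out, size_t len) {
    uint32_t addr, mask;
    char n[16], w[16];
    if (prefix < 0 || prefix > 32 || parse_ipv4(net, &addr) != 0) return -1;
    mask = prefix_to_mask(prefix);
    if (addr & ~mask) return -2;   /* e.g. 10.20.129.0/18 is not a network address */
    format_ipv4(addr, n);
    format_ipv4(~mask, w);         /* inverted mask = bitwise complement of the netmask */
    snprintf(out, len, "access-list %d permit %s %s", acl, n, w);
    return 0;
}

/* Would src match the entry? Bits set in the wildcard are "don't care" bits. */
int acl_matches(uint32_t src, uint32_t net, uint32_t wildcard) {
    return ((src ^ net) & ~wildcard) == 0;
}

int main(void) {
    char line[64];
    if (make_acl_line(50, "10.20.128.0", 18, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```

The alignment check catches the common mistake of pairing a wildcard with an address that is not on that prefix boundary, which would leave the vty ACL permitting a different range than the one intended.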