SAN Switch - Disabling the Telnet service on Brocade SAN switches
Disabling the Telnet protocol on Brocade SAN switches
By default, telnet is enabled on Brocade SAN switches. As part of security hardening of the devices it needs to be disabled. To implement the change, you have to modify the IP Filter policy so that inbound connectivity to TCP port 23 is denied.
1. Login to your SAN switch
2. By default, the IP filter policy cannot be changed, so first clone the default policy (one for IPv4 and one for IPv6).
> ipfilter --show
2 any tcp 23 permit
> ipfilter --clone Block_Telnet_ipv4 -from default_ipv4
> ipfilter --clone Block_Telnet_ipv6 -from default_ipv6
> ipfilter --show
3. Now, you have to remove the existing rule that permits connectivity on TCP service port 23.
Run ipfilter --show to find out the current rule number which permits the connectivity (rule 2 in the output above).
> ipfilter --delrule Block_Telnet_ipv4 -rule 2
> ipfilter --delrule Block_Telnet_ipv6 -rule 2
4. Now, add a rule to deny inbound connectivity to the fabric switch on TCP service port 23
> ipfilter --addrule Block_Telnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
> ipfilter --addrule Block_Telnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny
5. Now, save and apply the policy
> ipfilter --save Block_Telnet_ipv4
> ipfilter --save Block_Telnet_ipv6
> ipfilter --activate Block_Telnet_ipv4
> ipfilter --activate Block_Telnet_ipv6
> ipfilter --show
You should see the rule for port 23 listed as deny:
2 any tcp 23 deny
So, in summary (IPv4 policy shown; repeat with default_ipv6 for IPv6):
> ipfilter --show
> ipfilter --clone Block_telnet_23 -from default_ipv4
> ipfilter --delrule Block_telnet_23 -rule 2
> ipfilter --addrule Block_telnet_23 -rule 2 -sip any -dp 23 -proto tcp -act deny
> ipfilter --save Block_telnet_23
> ipfilter --activate Block_telnet_23
> ipfilter --show
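Once the policy is active, a hardening audit usually means collecting ipfilter --show from every switch and checking it rather than eyeballing it. The following is an added example (not from the original post or from Brocade) that parses output in the column order shown above, applies first-match semantics to find the rule that decides TCP/23, and also confirms TCP/22 is still permitted so that activating the policy cannot lock out the management session. The sample output and the "Name:" header line are constructed assumptions about the format.

```python
import re

# Constructed sample of `ipfilter --show` output in the column order the post
# shows (rule, source IP, protocol, dest port, action); the "Name:" header line
# is an assumption about the format, not copied from a real switch.
SAMPLE_BEFORE = """\
Name: default_ipv4, Type: ipv4, State: active
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 80 permit
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("default_ipv4", "Block_Telnet_ipv4") \
                            .replace("tcp 23 permit", "tcp 23 deny")

RULE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)\s+(permit|deny)\s*$")


def parse_policy(text):
    """Return (policy name, rules sorted by number); each rule is a dict."""
    name, rules = None, []
    for line in text.splitlines():
        hdr = re.match(r"^Name:\s*([^,\s]+)", line)
        if hdr:
            name = hdr.group(1)
        elif (m := RULE_RE.match(line)):
            rules.append({"num": int(m[1]), "sip": m[2], "proto": m[3],
                          "dport": m[4], "action": m[5]})
    return name, sorted(rules, key=lambda r: r["num"])


def first_match(rules, proto, port):
    """IP filter rules apply first-match, so the lowest-numbered hit decides."""
    for r in rules:
        if r["proto"] == proto and r["dport"] in (str(port), "any"):
            return r
    return None


def audit(text):
    """Telnet (tcp/23) must hit an explicit deny, and SSH (tcp/22) must still be
    permitted so that activating the policy cannot lock out the management session.
    An absent rule is conservatively reported as not blocked."""
    name, rules = parse_policy(text)
    telnet = first_match(rules, "tcp", 23)
    ssh = first_match(rules, "tcp", 22)
    return {
        "policy": name,
        "telnet_blocked": telnet is not None and telnet["action"] == "deny",
        "ssh_permitted": ssh is not None and ssh["action"] == "permit",
    }
```

Feed it the captured output of ipfilter --show from each switch; a policy that reports telnet_blocked as False, or ssh_permitted as False, should not be activated.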