Re: Cisco 2621

[Lincoln Yeoh <lyeoh () POP JARING MY>]

On cisco 2500 I believe aux 0 is tcp port 2001

It's often 2000+line number or something. It looks like aux 0 is line 65 on
your router and 1 on mine.

There are also corresponding ports for other "lines" especially access
servers - these are to allow you to control modems hooked to the router
remotely. Not sure if there is a port for console for various cisco routers.

I'm not sure if this is the best way to deal with it but in my cisco router
config I have:

access-list 102 deny   ip any any log

line aux 0
 access-class 102 in
 transport input all

This rejects and logs TCP connection attempts to the aux port of the router.

Btw if you telnet to the finger port (79) some access servers give you a
list of the accounts currently dialed into them. This sometimes helps get
info on people who are scanning your networks. Of course most savvy ISPs
disable this, but then savvy ISPs don't need help to track down people
scanning your stuff ;). Unfortunately not so savvy ISPs don't discipline
their customers for bad behaviour :(.

Have a nice day,

Link.

At 02:22 PM 07-09-2000 +0100, Ollie Whitehouse wrote:
> All,
>
> During a recent attack & penetration test the following was discovered,
> thought it might be interesting.
>
> Router : 2621
> Software : Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
> The router's AUX line had been configured as follows:
> line aux 0
> no exec
> password 7 **********
> login
> transport input all
>
> The NMAP scan of that network showed the following:
> Port       State       Service
> 23/tcp     open        telnet
> 2065/tcp   open        dlsrpn
>
> Doing a who on the router showed the following also (this is while a
> connection is open on port 2065):
> 2621router>who
>
>    Line      User       Host(s)              Idle Location
>  65 aux 0               incoming             00:00:32 192.168.0.1
> * 66 vty 0               idle                 00:00:00 192.168.11.87
>
> No exploitable, but just keep it in mind when you see port 2065 listening
> ;o).
>
> Rgds
>
> Ollie
> -----
> Ollie Whitehouse
> Security Team Leader
> Delphis Consulting
> tel: +44 (0)20 79160200
> mai: ollie () delphisplc com
>
> This e-mail and any files transmitted with it are intended solely for the
> addressee and are confidential. They may also be legally
> privileged.Copyright in them is reserved by Delphis Consulting PLC
> ["Delphis"] and they must not be disclosed to, or used by, anyone other than
> the addressee.If you have received this e-mail and any accompanying files in
> error, you may not copy, publish or use them in any way and you should
> delete them from your system and notify us immediately.E-mails are not
> secure.  Delphis does not accept responsibility for changes to e-mails that
> occur after they have been sent.  Any opinions expressed in this e-mail may
> be personal to the author and may not necessarily reflect the opinions of
> Delphis