N/A
Posts: 1
Registered: ‎11-30-2009

Disabling Telnet on a Brocade 300

For security reasons, I need to disable telnet on a Brocade 300, but for the life of me cannot find the CLI reference guides to do so. Any help would be greatly appreciated.

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: Disabling Telnet on a Brocade 300

Blocking Telnet

1. Connect to the switch and log in as admin.
Connect through some means other than Telnet: for example, through SSH.

2. Create a policy by typing the following command:
ipfilter --create <policyname> -type < ipv4 | ipv6 >
where <policyname> is the name of the new policy and -type specifies an IPv4 or IPv6 address.

Example of creating a policy
ipfilter --create block_telnet_v4 -type ipv4

3. Add a rule to the policy by typing the following command:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp <dest_port> -proto <protocol> -act <deny>
where the -sip option can be given as any, -dp is the port number for telnet (23), and -proto is tcp.

Example of adding a rule
ipfilter --addrule block_telnet_v4 -rule 2 -sip any -dp 23 -proto tcp -act deny

4. Save the new ipfilter policy by typing the following command:
ipfilter --save <policyname>
where <policyname> is the name of the policy and is optional.

Example of saving a policy
ipfilter --save block_telnet_v4

5. Activate the new ipfilter policy by typing the following command:
ipfilter --activate <policyname>
where <policyname> is the name of the policy you created in step

Example of activating a policy
ipfilter --activate block_telnet_v4

Occasional Contributor
Posts: 5
Registered: ‎06-23-2010

Re: Disabling Telnet on a Brocade 300

The above only blocks telnet. Is there a command to actually turn off the service?

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: Disabling Telnet on a Brocade 300

If you are using an older FOS (5.3.x), then there is a way to disable the service.

Type

configure telnetd

and in response to the telnetd prompt type off

For newer (6.x) ones the only way is to use ipfilter. Download the admin guide for the FOS version you are running and you will find detailed notes on disabling telnet.

Hope this helps.

Occasional Contributor
Posts: 5
Registered: ‎06-23-2010

Re: Disabling Telnet on a Brocade 300

I've disabled telnet, using the above command exactly.

ipfilter --create block_telnetv4 -type ipv4
ipfilter --addrule block_telnetv4 -rule 1 -sip any -dp 23 -proto tcp -act deny
ipfilter --save block_telnetv4
ipfilter --activate block_telnetv4

However, I've also now lost all access via HTTP and SSH, and my monitoring tool has also lost access.

Now need to visit the datacenter.

What happened!!

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: Disabling Telnet on a Brocade 300

My mistake as well, apologies. The post I had was citing examples only to add ipfilter rules. In my previous post I did mention that you need to download the Admin Guide for your FOS version and follow the instructions there. What has happened is that the rule now denies access to all the ports. You will have to visit the Data Center, connect using the serial port, delete the new policy block_telnetv4, and activate the old policy.

ipfilter --delete block_telnetv4 -type ipv4

ipfilter --activate default_ipv4

Once done follow the Admin Guide for the FOS version installed on your switch for the appropriate method to disable telnet.

From the admin guide. ** Once again, I request that you download the Admin Guide and read all instructions. I'm posting excerpts here to help you narrow down to the right section in the guide. This is from the FOS 6.4 guide. You will find a section in your FOS guide with the title Blocking Telnet or Telnet protocol.

ATTENTION
Before blocking Telnet, make sure you have an alternate method of establishing a connection with the switch.

Blocking Telnet

If you create a new policy using commands with just one rule, all the missing rules have an implicit deny and you lose all IP access to the switch, including Telnet, SSH, and management ports.

1. Connect to the switch and log in as admin.
2. Clone the default policy by typing the ipFilter --clone command.
switch:admin> ipfilter --clone BlockTelnet -from default_ipv4
3. Save the new policy by typing the ipFilter --save command.
switch:admin> ipfilter --save BlockTelnet
4. Verify the new policy exists by typing the ipFilter --show command.
switch:admin> ipfilter --show
5. Add a rule to the policy, by typing the ipFilter --addrule command.
switch:admin> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny

ATTENTION
The rule number assigned has to precede the default rule number for this protocol. For example, in the defined policy, the Telnet rule number is 2, therefore to effectively block Telnet, the rule number to assign must be 1.
If you choose not to use 1, you will need to delete the telnet rule number 2 after adding this rule. Refer to “Deleting a rule to an IP Filter policy” on page 157 for more information on deleting IP filter rules.

6. Save the new ipfilter policy by typing the ipfilter --save command.
7. Verify the new policy is correct by typing the ipFilter --show command.
8. Activate the new ipfilter policy by typing the ipfilter --activate command.
switch:admin> ipfilter --activate BlockTelnet
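
Added example, not part of the original thread or the Brocade admin guide: a small Python model of first-match rule evaluation with implicit deny, showing why the single-rule policy cut off SSH, HTTP and monitoring while a cloned policy with the deny at rule 1 blocks only Telnet. The contents of the default-like policy, the helper names, and the insert-and-shift behaviour of rule numbers are assumptions for illustration; source IP is `any` throughout and is left out of the model.

```python
# Added illustration: first-match evaluation of an ipfilter-style policy
# with the implicit deny the admin guide excerpt describes.
# Policy contents below are constructed samples, not dumped from a switch.

MGMT = {"ssh": ("tcp", 22), "telnet": ("tcp", 23),
        "http": ("tcp", 80), "https": ("tcp", 443), "snmp": ("udp", 161)}

def add_rule(policy, index, proto, port, action):
    """Return a copy of policy with a rule inserted at 1-based index.
    Assumption: rules at or after that index shift down by one."""
    new = list(policy)
    new.insert(index - 1, (proto, port, action))
    return new

def verdict(policy, proto, port):
    """First matching rule wins; no match means implicit deny."""
    for r_proto, r_port, action in policy:
        if (r_proto, r_port) == (proto, port):
            return action
    return "deny"

def reachable(policy):
    """Names of management services the policy still permits."""
    return sorted(n for n, (p, d) in MGMT.items() if verdict(policy, p, d) == "permit")

def safe_to_activate(policy, required=("ssh",)):
    """Pre-activation check: telnet denied AND an alternate path remains."""
    open_services = reachable(policy)
    return "telnet" not in open_services and all(s in open_services for s in required)

# Constructed stand-in for default_ipv4 (the page only states telnet is rule 2).
DEFAULT_LIKE = [("tcp", 22, "permit"), ("tcp", 23, "permit"),
                ("tcp", 80, "permit"), ("tcp", 443, "permit"),
                ("udp", 161, "permit")]

# Policy created from scratch with a single deny rule (the lockout case).
single_rule = add_rule([], 1, "tcp", 23, "deny")
# Clone of the default with the deny inserted ahead of the telnet permit.
cloned = add_rule(DEFAULT_LIKE, 1, "tcp", 23, "deny")
# Same deny appended after the telnet permit: the permit still matches first.
appended = add_rule(DEFAULT_LIKE, len(DEFAULT_LIKE) + 1, "tcp", 23, "deny")

if __name__ == "__main__":
    for name, pol in [("single_rule", single_rule), ("cloned", cloned), ("appended", appended)]:
        print(f"{name:12} reachable={reachable(pol)} safe={safe_to_activate(pol)}")
```

Running the same check by eye against the `ipfilter --show` output before `ipfilter --activate` catches both failure modes: a policy that permits nothing, and a deny rule that sits behind the permit it is meant to override.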

New Contributor
Posts: 4
Registered: ‎10-14-2011

Re: Disabling Telnet on a Brocade 300

Lost all the connection...

Reg.bateup: How did you manage to log in to the switch?

External Moderator
Posts: 5,046
Registered: ‎02-23-2004

Re: Disabling Telnet on a Brocade 300

If you can no longer access via telnet, then use the Serial Management Port, and reset or reconfigure the "ipfilter" rule.

TechHelp24
