
Thread: Booting User on a Cisco Router?

  1. #1
    Junior Member
    Join Date
    Nov 2003
    Posts
    1

    Booting User on a Cisco Router?

    I have a newbie-ish question to toss out.

    If I am in my Cisco Router, and there are three users telnetting into the same router, one of which is causing problems by changing configurations, is there a way to boot that specific user selectively, and ban him from telnetting back into the router?

    -Thanks!
    Aphim
    The hopeless CCNA Student

  2. #2
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Uhhh... Change the password?


    There are other things you can do, since I am unsure of exactly what model etc., I can only give general ideas.

    1. Depending on your network configuration you can disable remote administration.


    2. Change the password
    Real security doesn't come with an installer.

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I would also restrict how many people can log into the router.
    I only allow one connection at a time.... and only through ssh, so they can't sniff UIDs and PWD.

    Also, you can use the disconnect command

    router#who
    Line User Host(s) Idle Location
    * 1 vty 0 username idle 00:00:00 somepc

    Interface User Mode Idle Peer Address
    Vi1 PPPoE 00:00:07 10.10.10.10

    router#disconnect vty 0
    Also, create ACLs that specify who can connect to it. You can do this by ip, subnet, network, etc.


    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    I'd change the password, and then create an ACL that does not let that user's MAC address touch your router.

  5. #5
    Junior Member
    Join Date
    Mar 2004
    Posts
    8
    If you're at the console, how about creating an ACL to block port 25? If you're also telnetting in, then once you're in, disable the others.

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Or go even further, connect the router to a TACACS server or RADIUS one and use that to authenticate users against the router, this will allow you to assign logins to each user, thus removing the need to all use the same account (which it sounds like you are doing) and also providing a secure login mechanism (as it's encrypted).
    Quis custodiet ipsos custodes

  7. #7
    Junior Member
    Join Date
    Oct 2003
    Posts
    26

    Re: Booting User on a Cisco Router?

    Originally posted here by Aphim
    I have a newbie-ish question to toss out.

    If I am in my Cisco Router, and there are three users telnetting into the same router, one of which is causing problems by changing configurations, is there a way to boot that specific user selectively, and ban him from telnetting back into the router?

    -Thanks!
    Aphim
    The hopeless CCNA Student

    You can use this line as an example to block a particular IP from accessing your router via telnet:

    access-list 51 deny 0.0.0.0 255.255.255.255
    access-list 52 permit (ip)
    line aux 0
    access-class 51 in
    line vty 0 4
    access-class 52 in


    I hope this helps.

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    Keep in mind though that if you only tie it down to an IP then all the user needs to do is spoof one of the valid IPs, which they can do easily if you are all on the same LAN, so some kind of password change is a better option.
    Quis custodiet ipsos custodes

  9. #9
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    If they are going in and "changing settings" etc, why even allow them the access to begin with?
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by rufus47
    If you're at the console, how about creating an ACL to block port 25? If you're also telnetting in, then once you're in, disable the others.
    I'm sure you meant port 23. Port 25 is SMTP.

    But anywayz...How many routers/switches do you have? If you need to administer a couple of them have you looked at TACACS? That way you can give everybody (that needs it) his/her own account/password and regulate who can do what.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
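
A configuration that combines the measures suggested in this thread (individual logins, SSH instead of Telnet, an ACL on the vty lines), as an added example that is not from any poster. The address 192.0.2.10, the host and domain names, the user names and the secrets are assumed placeholders, and local accounts stand in here for the TACACS or RADIUS server the thread mentions.

```cisco
! Added example; constructed values: 192.0.2.10 (admin workstation),
! hostname/domain, user names, and the placeholder secrets.
!
! Weak baseline the thread describes: one shared password over Telnet.
!   line vty 0 4
!    password <shared-password>
!    login
!    transport input telnet
!
! Hardened replacement (global configuration mode)
hostname router
ip domain-name example.com
! An RSA key pair is required before the SSH server will start
crypto key generate rsa modulus 2048
ip ssh version 2
!
! One account per person, so a change is attributable to a login
! and a single login can be removed without touching the others
username admin1 privilege 15 secret <REPLACE-WITH-SECRET-1>
username admin2 privilege 15 secret <REPLACE-WITH-SECRET-2>
!
! Only the management host may open a vty session; rejected attempts are logged
access-list 52 permit host 192.0.2.10
access-list 52 deny any log
!
line vty 0 4
 access-class 52 in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Dropping an active session (privileged EXEC, not config mode):
!   show users          <- find the vty line number of the session
!   clear line vty 0    <- terminate the session on that line
! Revoking that person's access afterwards (config mode):
!   no username admin2
```

With individual accounts, removing one `username` line locks out one person; with a shared password, the only remedy is the password change several posters recommend.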
