line numbers

gojericho0 (Member, Posts: 1,059)
I have a question concerning the numbers in the command line vty 0 4.

Does this mean that the router can have up to five telnet connections, with each one being on a separate line?

Comments

    darkuser (Member, Posts: 620)
    yes

    http://www.cisco.com/warp/public/707/21.html

    Controlling VTYs and Ensuring VTY Availability
    Any VTY should be configured to accept connections only with the protocols actually needed. This is done with the transport input command. For example, a VTY that was expected to receive only Telnet sessions would be configured with transport input telnet, while a VTY permitting both Telnet and SSH sessions would have transport input telnet ssh. If your software supports an encrypted access protocol such as SSH, it may be wise to enable only that protocol, and to disable cleartext Telnet. It's also usually a good idea to use the ip access-class command to restrict the IP addresses from which the VTY will accept connections.

    A Cisco IOS device has a limited number of VTY lines (usually five). When all of the VTYs are in use, no more remote interactive connections can be established. This creates the opportunity for a denial-of-service attack; if an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator may not be able to log in. The attacker doesn't have to log in to do this; the sessions can simply be left at the login prompt.

    One way of reducing this exposure is to configure a more restrictive ip access-class command on the last VTY in the system than on the other VTYs. The last VTY (usually VTY 4) might be restricted to accept connections only from a single, specific administrative workstation, whereas the other VTYs might accept connections from any address in a corporate network.

    Another useful tactic is to configure VTY timeouts using the exec-timeout command. This prevents an idle session from consuming a VTY indefinitely. Although its effectiveness against deliberate attacks is relatively limited, it also provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on incoming connections (with service tcp-keepalives-in) can help to guard against both malicious attacks and "orphaned" sessions caused by remote system crashes.

    Complete VTY protection can be provided by disabling all non-IP-based remote access protocols, and using IPSec encryption for all remote interactive connections to the router. IPSec is an extra-cost option, and its configuration is beyond the scope of this document.
    rm -rf /
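Added example, not taken from the post above or from the Cisco document it quotes: an IOS configuration that applies the controls the quoted text describes to the five lines selected by line vty 0 4 (VTY 0 through 4). The addresses are constructed (corporate network 10.0.0.0/8, administrative workstation 10.1.1.50), the hostname, domain name and local user are placeholders, and the RSA key size is an assumption; adapt all of them. In line configuration mode the command is access-class (the quoted document's "ip access-class" refers to the same control). After applying it, show users lists which VTY numbers are currently occupied and by whom, and clear line vty N drops a session that is holding a line.

```cisco
! Added example (not from the original post or the Cisco document).
! Assumed/placeholder values: hostname, domain, ACL names, addresses, user.
hostname R1
ip domain-name example.net
!
! SSH needs an RSA key pair; 2048 bits is an assumed size.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Detect dead peers so a crashed client does not hold a VTY forever.
service tcp-keepalives-in
!
! Constructed addresses: the corporate network and one admin workstation.
ip access-list standard VTY-CORP
 permit 10.0.0.0 0.255.255.255
 deny   any log
ip access-list standard VTY-ADMIN
 permit host 10.1.1.50
 deny   any log
!
! Placeholder local account used by "login local" on the VTYs.
username admin privilege 15 secret ChangeMe-Placeholder
!
! VTY 0-3: SSH only (no cleartext Telnet), corporate sources only,
! idle sessions dropped after 5 minutes 0 seconds.
line vty 0 3
 access-class VTY-CORP in
 transport input ssh
 exec-timeout 5 0
 login local
!
! VTY 4 (the last line): reserved for the admin workstation so one
! line stays reachable if the other four are tied up at a login prompt.
line vty 4
 access-class VTY-ADMIN in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Checks from exec mode after the change:
!   show users            - which VTY numbers are in use and from where
!   show line vty 0 4     - per-line status and access-class settings
!   clear line vty 2      - drop the session on VTY 2 (example number)
```

If the platform provides more than five VTYs (many current images default to 0-15), apply the same settings to the whole range and keep the reserved, tightly restricted access-class on the last line; otherwise the lines beyond 4 are left open with default settings.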
    gojericho0 (Member, Posts: 1,059)
    Thanks for the detailed response!!!