Wireless AP reachable over Telnet from the Internet: where do I block it?

network-engineering cisco-ios
2022-02-20 23:46:56

I inherited a Cisco 887VA with a Wifi module, which acts as our gateway and firewall.

Yesterday I ran some scans against the external interface [XX.XX.XX.XXX in the config below] and found some unexpectedly open ports.

I found the following, which allow telnet access to our network devices. Specifically:

2002  Telnet access to Wireless AP on Cisco 800  
4002  Telnet to something Cisco but times out before I can get a login. Suspect the Wireless AP again.  
6002  Telnet to the wireless AP
9002  Telnet to the wireless AP

The wireless AP is a module inside the router, bridged onto the main network. The configs are at the bottom.

I cannot see anything in either the AP's or the router's config that allows this access.

I am also not sure how Telnet manages to connect to the AP at all, since it appears to be configured for SSH only (transport input ssh).

As a separate question, port 2220 is configured to allow SSH connections to our router. Given that we only use local passwords, is this a bad idea?

Router config:

version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service linenumber
!
hostname COMPANY
!
boot-start-marker
boot system flash flash:/c800-universalk9-mz.SPA.154-3.M7.bin
warm-reboot
boot-end-marker
!
!
logging buffered 51200
enable secret 5 $xxxxxxxxxxxxxxxxxxxxxxxxx$
!
aaa new-model
!
!
aaa authentication banner C
*******************************************************************************
*******************************************************************************

aaa authentication login default local
aaa authentication login NO_AUTHEN none
aaa authentication login SSLVPN local
aaa authorization exec default local 
aaa authorization network groupauthor local 
!
!
!
!
!
aaa session-id common
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TRUSTPOINT
 enrollment selfsigned
 ip-address XX.XX.XX.XXX
 subject-name CN=remote.COMPANY.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain TRUSTPOINT
 certificate self-signed 01
  308203A2  7B64
    quit
!
!
!
!
!
!
!
!


!
!
!
!
ip flow-cache timeout active 1
ip domain name COMPANY.LOCAL
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-W-E-K9 sn XXXXXXXXX
!
!
username COMPANY password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto vpn anyconnect flash:/webvpn/anyconnect-win-4.4.00243-webdeploy-k9.pkg sequence 1
!
crypto vpn anyconnect flash:/webvpn/anyconnect-macosx-i386-4.2.02075-k9.pkg sequence 2
!
!
!
!
!
controller VDSL 0
!
! 
!
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 14
!
crypto isakmp policy 55
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 190.160.120.90 
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20
!
crypto isakmp client configuration group COMPANY
 key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 dns 192.168.50.2
 wins 192.168.50.2
 domain COMPANY.local
 pool VPN_CLIENTS
 acl 109
crypto isakmp profile VPNCLIENT
   match identity group VPN_CLIENTS
   client authentication list local
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile VTI
 set transform-set 3DES 
!
!
!
crypto dynamic-map DYNAMIC_MAP 10
 set transform-set 3DES 
 set isakmp-profile VPNCLIENT
!
!
crypto map COMPANY_RAS_VPN 10 ipsec-isakmp dynamic DYNAMIC_MAP 
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel65535
 description COMPANY to MSP256_VPNCORE TunnelTunnel65535
 ip address 10.99.199.2 255.255.255.252
 ip mtu 1374
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip load-sharing per-packet
 ip tcp adjust-mss 1334
 tunnel source XX.XX.XX.XXX
 tunnel mode ipsec ipv4
 tunnel destination 190.160.120.90
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 tunnel protection ipsec profile VTI
!
interface ATM0
 description 01883 349484 #23 Line 1
 no ip address
 shutdown
 no atm ilmi-keepalive
 hold-queue 224 in
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1
 switchport access vlan 82
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface FastEthernet3
 switchport access vlan 50
 no ip address
 duplex full
 speed 100
!
interface Wlan-GigabitEthernet0
 switchport access vlan 50
 no ip address
!
interface wlan-ap0
 ip unnumbered Vlan50
!
interface Vlan1
 no ip address
 ip virtual-reassembly in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip helper-address 192.168.50.2
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan82
 ip address XX.XX.XX.XXX 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 crypto map COMPANY_RAS_VPN
!
interface Dialer1
 description ADSL dialer PLusnet Dialer1
 ip address negotiated
 ip access-group ACL_Outside_In in
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
!
!
router eigrp 65535
 traffic-share min across-interfaces
 network 10.99.199.0 0.0.0.3
 network 10.168.50.0 0.0.0.255
 network 192.168.50.0
 passive-interface default
 no passive-interface Tunnel65535
 no passive-interface Vlan50
 no eigrp log-neighbor-changes
!
ip local pool NAT_POOL 10.168.50.0 10.168.50.255
ip local pool VPN_CLIENTS 192.168.50.220 192.168.50.229
ip local pool WEBVPN-POOL 192.168.50.230 192.168.50.234
ip forward-protocol nd
no ip http server
ip http port 8080
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source Vlan82
ip flow-export version 9
ip flow-export destination 192.168.50.12 12245
ip flow-export destination 192.168.50.12 12246
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 360
 match destination address 0.0.0.0 0.0.0.0
!
no ip nat service sip udp port 5060
ip nat pool COMPANY 10.168.50.0 10.168.50.255 prefix-length 24 type match-host
ip nat inside source list 101 interface Vlan82 overload
ip nat inside source static tcp 192.168.50.2 3389 interface Vlan82 3389
ip nat inside source static tcp 192.168.50.2 80 interface Vlan82 80
ip nat inside source static tcp 192.168.50.2 443 interface Vlan82 443
ip nat inside source static tcp 192.168.50.2 1723 interface Vlan82 1723
ip nat inside source static tcp 192.168.50.2 987 interface Vlan82 987
ip nat inside source static tcp 192.168.50.2 4125 interface Vlan82 4125
ip nat inside source static tcp 192.168.50.2 25 interface Vlan82 25
ip nat inside source static tcp 192.168.50.50 990 interface Vlan82 990
ip nat inside source static udp 192.168.50.50 990 interface Vlan82 990
ip nat inside source static tcp 192.168.50.50 50000 interface Vlan82 50000
ip nat inside source static udp 192.168.50.50 50000 interface Vlan82 50000
ip nat inside source static tcp 192.168.50.50 50001 interface Vlan82 50001
ip nat inside source static udp 192.168.50.50 50001 interface Vlan82 50001
ip nat inside source static tcp 192.168.50.50 50002 interface Vlan82 50002
ip nat inside source static udp 192.168.50.50 50002 interface Vlan82 50002
ip nat inside source static tcp 192.168.50.50 50003 interface Vlan82 50003
ip nat inside source static udp 192.168.50.50 50003 interface Vlan82 50003
ip nat inside source static tcp 192.168.50.50 50004 interface Vlan82 50004
ip nat inside source static udp 192.168.50.50 50004 interface Vlan82 50004
ip nat inside source static tcp 192.168.50.50 50005 interface Vlan82 50005
ip nat inside source static udp 192.168.50.50 50005 interface Vlan82 50005
ip nat inside source static tcp 192.168.50.50 50006 interface Vlan82 50006
ip nat inside source static udp 192.168.50.50 50006 interface Vlan82 50006
ip nat inside source static tcp 192.168.50.50 50007 interface Vlan82 50007
ip nat inside source static udp 192.168.50.50 50007 interface Vlan82 50007
ip nat inside source static tcp 192.168.50.50 50008 interface Vlan82 50008
ip nat inside source static udp 192.168.50.50 50008 interface Vlan82 50008
ip nat inside source static tcp 192.168.50.50 50009 interface Vlan82 50009
ip nat inside source static udp 192.168.50.50 50009 interface Vlan82 50009
ip nat inside source static tcp 192.168.50.50 50010 interface Vlan82 50010
ip nat inside source static udp 192.168.50.50 50010 interface Vlan82 50010
ip nat inside source static tcp 192.168.50.7 22 interface Vlan82 22
ip nat inside source static tcp 192.168.50.7 9090 interface Vlan82 9090
ip nat inside source static 192.168.50.1 10.168.50.1 route-map MSP256 extendable
ip nat inside source static 192.168.50.2 10.168.50.2 route-map MSP256 extendable
ip nat inside source static 192.168.50.3 10.168.50.3 route-map MSP256 extendable
ip nat inside source static 192.168.50.10 10.168.50.10 route-map MSP256 extendable
ip route 0.0.0.0 0.0.0.0 80.70.60.142
ip route 190.160.120.90 255.255.255.255 80.70.60.142
ip ssh port 2220 rotary 1
ip ssh source-interface Vlan50
ip ssh rsa keypair-name COMPANY.com
ip ssh version 2
!
ip access-list standard ACL_SPLIT_TUNNEL
!
ip access-list extended ACL_Outside_In
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 255.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq ntp any
 permit icmp any any unreachable
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit icmp any any administratively-prohibited
 permit icmp any any echo
 permit esp host 89.160.170.68 any
 permit udp host 89.160.170.68 any eq isakmp
 permit udp host 89.160.170.68 any eq non500-isakmp
 permit esp host 213.10.28.11 any
 permit udp host 213.10.28.11 any eq isakmp
 permit udp host 213.10.28.11 any eq non500-isakmp
 permit udp host 176.25.205.15 any eq 3700
 permit udp host 176.25.205.15 eq 3700 any
 permit udp host 80.238.12.230 eq 3700 any
 permit udp any any gt 1023
 remark permit udp any any
 deny   icmp any any
 deny   udp any any log
 deny   tcp any any log
 deny   ip any any log
ip access-list extended RAS_VPN_CLIENTS
 permit ip any host 192.168.50.220
 permit ip any host 192.168.50.221
 permit ip any host 192.168.50.222
 permit ip any host 192.168.50.223
 permit ip any host 192.168.50.224
 permit ip any host 192.168.50.225
 permit ip any host 192.168.50.226
 permit ip any host 192.168.50.227
 permit ip any host 192.168.50.228
 permit ip any host 192.168.50.229
!
logging trap debugging
logging source-interface Loopback0
dialer-list 1 protocol ip permit
!
route-map MSP256 permit 10
 match ip address 199
 match interface Tunnel65535
!
snmp-server community $$public$$ RO
snmp-server enable traps vrfmib vrf-up vrf-down
!
access-list 101 deny   ip 192.168.50.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 102 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.240.168.128 0.0.0.31
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.240.140.0 0.0.0.31
access-list 103 permit ip 192.168.50.0 0.0.0.255 10.99.15.0 0.0.0.255
access-list 104 permit ip host 192.168.50.201 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.202 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.203 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.204 192.168.50.0 0.0.0.255
access-list 104 permit ip host 192.168.50.205 192.168.50.0 0.0.0.255
access-list 109 permit ip any host 192.168.50.220
access-list 109 permit ip any host 192.168.50.221
access-list 109 permit ip any host 192.168.50.222
access-list 109 permit ip any host 192.168.50.223
access-list 109 permit ip any host 192.168.50.224
access-list 109 permit ip any host 192.168.50.225
access-list 109 permit ip any host 192.168.50.226
access-list 109 permit ip any host 192.168.50.227
access-list 109 permit ip any host 192.168.50.228
access-list 109 permit ip any host 192.168.50.229
access-list 199 permit ip 192.168.50.0 0.0.0.255 10.99.0.0 0.0.255.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
alias exec ap service-module wlan-ap0 session
!
line con 0
 exec-timeout 0 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
ntp source Vlan50
ntp server 3.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 0.uk.pool.ntp.org minpoll 10
onep
!
!
!
!
webvpn gateway WEBVPN-GATEWAY
 ip address XX.XX.XX.XXX port 9443  
 ssl encryption aes256-sha1
 ssl trustpoint TRUSTPOINT
 logging enable
 inservice
 !
webvpn context WEBVPN-CONTEXT
 title "COMPANY VPN"
 !
 acl "SSL-ACL"
   permit ip any 192.168.50.0 255.255.255.0
 login-message "COMPANY WebVPN"
 aaa authentication list SSLVPN
 gateway WEBVPN-GATEWAY
 max-users 8
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group WEBVPNPOLICY
   functions svc-enabled
   filter tunnel SSL-ACL
   svc address-pool "WEBVPN-POOL" netmask 255.255.255.0
   svc default-domain "COMPANY.local"
   svc rekey method new-tunnel
   svc split include 192.168.50.0 255.255.255.0
   svc dns-server primary 192.168.50.2
   svc wins-server primary 192.168.50.2
 default-group-policy WEBVPNPOLICY
!
end

Access point config:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname COMPANY_AP
!
logging rate-limit console 9
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid COMPANY
   authentication open
   authentication key-management wpa version 2
   guest-mode
   wpa-psk ascii 0 password1234
!
!
!
username patrick privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXX
!
!
ip ssh rsa keypair-name COMPANY.com
ip ssh version 2
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid COMPANY
 !
 antenna gain 0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.50.10 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.50.1
no ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
banner exec ^CC
-----------------------------------------------------------------------

-----------------------------------------------------------------------
^C
!
line con 0
 privilege level 15
 login local
 no activation-character
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input ssh
!
cns dhcp
end
2 answers

I think telnet is open on the router because line 2 is not configured with transport input ssh:

line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1  

I will get back to you again; I suggest removing that config, we only need the ssh and acl configuration.
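The two checks a reviewer would run against the posted router config, written up as an added audit script (this is not code from the question or from either answer). Two facts drive it: on Cisco IOS an async line N is reachable by reverse telnet on TCP 2000+N, plus 4000+N (raw TCP), 6000+N (binary telnet) and 9000+N (xremote), which is exactly why `line 2` with `transport input all` shows up in the scan as 2002/4002/6002/9002; and an inbound ACL only protects the interface it is applied to, and in the posted config ACL_Outside_In sits on Dialer1 while Vlan82, the interface that actually holds the public address, has no `ip access-group ... in`. The script parses an IOS-style config into sections and reports both conditions. The section parser and the port bases are my own assumptions about the IOS format, and the embedded config is a constructed, trimmed sample in the same shape as the posted one (posted names kept, public address replaced by a documentation placeholder).

```python
"""Audit an IOS-style running-config for the two exposures discussed in the thread.

Added example, not code from the question or the answers. The config parser and the
reverse-telnet port bases are assumptions about the IOS format.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the shape of the posted 887VA config; the public
# address is a documentation placeholder, everything else keeps the posted names.
SAMPLE_CONFIG = """\
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface Vlan82
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map COMPANY_RAS_VPN
!
interface Dialer1
 ip address negotiated
 ip access-group ACL_Outside_In in
 ip nat outside
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 rotary 1
 transport input ssh
!
end
"""

# IOS listens for reverse connections to async line N on TCP base+N:
# 2000 telnet, 4000 raw TCP, 6000 binary telnet, 9000 xremote.
REVERSE_TELNET_BASES = (2000, 4000, 6000, 9000)

Section = Tuple[str, List[str]]


def parse_sections(config: str) -> List[Section]:
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # blank lines and '!' separators carry nothing
        if line.startswith(" "):
            if current is not None:
                current[1].append(line.strip())
        else:
            current = (line, [])
            sections.append(current)
    return sections


def exposed_async_lines(config: str) -> Dict[str, List[int]]:
    """Map each numbered async line that accepts telnet to the TCP ports it exposes."""
    findings: Dict[str, List[int]] = {}
    for head, body in parse_sections(config):
        m = re.fullmatch(r"line (\d+)(?: (\d+))?", head)
        if not m:
            continue                      # con/aux/vty lines have no reverse-telnet port
        transports = [cmd.split()[2:] for cmd in body if cmd.startswith("transport input ")]
        if not transports:
            continue                      # nothing explicit; platform default, not flagged
        allowed = transports[-1]          # the last 'transport input' is the one in effect
        if "all" in allowed or "telnet" in allowed:
            first, last = int(m.group(1)), int(m.group(2) or m.group(1))
            findings[head] = [base + n for n in range(first, last + 1)
                              for base in REVERSE_TELNET_BASES]
    return findings


def unfiltered_outside_interfaces(config: str) -> List[str]:
    """Interfaces marked 'ip nat outside' that carry no inbound 'ip access-group'."""
    names: List[str] = []
    for head, body in parse_sections(config):
        if not head.startswith("interface ") or "ip nat outside" not in body:
            continue
        if not any(re.fullmatch(r"ip access-group \S+ in", cmd) for cmd in body):
            names.append(head.split(" ", 1)[1])
    return names


def audit(config: str) -> List[str]:
    """Human-readable findings; an empty list means neither condition was seen."""
    report: List[str] = []
    for head, ports in exposed_async_lines(config).items():
        report.append(f"{head}: telnet accepted, reverse-telnet TCP ports {ports}")
    for name in unfiltered_outside_interfaces(config):
        report.append(f"interface {name}: ip nat outside with no inbound access-group")
    return report


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports `line 2` with ports 2002/4002/6002/9002 and `Vlan82` as an outside interface with no inbound ACL. The two direct fixes those findings point at are an inbound `access-class` on line 2 that only admits the addresses that legitimately need the AP console, and applying ACL_Outside_In inbound on Vlan82 as well as Dialer1; re-run the original external scan afterwards to confirm the four ports are gone.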

To clear this from the unanswered list.

After discovering that this was just one of a long list of problems with this device's configuration, and a relatively minor one at that, the solution was to set up a pfSense box on some spare hardware we had and get rid of the Cisco entirely.