Disabling Telnet on Brocade Switches

We were recently directed by audit requirements to disable telnet access on all of our Brocade switches. We're going to use ssh only for remote access. The steps for disabling telnet aren't obvious, although it's not difficult to do. I've outlined two different procedures below for disabling telnet on FOS, as the method differs depending on whether you're running a FOS version below 5.3.x.

Commands for disabling telnet for IPv4 and IPv6

For FOS 5.3.x and above:

You cannot change the default filter sets, so you have to clone default_ipv4 and default_ipv6 to new sets. While logged on to the switch using ssh, enter the following commands:

ipfilter --clone BlockPort23 -from default_ipv4

ipfilter --clone BlockPort23ipv6 -from default_ipv6

A filter set is built on a list of numbered rules. You need to verify the number of the rule for the telnet port (23). This can be done with this command:

ipfilter --show

The default rule for telnet is 2.

The next step is to delete the old rule and create a new one. Change -rule 2 to the appropriate rule number from the previous step, if needed.

ipfilter --delrule BlockPort23 -rule 2

ipfilter --delrule BlockPort23ipv6 -rule 2

ipfilter --addrule BlockPort23 -rule 2 -sip any -dp 23 -proto tcp -act deny

ipfilter --addrule BlockPort23ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Next you need to save the new filter sets and activate them:

ipfilter --save BlockPort23

ipfilter --save BlockPort23ipv6

ipfilter --activate BlockPort23

ipfilter --activate BlockPort23ipv6

Now all inbound TCP traffic to port 23 is denied. You can verify it by typing ipfilter --show again:

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit 
2     any                                            tcp       23     deny 
3     any                                            tcp      897     permit 
4     any                                            tcp      898     permit 
5     any                                            tcp      111     permit 
6     any                                            tcp       80     permit 
7     any                                            tcp      443     permit 
8     any                                            udp      161     permit 
9     any                                            udp      111     permit 
10    any                                            udp      123     permit 
11    any                                            tcp      600 - 1023     permit 
12    any                                            udp      600 - 1023     permit 
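As an added example (not part of the original post), here is a small Python checker that parses the text of ipfilter --show, as listed above, and reports, for each active policy, whether tcp/23 is covered by an explicit deny rule, which is the evidence the audit asked for. The sample output is constructed for the example; it assumes rules are evaluated in order and treats a policy with no matching rule as unproven rather than relying on an implicit deny.

```python
import re

# Constructed sample of `ipfilter --show` output (not captured from a switch): the
# default_ipv4 set, now only "defined", still permits 23; BlockPort23ipv6 denies it.
SAMPLE_OUTPUT = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit

Name: BlockPort23ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     deny
11    any                                            tcp      600 - 1023     permit
"""
HEADER_RE = re.compile(r"^Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)")

def parse_ipfilter_show(text):
    """Map each policy name to its type, state and ordered rule list."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(2), "state": m.group(3), "rules": []}
            policies[m.group(1)] = current
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            lo = int(m.group(4))  # single port, or low end of a "600 - 1023" range
            current["rules"].append({"rule": int(m.group(1)), "proto": m.group(3),
                                     "lo": lo, "hi": int(m.group(5) or lo),
                                     "action": m.group(6)})
    return policies

def explicit_disposition(policy, port=23, proto="tcp"):
    """Action of the first rule covering proto/port (in-order evaluation assumed);
    None when nothing matches, so an implicit deny is never counted as evidence."""
    for r in policy["rules"]:
        if r["proto"] == proto and r["lo"] <= port <= r["hi"]:
            return r["action"]
    return None

def audit_telnet(text):
    """True per active policy only when tcp/23 is explicitly denied."""
    return {name: explicit_disposition(p) == "deny"
            for name, p in parse_ipfilter_show(text).items()
            if p["state"] == "active"}
```

Feed it the captured output from each switch and any active policy that maps to False is one where telnet is still permitted or only implicitly blocked.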

For FOS 5.2.x and below:

It's a bit simpler for the older FOS versions. Simply type "configure" at the prompt, answer yes for system services, then "off" for telnetd.

switchname:admin> configure
Not all options will be available on an enabled switch. To disable the switch, use the "switchDisable" command.
  System services (yes, y, no, n): [no] y
    rstatd (on, off): [off]
    rusersd (on, off): [off]
    telnetd (on, off): [on] off
  ssl attributes (yes, y, no, n): [no]
  http attributes (yes, y, no, n): [no]
  snmp attributes (yes, y, no, n): [no]
  rpcd attributes (yes, y, no, n): [no]
  cfgload attributes (yes, y, no, n): [no]
  webtools attributes (yes, y, no, n): [no]

10 thoughts on “Disabling Telnet on Brocade Switches”

  1. For the newer FoS versions, wouldn’t removing rule 2, from the cloned policy, accomplish the same thing, since the default ipFilter action is to deny?

    1. I didn’t test that, but assuming an implicit ‘deny all’ then yes you would be correct. Proving compliance with an explicitly defined rule was done for inclusion in an audit report.

