Disabling the Telnet protocol on Brocade SAN switches

By default Brocade SAN switches have the Telnet protocol enabled, you may wish to disable this as part of security hardening of your devices to mitigate to the session being transmitted in clear text and enforce SSH connectivity as the management protocol.

In order to disable the Telnet protocol you will be required to modify the IP filter policy to disable inbound connectivity to the TCP service port, which can be performed using the Fabric OS CLI.

As the default IP filter policy cannot be modified,  in order to modify the rules an IP filter policy is required to be created by cloning the default policy.

ipfilter –-clone deny_telnet_ipv4 -from default_ipv4 
ipfilter –-clone deny_telnet_ipv6 -from default_ipv6

Once we have cloned the default policies we will be required to remove the existing rule to permit connectivity on TCP service port 23. By invoking the command ‘ipfilter –show’, we can determine the current rule number which permits the connectivity.

ipfilter --delrule deny_telnet_ipv4 -rule 2
ipfilter --delrule deny_telnet_ipv6 -rule 2

Now we will add the rule to deny inbound connectivity to the fabric switch on TCP service port 23.

ipfilter –-addrule deny_telnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter –-addrule deny_telnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Now that we have created the rule we will first save the IP filter policy and then apply to the fabric switch

ipfilter –-save deny_telnet_ipv4 
ipfilter –-save deny_telnet_ipv6
ipfilter –-activate deny_telnet_ipv4 
ipfilter –-activate deny_telnet_ipv6
Advertisements

4 thoughts on “Disabling the Telnet protocol on Brocade SAN switches

  1. Hi Dean,
    do we need to derule the newly created clone rule or the default rule?
    ipfilter –delrule deny_telnet_ipv4 -rule 2
    ipfilter –delrule deny_telnet_ipv6 -rule 2

    Like

    1. We will need to delete the rule from the cloned IP filter policy as the default policy may not be modified. Once we have saved the cloned IP filter and activated, this will then be loaded to the fabric switch configuration instead of the default.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s