I don't see the typical lines in your config that you see on most routers:

no service udp-small-servers
no service tcp-small-servers

They could be missing because they are the default (and not displayed), but
they could be missing because they really aren't configured. Despite being
the default, they used to always be displayed, but Cisco plays with that
aspect of IOS with every release, causing us much grief in trying to figure
out which features are on or not. Regardless, somehow you will want to make
sure that those services are not enabled. I haven't seen a recent list of
what they refer to, but they may refer to some of the ports that your
scanner thinks are open.

A few other things you should do:

no service finger
no ip bootp 
no ip identd
no ntp enable
no tftp server
no ip http server

Some of those are probably the default, though....

Oh, I just noticed you already have no ip bootp, which makes me question
your scanner claiming that DHCP is open. DHCP uses Bootp. What is this
scanner? Do you trust its reliability? ;-)

One more comment below...

[EMAIL PROTECTED] wrote:
> 
> I'm running 12.2(11)T ip/fw/ids/3DES..... The scan came back with Cu-seeme,
> talk, tftp, rpc-nfs, rwho, biff, name, rpc-portmapper, rwho, snmp-agent,
> syslog, dhcp, dns, etc...  Since the router is fundamentally a unix box I
> can see this happening...  How the heck do ya shutdown the services?  Also
> tried shutting down the VoIP stuff... No go!  I didn't think an ACL would be
> useful given the services appear to be running on the router itself.

That's OK. You can do an extended access list to block access to ports on
the router itself. You may be remembering the issue with access lists not
applying to traffic sourced from the router, but they do apply to traffic
destined to the router.

Priscilla

> Kinda like stopping a service on a *nix or windoz computer.  Plz lemme know
> your thoughts....
> 
> version 12.2
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname Lhotse
> no logging console
> aaa new-model
> !
> aaa authentication login ops line
> aaa session-id common
> enable secret 
> enable password
> !
> ip subnet-zero
> no ip source-route
> !
> no ip domain lookup
> ip domain name abnamrousa.com
> !
> no ip bootp server
> ip audit notify log
> ip audit po max-events 100
> !
> mta receive maximum-recipients 0
> !
> interface Ethernet0/0
>  ip address x.x.x.x 255.255.255.0
>  ip access-group 2 out
>  ip nat inside
>  half-duplex
>  no cdp enable
> !
> interface Serial0/0
>  bandwidth 1536
>  no ip address
>  no ip redirects
>  no ip unreachables
>  encapsulation frame-relay IETF
>  no ip route-cache
>  no ip mroute-cache
>  no fair-queue
>  service-module t1 timeslots 1-24
>  frame-relay lmi-type ansi
> !
> interface Serial0/0.1 point-to-point
>  bandwidth 1536
>  ip address y.y.y.y 255.255.255.252
>  ip access-group 1 in
>  no ip redirects
>  no ip unreachables
>  ip nat outside
>  no ip route-cache
>  no ip mroute-cache
>  no cdp enable
>  frame-relay interface-dlci 501 IETF   
> !
> interface Ethernet0/1
>  no ip address
>  shutdown
>  half-duplex
>  no cdp enable
> !
> interface Serial0/1
>  no ip address
>  no keepalive
>  shutdown
>  no cdp enable
> !
> ip classless
> no ip http server
> !
> access-list 1 deny   65.204.141.10
> access-list 1 deny   65.204.68.194
> access-list 1 deny   65.204.132.5
> access-list 1 deny   65.3.0.83
> access-list 1 deny   65.204.176.42
> access-list 1 deny   80.132.79.133
> access-list 1 deny   65.5.36.66
> access-list 1 deny   65.0.13.111
> access-list 1 deny   65.204.21.189
> access-list 1 deny   65.204.103.194
> access-list 1 deny   65.204.95.250
> access-list 1 deny   65.204.103.196
> access-list 1 deny   65.204.39.133
> access-list 1 deny   65.204.232.83
> access-list 1 deny   65.204.212.31
> access-list 1 deny   65.196.200.11
> access-list 1 deny   65.115.13.98
> access-list 1 deny   65.204.39.244
> access-list 1 deny   65.204.222.51
> access-list 1 deny   65.204.219.50
> access-list 1 deny   65.195.0.229
> access-list 1 deny   65.204.176.77
> access-list 1 deny   65.204.135.120
> access-list 1 deny   65.204.57.200
> access-list 1 deny   64.168.217.182
> access-list 1 deny   65.204.38.59
> access-list 1 deny   65.204.73.87
> access-list 1 deny   65.204.0.30
> access-list 1 deny   65.204.118.100
> access-list 1 deny   65.204.220.227
> access-list 1 deny   65.204.61.3
> access-list 1 deny   65.204.29.36
> access-list 1 deny   65.204.135.200
> access-list 1 deny   65.204.135.205
> access-list 1 deny   65.204.240.181
> access-list 1 deny   65.204.135.209
> access-list 1 deny   65.204.135.214
> access-list 1 deny   65.204.160.201
> access-list 1 deny   65.204.160.200
> access-list 1 deny   65.204.103.2
> access-list 1 deny   65.204.160.199
> access-list 1 deny   65.204.160.198
> access-list 1 deny   65.204.160.195
> access-list 1 deny   65.204.202.180
> access-list 1 deny   65.204.202.179
> access-list 1 deny   65.204.49.67
> access-list 1 deny   65.204.125.0 0.0.0.255
> access-list 1 permit any
> access-list 2 deny   199.172.158.0 0.0.0.255
> access-list 2 deny   128.242.104.0 0.0.0.255
> access-list 2 permit any
> access-list 13 permit x.x.x.x
> no cdp run
> !
> no call rsvp-sync
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> line con 0
>  exec-timeout 0 0
> line aux 0
> line vty 0 4
>  access-class 13 in
>  password
>  login authentication ops
>  transport input ssh
> !
> end
> 
> -----Original Message-----
> From: Mark W. Odette II [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, September 18, 2002 11:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: IOS upgrade/Strange services [7:53492]
> 
> 
> What's the version of IOS?
> 
> What's your Access-lists look like??
> 
> Truthfully, AFAIK, the only way that all of those services could be
> detected from multiple hosts after performing a port scan (assuming from
> the "far-end"/"outside" interface) is from either
> 
> A) not having access-lists defined and static NAT is in place for each
> of the hosts in question, or 
> B) there are access-lists in place, but said ACLs are being
> used/implemented incorrectly... i.e., Something like acl 101 permit ip
> any any rather than a more granular set of permit statements and a deny
> for everything else.
> 
> Can you post a scrubbed version of your config for this router??
> 
> -Mark
> 
> 

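Putting Priscilla's two points together (state the service shutdowns explicitly so the running-config shows them, and use an extended access list for traffic destined to the router itself), here is an added example configuration; it is not from the thread, and it assumes y.y.y.y is the router's own Serial0/0.1 address and that the scan was run from the outside, as Mark supposed.

```cisco
! Added example (not from the thread): explicit service shutdown plus an
! extended ACL that protects the router's own outside address.
! y.y.y.y is the placeholder address used in the posted config.
!
! 1. State the small-server lines explicitly so the config shows them
!    regardless of what a given IOS release treats as the default.
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip identd
no ip bootp server
no ip http server
!
! 2. Extended ACL 101 replaces standard ACL 1 on Serial0/0.1 (one ACL per
!    interface per direction), so the source denies from ACL 1 must be
!    carried over, one line per entry.
access-list 101 remark -- source blocks carried over from access-list 1 --
access-list 101 deny   ip host 65.204.141.10 any
access-list 101 deny   ip 65.204.125.0 0.0.0.255 any
access-list 101 remark -- (repeat for every remaining entry in access-list 1) --
access-list 101 remark -- scan-reported services, destined to the router itself --
access-list 101 remark -- 7-19 covers echo, discard, daytime, chargen (small servers) --
access-list 101 deny   tcp any host y.y.y.y range 7 19
access-list 101 deny   udp any host y.y.y.y range 7 19
access-list 101 deny   udp any host y.y.y.y eq 69
access-list 101 deny   tcp any host y.y.y.y eq 79
access-list 101 deny   tcp any host y.y.y.y eq 111
access-list 101 deny   udp any host y.y.y.y eq 111
access-list 101 deny   tcp any host y.y.y.y eq 113
access-list 101 deny   udp any host y.y.y.y eq 161
access-list 101 deny   udp any host y.y.y.y range 512 514
access-list 101 deny   udp any host y.y.y.y eq 517
access-list 101 remark -- keep transit traffic flowing; NAT overload on this --
access-list 101 remark -- interface means a blanket "deny ip any host y.y.y.y" --
access-list 101 remark -- would also drop translated return traffic --
access-list 101 permit ip any any
!
interface Serial0/0.1 point-to-point
 no ip access-group 1 in
 ip access-group 101 in
!
! Verify with "show ip access-lists 101": a repeat of the scan should bump
! the deny counters instead of reaching the services.
```

VTY access is already limited by access-class 13 and transport input ssh, so no SSH permit is needed in ACL 101; the specific-port denies (rather than a blanket deny to y.y.y.y) are deliberate because the inbound ACL is checked before the NAT outside-to-inside translation.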



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53588&t=53492