ANNOUNCE: pm2_3.1.3c2 fixes Telnet break problem

Carl Rigney ((no email))
Fri, 8 Sep 1995 16:06:21 -0700

The problem with a telnet break rebooting the PortMaster is fixed in
3.1.4, which hasn't been released yet, so for the convenience of our
customers who don't want to wait for 3.1.4 we're making 3.1.3c2
available. 3.1.3c2 has been running for 3 weeks at several sites and
should be quite stable. If you'd rather wait for 3.1.4, a couple of
workarounds are described below.

If you wish to upgrade your PortMaster to 3.1.3c2, please FTP
<ftp://ftp.livingston.com/pub/livingston/upgrades/pm2_3.1.3c2>
and place it in /usr/portmaster/data/pm2_3.1.3c2 on a host that
supports pminstall, then run pminstall (or choose the Install button
from pmconsole).

You can change the TCP administrative port with the "set telnet" command,
or disable telnet access entirely with "set telnet 0".
NOTE that if you use "set telnet 0" you turn off YOUR ability to telnet to
the PortMaster as well.

A more complicated but less drastic approach is to use an input packet
filter. The following example filter turns off telnet access to the
PortMaster itself from the interface it is applied to, and logs such
attempts to your loghost using the auth.notice facility and priority.
If your PortMaster has multiple addresses (for example, one address on
the ethernet interface and another address for the Frame Relay
interface on W1 on a PM-2ER) you will need rules for both addresses.

In this example, the PortMaster's IP address is 192.168.2.2 and you
want to allow telnet to it from hosts on the 192.168.2.0 network and
block telnet to it from all other hosts. If you've moved your
administrative telnet port to something other than the default 23,
replace 23 in the following commands with that port number.

BE CAREFUL not to block your own access to the router if you are using
telnet to configure this filter!

add filter notelnet.in
add filter notelnet.in 1 permit 192.168.2.0/24 192.168.2.2/32 tcp dst eq 23 log
add filter notelnet.in 2 deny 0.0.0.0/0 192.168.2.2/32 tcp dst eq 23 log
add filter notelnet.in 3 permit
set ether0 ifilter notelnet.in
save all
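To see how the filter above behaves before applying it, here is an added Python model of the rule evaluation (not Livingston code): it parses the "add filter" lines as written above and walks them first match wins. The implicit deny when no rule matches, which is why rule 3 "permit" is needed, is an assumption of this model; the sample packets are constructed.

```python
import ipaddress

# Constructed copy of the filter from the announcement, used as sample input.
FILTER_CONFIG = """
add filter notelnet.in
add filter notelnet.in 1 permit 192.168.2.0/24 192.168.2.2/32 tcp dst eq 23 log
add filter notelnet.in 2 deny 0.0.0.0/0 192.168.2.2/32 tcp dst eq 23 log
add filter notelnet.in 3 permit
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rules(config):
    """Parse 'add filter NAME N action [src dst [proto [dst eq PORT]]] [log]' lines."""
    rules = []
    for line in config.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[3].isdigit():
            continue  # a bare 'add filter notelnet.in' only creates the empty filter
        rule = {"action": tok[4], "src": ANY, "dst": ANY, "proto": None,
                "dport": None, "log": tok[-1] == "log"}
        rest = [t for t in tok[5:] if t != "log"]
        if len(rest) >= 2:
            rule["src"] = ipaddress.ip_network(rest[0])
            rule["dst"] = ipaddress.ip_network(rest[1])
        if len(rest) >= 3:
            rule["proto"] = rest[2]
        if len(rest) >= 6 and rest[3:5] == ["dst", "eq"]:
            rule["dport"] = int(rest[5])
        rules.append(rule)
    return rules


def evaluate(rules, src, dst, proto, dport):
    """Return (action, logged) for the first matching rule.

    Assumption: a packet matching no rule is dropped, so a filter without a
    trailing 'permit' blocks all traffic on the interface, not just telnet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r["src"] and d in r["dst"]
                and r["proto"] in (None, proto) and r["dport"] in (None, dport)):
            return r["action"], r["log"]
    return "deny", False


RULES = parse_rules(FILTER_CONFIG)
```

Dropping rule 3 and re-running `evaluate` on ordinary traffic through the PortMaster shows why the final catch-all permit matters.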

If you're having problems with your dial-in users doing this, you can
block that too by adding the following RADIUS attribute:

Framed-Filter-Id = "notelnet"

(Note that the PortMaster adds the .in automatically.)

--
Carl Rigney
support@livingston.com