Deans Blog

By default Brocade SAN switches have the Telnet protocol enabled, you may wish to disable this as part of security hardening of your devices to mitigate to the session being transmitted in clear text and enforce SSH connectivity as the management protocol.

In order to disable the Telnet protocol you will be required to modify the IP filter policy to disable inbound connectivity to the TCP service port, which can be performed using the Fabric OS CLI.

As the default IP filter policy cannot be modified,  in order to modify the rules an IP filter policy is required to be created by cloning the default policy.

ipfilter –-clone deny_telnet_ipv4 -from default_ipv4 
ipfilter –-clone deny_telnet_ipv6 -from default_ipv6

Once we have cloned the default policies we will be required to remove the existing rule to permit connectivity on TCP service port 23. By invoking the command ‘ipfilter –show’, we can determine the current rule number which permits the connectivity.

ipfilter --delrule deny_telnet_ipv4 -rule 2
ipfilter --delrule deny_telnet_ipv6 -rule 2

Now we will add the rule to deny inbound connectivity to the fabric switch on TCP service port 23.

ipfilter –-addrule deny_telnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny
ipfilter –-addrule deny_telnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny

Now that we have created the rule we will first save the IP filter policy and then apply to the fabric switch

ipfilter –-save deny_telnet_ipv4 
ipfilter –-save deny_telnet_ipv6
ipfilter –-activate deny_telnet_ipv4 
ipfilter –-activate deny_telnet_ipv6