By default Brocade SAN switches have the Telnet protocol enabled, you may wish to disable this as part of security hardening of your devices to mitigate to the session being transmitted in clear text and enforce SSH connectivity as the management protocol.
In order to disable the Telnet protocol you will be required to modify the IP filter policy to disable inbound connectivity to the TCP service port, which can be performed using the Fabric OS CLI.
As the default IP filter policy cannot be modified, in order to modify the rules an IP filter policy is required to be created by cloning the default policy.
ipfilter –-clone deny_telnet_ipv4 -from default_ipv4 ipfilter –-clone deny_telnet_ipv6 -from default_ipv6
Once we have cloned the default policies we will be required to remove the existing rule to permit connectivity on TCP service port 23. By invoking the command ‘ipfilter –show’, we can determine the current rule number which permits the connectivity.
ipfilter --delrule deny_telnet_ipv4 -rule 2 ipfilter --delrule deny_telnet_ipv6 -rule 2
Now we will add the rule to deny inbound connectivity to the fabric switch on TCP service port 23.
ipfilter –-addrule deny_telnet_ipv4 -rule 2 -sip any -dp 23 -proto tcp -act deny ipfilter –-addrule deny_telnet_ipv6 -rule 2 -sip any -dp 23 -proto tcp -act deny
Now that we have created the rule we will first save the IP filter policy and then apply to the fabric switch
ipfilter –-save deny_telnet_ipv4 ipfilter –-save deny_telnet_ipv6 ipfilter –-activate deny_telnet_ipv4 ipfilter –-activate deny_telnet_ipv6
4 thoughts on “Disabling the Telnet protocol on Brocade SAN switches”
there’s a typo in the second –addrule: should be …ipv6
Thats the add rule command amended.
do we need to derule the newly created clone rule or the default rule?
ipfilter –delrule deny_telnet_ipv4 -rule 2
ipfilter –delrule deny_telnet_ipv6 -rule 2
We will need to delete the rule from the cloned IP filter policy as the default policy may not be modified. Once we have saved the cloned IP filter and activated, this will then be loaded to the fabric switch configuration instead of the default.