15.2 Remote access with Telnet
Telnet is a protocol that was very widely used to connect remotely to computers and other devices including routers. Because it is not secure, it should no longer be used over the internet, but it is easy to configure and still used internally within companies and for legacy equipment.
Watch the video below, which is about 3 minutes long. You will see how Telnet can be used to connect to a router, and how to protect the router with a password and a warning message.
Remote access with Telnet
We’ve now seen how we can connect to the router’s console directly through the console port; now we’ll see how I can connect over the network.
At this stage I am going to use Telnet – it is simple, still used internally and for legacy devices, but isn’t secure.
I’m going to connect from a PC on the same LAN: traffic won’t be going over the internet so the lack of security isn’t too great a problem. I’ve opened a command prompt and now use the command telnet and then the IP address of the router 192.168.1.1.
And it doesn’t let me in! This is because Cisco routers are set up by default to require a login for Telnet – but since I haven’t yet set a password, the login is going to fail.
So back to the router console window where I can set up the password. In global configuration mode, enter the command line vty – vty stands for virtual teletypes which is how it refers to terminal connections. Routers can support a number of simultaneous connections. I want to configure them all, so I’ll type 0 then a question mark ? so that the router will tell me the maximum it supports, which turns out to be 0 through 15, that is 16 in total. Now we are configuring all 16 vty lines. And I add a password with password onlvty.
I can do one more thing. I can get the router to display a message whenever someone tries to connect. I’m back in global configuration mode and now I’ll use the command banner motd (motd means message of the day). To enter my message, I need to type some character at the start – the same one will be used to end the message – I’ll use an exclamation mark. So I’ve entered ! Authorised users only, please ! Now a hacker can’t claim ‘Well, the door was open so I just wandered in …’.
Let me test by Telnetting from my PC again. I’ll enter telnet 192.168.1.1 and this time I can see a banner message telling me I must be authorised. I am and I know the password, which was onlvty, so now I’m back in to the router’s console.
I said earlier that Telnet is insecure because the characters are sent over the wire in plain text form. This means that packet capture software like Wireshark for example, which is a really useful tool for diagnosing network problems, can easily show all the text in a Telnet session. You can see from this screenshot. Everything we did in the Telnet session was captured – including the password we logged in with!
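The point about packet capture can be reproduced offline. This added example (not part of the course material) strips Telnet option negotiation from a constructed client-to-server byte stream and shows that the keystrokes, including the vty password, are left in the clear. The function names and the CAPTURE bytes are assumptions made up for illustration.

```python
# Added example: recover the typed text from a Telnet client-to-server byte stream.
IAC, SE, SB, WILL, DONT = 255, 240, 250, 251, 254  # command codes from RFC 854


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the user data, dropping Telnet IAC command sequences."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])          # ordinary data byte, sent unencrypted
            i += 1
        elif i + 1 >= len(data):
            break                        # capture ends in the middle of a command
        elif data[i + 1] == IAC:
            out.append(IAC)              # IAC IAC is an escaped literal 0xFF
            i += 2
        elif WILL <= data[i + 1] <= DONT:
            i += 3                       # WILL/WONT/DO/DONT plus one option byte
        elif data[i + 1] == SB:
            i += 2                       # skip subnegotiation up to IAC SE
            while i < len(data) and data[i:i + 2] != bytes([IAC, SE]):
                i += 2 if data[i] == IAC else 1
            i += 2
        else:
            i += 2                       # two-byte command such as NOP
    return bytes(out)


def typed_lines(client_payloads):
    """Join client-to-server payloads and split them into the lines typed."""
    stream = strip_telnet_negotiation(b"".join(client_payloads))
    text = stream.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [ln.decode("ascii", "replace") for ln in text.split(b"\n") if ln]


# Constructed sample: TCP payloads sent by the PC, one keystroke per segment.
CAPTURE = [
    bytes([IAC, 253, 1, IAC, 253, 3]),             # DO ECHO, DO SUPPRESS-GO-AHEAD
    bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE]),   # window size subnegotiation
    *[bytes([c]) for c in b"onlvty"], b"\r\n",     # password typed at the prompt
    *[bytes([c]) for c in b"exit"], b"\r\n",
]

if __name__ == "__main__":
    for line in typed_lines(CAPTURE):
        print(line)
```

The password is not echoed on the user's screen, but it is still present byte for byte in the client-to-server direction of the capture.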
Activity 4 Try it out
Open in a new tab or window so you can read these instructions.
In this activity you will configure the router in the network to accept a Telnet connection from the PC.
Open the router console and enter global configuration mode using the password ‘opennetlab’.
Configure the virtual teletypes (vty) with the password ‘onlvty’.
Set a message of the day.
Now open the PC command line and check that you can ping from the PC (192.168.0.100) to the router (192.168.0.1).
Open a Telnet session by entering the command telnet 192.168.0.1, giving the appropriate password.
Confirm that you are connected to the router by entering global configuration mode and entering the command show running-configuration.
Finish the Telnet session by entering exit.
The router will accept Telnet connections from a PC or other remote device; the router considers these to be ‘virtual teletypes’. For security, a password must be given before a connection is allowed.
To configure the virtual teletypes, enter the command line vty 0 15 (the range depends on the particular model of router). Then enter password onlvty to set the password to ‘onlvty’.
In global configuration mode, set a message of the day with a command such as banner motd !Authorised users only, please!.
This completes the setup for the router. To test the connection, you will need to turn to the command line on the PC. You can first confirm that the PC is connected to the router with a ping.
Then to open a Telnet session, you should enter the command telnet 192.168.0.1, giving the password ‘onlvty’ which you previously set on the router. You will see the message of the day and the prompt will change to ‘Router>’ showing that you are now giving commands to the router.
You can now work with the router’s command line, for example entering global configuration mode (you will need the password ‘opennetlab’) and show the running configuration.
You should exit from the Telnet session using exit.
Confirm that you are back on the PC command line by checking the prompt and using commands such as ipconfig.