Protecting the Telnet VTY Lines of Cisco Devices





There are usually 5 VTY lines on Cisco routers (VTY 0 to 4). An attacker can perform a Denial of Service attack by opening several simultaneous Telnet or SSH connections to the router, occupying all available lines and preventing legitimate administrators from managing the device.

To protect from this kind of attack, we can configure and apply an ACL on lines 0 to 3 allowing the general Network Management address range, and then configure a more restrictive ACL for the last VTY line 4, which allows only a specific management station to connect.

Configuration Example:

! Allow access from the general Network Management range (assume management network is 10.10.10.0/24)
! Each ACL ends with an implicit deny, so every other source is blocked
Router(config)# access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq ssh

! Allow access from a single management station only
Router(config)# access-list 101 permit tcp host 10.10.10.10 any eq ssh

! Apply the general ACL to VTY 0-3 and the restrictive ACL to the reserved line VTY 4
Router(config)# line vty 0 3
Router(config-line)# access-class 100 in
Router(config)# line vty 4
Router(config-line)# access-class 101 in
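As an added example (not part of the original post), a small Python audit script that parses a running-config excerpt and checks the pattern described above: every VTY line must carry an inbound access-class, and the last VTY line must use its own ACL rather than share the general one. The SAMPLE_CONFIG text is constructed, and the function names are my own.

```python
import re

# Constructed sample running-config excerpt following the pattern on the page
# (not captured from a real device).
SAMPLE_CONFIG = """\
access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq ssh
access-list 101 permit tcp host 10.10.10.10 any eq ssh
line vty 0 3
 access-class 100 in
line vty 4
 access-class 101 in
"""

def parse_vty_access_classes(config):
    """Map each VTY line number to its inbound access-class ACL, or None."""
    result = {}
    current = []          # VTY numbers covered by the current 'line vty' block
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = list(range(first, last + 1))
            for n in current:
                result.setdefault(n, None)
            continue
        if line.startswith("line "):   # con/aux block: not a VTY line
            current = []
            continue
        m = re.match(r"^\s+access-class (\S+) in$", line)
        if m and current:
            for n in current:
                result[n] = m.group(1)
    return result

def audit_vty(config):
    """Return findings; an empty list means every VTY line is filtered and the
    last line is reserved with its own ACL, as the post recommends."""
    acls = parse_vty_access_classes(config)
    if not acls:
        return ["no VTY lines configured"]
    findings = [f"vty {n} has no inbound access-class" for n in sorted(acls) if acls[n] is None]
    last = max(acls)
    shared = {acls[n] for n in acls if n != last and acls[n]}
    if acls[last] is not None and acls[last] in shared:
        findings.append(f"vty {last} shares ACL {acls[last]} with other lines; reserve it with a stricter ACL")
    return findings
```

Run it against the output of `show running-config | section line vty` (with the access-list lines included) to confirm a device matches the recommended layout.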







