Solved

How to disable TFTP on VDX6720


Hello, we have a requirement to have TFTP disabled on our switch... Is this possible? If so what commands can I run?
icon

Best answer by Truyen Phan 16 January 2019, 07:54

Hi Adam,

TFTP is executed under the inetd process. TFTPd is disabled by default on higher releases (6.x+) which the 6720 does not support. IPfilter is not needed to block this.

Please do the following to disable tftpd. A reload will be needed to take effect.

The below will do the following:

  1. take back up of inetd.conf
  2. comment out tftpd in inetd.conf and put in new file via sed
  3. overwrite inetd.conf with update file
  4. copy inetd.conf to 2nd partition in case of partition swap in the future
  5. reload switch
code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
sw0:root> netstat -anp | grep :69
udp 0 0 0.0.0.0:69 0.0.0.0:* 1295/inetd

sw0:root> cat /etc/inetd.conf | grep tftpd
tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /etc/inetd.conf.bak
bash-2.04# cp /mnt/etc/inetd.conf /mnt/etc/inetd.conf.bak
bash-2.04# sed -e 's/^tftp/#tftp/' /etc/inetd.conf > /etc/inetd.conf.new
bash-2.04# cp /etc/inetd.conf.new /etc/inetd.conf
bash-2.04# grep tftp /etc/inetd.conf
#tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /mnt/etc/inetd.conf
bash-2.04# exit
exit
sw0# reload system


### After switch boots up ###

code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
bash-2.04# netstat -anp | grep :69
bash-2.04#

View original

22 replies

Anyone?
Sorry Adam, my 2 earlier replies did not make it into the system.
Have to redo it.

BTW, what NOS version are you running ?
Hey Ivan, yes seen that you replied but was wondering where it was 🙂

NOS version 4.1.3b
doesnt look like your reply posted again
I don't have a switch with 4.1.3 to do a quick check …
But, the cli for NOS 6.0.1a is also different … you may want to try the same command and see what is the result.

Here is the check on NOS 6.0.1a

sadie# sh vers
Network Operating System Software
Network Operating System Version: 6.0.1
Copyright (c) 1995-2015 Brocade Communications Systems, Inc.
Firmware name: 6.0.1a
Build Time: 21:02:59 Sep 15, 2015
Install Time: 01:37:03 Dec 25, 2018
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 8192 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 6.0.1a ACTIVE*
6.0.1a
SW/1 NOS 6.0.1a STANDBY
6.0.1a
sadie# sh telnet server status
rbridge-id 1:Telnet server status:Enabled
sadie# conf t
Entering configuration mode terminal
sadie(config)# rb 1
sadie(config-rbridge-id-1)# telnet server standby enable
Possible completions:

sadie(config-rbridge-id-1)# telnet server standby enable
sadie(config-rbridge-id-1)# no telnet server standby enable
sadie(config-rbridge-id-1)# do show telnet server status
rbridge-id 1:Telnet server status:Enabled
sadie(config-rbridge-id-1)# do show ssh server status
rbridge-id 1:SSH server status:Enabled
sadie(config-rbridge-id-1)# telnet server shut
sadie(config-rbridge-id-1)# do show telnet server status
rbridge-id 1:Telnet server status:Disabled
sadie(config-rbridge-id-1)#
sadie# sh vrf
Total number of VRFs configured: 2
VrfName VrfId V4-Ucast V6-Ucast
default-vrf 1 Enabled Enabled
mgmt-vrf 0 Enabled Enabled
sadie# sh run | inc telnet
telnet server shutdown
if you have a free 10-15 min, we can log into your switch and check …

Here is a link for a live session.
(removed by Community Manager - let's share these via PM in the future)
So when I do that it shows telnet is disabled. When we run scans against it, it is showing tftp enabled. Also we are on a secure segregated network so you wont be able to login to it.
this other reply was on-hold pending moderator !!!
if you click on the link for the live session, we can share the session.
You can login to show me … the link is above, session is still open for the next 30 min.
Would like to be able to disable the TFTP daemon....
I cannot access that link from the other network.
was tftp using telnet or ssh
Im not exactly sure how to see which on tftp is using. SSH is enabled and Tenet is disabled.

# sh vrf - shows nothing.
check sh proc cpu and not seeing tftpd running, that it can be disabled ...
Looks like port 69/UDP
on 4.1.3 it does not have vrf context - which is added in NOS 5.0
yeah. TFTP is using well known port 69 UDP

69 UDP TFTP (Trivial File Transfer Protocol) Offical
Any way to disable that on 4.1.3?
So I do not see a tftp process running when i do a # sh proc cpu
How can I get the ipfilter comands on 4.1.3?
Hi Adam,

TFTP is executed under the inetd process. TFTPd is disabled by default on higher releases (6.x+) which the 6720 does not support. IPfilter is not needed to block this.

Please do the following to disable tftpd. A reload will be needed to take effect.

The below will do the following:

  1. take back up of inetd.conf
  2. comment out tftpd in inetd.conf and put in new file via sed
  3. overwrite inetd.conf with update file
  4. copy inetd.conf to 2nd partition in case of partition swap in the future
  5. reload switch
code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
sw0:root> netstat -anp | grep :69
udp 0 0 0.0.0.0:69 0.0.0.0:* 1295/inetd

sw0:root> cat /etc/inetd.conf | grep tftpd
tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /etc/inetd.conf.bak
bash-2.04# cp /mnt/etc/inetd.conf /mnt/etc/inetd.conf.bak
bash-2.04# sed -e 's/^tftp/#tftp/' /etc/inetd.conf > /etc/inetd.conf.new
bash-2.04# cp /etc/inetd.conf.new /etc/inetd.conf
bash-2.04# grep tftp /etc/inetd.conf
#tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /mnt/etc/inetd.conf
bash-2.04# exit
exit
sw0# reload system


### After switch boots up ###

code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
bash-2.04# netstat -anp | grep :69
bash-2.04#
This is perfect!! Thank you so much!!!!!

Reply