Solved

How to disable TFTP on VDX6720


Hello, we have a requirement to have TFTP disabled on our switch... Is this possible? If so what commands can I run?

Best answer by Truyen Phan 16 January 2019, 07:54

Hi Adam,

TFTP is executed under the inetd process. TFTPd is disabled by default on higher releases (6.x+), which the 6720 does not support. IPfilter is not needed to block this.

Please do the following to disable tftpd. A reload will be needed for it to take effect.

The below will do the following:

  1. take a backup of inetd.conf
  2. comment out tftpd in inetd.conf and write the result to a new file via sed
  3. overwrite inetd.conf with the updated file
  4. copy inetd.conf to the 2nd partition in case of a partition swap in the future
  5. reload the switch
code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
sw0:root> netstat -anp | grep :69
udp 0 0 0.0.0.0:69 0.0.0.0:* 1295/inetd

sw0:root> cat /etc/inetd.conf | grep tftpd
tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /etc/inetd.conf.bak
bash-2.04# cp /mnt/etc/inetd.conf /mnt/etc/inetd.conf.bak
bash-2.04# sed -e 's/^tftp/#tftp/' /etc/inetd.conf > /etc/inetd.conf.new
bash-2.04# cp /etc/inetd.conf.new /etc/inetd.conf
bash-2.04# grep tftp /etc/inetd.conf
#tftp dgram udp wait nobody /usr/sbin/in.tftpd in.tftpd /tftpboot

bash-2.04# cp /etc/inetd.conf /mnt/etc/inetd.conf
bash-2.04# exit
exit
sw0# reload system


### After switch boots up ###

code:
sw0# unhide foscmd
Password: ******** (fibranne)
sw0# fos bash | no
bash-2.04# netstat -anp | grep :69
bash-2.04#

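The procedure in the accepted answer, as an added example (this is not code from the original post or from the switch vendor): the same inetd.conf edit written as idempotent POSIX sh functions that back up first, write through a temporary file, re-check that the entry is really gone, and can be pointed at each partition in turn. The paths, the service-name argument and the sample inetd.conf are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread or the vendor: the accepted
# answer's inetd.conf edit as idempotent functions. Assumptions: the service is
# named by its first field in inetd.conf (tftp), and the file path is a
# parameter (/etc/inetd.conf and /mnt/etc/inetd.conf on the VDX, per the answer).

# Succeed (exit 0) if $1 still has an uncommented entry for service $2.
inetd_service_active() {
    grep -q "^$2[[:space:]]" "$1"
}

# Comment out every active entry for service $2 in $1.
# Backs up once to $1.bak, writes through $1.new so a failed sed cannot
# truncate the live file, then re-checks. Returns 0 on success (also when
# nothing needed changing), 1 if sed failed or the entry is still active.
inetd_disable_service() {
    conf="$1"; svc="$2"
    if ! inetd_service_active "$conf" "$svc"; then
        echo "$conf: no active '$svc' entry, nothing to do"
        return 0
    fi
    [ -f "$conf.bak" ] || cp "$conf" "$conf.bak"
    # '&' re-inserts the matched "tftp<space>", so the line becomes "#tftp ..."
    sed -e "s/^$svc[[:space:]]/#&/" "$conf" > "$conf.new" || return 1
    cp "$conf.new" "$conf" && rm -f "$conf.new"
    if inetd_service_active "$conf" "$svc"; then
        echo "$conf: '$svc' still active after edit" >&2
        return 1
    fi
    echo "$conf: '$svc' commented out (backup in $conf.bak)"
}

# Dry run against a constructed inetd.conf (sample content, not copied from a
# switch). Returns 0 if tftp ends up disabled, the second run is a no-op, and
# the unrelated telnet entry is untouched.
demo_inetd_disable() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
tftp    dgram   udp     wait    nobody  /usr/sbin/in.tftpd   in.tftpd /tftpboot
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd in.telnetd
EOF
    rc=0
    inetd_disable_service "$dir/inetd.conf" tftp || rc=1
    inetd_disable_service "$dir/inetd.conf" tftp || rc=1   # second run: no-op
    inetd_service_active "$dir/inetd.conf" telnet || rc=1  # telnet line intact
    [ "$(grep -c '^#tftp' "$dir/inetd.conf")" -eq 1 ] || rc=1
    [ -f "$dir/inetd.conf.bak" ] || rc=1
    rm -rf "$dir"
    return $rc
}

demo_inetd_disable
```

On the switch this would be run from the `fos bash` shell as `inetd_disable_service /etc/inetd.conf tftp && inetd_disable_service /mnt/etc/inetd.conf tftp`, followed by `reload system` and the `netstat -anp | grep :69` check from the answer. Since the requirement came from a scan finding, a scanner-side confirmation (`nmap -sU -p 69 <switch>` from the scanning host) is the check that closes the ticket.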

22 replies

Hi Adam,

In later versions, the Telnet Server CLI is enhanced to allow you to do just that: disable the Telnet server for both mgmt-vrf and default-vrf, as well as on the active and the standby.

What version are you running? We need to check whether your NOS version supports what you intend to do; earlier versions do not support some of the CLI commands shown below.

Below are the steps to shut down the Telnet server for both default-vrf and mgmt-vrf on the active for NOS 7.3.0a.

Static-Lab-SM08_VDX2# sh ver
Network Operating System Software
Network Operating System Version: 7.3.0a
Copyright (c) 1995-2017 Brocade Communications Systems, Inc.
Firmware name: 7.3.0a
Build Time: 07:59:32 Sep 24, 2018
Install Time: 05:24:19 Jan 5, 2019
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 4096 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 7.3.0a ACTIVE*
7.3.0a
SW/1 NOS 7.3.0a STANDBY
7.3.0a
Static-Lab-SM08_VDX2#

Static-Lab-SM08_VDX2# sh telnet server status
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled
Static-Lab-SM08_VDX2# sh ssh server status rb all
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled
Static-Lab-SM08_VDX2# conf t
Entering configuration mode terminal
Static-Lab-SM08_VDX2(config-rbridge-id-1)# rb 2
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server
Possible completions:
shutdown Shutdown Telnet Server
standby Configure Standby Telnet
use-vrf Configure VRF Name
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
rbridge-id 2
VRF-Name: default-vrf Status: Enabled
VRF-Name: mgmt-vrf Status: Disabled
Hi Adam,

What version of NOS are you running on the switch?
Earlier versions do not have the telnet server shutdown CLI; the capability was added in a later release.
Let me know what version you are running so we can check.

Below are the steps to disable the Telnet server on the active.

Static-Lab-SM08_VDX2# sh ver
Network Operating System Software
Network Operating System Version: 7.3.0a
Copyright (c) 1995-2017 Brocade Communications Systems, Inc.
Firmware name: 7.3.0a
Build Time: 07:59:32 Sep 24, 2018
Install Time: 05:24:19 Jan 5, 2019
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 4096 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 7.3.0a ACTIVE*
7.3.0a
SW/1 NOS 7.3.0a STANDBY
7.3.0a
Static-Lab-SM08_VDX2#

Static-Lab-SM08_VDX2# sh telnet server status rb all
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled
Static-Lab-SM08_VDX2# sh ssh server status rb all
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled
Static-Lab-SM08_VDX2# conf t
Static-Lab-SM08_VDX2(config-rbridge-id-1)# rb 2
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server
Possible completions:
shutdown Shutdown Telnet Server
standby Configure Standby Telnet
use-vrf Configure VRF Name
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
rbridge-id 2
VRF-Name: default-vrf Status: Enabled
VRF-Name: mgmt-vrf Status: Disabled
Anyone?
Sorry Adam, my 2 earlier replies did not make it into the system.
Have to redo it.

BTW, what NOS version are you running?
Hey Ivan, yes seen that you replied but was wondering where it was 🙂

NOS version 4.1.3b
The telnet server shut functionality has been changed; the CLI below may not be available in earlier NOS versions.

Here are the steps to shut down the Telnet server on the active …

Static-Lab-SM08_VDX2# sh ver
Network Operating System Software
Network Operating System Version: 7.3.0a
Copyright (c) 1995-2017 Brocade Communications Systems, Inc.
Firmware name: 7.3.0a
Build Time: 07:59:32 Sep 24, 2018
Install Time: 05:24:19 Jan 5, 2019
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 4096 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 7.3.0a ACTIVE*
7.3.0a
SW/1 NOS 7.3.0a STANDBY
7.3.0a


Static-Lab-SM08_VDX2# sh telnet server status rb all
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled
Static-Lab-SM08_VDX2# sh ssh server status rb all
rbridge-id 2
VRF-Name: mgmt-vrf Status: Enabled
VRF-Name: default-vrf Status: Enabled

Static-Lab-SM08_VDX2(config-rbridge-id-1)# rb 2
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server
Possible completions:
shutdown Shutdown Telnet Server
standby Configure Standby Telnet
use-vrf Configure VRF Name
Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# telnet server shutdown
Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
Possible completions:

Static-Lab-SM08_VDX2(config-rbridge-id-2)# do show telnet server status rbridge-id 2
rbridge-id 2
VRF-Name: default-vrf Status: Enabled
VRF-Name: mgmt-vrf Status: Disabled
Doesn't look like your reply posted again.
I don't have a switch with 4.1.3 to do a quick check …
But the CLI for NOS 6.0.1a is also different … you may want to try the same command and see what the result is.

Here is the check on NOS 6.0.1a

sadie# sh vers
Network Operating System Software
Network Operating System Version: 6.0.1
Copyright (c) 1995-2015 Brocade Communications Systems, Inc.
Firmware name: 6.0.1a
Build Time: 21:02:59 Sep 15, 2015
Install Time: 01:37:03 Dec 25, 2018
Kernel: 2.6.34.6
BootProm: 1.0.1
Control Processor: e500mc with 8192 MB of memory
Slot Name Primary/Secondary Versions Status
---------------------------------------------------------------------------
SW/0 NOS 6.0.1a ACTIVE*
6.0.1a
SW/1 NOS 6.0.1a STANDBY
6.0.1a
sadie# sh telnet server status
rbridge-id 1:Telnet server status:Enabled
sadie# conf t
Entering configuration mode terminal
sadie(config)# rb 1
sadie(config-rbridge-id-1)# telnet server standby enable
Possible completions:

sadie(config-rbridge-id-1)# telnet server standby enable
sadie(config-rbridge-id-1)# no telnet server standby enable
sadie(config-rbridge-id-1)# do show telnet server status
rbridge-id 1:Telnet server status:Enabled
sadie(config-rbridge-id-1)# do show ssh server status
rbridge-id 1:SSH server status:Enabled
sadie(config-rbridge-id-1)# telnet server shut
sadie(config-rbridge-id-1)# do show telnet server status
rbridge-id 1:Telnet server status:Disabled
sadie(config-rbridge-id-1)#
sadie# sh vrf
Total number of VRFs configured: 2
VrfName VrfId V4-Ucast V6-Ucast
default-vrf 1 Enabled Enabled
mgmt-vrf 0 Enabled Enabled
sadie# sh run | inc telnet
telnet server shutdown
If you have a free 10-15 min, we can log into your switch and check …

Here is a link for a live session.
(removed by Community Manager - let's share these via PM in the future)
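The two sessions above show two output formats for the same check: on 7.3.0a the status is reported per VRF under an `rbridge-id` line, and after `telnet server shutdown` was entered under rbridge-id 2 the output still lists `default-vrf Status: Enabled`; on 6.0.1a there is a single per-rbridge line. As an added example (not from the thread or the vendor), here is a small audit that parses captured `show telnet server status` / `show ssh server status` output in either format and fails while anything is still Enabled. It assumes the output is fed on stdin; the sample strings are constructed from the formats shown above.

```shell
#!/bin/sh
# Added example, not from the thread or the vendor: audit captured
# "show telnet server status" / "show ssh server status" output and report
# every entry still Enabled. Handles both formats shown in the thread:
#   NOS 7.x : "VRF-Name: default-vrf Status: Enabled" under an "rbridge-id N" line
#   NOS 6.x : "rbridge-id 1:Telnet server status:Enabled"
# Reads the CLI output from stdin (paste it, or pipe a captured session in).

# Normalise to one "rbridge,vrf,status" line per entry (vrf is "-" for 6.x).
parse_server_status() {
    awk '
        /^rbridge-id [0-9]+$/ { rb = $2; next }
        /^rbridge-id [0-9]+:/ {                 # 6.x single-line form
            n = split($0, f, ":"); sub(/^rbridge-id /, "", f[1])
            print f[1] ",-," f[n]; next
        }
        /^VRF-Name:/ { print rb "," $2 "," $4 } # 7.x per-VRF form
    '
}

# Print the number of entries still Enabled (0 when fully shut down).
count_enabled() {
    parse_server_status | awk -F, '$3 == "Enabled" { n++ } END { print n + 0 }'
}

# Audit: list the entries still Enabled; return 1 if there are any.
audit_server_status() {
    found=$(parse_server_status |
        awk -F, '$3 == "Enabled" { print "still enabled: rbridge-id " $1 " vrf " $2 }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed samples in the formats shown in the thread (not a new capture).
# 7.3.0a after "telnet server shutdown" in rbridge 2: default-vrf still Enabled.
SAMPLE_73='rbridge-id 2
VRF-Name: default-vrf Status: Enabled
VRF-Name: mgmt-vrf Status: Disabled'
# 6.0.1a after "telnet server shut": fully disabled.
SAMPLE_60='rbridge-id 1:Telnet server status:Disabled'

count_73() { printf '%s\n' "$SAMPLE_73" | count_enabled; }   # 1
count_60() { printf '%s\n' "$SAMPLE_60" | count_enabled; }   # 0

printf '%s\n' "$SAMPLE_73" | audit_server_status || echo "7.3.0a sample: NOT fully shut down"
printf '%s\n' "$SAMPLE_60" | audit_server_status && echo "6.0.1a sample: shut down"
```

The point of normalising per VRF is that a vulnerability scanner sitting on the default-vrf side sees the default-vrf listener, so a status that reads Disabled only for mgmt-vrf does not clear the finding.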
So when I do that it shows telnet is disabled. When we run scans against it, it is showing TFTP enabled. Also, we are on a secure segregated network, so you won't be able to log in to it.
This other reply was on hold pending a moderator!!!
If you click on the link for the live session, we can share the session.
You can log in to show me … the link is above; the session is still open for the next 30 min.
Would like to be able to disable the TFTP daemon....
I cannot access that link from the other network.
Was TFTP using telnet or SSH?
I'm not exactly sure how to see which one TFTP is using. SSH is enabled and Telnet is disabled.

# sh vrf - shows nothing.
Check sh proc cpu and, if not seeing tftpd running, whether it can be disabled ...
Looks like port 69/UDP
On 4.1.3 it does not have a VRF context, which was added in NOS 5.0.
Yeah, TFTP is using the well-known port 69 UDP.

69 UDP TFTP (Trivial File Transfer Protocol) Official
Any way to disable that on 4.1.3?
So I do not see a tftp process running when I do a # sh proc cpu.
How can I get the ipfilter commands on 4.1.3?
This is perfect!! Thank you so much!!!!!
