
Set ‘transport input none’ for ‘line aux 0’

Details

When you want to allow only an outgoing connection on a line, use the no exec command.

Rationale:

Unused ports should be disabled, if not required, since they provide a potential access path for attackers. Some devices include both an auxiliary and console port that can be used to locally connect to and configure the device. The console port is normally the primary port used to configure the device; even when remote, backup administration is required via console server or Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily used for dial-up administration via an external modem; instead, use other available methods.

Impact:

Organizations should prevent all unauthorized access of auxiliary ports by disabling all protocols using the ‘transport input none’ command.

Solution

Disable the inbound connections on the auxiliary port.

hostname(config)#line aux 0
hostname(config-line)#transport input none
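
To check a saved configuration against this control offline, the following added example (not part of the original page or the CIS benchmark text) reads the `line aux 0` stanza and classifies its `transport input` setting. The function names and the sample configurations are constructed for illustration, and reporting an unstated setting as `not-set` rather than passing it is an assumption of the example.

```python
# Added example: offline check of a saved IOS config for this control.
# Function names and the sample configs are constructed for illustration.

def aux0_stanza(config_text):
    """Return the sub-commands under 'line aux 0', or None if absent."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        if line.rstrip() == "line aux 0":
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):  # next top-level command ends the stanza
                    break
                body.append(sub.strip())
            return body
    return None

def audit_aux0(config_text):
    """Return 'pass', 'fail', 'not-set' or 'no-aux-line'."""
    body = aux0_stanza(config_text)
    if body is None:
        return "no-aux-line"
    transports = None
    for cmd in body:
        words = cmd.split()
        if words[:2] == ["transport", "input"] and len(words) > 2:
            transports = words[2:]  # a later line replaces an earlier one
    if transports is None:
        return "not-set"  # assumption: an unstated setting is reported, not passed
    return "pass" if transports == ["none"] else "fail"

# Constructed sample configurations (not taken from a real device).
HARDENED = """hostname R1
!
line con 0
 exec-timeout 10 0
line aux 0
 transport input none
line vty 0 4
 transport input ssh
!
end
"""
WEAK = HARDENED.replace(" transport input none", " transport input all")
UNSET = HARDENED.replace(" transport input none\n", "")

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK), ("unset", UNSET)):
        print(name, audit_aux0(cfg))
```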

Supportive Information


This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Cisco.

Updated on July 16, 2022