The default Telnet port for most Cisco router products is 23, making it an easy target for hackers or malicious actors to exploit. Changing the default port number and blocking port 23 can therefore improve network security to some extent.
Here are 4 steps to configure a VTY interface password, change the Telnet port number, and block port 23:
Step 1: Configure a Password for the VTY Interface
Router(config)#line vty 0 X ## X varies depending on the router model
Router(config-line)#password Telnet-password ## Set the Telnet password
Router(config-line)#login ## Enable password authentication
Step 2: Change the Telnet Port
Router(config-line)#rotary N ## N represents a number (on a Cisco 3500, the range is <1-99>). The new port is calculated by adding N to the base number 3000. For example, if N=2, the Telnet port for login becomes 3002.
Step 3: Block the Default Port 23
1) Set up an extended access list
Router(config)#access-list 101 deny tcp any any eq 23
Router(config)#access-list 101 permit ip any any
Of course, if you want to restrict the IP range allowed to Telnet to the router, you can change access-list 101 permit ip any any to:
access-list 101 permit ip A.B.C.D E.F.G.H I.J.K.L W.X.Y.Z
Where: A.B.C.D is the Source address;
E.F.G.H is the Source wildcard bits;
I.J.K.L is the Destination address;
W.X.Y.Z is the Destination wildcard bits;
2) Apply the access list to the VTY interface
Router(config-line)# line vty 0 X
Router(config-line)#access-class 101 in
Step 4: Test
telnet router-IP 3002