Disable or Block SSH and Telnet Access

lenovomen
DD-WRT Novice


Joined: 29 Jul 2022
Posts: 30

Posted: Fri Jul 29, 2022 12:25    Post subject: Disable or Block SSH and Telnet Access
Hello,

I want to disable SSH and Telnet access on both the wired (all connected LAN devices) and wireless (all wireless APs) sides using the firewall.

I found the "Limit SSH Access" and "Limit Telnet Access" configuration options in the SECURITY-->FIREWALL settings, but they only restrict attacks against hackers; they do not disable the ports.

FIREWALL:
---------
Limit SSH Access

Limit Telnet Access

Limit PPTP Server Access

Limit FTP Server Access

# Chain created by the "Limit ... Access" options: every source is recorded by the
# recent module and, once it makes 4 hits within 60 seconds, gets logged and dropped.
iptables -N bruteprotect
iptables -A bruteprotect -m recent --set --name BRUTEFORCE --rsource
iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
iptables -A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
iptables -A bruteprotect -j DROP

How can I disable or block these ports so that they are not accessible from any device on the network at all?
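The LOG rule in the bruteprotect chain quoted above writes one kernel-log line per dropped packet, prefixed `[DROP BRUTEFORCE] : `. As an added example (not code from the thread or from DD-WRT), a small shell script that summarises those lines per source address and destination port, so you can see which LAN host has been tripping the limiter. The log lines are constructed here in the usual netfilter LOG layout rather than copied from a real router; on the router the same text comes from `dmesg` or Status > Syslog.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel-log lines that the
# bruteprotect chain's LOG rule emits. The prefix "[DROP BRUTEFORCE] : " is the
# one the quoted rule uses; the sample lines are constructed in the standard
# netfilter LOG layout (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) so the script
# runs offline without a router.
SAMPLE_LOG='Jul 29 12:31:02 DD-WRT kernel: [DROP BRUTEFORCE] : IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Jul 29 12:31:03 DD-WRT kernel: [DROP BRUTEFORCE] : IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Jul 29 12:40:11 DD-WRT kernel: [DROP BRUTEFORCE] : IN=br0 OUT= SRC=192.168.1.77 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=40001 DPT=23 SYN
Jul 29 12:41:00 DD-WRT kernel: ACCEPT IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=22'

# bruteforce_summary: read log text on stdin, keep only the DROP BRUTEFORCE
# lines, and print "SRC DPT hits" for each source/port pair, most hits first.
bruteforce_summary() {
    grep 'DROP BRUTEFORCE' | awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") hits[src " " dpt]++;
    }
    END { for (k in hits) print k, hits[k] }' | sort -k3,3nr -k1,1
}

# dropped_sources: number of distinct source/port pairs the limiter dropped.
dropped_sources() {
    printf '%s\n' "$SAMPLE_LOG" | bruteforce_summary | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | bruteforce_summary
```

With the rule as quoted (`--seconds 60 --hitcount 4`), the DROP fires on the fourth new connection from one source inside 60 seconds, so a host that keeps showing up here is either a client stuck retrying a stale password or something worth looking at. Feed the script real data with `dmesg | bruteforce_summary` after pasting the functions into a shell on the router.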
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6436
Location: UK, London, just across the river..

Posted: Fri Jul 29, 2022 15:23
for local access you have to just disable those (SSH/Telnet) from GUI Services... and those will not exist as a service and will not load....
in general Telnet is not a good/safe service...

The other way is to reject/drop those used ports (the default ssh is tcp 22, telnet 23) via iptables rules...
# -I inserts at the top of INPUT, so these take effect before the default LAN allow rules
iptables -I INPUT -p tcp --dport 22 -j REJECT
iptables -I INPUT -p tcp --dport 23 -j REJECT


If you just want to make SSH usable only for a particular client via MAC or IP, you can make specific iptables rules for those...
for example i want to deny the use of SSH (default port is 22)

# both rules use -I, so the ACCEPT inserted second ends up above the DROP and wins for that MAC
iptables -I INPUT -p tcp --dport 22 -j DROP
iptables -I INPUT -p tcp --dport 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

-replace XX:XX:XX:XX:XX:XX with the MAC you want to exclusively give local (LAN) SSH access

if you have SSH for WAN turned on, turn it off (disable) from GUI Management>Web Access

to have secure SSH from the WAN side if you decide to enable it...then use it with a secure key only...no password login for SSH...

also if you turn on those rules "Limit SSH Access", SSH is brute-force protected, so in case someone tries it with brute force it will report and prevent its use for a period of time...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
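The rules from the reply above, as a re-runnable firewall script (an added example, not code from the thread or from DD-WRT). It rejects SSH and Telnet addressed to the router itself except SSH from one admin MAC; the MAC `02:00:00:00:00:01` is a constructed placeholder, the default mode only prints the commands, and `apply` is an assumed argument that changes the live ruleset. Because DD-WRT runs the firewall script again whenever the firewall restarts (WAN up, for example), each rule is checked with `iptables -C` before it is inserted so repeats do not stack.

```shell
#!/bin/sh
# Added example (not from the thread): a re-runnable firewall script for
# Administration > Commands > Firewall that allows SSH (tcp/22) only from one
# admin MAC and rejects all other SSH and Telnet (tcp/23) traffic that is
# addressed to the router itself (INPUT chain). Forwarded traffic is untouched.

ADMIN_MAC="${ADMIN_MAC:-02:00:00:00:00:01}"   # constructed placeholder; set to your management host

# "plan" (default) only prints the iptables commands so the script can be
# reviewed on a workstation; "apply" runs them against the live ruleset.
MODE="${1:-plan}"
if [ "$MODE" = apply ]; then
    IPT=iptables
else
    IPT="echo iptables"
fi

# ensure_rule CHAIN RULE...: insert RULE at the top of CHAIN unless an
# identical rule already exists (iptables -C), so re-running the script on
# every firewall restart does not accumulate duplicate rules.
ensure_rule() {
    chain=$1; shift
    if [ "$MODE" = apply ]; then
        iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
    else
        $IPT -I "$chain" "$@"
    fi
}

# -I puts each new rule at position 1, so insert the REJECT rules first and
# the MAC allow last; the allow then sits above the rejects and wins.
# tcp-reset makes blocked clients fail immediately instead of waiting on a timeout.
apply_rules() {
    ensure_rule INPUT -p tcp --dport 23 -j REJECT --reject-with tcp-reset
    ensure_rule INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
    ensure_rule INPUT -p tcp --dport 22 -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
}

# planned_rule_count: how many rules the script manages, taken from a dry run.
planned_rule_count() {
    ( MODE=plan; IPT="echo iptables"; apply_rules ) | wc -l | tr -d ' '
}

apply_rules
```

A MAC match only helps on the LAN segment where the router sees the client's own Ethernet address; if the admin host sits behind another router, match on its IP with `-s` instead. Disabling the services in the GUI, as the reply says, remains the stronger option: a service that is not running has no port to block.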
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12882
Location: Netherlands

Posted: Fri Jul 29, 2022 16:16
By default only Telnet is enabled from the LAN side; everything else is blocked:
Services/Services/Telnet Enable server

If you disable this there is no Telnet and only the GUI to access the router.

Disabling console access is not something I would recommend; of course Telnet is not the safest option, but SSH with keys is.

For maximum security I would disable GUI access and Telnet and keep SSH access with keys.

But hey, if your LAN network is compromised you have bigger problems
(all IoT and other unsafe clients are of course on their own network with no access at all to the router or the safe network)

P.S. we can give better support if you state your router model and build number :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087