ExtremeSwitching (EXOS)

 View Only
  • 1.  HTTP(s) server listening in all VRs once enabled

    Posted 12-25-2021 08:35
    Hello,

    We use several public routing instances (VRs) on our L3 switches.

    The http(s) server is enabled in order to be able to monitor the switch, as some things like transceiver power are not available using SNMP.

    Now it looks like all that I can do is create access lists to disallow public access to the HTTP server, but not disable it entirely for the public VRs. The logs are full of background noise trying to connect.

    We really don't want to get hacked that way in case this instance of CherryPi(?) (that's what the access denied page says) would be vulnerable somehow.

    It doesn't seem professional at all that it's not possible to just specifically enable the http(s) service/API where you need it. (Or at least specifically disable it when you really don't need it.)

    Now I don't want to stick my head in the sand and just disable logging. The entire situation doesn't feel right.

    Thoughts?

    Best regards,
    Marki


  • 2.  RE: HTTP(s) server listening in all VRs once enabled

    Posted 12-30-2021 13:29

    Hi,

    You can configure an access profile (which IMO are easier to maintain/diagnose) to block those connection using a dynamic ACL like below:

    Before:

    ExtremeCore.3 # show ses
                                                                 CLI
        #       Login Time               User     Type    Auth   Auth Location
    ================================================================================
    *489        Thu Dec 30 18:20:13 2021 cthom .. ssh2    local  dis  10.1.1.54     
     490        Thu Dec 30 18:21:03 2021 cthom .. xml     local  dis  10.1.1.54 


    Creating dynamic ACL:

    create access-list blockhttps " source-address 10.1.1.0/24;" "


    Applying ACL:

    ExtremeCore.10 # configure web http access-profile add blockhttps first
    


    Verify that is is blocking connections as expected:

    * ExtremeCore.12 # show access-list counter process http
    ================================================================================
    Access-list                                Permit Packets          Deny Packets 
    ================================================================================
    blockhttps                                              0                     8
    ================================================================================
    Total Rules : 1
    

    Thanks,
    Chris Thompson




  • 3.  RE: HTTP(s) server listening in all VRs once enabled

    Posted 01-04-2022 11:31
    Hello,
    I already knew that.
    The question was how do we prevent the service from listening in that VR at all?
    Like this it is still listening and potentially subject to hacks, DoS, etc. in an Internet-facing VR. That's not good.
    Thanks
    Marki


  • 4.  RE: HTTP(s) server listening in all VRs once enabled

    Posted 01-07-2022 10:44
    Hi Marki,

    There is currently no option to disable the web interface on a per-VR basis. If you're interested in that feature, please create a feature request with your account team. Otherwise, the access-profile will allow HTTP/S connections only from specified clients/networks.