deny ssh access from a specific internet facing port

  • Question
  • Updated 2 years ago
  • Answered
I need to deny any SSH access (switch management) from a specific port that is connected to the internet (basically I want to stop any response from the switch on a specific port).

The Switch still needs to be ssh accessible from the internal secure network.

I already run a Switch Manage policy for SSH/TELNET and web, which is working as expected.

Rod Robertson

Posted 2 years ago

Mike Thomas, Employee - GTAC - NMS
What is the device / product type you're working with, and what firmware revision?

Rod Robertson
X670-48X 15.3.3.5-patch1-2

I really want to stop any response at all (banner etc.)... other than the log.

Frank
If the Internet is on a different VR than your internal network, you can limit SSH to only listen on a VR; for instance "enable ssh2 vr VR-Mgmt" to only listen on the management port/VR.

Rod Robertson
For this external switch (internet one side, firewall the other) we are using VR vr-default.
Though the IP address of the switch for management is on vr-mgmt.

So basically
I would disable ssh2 on vr-default and enable ssh2 on vr-mgmt.
That should stop the external hits we are getting for SSH.

Frank
My memory is spotty. I would start by saying "enable ssh2 vr vr-mgmt" and see if that took it off vr-default. Don't want to leave you hanging without SSH or a long console cable.

Drew C., Community Manager

Rod Robertson
Drew

We already do this and it works; we limit what internal networks and specific IP addresses can access the switch on SSH2, telnet and SNMP. What I want to stop is any response from the switch to the external addresses that are trying to access the switch IP via SSH2 (JANET address). Currently the external users (let's call them hackers) still receive an SSH2 prompt to sign on. I need this to stop.

Ron Huygens, Employee
What if you add an ingress ACL on that port that denies traffic to the switch IP and only allows the needed connections (BGP peers etc.)?

Rod Robertson
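Ron's ingress ACL written out as an added ExtremeXOS policy example; it is not from this thread or from Extreme's own documentation, and the switch IP 192.0.2.1, BGP peer 203.0.113.2, port 1, the policy name and the CLI commands listed at the end are assumptions you would replace with your own values.

```text
# Constructed example policy file: /config/deny_ssh_internet.pol (placeholder name)
# EXOS evaluates entries top to bottom and the first match wins; traffic that
# matches no entry is permitted, so transit traffic through the port is untouched.

# Placeholder BGP peer: let the peer reach the switch's own address before the
# deny entry below catches everything else.
entry permit_bgp_peer {
    if {
        protocol tcp;
        source-address 203.0.113.2/32;
        destination-address 192.0.2.1/32;
    } then {
        permit;
    }
}

# Drop everything else aimed at the switch's own address on this port.
# The packet is discarded at ingress, before the SSH daemon sees it, so no
# banner or sign-on prompt is returned; the counter keeps the evidence that
# Rod still wants to see.
entry deny_to_switch_ip {
    if {
        destination-address 192.0.2.1/32;
    } then {
        deny;
        count to_switch_ip_denied;
    }
}

# Assumed EXOS CLI sequence to apply and watch it (port 1 = internet-facing port):
#   check policy deny_ssh_internet
#   configure access-list deny_ssh_internet ports 1 ingress
#   show access-list counters ports 1 ingress
```

Keep a console or secure-side session open while testing, and give any other traffic that legitimately targets the switch address on that port (monitoring, a second peer) its own permit entry above the deny.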
Thanks for all your input. I'm going for Frank's option, disabling ssh2 on vr-default and enabling it on vr-mgmt, so internally we can get to the switch and externally hopefully they (alleged hackers) get no response whatsoever, so in future they have nothing to help their attack.

Basically I need to test this before I suggest it to my customer.

Many thanks everyone.