Header Only - DO NOT REMOVE - Extreme Networks

deny ssh access from a specific internet facing port


Userlevel 3
I need to deny any SSH access (switch management) from a specific port that is connected to the internet. (Basically I want to stop any response from the switch on a specific port.)

The Switch still needs to be ssh accessible from the internal secure network.

I already run a Switch Manage policy for SSH/Telnet/web, which is working as expected.

9 replies

Userlevel 6
What is the device / product type you're working with, and what firmware revision?
Userlevel 3
X670-48X 15.3.3.5-patch1-2

I really want to stop any response at all (banner etc.) ... other than the log.
Userlevel 5
If the Internet is on a different VR than your internal network, you can limit ssh to only listen on a VR - for instance "enable ssh2 vr VR-Mgmt" to only listen on the management port/vr
Userlevel 3
Frank wrote:

If the Internet is on a different VR than your internal network, you can limit ssh to only listen on a VR - for instance "enable ssh2 vr VR-Mgmt" to only listen on the management port/vr

For this external switch (internet one side, firewall the other) we are using vr vr-default.
Though the IP address of the switch for management is on vr-mgmt.

So basically
I would disable ssh2 vr vr-default, enable ssh2 vr vr-mgmt.
That should stop the external hits we are getting for ssh.
Userlevel 5
Frank wrote:

If the Internet is on a different VR than your internal network, you can limit ssh to only listen on a VR - for instance "enable ssh2 vr VR-Mgmt" to only listen on the management port/vr

My memory is spotty - I would start saying "enable ssh2 vr vr-mgmt" and see if that took it off vr-default. Don't want to leave you hanging without ssh or a long console cable.
Userlevel 7
Rod, take a look at this article:
How do you restrict SSH access to an IP addresses range?
Userlevel 3
Drew C. wrote:

Rod, take a look at this article:
How do you restrict SSH access to an IP addresses range?

Drew

We already do this and it works. We limit what internal networks and specific IP addresses can access the switch on SSH2, telnet and SNMP. What I want to stop is any response from the switch to the external addresses that are trying to access the switch IP via SSH2 (janet address). Currently the external users (let's call them hackers) still receive an SSH2 prompt to sign on. I need this to stop.
Userlevel 5
Drew C. wrote:

Rod, take a look at this article:
How do you restrict SSH access to an IP addresses range?

What if you add an ingress ACL on that port that denies traffic to the switch IP and only allows the needed connections (BGP peers etc.)?
Userlevel 3
Drew C. wrote:

Rod, take a look at this article:
How do you restrict SSH access to an IP addresses range?

Thanks for all your input. I'm going for Frank's option, disabling ssh2 on vr-default and enabling it on vr-mgmt, so internally we can get to the switch and externally hopefully they (alleged hackers) get no response whatsoever, so in future they have nothing to help their attack.

Basically I need to test this before I suggest this to my customer ..

Many thanks everyone..
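Both approaches from the thread written out as an added example (not from the original posts or from Extreme's documentation): Frank's option of binding SSH2 to vr-mgmt only, and the ingress ACL suggested for the internet-facing port. The switch IP 192.0.2.10, the BGP peer 198.51.100.1, port 48 and the policy name are assumed placeholders.

```text
# Option A (Frank's suggestion): make SSH2 listen only on the management VR.
# Run this from the console, or from a session that arrives via vr-mgmt, so
# you cannot lock yourself out; "show ssh2" afterwards shows which VRs the
# SSH2 server is still listening on.
disable ssh2 vr vr-default
enable ssh2 vr vr-mgmt
show ssh2

# Option B: ingress ACL on the internet-facing port. Policy file contents for
# "block_mgmt_internet.pol" (create it with "edit policy block_mgmt_internet").
# Assumed placeholders: 192.0.2.10 = switch IP on vr-default,
# 198.51.100.1 = BGP peer on the internet side, port 48 = internet-facing port.
entry permit_bgp_peer {
    if {
        source-address 198.51.100.1/32;
        destination-address 192.0.2.10/32;
    } then {
        permit;
    }
}
entry deny_rest_to_switch_ip {
    if {
        destination-address 192.0.2.10/32;
    } then {
        deny;
        count dropped_to_switch_ip;
    }
}
# Packets that match no entry (transit traffic through the switch) are
# forwarded as before, so only packets addressed to the switch itself on this
# port are dropped, and the switch never answers them with an SSH banner.

# Syntax-check the policy, apply it to the internet-facing port only, then
# watch the counter to confirm that the external attempts are being dropped.
check policy block_mgmt_internet
configure access-list block_mgmt_internet ports 48 ingress
show access-list counter dropped_to_switch_ip ports 48 ingress
```

Option A still leaves SSH2 answering on vr-mgmt, so the existing access-profile that limits the internal source networks should stay in place as the second layer.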
