topic RE: HTTP(s) server listening in all VRs once enabled in ExtremeSwitching (EXOS/Switch Engine)

HTTP(s) server listening in all VRs once enabled

jeronimo — Sat, 25 Dec 2021 16:35:00 GMT

Hello,

We use several public routing instances (VRs) on our L3 switches.

The http(s) server is enabled in order to be able to monitor the switch, as some things like transceiver power are not available using SNMP.

Now it looks like all that I can do is create access lists to disallow public access to the HTTP server, but not disable it entirely for the public VRs. The logs are full of background noise trying to connect.

We really don't want to get hacked that way in case this instance of CherryPi(?) (that's what the access denied page says) would be vulnerable somehow.

It doesn't seem professional at all that it's not possible to just specifically enable the http(s) service/API where you need it. (Or at least specifically disable it when you really don't need it.)

Now I don't want to stick my head in the sand and just disable logging. The entire situation doesn't feel right.

Thoughts?

Best regards,
Marki

RE: HTTP(s) server listening in all VRs once enabled

CThompsonEXOS — Thu, 30 Dec 2021 21:29:00 GMT

Hi,

You can configure an access profile (which IMO are easier to maintain/diagnose) to block those connection using a dynamic ACL like below:

Before:

ExtremeCore.3 # show ses
                                                             CLI
    #       Login Time               User     Type    Auth   Auth Location
================================================================================
*489        Thu Dec 30 18:20:13 2021 cthom .. ssh2    local  dis  10.1.1.54     
 490        Thu Dec 30 18:21:03 2021 cthom .. xml     local  dis  10.1.1.54

Creating dynamic ACL:

create access-list blockhttps " source-address 10.1.1.0/24;" "

Applying ACL:

ExtremeCore.10 # configure web http access-profile add blockhttps first

Verify that is is blocking connections as expected:

* ExtremeCore.12 # show access-list counter process http
================================================================================
Access-list                                Permit Packets          Deny Packets 
================================================================================
blockhttps                                              0                     8
================================================================================
Total Rules : 1

Thanks,
Chris Thompson

RE: HTTP(s) server listening in all VRs once enabled

jeronimo — Tue, 04 Jan 2022 19:31:00 GMT

Hello,
I already knew that.
The question was how do we prevent the service from listening in that VR at all?
Like this it is still listening and potentially subject to hacks, DoS, etc. in an Internet-facing VR. That's not good.
Thanks
Marki

RE: HTTP(s) server listening in all VRs once enabled

Gabriel_G — Fri, 07 Jan 2022 18:44:00 GMT

Hi Marki,

There is currently no option to disable the web interface on a per-VR basis. If you're interested in that feature, please create a feature request with your account team. Otherwise, the access-profile will allow HTTP/S connections only from specified clients/networks.