topic RE: deny ssh access from a specific internet facing port in ExtremeSwitching (EXOS/Switch Engine)

deny ssh access from a specific internet facing port

Rod_Robertson2 — Tue, 08 Nov 2016 20:40:00 GMT

I need to deny any SSH access ( switch management ) from a specific port that the internet is connected to the internet . ( basically i want to stop any response from the switch from an specific port

The Switch still needs to be ssh accessible from the internal secure network.

I already run a Switch Manage policy for SSH/TELNET/and web. which are working as expected.

RE: deny ssh access from a specific internet facing port

Mike_Thomas — Tue, 08 Nov 2016 20:41:00 GMT

What is the device / product type your working with, and what firmware revision?

RE: deny ssh access from a specific internet facing port

Rod_Robertson2 — Tue, 08 Nov 2016 20:55:00 GMT

X670-48X 15.3.3.5-patch1-2

I really want to stop any response at all (BANNER etc ) ... other than the log

RE: deny ssh access from a specific internet facing port

Frank — Tue, 08 Nov 2016 21:07:00 GMT

If the Internet is on a different VR than your internal network, you can limit ssh to only listen on a VR - for instance "enable ssh2 vr VR-Mgmt" to only listen on the management port/vr

RE: deny ssh access from a specific internet facing port

Rod_Robertson2 — Tue, 08 Nov 2016 21:07:00 GMT

For this external switch ( internet one side , firewall the other ) we are using vr vr-default ..
Thought the ip address of the switch for management is on vr-mgmt ..

So basically
I would disable ssh2 vr vr-default , enable ssh2 vr vr-mgmt ..
That should stop the external hits we are getting for ssh..

RE: deny ssh access from a specific internet facing port

Frank — Tue, 08 Nov 2016 21:07:00 GMT

My memory is spotty - I would start saying "enable ssh2 vr vr-mgmt" and see if that took it off vr-default. Don't want to leave you hanging without ssh or a long console cable.

RE: deny ssh access from a specific internet facing port

Drew_C — Tue, 08 Nov 2016 21:14:00 GMT

Rod, take a look at this article:
How do you restrict SSH access to an IP addresses range?

RE: deny ssh access from a specific internet facing port

Rod_Robertson2 — Tue, 08 Nov 2016 21:14:00 GMT

Drew

We already do this and it works , we limit what internal networks and specific IP addresses can access the switch , on SSH2 , telnet and SNMP .what I want to stop , is any response from the switch to the external addresses that are trying to access the switch IP via SSH2 ( janet address ). Currently the extrenal users ( lets call them hackers ) still receive an SSH2 prompt to sigh on ..I need this to stop ..

RE: deny ssh access from a specific internet facing port

Ron_Huygens — Tue, 08 Nov 2016 21:14:00 GMT

What if you add an ingress ACL on that port that deny traffic to the switch IP and only allow the needed connections ( BGP peers etc..)

RE: deny ssh access from a specific internet facing port

Rod_Robertson2 — Tue, 08 Nov 2016 21:14:00 GMT

Thanks for all your input .. I'm going for franks option , in disabling ssh2 on the vr-default , and enable on Vr-mgmt so internally w e can get to the switch , externally hopefully they ( alleged hackers ) get no response what so ever , so in future they have nothing to help there attack.

Basically I need to test this before I suggest this to my customer ..

Many thanks everyone..