10-27-2020 11:08 AM
I have an X460-G2 on firmware 30.3.1.6.
I want SSH access to only be available from VR-Mgmt, so I have configured as follows:
enable ssh2 vr VR-Mgmt
If I attempt to SSH to the device using an IP that belongs to VR-Default, while I can’t log in I do get an SSH login prompt. Additionally if I use portqry to probe port 22 the port is returned as ‘listening’. The addresses in question are accessible from the internet so this is not really acceptable from a security standpoint.
I have already disabled SSH and re-enabled specifically specifying VR-Mgmt.
Firstly - how can I prevent all SSH response on VR-Default? Port 22 should not be seen as open.
I do not wish to restrict access to specific IP addresses - it should be allowed from VR-Mgmt and nowhere else.
Secondly - surely this behaviour is a bug and there should be no response on VR-Default? Why would the device respond when SSH is specifically only enabled on VR-Mgmt?
10-27-2020 01:56 PM
Hi Jon,
Below is an article that explains the ACL and how to apply it:
https://gtacknowledge.extremenetworks.com/articles/Q_A/SSH-Access-Profile
Thanks,
Chris Thompson
10-27-2020 01:46 PM
So if I need to use an ACL, what is the best approach? It doesn’t seem to be possible to specify a VR as a match condition as far as I can see.
There are only two active VLANs/SVIs in VR-Default, would it be best just to deny SSH for those VLANs?
Can anyone give a sample configuration?
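One way to implement the per-VLAN deny asked about above, as an added example that is not from the original thread or from Extreme's article: an EXOS policy file applied ingress on each VR-Default VLAN. The VLAN names (Servers, Users) and the two SVI addresses (192.0.2.1, 192.0.2.129) are placeholders; matching on the switch's own addresses keeps SSH that merely transits the switch to other hosts unaffected.

```text
# /config/deny_ssh_vrdefault.pol  (created with: edit policy deny_ssh_vrdefault)
# Drops TCP/22 aimed at the switch's own VR-Default SVI addresses.
# 192.0.2.1/32 and 192.0.2.129/32 are placeholders for the two SVIs.
entry deny_ssh_to_svi1 {
    if match all {
        protocol tcp;
        destination-address 192.0.2.1/32;
        destination-port 22;
    } then {
        deny;
        count ssh_denied_svi1;
    }
}
entry deny_ssh_to_svi2 {
    if match all {
        protocol tcp;
        destination-address 192.0.2.129/32;
        destination-port 22;
    } then {
        deny;
        count ssh_denied_svi2;
    }
}

# Apply on the switch (VLAN names are placeholders):
#   check policy deny_ssh_vrdefault
#   configure access-list deny_ssh_vrdefault vlan Servers ingress
#   configure access-list deny_ssh_vrdefault vlan Users ingress
# Verify:
#   show access-list
#   show access-list counter
```

Because the ACL silently drops the SYN, a re-run of portqry against a VR-Default address should report port 22 as filtered rather than listening, and the counters show how often the rule is hit.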
10-27-2020 12:43 PM
I was surprised because I would think ssh would be effectively disabled on the default VR. I would think getting a prompt is a bug. Unless Extreme agrees and changes the behavior, which I am sure will require a code upgrade, I agree an ACL would be the only option.
10-27-2020 12:31 PM
Sounds like it’s similar to SNMP then - “we listen everywhere, and let the CPU sort things out”. I fear ACLs are in your future, but I hope someone with more experience can weigh in.
Sorry!
10-27-2020 11:40 AM
I have the same as you:
# Module exsshd configuration.
#
enable ssh2 vr VR-Mgmt
All the rest of the SSH config is at default values I believe:
# show config detail exsshd
#
# Module exsshd configuration.
#
enable ssh2 port 22 vr VR-Mgmt
configure ssh2 secure-mode off
configure ssh2 dh-group minimum 14
configure ssh2 idletimeout 60
configure ssh2 disable cipher aes128-cbc
configure ssh2 disable cipher 3des-cbc
configure ssh2 disable cipher blowfish-cbc
configure ssh2 disable cipher cast128-cbc
configure ssh2 disable cipher aes192-cbc
configure ssh2 disable cipher aes256-cbc
configure ssh2 disable cipher arcfour
configure ssh2 disable cipher rijndael-cbc@lysator.liu.se
configure ssh2 enable cipher aes128-ctr
configure ssh2 enable cipher aes192-ctr
configure ssh2 enable cipher aes256-ctr
configure ssh2 disable cipher arcfour256
configure ssh2 disable cipher arcfour128
configure ssh2 enable cipher chacha20-poly1305@openssh.com
configure ssh2 disable mac hmac-md5-etm@openssh.com
configure ssh2 enable mac hmac-sha1-etm@openssh.com
configure ssh2 enable mac hmac-sha2-256-etm@openssh.com
configure ssh2 enable mac hmac-sha2-512-etm@openssh.com
configure ssh2 disable mac hmac-ripemd160-etm@openssh.com
configure ssh2 disable mac hmac-sha1-96-etm@openssh.com
configure ssh2 disable mac hmac-md5-96-etm@openssh.com
configure ssh2 disable mac hmac-md5
configure ssh2 enable mac hmac-sha1
configure ssh2 enable mac hmac-sha2-256
configure ssh2 enable mac hmac-sha2-512
configure ssh2 disable mac hmac-ripemd160
configure ssh2 disable mac hmac-ripemd160@openssh.com
configure ssh2 disable mac hmac-sha1-96
configure ssh2 disable mac hmac-md5-96
configure ssh2 rekey time-interval none
configure ssh2 rekey data-limit default
configure ssh2 enable pk-alg ssh-rsa
configure ssh2 disable pk-alg ssh-dss
configure ssh2 enable pk-alg x509v3-sign-rsa
configure ssh2 enable pk-alg x509v3-sign-dss