12-02-2019 03:37 PM
Hi everybody.
I have set up management access to the switch through SSH and applied the Access Profile. The Access Profile works. But the SSH port is still open to network scanners, and I have a huge number of failed access attempts in the log file. How can I completely close the SSH port from outside?
X590-24x-1q
ExtremeXOS version 22.6
entry NOC {
if match any {
source-address x.x.x.x/26 ;
}
then {
permit ;
}
}
entry DenyAll {
if match any {
source-address 0.0.0.0/0;
}
then {
deny;
}
}
Thanks.
12-03-2019 10:51 AM
SVI - it is simply a VLAN. In the case of EXOS, all configuration is VLAN-based. So if you have a VLAN with an IP, then you can map your ACL to the VLAN and it will act like an ACL on an L3 subinterface.
access-profile is for snmp, telnet, ssh2 - for management access to the switch. (for example #configure ssh2 access-profile TRUSTED-NETWORKS)
configure access-list - this is packet inspection (for example #configure access-list [any | ports <portlist> | vlan <vlanname>]) - it is a static ACL.
Also you can create a dynamic ACL (for example #create access-list UNTRUSTED-NETWORKS "source-address 82.144.x.x/26 ;" "deny" → #conf access-list add UNTRUSTED-NETWORKS ports 11-21 ingress)
About “error appeared:” - https://gtacknowledge.extremenetworks.com/articles/Solution/Summit-reports-error-when-applying-ACL-t...
Thank you!
12-03-2019 10:22 AM
Thanks, it works.
I have applied the access-profile to the VLAN.
As I understand it, it is impossible to apply the access-profile to the L3 subinterface (SVI in Cisco terms) of a VLAN, only to the whole L2 VLAN. Correct?
And I was forced to change the POLICY_NAME file.
When the file was mapped to the ssh2 access-profile I could use multiple source-address lines in the if construction. For example:
if match any {
source-address 82.144.x.x/26 ;
source-address 77.120.x.x/26 ;
}
And it was OK.
But when the file was mapped to the VLAN, this error appeared:
Line 4 : Attribute source-address already exists as a match statement in Acl entry ...
And I needed to create a separate entry for each source-address.
12-03-2019 08:02 AM
Hi!
So this ACL is working normally,
because it blocks SSH access to the switch from untrusted IPs.
If you want to block all SSH traffic from untrusted IPs you have to map this ACL not to the access-profile but to an inbound port or VLAN. (In this case the ACL will check each packet for the IP/port combination, and if it is from an untrusted IP with port 22 the switch will block this packet.)
Thank you!
12-02-2019 04:35 PM
Thanks for the fast answer.
I have mapped this ACL to the access-profile:
#
enable ssh2
configure ssh2 access-profile TRUSTED-NETWORKS
Dec 2 18:29:19 x.x.x.x exsshd: SSH connection from source 112.85.42.237 has been denied by access-list TRUSTED-NETWORKS. Rejecting connection.
Dec 2 18:30:29 x.x.x.x exsshd: SSH connection from source 112.85.42.237 has been denied by access-list TRUSTED-NETWORKS. Rejecting connection.
12-02-2019 03:52 PM
Hello!
There needs to be more information - how do you map this ACL? (to a port, to a VLAN, inbound or outbound, access-profile...)
If you need to restrict SSH access to the network - you can add a match line with port 22.
If you want to restrict access to the switch you have to map it with # configure ssh2 access-profile <name>.
Also you don't need the match condition source-address 0.0.0.0/0, you can make just:
entry DenyAll {
if match all {
}
then {
deny;
}
}
It will match like "all other traffic".
Thank you!
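A complete policy that follows the advice in this reply (match on port 22) and in the later replies (one entry per trusted source, map the ACL to the VLAN rather than to the ssh2 access-profile), written as an added example for this thread, not taken from any post in it or from Extreme documentation. The policy name DENY-SSH-UNTRUSTED, the VLAN name MGMT, the switch's VLAN IP 192.0.2.1/32 and the two trusted prefixes 198.51.100.0/26 and 203.0.113.64/26 are assumed placeholders standing in for the thread's x.x values.

```text
# /config/DENY-SSH-UNTRUSTED.pol   (assumed file name; load via tftp or 'edit policy DENY-SSH-UNTRUSTED')
# Hardware ACL for the management VLAN. Entries are evaluated top to bottom, first match wins.
# A VLAN-mapped ACL allows only one source-address per entry
# ("Attribute source-address already exists ..."), so each trusted prefix gets its own entry.
# 192.0.2.1/32 is the switch's own IP on the VLAN (assumed placeholder).

entry ssh_from_noc {
    if match all {
        protocol tcp ;
        source-address 198.51.100.0/26 ;
        destination-address 192.0.2.1/32 ;
        destination-port 22 ;
    } then {
        permit ;
        count ssh_permitted ;
    }
}

entry ssh_from_second_noc {
    if match all {
        protocol tcp ;
        source-address 203.0.113.64/26 ;
        destination-address 192.0.2.1/32 ;
        destination-port 22 ;
    } then {
        permit ;
        count ssh_permitted ;
    }
}

# Everything else aimed at TCP/22 on the switch IP is dropped in hardware, so a scanner's
# SYN never reaches exsshd and no "Rejecting connection" line is written to the log.
entry ssh_from_anyone_else {
    if match all {
        protocol tcp ;
        destination-address 192.0.2.1/32 ;
        destination-port 22 ;
    } then {
        deny ;
        count ssh_denied ;
    }
}

# Do NOT copy the catch-all "if match all { } then { deny; }" entry from the access-profile
# policy into this file: on a VLAN ACL it would drop every other packet on the VLAN.
# Packets that match no entry are forwarded by default.

# Commands typed at the EXOS CLI (vlan name MGMT is assumed):
#   check policy DENY-SSH-UNTRUSTED
#   configure access-list DENY-SSH-UNTRUSTED vlan MGMT ingress
#   show access-list
#   show access-list counter
#   refresh policy DENY-SSH-UNTRUSTED        (after editing the .pol file)
```

Keep the existing `configure ssh2 access-profile TRUSTED-NETWORKS` in place as well: the VLAN ACL only covers packets arriving on that VLAN's ports, so the daemon-level profile still protects SSH on any other VLAN that carries an IP address, and the two counters let you confirm from `show access-list counter` that scanner traffic is now hitting `ssh_denied` instead of the log.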