12-02-2019 03:37 PM
Hi everybody.
I have done management access to the switch through SSH and applied the Access Profile. The Access Profile works. But the SSH port is still open for network scanners, and I have a huge amount of failed access attempts in the log file. How can I completely close the SSH port from outside?
X590-24x-1q
ExtremeXOS version 22.6
entry NOC {
    if match any {
        source-address x.x.x.x/26;
    }
    then {
        permit;
    }
}
entry DenyAll {
    if match any {
        source-address 0.0.0.0/0;
    }
    then {
        deny;
    }
}
Thanks.
12-05-2019 12:33 PM
Hi!
Actually, I think both your questions have to be directed to GTAC.
First question (it's just my guess) - when we are talking about management access (access-profile), it is pointed at the session (like flows). It means that you block the management session (it's like in flow-based inspection, where a few packets can be forwarded to the destination).
When we are talking about ACL-based packet processing, it's more per-packet inspection: the switch inspects every packet and makes a decision on it (block or allow).
About the second issue - you have to give more information. Are there any logs about this issue? The IP became unreachable from where (it's better to have a scheme and the configuration)?
Thank you!
12-05-2019 12:22 PM
It is a little bit strange implementation.
To completely hide the SSH service from untrusted hosts, it requires applying an access-profile to SSH and also applying an ACL to the VLAN. If we have one L3 interface, it is OK. But if your switch has two or more L3 interfaces with a public (white) IP, it becomes inconvenient to apply an ACL to each L3 VLAN interface.
It is only my opinion.
So, now the issue about applying ACL to VLAN.
When I applied the ACL to the VLAN, it was normal for about half an hour.
After that time the switch's IP became unreachable, and I lost SSH to it.
After turning the ACL off and on again, the situation repeated.
What can be the cause of this behaviour?
12-03-2019 11:23 AM
Could you describe the task in more detail?
If we are talking about management access to the switch - then by security principles you have to ban all IPs except a few trusted ones. And map it to a VLAN and/or ports. There is no need for an SVI-based ACL.
Thank you!
12-03-2019 11:14 AM
SVI - it's simply a VLAN. In the case of EXOS, all configuration is VLAN-based. So if you have a VLAN with an IP, then you can map your ACL to the VLAN and it would be like an ACL for an L3 subinterface.
Yeah, but unlike Cisco, the ACL is mapped to all ports which contain this VLAN. In my case it isn't a problem, but in other cases there may be some nuances.
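As an added example (not posted by anyone in this thread), here is an EXOS policy file that follows the advice above to put an ACL on the VLAN in addition to the SSH access-profile. Unlike the DenyAll entry in the first post, which matches every IP packet from any source, the deny here is scoped to TCP/22 towards the switch's own address, so routed traffic through the VLAN is not affected. The NOC prefix x.x.x.x/26 is the poster's placeholder; the switch address 192.0.2.10 and the VLAN name "Mgmt" are constructed for the example.

```text
# ssh_mgmt.pol (constructed example; save in /usr/local/cfg on the switch)

# Allow SSH to the switch only from the trusted NOC prefix.
entry permit_noc_ssh {
    if match all {
        source-address x.x.x.x/26;         # poster's trusted management prefix
        destination-address 192.0.2.10/32; # switch's own IP (constructed)
        protocol tcp;
        destination-port 22;
    }
    then {
        permit;
        count noc_ssh;
    }
}

# Drop SSH to the switch from everyone else and count the attempts,
# so scanner noise shows up in the ACL counter instead of the syslog.
entry deny_other_ssh {
    if match all {
        destination-address 192.0.2.10/32;
        protocol tcp;
        destination-port 22;
    }
    then {
        deny;
        count denied_ssh;
    }
}

# No catch-all deny: anything not matching above falls through to the
# default permit, so transit traffic on the VLAN keeps flowing.

# Apply and verify (EXOS CLI):
#   check policy ssh_mgmt
#   configure access-list ssh_mgmt vlan "Mgmt" ingress
#   show access-list counter
```

The access-profile on SSH still governs who may open a management session; the VLAN ACL additionally drops the unwanted SYNs before they reach the SSH daemon, which is why the port stops answering scanners.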