This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HTTP(s) server listening in all VRs once enabled

HTTP(s) server listening in all VRs once enabled

jeronimo
Contributor III

‎12-25-2021 08:35 AM

Hello,

We use several public routing instances (VRs) on our L3 switches.

The http(s) server is enabled in order to be able to monitor the switch, as some things like transceiver power are not available using SNMP.

Now it looks like all that I can do is create access lists to disallow public access to the HTTP server, but not disable it entirely for the public VRs. The logs are full of background noise trying to connect.

We really don't want to get hacked that way in case this instance of CherryPi(?) (that's what the access denied page says) would be vulnerable somehow.

It doesn't seem professional at all that it's not possible to just specifically enable the http(s) service/API where you need it. (Or at least specifically disable it when you really don't need it.)

Now I don't want to stick my head in the sand and just disable logging. The entire situation doesn't feel right.

Thoughts?

Best regards,
Marki
0 Kudos
3 REPLIES 3

CThompsonEXOS
Extreme Employee

‎12-30-2021 01:29 PM

Hi,

You can configure an access profile (which IMO are easier to maintain/diagnose) to block those connection using a dynamic ACL like below:

Before:

ExtremeCore.3 # show ses
                                                             CLI
    #       Login Time               User     Type    Auth   Auth Location
================================================================================
*489        Thu Dec 30 18:20:13 2021 cthom .. ssh2    local  dis  10.1.1.54     
 490        Thu Dec 30 18:21:03 2021 cthom .. xml     local  dis  10.1.1.54


Creating dynamic ACL:

create access-list blockhttps " source-address 10.1.1.0/24;" "


Applying ACL:

ExtremeCore.10 # configure web http access-profile add blockhttps first


Verify that is is blocking connections as expected:

* ExtremeCore.12 # show access-list counter process http
================================================================================
Access-list                                Permit Packets          Deny Packets 
================================================================================
blockhttps                                              0                     8
================================================================================
Total Rules : 1

Thanks,
Chris Thompson

0 Kudos

jeronimo
Contributor III
In response to CThompsonEXOS

‎01-04-2022 11:31 AM

Hello,
I already knew that.
The question was how do we prevent the service from listening in that VR at all?
Like this it is still listening and potentially subject to hacks, DoS, etc. in an Internet-facing VR. That's not good.
Thanks
Marki
0 Kudos

Gabriel_G
Extreme Employee
In response to jeronimo

‎01-07-2022 10:44 AM

Hi Marki,

There is currently no option to disable the web interface on a per-VR basis. If you're interested in that feature, please create a feature request with your account team. Otherwise, the access-profile will allow HTTP/S connections only from specified clients/networks.
0 Kudos
GTM-P2G8KFN