How to restrict SSH access to the controller to a particular host / subnet?

Aruba Employee
Requirement:

To Limit SSH access to controller interfaces.

 

SSH access to an Aruba controller requires valid credentials which includes username and password. However an attacker can run a script to enter multiple SSH requests with changing username / password pair. To prevent this, we can limit SSH access to the controller from a few subnets / hosts.



Solution:

 

We can use Service ACL also known as firewall-cp for this. Default configuration for this is given below.

 

#show firewall-cp

CP firewall policies
--------------------
IP Version  Source IP  Source Mask  Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------  -----------  --------  ----------  --------  -----------  ----  --------
ipv4        any                     17        1900        1900      Permit       0
ipv4        any                     17        5999        5999      Permit       0

 

With Service ACL , we can put restrictions on the traffic hitting the controller. These ACLs will allow / prevent access to all the controller IP interfaces.



Configuration:

 

Here, we will restrict the SSH access to the controller to a host with an ip address 10.1.1.100


(config) #firewall  cp

(config-fw-cp) #ipv4 permit host 10.1.1.100 proto ssh

(config-fw-cp) #ipv4 deny any proto ssh

 

We can see the service ACL after the config:

(Aruba3600) (config-fw-cp) #show firewall-cp

CP firewall policies
--------------------
IP Version  Source IP   Source Mask      Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------   -----------      --------  ----------  --------  -----------  ----  --------
ipv4        any                          17        1900        1900      Permit       0
ipv4        any                          17        5999        5999      Permit       0
ipv4        10.1.1.100  255.255.255.255  6         22          22        Permit       0
ipv4        any                          6         22          22        Deny         0

 

 



Verification

 

1. When we try to SSH to the controller from any other IP , the service ACL will block it. Below we initiate a SSH session from 10.1.1.247 which is dropped:

(config-fw-cp) #show datapath session table 10.1.1.247

Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags

--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
10.1.1.247      10.1.1.5        6    36013 22     0/0  0    0   0   1/0         2    0          0          FDYC

 

2. We can also see the counters increase on the firewall-cp for deny ACL:

(config-fw-cp) #show firewall-cp

CP firewall policies
--------------------
IP Version  Source IP   Source Mask      Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------   -----------      --------  ----------  --------  -----------  ----  --------
ipv4        any                          17        1900        1900      Permit       0
ipv4        any                          17        5999        5999      Permit       0
ipv4        10.1.1.100  255.255.255.255  6         22          22        Permit       0
ipv4        any                          6         22          22        Deny         6

 

3. When we initiate a session from the permitted host 10.1.1.100, we no longer see D flag:

(Aruba3600) (config-fw-cp) #show datapath session table 10.1.1.100

Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets    Bytes      Flags

--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ---------  --------- ---------------
10.1.1.100      10.1.1.5        6    48671 22     0/0  0    0   1   1/0         9    12         1244       C
10.1.1.5        10.1.1.100      6    22    48671  0/0  0    4   1   1/0         9    10         1640

 

4. Also we see the counters increase in firewall-cp for permit ACL:

(config-fw-cp) #show firewall-cp

CP firewall policies
--------------------
IP Version  Source IP   Source Mask      Protocol  Start Port  End Port  Permit/Deny  hits  contract
----------  ---------   -----------      --------  ----------  --------  -----------  ----  --------
ipv4        any                          17        1900        1900      Permit       0
ipv4        any                          17        5999        5999      Permit       0
ipv4        10.1.1.100  255.255.255.255  6         22          22        Permit       27
ipv4        any                          6         22          22        Deny         7

 

Version history
Revision #:
2 of 2
Last update:
‎02-23-2017 03:50 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.