Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Disable SSH/WebUI on outside interface

  • 1.  Disable SSH/WebUI on outside interface

    Posted Dec 04, 2014 03:03 PM

    We have noticed brute force attacks on the outside interfaces on our controllers. I want to disable all management access on the outside interface (SSH, Telnet, WebUI, please fill in any I missed). The public IPs are assigned on a VLAN on the controller, so there is no NAT or firewall between our controllers and the internet. From the forum I see that an ACL has to be applied. We use our controllers to terminate RAPs, so I want to make sure my ACL below is correct and will not interrupt communication. Per the VRD section "Firewall Ports":

    "RAPs connect to the controller on UDP port 4500 for establishing the IPsec connection. So this port should be opened on all the firewalls leading up to the controllers in the DMZ." The allow-all statement at the bottom should allow this traffic.


    ip access-list session Block-TermServ
    Block-TermServ
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any svc-ssh deny Low 4
    2 any any svc-telnet deny Low 4
    3 any any svc-http deny Low 4
    4 any any svc-https deny Low 4
    5 any any any permit Low 4



  • 2.  RE: Disable SSH/WebUI on outside interface
    Best Answer

    Posted Dec 04, 2014 03:04 PM

    The controller GUI uses TCP 4343, so you can remove the two http and https policies and add one for that port. 


    Otherwise, looks correct.



  • 3.  RE: Disable SSH/WebUI on outside interface

    Posted Dec 04, 2014 03:10 PM
    Like this...

    ip access-list session Block-TermServ
    Block-TermServ
    --------------
    Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
    -------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
    1 any any svc-ssh deny Low 4
    2 any any svc-telnet deny Low 4
    3 any any tcp 4343 deny Low 4
    4 any any any permit Low 4

    As always, thanks Tim.


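    An added example, not from this thread or from Aruba: it models the first-match evaluation of the revised Block-TermServ ACL from the post above and checks that SSH, Telnet and the TCP 4343 GUI port are denied while the RAP IPsec traffic on UDP 4500 still falls through to the permit-any rule. The svc-* port mappings are the standard ArubaOS netservice aliases and the ACL text is the show output copied as a constructed sample.

```python
"""Model first-match semantics of an ArubaOS session ACL (added example)."""
from dataclasses import dataclass

# Assumed mapping of ArubaOS built-in netservice aliases to (proto, port).
SERVICE_ALIASES = {
    "svc-ssh": ("tcp", 22),
    "svc-telnet": ("tcp", 23),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}

# Constructed sample: the revised ACL from the thread (post 3).
REVISED_ACL = """\
ip access-list session Block-TermServ
Priority Source Destination Service Action TimeRange Log
1 any any svc-ssh deny Low 4
2 any any svc-telnet deny Low 4
3 any any tcp 4343 deny Low 4
4 any any any permit Low 4
"""


@dataclass
class Rule:
    priority: int
    service: tuple   # (proto, port) or ("any", None)
    action: str      # "deny" or "permit"


def parse_acl(text):
    """Parse the 'Priority Source Destination Service Action' rows of the
    show output; header, separator and config lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        service = parts[3]
        if service in SERVICE_ALIASES:           # e.g. svc-ssh deny
            svc, action = SERVICE_ALIASES[service], parts[4]
        elif service in ("tcp", "udp"):          # e.g. tcp 4343 deny
            svc, action = (service, int(parts[4])), parts[5]
        elif service == "any":                   # any permit
            svc, action = ("any", None), parts[4]
        else:
            raise ValueError(f"unknown service {service!r}")
        rules.append(Rule(int(parts[0]), svc, action))
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules, proto, port):
    """Lowest priority number wins; unmatched traffic hits the implicit deny."""
    for r in rules:
        if r.service in (("any", None), (proto, port)):
            return r.action
    return "deny"
```

Feeding the original ACL from post 1 instead shows TCP 4343 permitted, which is the gap the best answer points out.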


  • 4.  RE: Disable SSH/WebUI on outside interface

    Posted Dec 04, 2014 03:13 PM

    Looks good!