Requirement: How to disable SSH access to the ClearPass server to meet a security compliance requirement?
Solution: Starting with ClearPass 6.6.3, two new CLI commands let you allow or deny inbound or outbound traffic on specific ports of the ClearPass server:
#show ports (To list all the ports and their status)
#configure port (To configure the port access)
Using these commands from the appadmin CLI, you can block SSH connections to the server.
Syntax: configure port <direction> <protocol> <port> <action>
Where,
direction -- Direction of the access control rule. Allowed values: input, output.
protocol -- Transport protocol. Allowed values: tcp, udp.
port -- Port number in the range 1-65535.
action -- Action applied to matching traffic. Allowed values: accept, reject.
Configuration: From the CLI, logged in as appadmin, run the following command to see the current status of port 22. SSH is enabled by default on all ClearPass server versions, so the Input Rule for port 22 shows ACCEPT:
# show ports
==============================================================================
Port | Protocol | State | Process | Input Rule | Output Rule |
==============================================================================
22 | tcp | LISTEN | sshd | ACCEPT | Not Defined |
25 | tcp | LISTEN | master | Not Defined | Not Defined |
80 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
443 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
1241 | tcp | LISTEN | nessusd | Not Defined | Not Defined |
2812 | tcp | LISTEN | monit | Not Defined | Not Defined |
4441 | tcp | LISTEN | policy_server | Not Defined | Not Defined |
5432 | tcp | LISTEN | postmaster | ACCEPT | Not Defined |
6432 | tcp | LISTEN | pgbouncer | Not Defined | Not Defined |
8015 | tcp | LISTEN | java | Not Defined | Not Defined |
8019 | tcp | LISTEN | java | Not Defined | Not Defined |
8081 | tcp | LISTEN | httpd | Not Defined | Not Defined |
8090 | tcp | LISTEN | java | Not Defined | Not Defined |
8100 | tcp | LISTEN | lighttpd | Not Defined | Not Defined |
12345 | tcp | LISTEN | php | Not Defined | Not Defined |
33341 | tcp | ESTABLISHED | java | Not Defined | Not Defined |
...
Run the following command to reject inbound SSH connections on TCP port 22:
#configure port input tcp 22 reject
Stopping cpass-firewall. Revert to basic iptables config: [ OK ]
Stopping docker: [ OK ]
Starting cpass-firewall: [ OK ]
Starting docker: [ OK ]
After this command, new SSH connection requests to the ClearPass server are blocked; the firewall and docker restart messages shown above are expected. Because this removes remote CLI access, confirm that you retain another management path (the web-based administration UI on port 443 remains accepted in the output above, and the local console is still available) before applying the change on a production server.
Verification: By default, SSH is enabled, which the Input Rule of ACCEPT on port 22 confirms:
[appadmin@Janakiram]# show ports
==============================================================================
Port | Protocol | State | Process | Input Rule | Output Rule |
==============================================================================
22 | tcp | LISTEN | sshd | ACCEPT | Not Defined |
25 | tcp | LISTEN | master | Not Defined | Not Defined |
80 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
Run the command below to reject SSH connection requests to the server:
[appadmin@Janakiram]#configure port input tcp 22 reject
Stopping cpass-firewall. Revert to basic iptables config: [ OK ]
Stopping docker: [ OK ]
Starting cpass-firewall: [ OK ]
Starting docker: [ OK ]
To confirm, run show ports again. The Input Rule for port 22 now reads DROP (the reject action is displayed as DROP in this output), so inbound SSH connections are blocked:
[appadmin@Janakiram]# show ports
==============================================================================
Port | Protocol | State | Process | Input Rule | Output Rule |
==============================================================================
22 | tcp | LISTEN | sshd | DROP | ACCEPT |
25 | tcp | LISTEN | master | Not Defined | Not Defined |
80 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
199 | tcp | LISTEN | snmpd | Not Defined | Not Defined |
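As an added example, not part of this article or of ClearPass itself, the script below parses the show ports output pasted above and turns the verification step into a repeatable check: it confirms that tcp/22 carries a blocking input rule, lists the other listening ports that still have no explicit input rule, and builds the corresponding configure port lines from the syntax given in the Solution. The only assumption is the column layout shown in the article (Port | Protocol | State | Process | Input Rule | Output Rule); the sample tables are constructed copies of the output shown above.

```python
"""Parse ClearPass `show ports` output and check the SSH firewall rule.

Added example, not ClearPass code. It assumes only the column layout
shown in the article; the sample text below is copied from its output.
"""

# Constructed sample: output before `configure port input tcp 22 reject`.
SAMPLE_BEFORE = """\
==============================================================================
Port | Protocol | State | Process | Input Rule | Output Rule |
==============================================================================
22 | tcp | LISTEN | sshd | ACCEPT | Not Defined |
25 | tcp | LISTEN | master | Not Defined | Not Defined |
80 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
"""

# Constructed sample: output after the reject rule was applied.
SAMPLE_AFTER = """\
==============================================================================
Port | Protocol | State | Process | Input Rule | Output Rule |
==============================================================================
22 | tcp | LISTEN | sshd | DROP | ACCEPT |
25 | tcp | LISTEN | master | Not Defined | Not Defined |
80 | tcp | LISTEN | httpd | ACCEPT | Not Defined |
199 | tcp | LISTEN | snmpd | Not Defined | Not Defined |
"""

COLUMNS = ("port", "protocol", "state", "process", "input_rule", "output_rule")


def parse_show_ports(text):
    """Return one dict per data row; the header and ==== separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=") or line.startswith("Port"):
            continue
        # Each data row ends with a trailing "|", so strip it before splitting.
        fields = [f.strip() for f in line.strip("|").split("|")]
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue  # "..." continuation marker or an unexpected line
        row = dict(zip(COLUMNS, fields))
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def ssh_blocked(rows):
    """True when tcp/22 has an explicit blocking input rule.

    The article's output renders the `reject` action as DROP, so both
    spellings are accepted here. With no tcp/22 row the state cannot be
    confirmed from this output, and False is returned.
    """
    for r in rows:
        if r["port"] == 22 and r["protocol"] == "tcp":
            return r["input_rule"].upper() in {"DROP", "REJECT"}
    return False


def listening_without_input_rule(rows):
    """Listening ports with no explicit input rule, i.e. candidates to review."""
    return sorted(
        r["port"] for r in rows if r["state"] == "LISTEN" and r["input_rule"] == "Not Defined"
    )


def reject_commands(ports, protocol="tcp"):
    """Build CLI lines from the article's syntax:
    configure port <direction> <protocol> <port> <action>."""
    return [f"configure port input {protocol} {p} reject" for p in ports]


if __name__ == "__main__":
    before = parse_show_ports(SAMPLE_BEFORE)
    after = parse_show_ports(SAMPLE_AFTER)
    print("SSH blocked before:", ssh_blocked(before))
    print("SSH blocked after: ", ssh_blocked(after))
    print("Listening ports with no input rule:", listening_without_input_rule(after))
    for cmd in reject_commands(listening_without_input_rule(after)):
        print("  candidate:", cmd)
```

Paste the real show ports output in place of the constructed samples; the candidate lines are only suggestions to review against the ClearPass documentation, since several of those ports are used internally by the server.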