Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Disable SSH/WebUI on outside interface

  • 1.  Disable SSH/WebUI on outside interface

    Posted Dec 04, 2014 03:03 PM

    We have noticed brute force attacks on the outside interfaces on our controllers. I want to disable all management access on the outside interface (SSH, Telnet, WebUI, please fill in any I missed). The public IPs are assigned on a VLAN on the controller so there is no NAT or firewall between our controllers and the internet. From the forum I see that an ACL has to be applied. We use our controllers to terminate RAPs so I want to make sure my ACL below is correct and will not interrupt communication. Per the VRD "Firewall Ports

    RAPs connect to the controller on UDP port 4500 for establishing the IPsec connection. So this port should be opened on all the firewalls leading up to the controllers in the DMZ." The allow all statement at the bottom should allow this traffic.

     

    ip access-list session Block-TermServ
    Block-TermServ
    --------------
    Priority  Source  Destination  Service     Action  Queue  IPv4/6
    --------  ------  -----------  ----------  ------  -----  ------
    1         any     any          svc-ssh     deny    Low    4
    2         any     any          svc-telnet  deny    Low    4
    3         any     any          svc-http    deny    Low    4
    4         any     any          svc-https   deny    Low    4
    5         any     any          any         permit  Low    4



  • 2.  RE: Disable SSH/WebUI on outside interface
    Best Answer

    EMPLOYEE
    Posted Dec 04, 2014 03:04 PM

    The controller GUI uses TCP 4343, so you can remove the two http and https policies and add one for that port. 

     

    Otherwise, looks correct.



  • 3.  RE: Disable SSH/WebUI on outside interface

    Posted Dec 04, 2014 03:10 PM
    Like this...

    ip access-list session Block-TermServ
    Block-TermServ
    --------------
    Priority  Source  Destination  Service     Action  Queue  IPv4/6
    --------  ------  -----------  ----------  ------  -----  ------
    1         any     any          svc-ssh     deny    Low    4
    2         any     any          svc-telnet  deny    Low    4
    3         any     any          tcp 4343    deny    Low    4
    4         any     any          any         permit  Low    4

    As always, thanks Tim.


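As an added illustration (not from the thread, and not ArubaOS code), a small first-match simulation of the two session ACLs above: it shows why the svc-https rule in post 1 leaves the TCP 4343 GUI port open while the corrected list still lets the RAP IPsec flow on UDP 4500 reach the final permit. The svc-* alias expansions (tcp/22, 23, 80, 443) and the trailing implicit deny are assumptions about ArubaOS defaults.

```python
# Added example (not from the thread): first-match simulation of the session ACL
# under discussion. Assumed service aliases (ArubaOS defaults, assumed here):
# svc-ssh=tcp/22, svc-telnet=tcp/23, svc-http=tcp/80, svc-https=tcp/443.
SERVICE_ALIASES = {
    "svc-ssh": ("tcp", 22),
    "svc-telnet": ("tcp", 23),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}

def parse_rule(priority, service, action):
    """Turn a service token ('svc-ssh', 'tcp 4343' or 'any') into a rule dict."""
    if service == "any":
        proto, port = None, None
    elif service in SERVICE_ALIASES:
        proto, port = SERVICE_ALIASES[service]
    else:
        proto, port_str = service.split()
        proto, port = proto.lower(), int(port_str)
    return {"priority": priority, "proto": proto, "port": port, "action": action}

def evaluate(acl, proto, dport):
    """Return (action, priority) of the first rule matching the flow."""
    for rule in acl:
        if rule["proto"] is not None and rule["proto"] != proto:
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return rule["action"], rule["priority"]
    return "deny", None  # implicit deny at the end of a session ACL (assumed)

# The ACL from post 1 and the corrected one from post 3 (source/destination 'any').
ORIGINAL_ACL = [parse_rule(*r) for r in [
    (1, "svc-ssh", "deny"), (2, "svc-telnet", "deny"),
    (3, "svc-http", "deny"), (4, "svc-https", "deny"), (5, "any", "permit")]]
CORRECTED_ACL = [parse_rule(*r) for r in [
    (1, "svc-ssh", "deny"), (2, "svc-telnet", "deny"),
    (3, "tcp 4343", "deny"), (4, "any", "permit")]]

# Constructed sample flows: management attempts plus the RAP IPsec NAT-T flow.
FLOWS = {"ssh": ("tcp", 22), "telnet": ("tcp", 23), "webui": ("tcp", 4343),
         "https-443": ("tcp", 443), "rap-ipsec": ("udp", 4500)}

def check(acl):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(acl, *flow)[0] for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(label, check(acl))
```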


  • 4.  RE: Disable SSH/WebUI on outside interface

    EMPLOYEE
    Posted Dec 04, 2014 03:13 PM

    Looks good!