Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

blocking ssh and other management protocols

Status
Not open for further replies.
V98Cubes

V98Cubes

Vendor
Jan 17, 2008
50
US
I have a cat6500 running IOS and have a public facing vlan. This vlan has my web server hanging off of it. I need to block using an ACL ssh and other management traffic but allow all other traffic in. Can I get some assistance on setting up an inbound ACL to block this type of traffic. I have had a number of ssh brute force hits lately.

Thanks,
V
 
Sort by date Sort by votes
personally I wouldn't block SSH access.
Code: 
aaa authentication login default local
security authentication failure rate 10 log
login block-for 60 attempts 4 within 30
login delay 3

line vty 0 16
 timeout login response 300
 logging synchronous
 transport input ssh

I use a radius server for authentication, however I changed above code to use a local username with full access which you can create using:

Code: 
username NOTROOT privilege 15 password 0 SOMESECURE

also you can run a command from global exec called:

autosecure

however if you really want to block JUST ssh:
Code: 
access-list 101 deny tcp any any eq ssh
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any 
interface vlan XXX
ip access-group in 101


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Upvote 0 Downvote
Thanks for your response. I have sshe enabled on my vty ports with a rsa ket enabled. The vlan I want to block this traffic on is on a vlan which faces the public. It has a web server on it along with a few other devices offering services to the public. I am trying to block ssh telnet etc from being used as a possible hack into these devices. So I started with:

access-list 112 deny ip 10.0.0.0 0.255.255.255 any log
access-list 112 deny ip 127.0.0.0 0.255.255.255.any log
access-list 112 deny 192.168.0.0 0.0.255.255 any log
access-list 112 deny tcp any any eq telnet log
access-list 112 deny any any eq 22 log
access-list 112 deny tcp any any 161 log
access-list 112 deny udp any any eq 22 log
access-list 112 deny udp any any eq snmp log
access-list 112 deny udp any any eq 23 log
access-list 112 permit any any log
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Lccarter
  • Locked
  • Question
Cisco CUCM Provisioning and Order Management System
Replies
1
Views
154
Lccarter
Lccarter
CDIV
  • Locked
  • Question
How do I enable SSH access in 2960x 1
Replies
4
Views
499
iggsterman
iggsterman
acabezas2014
  • Locked
  • Question
Need to create QoS for SNMP and Radius traffic on Cisco 4948 Switches
Replies
0
Views
81
acabezas2014
acabezas2014
jmkelly
  • Locked
  • Question
Dynamic routing protocols for catalyst 3850 switches
Replies
4
Views
209
ADB100
ADB100
mrdom
  • Locked
  • Question
RV325: Accessing LAN and WAN resources using the same hostname ...
Replies
0
Views
76
mrdom
mrdom

Part and Inventory Search

Sponsor

Back
Top