Question about access lists

Answered Question
Apr 14th, 2007

I just set up my Cisco 851 router for my home network. Things are working. I would now like to set up a few access lists, but need some help. I would like the following.


1. Log all SSH connections.

2. Deny SSH connections from the outside.

3. Permit/allow SSH connections from the inside.


Let me know.


Ryan




Craig Balfour Sun, 04/15/2007 - 00:09

If you specifically want to control ssh separately from other terminal access protocols like telnet you can create a named extended access list as follows:

ip access-list standard VTY-LOCKDOWN

permit tcp 10.0.0.0 0.0.0.255 host 192.168.100.1 eq 22 log

deny tcp any host 192.168.100.1 eq 22 log

permit ip any any


In the above example VTY-LOCKDOWN is the name of your access-list, 10.0.0.0/8 (or 10.0.0.0 0.0.0.255 in Cisco wildcard mask notation) is your inside subnet address and 192.168.100.1 is the address of your router. 22 is the TCP port number used by SSH and the entries are logged by adding the log keyword to the end of the access-list.


The above access-list will only block ssh from the non-local networks, but will permit other protocols such as telnet.


If you just want to control all terminal access protocols equally (i.e. telnet and ssh) you can create a simpler standard access-list as follows:


ip access-list standard VTY-LOCKDOWN
 remark 10.0.0.0/8 is wildcard 0.255.255.255 (0.0.0.255 would cover only 10.0.0.0/24)
 permit 10.0.0.0 0.255.255.255 log
 remark a standard list takes a source only, so "deny any", not "deny any any"
 deny any log


You apply one of the above access-lists to your vty line interface to control access to your router:


line vty 0 15

access-class VTY-LOCKDOWN in


Correct Answer
Craig Balfour Sun, 04/15/2007 - 23:15

Re-reading my post above in the light of a new (week) day I've found lots of mistakes in the first access-list - my apologies.


Please ignore the first access-list - it doesn't work. Here is an access-list that does work - I've tested it.


ip access-list extended VTY-LOCKDOWN

permit tcp 10.0.0.0 0.255.255.255 any eq 22 log

deny tcp any any eq 22 log

permit ip any any


Most of the rest of the post is correct - except that bit about 10.0.0.0/8 being 10.0.0.0 0.0.0.255 which of course is wrong.

10.0.0.0/8 = 10.0.0.0 0.255.255.255


rseiler Wed, 05/02/2007 - 19:30

Keep in mind that a VTY access-list doesn't actually protect the router from being exploited or DoSed. The SSH daemon will actually get the packet and reject it, kind of like a securetty file in Linux. The point being that the router actually processes the packet. Several Cisco HTTP, telnet, and SSH server exploits over the past few years have proved this for many users the hard way.


A better and more secure solution would be to use an ACL to block ssh access to *ANY* public IP interface on the router applied to the outside Internet facing interface.


There are some good best practice guides on Cisco's web site about properly locking down a router on the Internet that will protect the router but still allow packets to flow through it.


The best course of action is to protect the router IPs specifically, block anti-spoofing and unassigned IP blocks (IANA list), use the 'control-plane' interface if possible, and allow access to only the IP range that you own.


Obviously your example of a home Cisco 831/851/871 router complicates this as you most likely have a single public IP available to you and you need to allow return traffic to the router for NAT, etc. which limits your ability to protect the router.


A few older but good documents are at the following URLs:


http://www.cisco.com/web/about/security/intelligence/sp_infrastruct_scty.html


ftp://ftp-eng.cisco.com/cons/isp/essentials/IOS_Essentials_2-9.pdf


ftp://ftp-eng.cisco.com/pfs/seminars/SANOG2-ISP-Essentials.pdf
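The following is an added example written for this page, not code from the thread or from Cisco. It models how IOS evaluates an access-list (wildcard masks, top-down first match, the implicit deny at the end) and runs the corrected VTY-LOCKDOWN list from Craig's answer against sample packets, reproducing the 0.0.0.255 versus 0.255.255.255 mistake the thread corrects. It also models rseiler's point above: an ACL on the ingress interface drops a packet before the router processes it, whereas access-class on the vty lines is consulted only after the SSH server has already received it. The router's public address 203.0.113.10, the outside host 198.51.100.7, the OUTSIDE-IN list and all packets are constructed for the example; the parser covers only the syntax used in this thread.

```python
"""Added example (not from the thread): a small model of how IOS evaluates an
access-list, used to check the VTY-LOCKDOWN lists above against sample packets.
Only the syntax the thread uses is parsed; all addresses/packets are constructed."""
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

PROTOCOLS = {"ip", "tcp", "udp"}
ANY = ("0.0.0.0", "255.255.255.255")        # 'any': every wildcard bit is don't-care


def wildcard_for_prefix(prefix: str) -> str:
    """CIDR -> IOS wildcard mask: 10.0.0.0/8 -> '0.255.255.255' (not 0.0.0.255)."""
    return str(ipaddress.ip_network(prefix, strict=False).hostmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; only the 0 bits must agree with the base."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)


# proto 'ip' matches every protocol; dport None = any destination port
Ace = namedtuple("Ace", "action proto src src_wc dst dst_wc dport log")
Packet = namedtuple("Packet", "proto src dst dport")


def _addr_spec(tokens: List[str]) -> Tuple[str, str, List[str]]:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return ANY[0], ANY[1], tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> Ace:
    """One entry of an extended list, or of a standard (source-only) list."""
    action, *rest = line.split()
    if rest[0] in PROTOCOLS:                    # extended: proto src dst [eq N] [log]
        proto, rest = rest[0], rest[1:]
        src, src_wc, rest = _addr_spec(rest)
        dst, dst_wc, rest = _addr_spec(rest)
    else:                                       # standard: src [log]
        proto, (dst, dst_wc) = "ip", ANY
        src, src_wc, rest = _addr_spec(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport, rest = int(rest[1]), rest[2:]
    return Ace(action, proto, src, src_wc, dst, dst_wc, dport, rest[:1] == ["log"])


def parse_acl(config: str) -> List[Ace]:
    """Entries of a pasted access-list block; header, remark and '!' lines are skipped."""
    lines = [l.strip() for l in config.strip().splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith(("ip access-list", "remark", "!"))]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """Top-down, first match wins; falling off the end is the unlogged implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if wildcard_match(pkt.src, ace.src, ace.src_wc) and wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action, ace
    return "deny", None


def ssh_outcome(pkt: Packet, ingress_acl: Optional[List[Ace]], vty_acl: List[Ace]) -> str:
    """Where an SSH packet is stopped.  An ACL on the ingress interface drops it before
    the router processes it; 'access-class' on the vty lines is consulted only after
    the SSH server has already received the packet (rseiler's point)."""
    if ingress_acl is not None and evaluate(ingress_acl, pkt)[0] == "deny":
        return "dropped by interface ACL"
    if evaluate(vty_acl, pkt)[0] == "deny":
        return "processed by SSH server, refused by access-class"
    return "session allowed"


VTY_CONFIG = """ip access-list extended VTY-LOCKDOWN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit ip any any"""
VTY_LOCKDOWN = parse_acl(VTY_CONFIG)                        # the corrected list
VTY_LOCKDOWN_BUGGY = parse_acl(VTY_CONFIG.replace("0.255.255.255", "0.0.0.255"))  # first post's mask
ROUTER_PUBLIC_IP = "203.0.113.10"                           # assumed WAN address for the example
OUTSIDE_IN = parse_acl(f"""remark constructed ingress list for the WAN port, per rseiler
 deny tcp any host {ROUTER_PUBLIC_IP} eq 22 log
 permit ip any any""")
INSIDE_SSH = Packet("tcp", "10.1.2.3", "192.168.100.1", 22)         # LAN host -> router
OUTSIDE_SSH = Packet("tcp", "198.51.100.7", ROUTER_PUBLIC_IP, 22)   # Internet -> router

if __name__ == "__main__":
    print("10.0.0.0/8 wildcard:", wildcard_for_prefix("10.0.0.0/8"))
    for label, acl in (("vty only", None), ("with OUTSIDE-IN", OUTSIDE_IN)):
        print(f"outside, {label}:", ssh_outcome(OUTSIDE_SSH, acl, VTY_LOCKDOWN))
    print("inside, buggy mask:", ssh_outcome(INSIDE_SSH, None, VTY_LOCKDOWN_BUGGY))
```

With the first post's 0.0.0.255 mask, a LAN host at 10.1.2.3 falls through to the deny entry and is locked out, which is exactly why the corrected list uses 0.255.255.255. The model also shows that the vty access-class alone still lets an outside SYN reach the SSH server before it is refused, while the ingress list on the WAN port discards it at the interface.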

