04-14-2007 01:32 PM - edited 03-05-2019 03:28 PM
I just setup my Cisco 851 router for my home network. Things are working. I would now like to setup a few access lists, but need some help. I would like the following.
1. Log all SSH connections.
2. Deny SSH connections from the outside.
3. Permit/allow SSH connections from the inside.
Let me know.
Ryan
04-15-2007 12:09 AM
If you specifically want to control ssh separately from other terminal access protocols like telnet, you can create a named extended access list as follows:
ip access-list standard VTY-LOCKDOWN
permit tcp 10.0.0.0 0.0.0.255 host 192.168.100.1 eq 22 log
deny tcp any host 192.168.100.1 eq 22 log
permit ip any any
In the above example VTY-LOCKDOWN is the name of your access-list, 10.0.0.0/8 (or 10.0.0.0 0.0.0.255 in Cisco wildcard mask notation) is your inside subnet address and 192.168.100.1 is the address of your router. 22 is the TCP port number used by SSH and the entries are logged by adding the log keyword to the end of the access-list.
The above access-list will only block ssh from the non-local networks, but will permit other protocols such as telnet.
If you just want to control all terminal access protocols equally (i.e. telnet and ssh), you can create a simpler standard access-list as follows:
ip access-list standard VTY-LOCKDOWN
permit 10.0.0.0 0.255.255.255 log
deny any log
You apply one of the above access-lists to your vty line interface to control access to your router:
line vty 0 15
access-class VTY-LOCKDOWN in
04-15-2007 11:15 PM
Re-reading my post above in the light of a new (week) day I've found lots of mistakes in the first access-list - my apologies.
Please ignore the first access-list - it doesn't work. Here is an access-list that does work - I've tested it.
ip access-list extended VTY-LOCKDOWN
permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
deny tcp any any eq 22 log
permit ip any any
Most of the rest of the post is correct - except that bit about 10.0.0.0/8 being 10.0.0.0 0.0.0.255 which of course is wrong.
10.0.0.0/8 = 10.0.0.0 0.255.255.255
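As an added illustration that is not part of the thread, here is a small Python model of how Cisco wildcard matching evaluates the corrected VTY-LOCKDOWN list against the mask typo from the first post. The ACL evaluator, the CIDR-to-wildcard helper and the sample addresses are constructed for this example; it assumes IOS semantics of first-match, top-down evaluation with an implicit deny at the end.

```python
import ipaddress

# Cisco wildcard mask is the inverse of the subnet mask: 10.0.0.0/8 -> 0.255.255.255
def cidr_to_wildcard(cidr: str) -> str:
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.hostmask)

# Wildcard bit 1 = "don't care", bit 0 = "must match the base address".
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Each access control entry: (action, protocol, src_base, src_wildcard, dst_port or None)
# "any" is modelled as base 0.0.0.0 with wildcard 255.255.255.255, as IOS does.
ANY = ("0.0.0.0", "255.255.255.255")

def evaluate_acl(acl, proto: str, src: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a packet, first matching entry wins."""
    for action, ace_proto, base, wild, port in acl:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if not wildcard_match(src, base, wild):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS access-list

# The corrected list from the thread (works as intended)
VTY_LOCKDOWN_FIXED = [
    ("permit", "tcp", "10.0.0.0", "0.255.255.255", 22),
    ("deny",   "tcp", *ANY, 22),
    ("permit", "ip",  *ANY, None),
]

# Same list with the /24-style mask typo: only 10.0.0.x hosts ever match line 1
VTY_LOCKDOWN_BROKEN = [
    ("permit", "tcp", "10.0.0.0", "0.0.0.255", 22),
    ("deny",   "tcp", *ANY, 22),
    ("permit", "ip",  *ANY, None),
]

if __name__ == "__main__":
    for acl_name, acl in (("fixed", VTY_LOCKDOWN_FIXED), ("broken", VTY_LOCKDOWN_BROKEN)):
        for src in ("10.1.2.3", "10.0.0.7", "203.0.113.5"):  # constructed sample sources
            print(acl_name, src, "ssh ->", evaluate_acl(acl, "tcp", src, 22))
```

With the typo'd mask an inside host such as 10.1.2.3 falls through to the deny line and is logged as a blocked SSH attempt, which is the symptom to look for when a VTY access-class locks out the LAN.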
04-18-2007 05:15 PM
It works. Thanks for your help.
05-02-2007 07:30 PM
Keep in mind that a VTY access-list doesn't actually protect the router from being exploited or DoSed. The SSH daemon will actually get the packet and reject it, kind of like a securetty file in Linux. The point being that the router actually processes the packet. Several Cisco HTTP, telnet, and SSH server exploits over the past few years have proved this for many users the hard way.
A better and more secure solution would be to use an ACL to block ssh access to *ANY* public IP interface on the router applied to the outside Internet facing interface.
There are some good best practice guides on Cisco's web site about properly locking down a router on the Internet that will protect the router but still allow packets to flow through it.
The best course of action is to protect the router IPs specifically, block anti-spoofing and unassigned IP blocks (IANA list), use the 'control-plane' interface if possible, and allow access to only the IP range that you own.
Obviously your example of a home Cisco 831/851/871 router complicates this as you most likely have a single public IP available to you and you need to allow return traffic to the router for NAT, etc. which limits your ability to protect the router.
A few older but good documents are at the following URLs:
http://www.cisco.com/web/about/security/intelligence/sp_infrastruct_scty.html
ftp://ftp-eng.cisco.com/cons/isp/essentials/IOS_Essentials_2-9.pdf
ftp://ftp-eng.cisco.com/pfs/seminars/SANOG2-ISP-Essentials.pdf