02-03-2014 03:37 PM - edited 03-11-2019 08:39 PM
Hi there,
Thanks for reading!
We have an outside user who's been impacted by an improper deploy of SFTP. The workaround allowing them to connect is this rule:
access-list outside_access_in_1 extended permit tcp any host <my server's outside ip> range 49000 65535
I entered an FTP rule opening ports 50000-50010 (according to documentation) but no success.
Is there a "dynamic ports" type of rule which would allow me to open fewer than the 16535 ports? The incoming FTP connection generates a dynamic port <50000.
I'd like to further close the hole by naming the protocol.
Thanks again for reading!
Bob
02-03-2014 06:18 PM
Hi Bob,
In the ACE you defined, the range is from 49000 - 65535, but later in your question you mention less than 50,000. I'm a little confused by what you are asking.
However, if you are hosting the server, then the client should be connecting to your server's IP on port 22, and sourced from some dynamic port. Therefore, the ACL should be something like:
access-list outside permit tcp any host
But, what your ACL says, is that anyone can connect to your server on ports from 49000 to 65535. Which doesn't make sense.
Now, if the client used source ports <50000, and your server was hosting SFTP on port 22, then you could write an ACL such as:
access-list outside permit tcp host
Which would be about as locked down as you could get it.
Sincerely,
David.
02-04-2014 07:41 AM
Hi David,
Thanks for writing. Sorry for leaving out details.
The server team originally asked for ten ports: 50000-50010. The tcp rule specifying any host to
Now that 16 thousand ports are open to any host, the traffic is flowing.
The senior network guys (I'm a junior net admin) don't seem to have a problem with the rule. I think you and I see it similarly: anyone can connect and that doesn't make security sense.
But I think you've answered my question: I need to push for a single ip. Heck, maybe we just narrow it to the ISP range of our user! Even THAT's better.
Thanks again!
Bob
02-04-2014 10:28 AM
Hi Bob,
Yes, I find it highly odd that the clients would need to *connect* to a possible 16k ports!
The narrower you can make the hole, the more secure you are. So, if you can reduce the number of ports open and reduce the client IPs which can access the server, both improve the security of the policy.
You can look at your syslogs to see who is connecting to the server, and on what IPs/ports.
Sincerely,
David.
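The two practical points in this thread are that the ACE should name the client source and the single destination port rather than "any" and a 16k-port range, and that the ASA syslog shows who is actually connecting and on which ports. The script below is an added example for this thread, not code from either poster or from Cisco. It parses constructed ASA "Built inbound TCP connection" (message 302013) lines, tallies the source IPs and destination ports seen, counts how many of those flows the wide `any ... range 49000 65535` ACE would have permitted, and renders one narrow ACE per observed client/port pair in ASA syntax. The ACL name, the server address 203.0.113.10 and the client addresses are assumed sample values.

```python
"""Summarize ASA 'Built inbound TCP connection' syslog lines and propose
narrower ACEs. Added example for this thread; not Cisco's or the posters' code."""
import re
from collections import Counter

# Constructed sample lines (not taken from the thread). Layout follows the
# %ASA-6-302013 message: real address/port first, mapped (NAT) address in parentheses.
# Server 203.0.113.10 and clients 198.51.100.7 / 192.0.2.44 are documentation addresses.
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51622 (198.51.100.7/51622) to inside:10.0.0.5/22 (203.0.113.10/22)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/49201 (198.51.100.7/49201) to inside:10.0.0.5/22 (203.0.113.10/22)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.44/60110 (192.0.2.44/60110) to inside:10.0.0.5/50003 (203.0.113.10/50003)
%ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.7/49877 (198.51.100.7/49877) to inside:10.0.0.5/22 (203.0.113.10/22)
%ASA-6-302013: Built outbound TCP connection 1005 for inside:10.0.0.5/40000 (203.0.113.10/40000) to outside:192.0.2.44/443 (192.0.2.44/443)
"""

# Only inbound builds matter for an inbound ACL on the outside interface.
BUILT_INBOUND = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection \d+ "
    r"for (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)\)"
)


def parse_inbound(log_text):
    """Return (src_ip, src_port, mapped_dst_ip, mapped_dst_port) per inbound build line."""
    flows = []
    for line in log_text.splitlines():
        m = BUILT_INBOUND.search(line)
        if m:
            flows.append((m["src_ip"], int(m["src_port"]),
                          m["mapped_ip"], int(m["mapped_port"])))
    return flows


def summarize(flows):
    """Count destination ports hit and client source IPs seen."""
    dst_ports = Counter(f[3] for f in flows)
    src_ips = Counter(f[0] for f in flows)
    return dst_ports, src_ips


def flows_matched_by_range(flows, lo, hi):
    """Flows the wide ACE (any source, destination range lo-hi) would permit."""
    return [f for f in flows if lo <= f[3] <= hi]


def proposed_aces(acl_name, server_ip, flows):
    """One ASA ACE per observed (client IP, destination port) pair: host-to-host, single port."""
    pairs = sorted({(f[0], f[3]) for f in flows})
    return [
        f"access-list {acl_name} extended permit tcp host {src} host {server_ip} eq {dport}"
        for src, dport in pairs
    ]


if __name__ == "__main__":
    flows = parse_inbound(SAMPLE_SYSLOG)
    ports, ips = summarize(flows)
    print("destination ports seen:", dict(ports))
    print("client source IPs seen:", dict(ips))
    wide = flows_matched_by_range(flows, 49000, 65535)
    print(f"flows the 'any ... range 49000 65535' ACE would permit: {len(wide)} of {len(flows)}")
    for ace in proposed_aces("outside_access_in_1", "203.0.113.10", flows):
        print(ace)
```

Run it against real `302013` lines exported from the ASA (or a syslog collector) instead of the constructed sample; the proposed ACEs are a starting point to review with the server team, since a client whose address changes, or a passive-mode FTP data channel, will need a `range` or a network object rather than a single `host`/`eq` pair.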