Cisco Support Community
Question about access lists

I just setup my Cisco 851 router for my home network. Things are working. I would now like to setup a few access lists, but need some help. I would like the following.

1. Log all SSH connections.

2. Deny SSH connections from the outside.

3. Permit/allow SSH connections from the inside.

Let me know.

Ryan


4 REPLIES

Re: Question about access lists

If you specifically want to control ssh separately from other terminal access protocols like telnet, you can create a named extended access list as follows:

ip access-list standard VTY-LOCKDOWN
 permit tcp 10.0.0.0 0.0.0.255 host 192.168.100.1 eq 22 log
 deny tcp any host 192.168.100.1 eq 22 log
 permit ip any any

In the above example VTY-LOCKDOWN is the name of your access-list, 10.0.0.0/8 (or 10.0.0.0 0.0.0.255 in Cisco wildcard mask notation) is your inside subnet address and 192.168.100.1 is the address of your router. 22 is the TCP port number used by SSH and the entries are logged by adding the log keyword to the end of the access-list.

The above access-list will only block ssh from the non-local networks, but will permit other protocols such as telnet.

If you just want to control all terminal access protocols equally (i.e. telnet and ssh), you can create a simpler standard access-list as follows:

ip access-list standard VTY-LOCKDOWN
 permit 10.0.0.0 0.255.255.255 log
 deny any log

You apply one of the above access-lists to your vty line interface to control access to your router:

line vty 0 15
 access-class VTY-LOCKDOWN in

Re: Question about access lists (Accepted Solution)

Re-reading my post above in the light of a new (week) day I've found lots of mistakes in the first access-list - my apologies.

Please ignore the first access-list - it doesn't work. Here is an access-list that does work - I've tested it.

ip access-list extended VTY-LOCKDOWN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit ip any any

Most of the rest of the post is correct - except that bit about 10.0.0.0/8 being 10.0.0.0 0.0.0.255 which of course is wrong.

10.0.0.0/8 = 10.0.0.0 0.255.255.255


Re: Question about access lists

It works. Thanks for your help.


Re: Question about access lists

Keep in mind that a VTY access-list doesn't actually protect the router from being exploited or DoS'd. The SSH daemon will actually get the packet and reject it, kind of like a securetty file in Linux. The point being that the router actually processes the packet. Several Cisco HTTP, telnet, and SSH server exploits over the past few years have proved this for many users the hard way.

A better and more secure solution would be to use an ACL, applied to the outside Internet-facing interface, to block ssh access to *ANY* public IP interface on the router.

There are some good best practice guides on Cisco's web site about properly locking down a router on the Internet that will protect the router but still allow packets to flow through it.

The best course of action is to protect the router IPs specifically, block anti-spoofing and unassigned IP blocks (IANA list), use the 'control-plane' interface if possible, and allow access to only the IP range that you own.

Obviously your example of a home Cisco 831/851/871 router complicates this as you most likely have a single public IP available to you and you need to allow return traffic to the router for NAT, etc. which limits your ability to protect the router.

A few older but good documents are at the following URLs:

http://www.cisco.com/web/about/security/intelligence/sp_infrastruct_scty.html

ftp://ftp-eng.cisco.com/cons/isp/essentials/IOS_Essentials_2-9.pdf

ftp://ftp-eng.cisco.com/pfs/seminars/SANOG2-ISP-Essentials.pdf
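As an added illustration (not part of the thread, and not Cisco code), the following Python script models the ACL matching discussed in the first two replies and in the reply above. It parses the thread's own access-list syntax, shows that the wildcard mask 0.0.0.255 from the first reply matches only 10.0.0.0/24 (so an inside host such as 10.1.2.3 would be refused), and contrasts a vty access-class, which the model consults only after the packet has reached the SSH process, with an inbound ACL on the WAN interface that drops the packet on arrival. The router address 203.0.113.10, the outside host 198.51.100.7, the OUTSIDE-IN list name and the simplified evaluation order are assumptions made for the example.

```python
# Added example (not from the thread): a model of IOS-style ACL matching. Shows
# why the wildcard 0.0.0.255 covers 10.0.0.0/24 rather than 10.0.0.0/8, and why
# a vty access-class only acts after the packet has reached the SSH process.
# 203.0.113.10 (router WAN address) and 198.51.100.7 are constructed addresses.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")  # (address, wildcard) pair that matches everything

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 22

def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must match exactly."""
    base, wildcard = spec
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care

def _parse_addr(tok, i):
    """Consume 'any', 'host A', 'A W' or a bare host address A starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tok) and tok[i + 1][0].isdigit():
        return (tok[i], tok[i + 1]), i + 2
    return (tok[i], "0.0.0.0"), i + 1

@dataclass(frozen=True)
class Entry:
    action: str
    proto: str            # "ip" matches every protocol; standard lists are source-only
    src: Tuple[str, str]
    dst: Tuple[str, str]
    dport: Optional[int]
    log: bool

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and wildcard_match(pkt.src, self.src)
                and wildcard_match(pkt.dst, self.dst)
                and (self.dport is None or self.dport == pkt.dport))

class ACL:
    """Parses the 'ip access-list {standard|extended} NAME' syntax used in the thread."""
    def __init__(self, text):
        lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
        self.kind, self.name = lines[0].split()[2:4]
        self.entries = [self._parse(ln) for ln in lines[1:]]

    def _parse(self, line):
        tok = line.split()
        if self.kind == "extended":
            proto, i = tok[1], 2
            src, i = _parse_addr(tok, i)
            dst, i = _parse_addr(tok, i)
        else:                      # standard list: source address only
            proto, i = "ip", 1
            src, i = _parse_addr(tok, i)
            dst = ANY
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport, i = int(tok[i + 1]), i + 2
        return Entry(tok[0], proto, src, dst, dport, "log" in tok[i:])

    def evaluate(self, pkt):
        """First matching entry wins; the implicit deny at the end is not logged."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.log
        return "deny", False

# The first reply's standard list with its 0.0.0.255 mask, and the tested fix.
STANDARD_WRONG_MASK = """
ip access-list standard VTY-LOCKDOWN
 permit 10.0.0.0 0.0.0.255 log
 deny any log
"""
VTY_LOCKDOWN = """
ip access-list extended VTY-LOCKDOWN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit ip any any
"""
# Inbound list for the WAN interface (assumed name; IOS: 'ip access-group OUTSIDE-IN in'):
# drop SSH aimed at the router's own address, pass everything else on to NAT.
OUTSIDE_IN = """
ip access-list extended OUTSIDE-IN
 deny tcp any host 203.0.113.10 eq 22 log
 permit ip any any
"""

def vty_verdict(acl_text, src, dst="203.0.113.10"):
    return ACL(acl_text).evaluate(Packet(src, dst))[0]

def ssh_path(pkt, interface_acl=None, vty_acl=None):
    """Where an SSH packet for the router is stopped: the interface ACL acts on
    arrival; the access-class only once the SSH process already has the packet."""
    if interface_acl and interface_acl.evaluate(pkt)[0] == "deny":
        return "dropped by interface ACL"
    if vty_acl and vty_acl.evaluate(pkt)[0] == "deny":
        return "reached SSH process, rejected by access-class"
    return "reached SSH process, accepted"
```

Running `ssh_path(Packet("198.51.100.7", "203.0.113.10"), vty_acl=ACL(VTY_LOCKDOWN))` reports the packet reaching the SSH process before being rejected; adding `ACL(OUTSIDE_IN)` as the interface list drops it on arrival, which is the distinction the reply above draws. The trailing `permit ip any any` in OUTSIDE-IN is what keeps NAT return traffic flowing on a single-address home router. The model ignores control-plane policing and other IOS internals.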
