Aruba & ProVision-based
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict ssh access to local plus a single public subnet

SMRedwood
Occasional Contributor

Restrict ssh access to local plus a single public subnet

Hello,

I am having some "failed ssh login" problems with a Procurve 2920G PoE switch that we are using for L3 routing from a PtP fiber connection to a public routed block.  Because there is a public address on a VLAN, we are getting tons of failed login attempts from random public IPs over the internet.

 

I'm looking to restrict access to only the public address of our office or local to the network of the switch.  We don't have RADIUS authentication set up currently so we're using local login credentials.  Do I accomplish this with an ACL, or  is there another "best practice" for restricting ssh access?  I'm sort of new with ACL's so apologies if I am a bit confused.

 

Would it go something like this:?

ip access-list extended "restrict-ssh"

permit tcp (public address of our office) 0.0.0.15 host (public address on VLAN 50) eq 22

permit tcp (public address of our office) 0.0.0.15 host (public address on VLAN 51) eq 22

permit tcp 192.168.90.0 0.0.0.255 host 192.168.90.10 eq 22

deny tcp 0.0.0.0 255.255.255.255 host 192.168.90.10 eq 22

deny tcp 0.0.0.0 255.255.255.255 host (public address on VLAN50) eq 22

deny tcp 0.0.0.0 255.255.255.255 host (public address on VLAN51) eq 22

permit ip any any

 

VLAN 1 //device LAN

ip access-group restrict-ssh vlan

 

VLAN 50 //public ptp /30

ip access-group restrict-ssh vlan

 

VLAN 51 //public /27 block

ip access-group restrict-ssh vlan

 

This switch is in production and is a good drive away, so I don't want to lock myself out or cause any problems by tinkering which is what I would usually do if I was on site :)

Thank you very much for any help!

3 REPLIES
Richard Litchfield
Respected Contributor

Re: Restrict ssh access to local plus a single public subnet

You are brave connecting something like that without a firewall! 

You might want to try something like this:

ip authorized-managers 172.20.0.0 255.255.0.0 access manager
ip authorized-managers 172.25.0.0 255.255.0.0 access manager
ip authorized-managers 172.20.254.0 255.255.255.0 access operator access-method ssh

You still need a firewall. Or at the very least, block everything except your HQ public IP.

I would suggest an MSR954 router at each end, configured with an IPSEC tunnel.

SMRedwood
Occasional Contributor

Re: Restrict ssh access to local plus a single public subnet

Everything else on the network is behind a firewall. It is just a DMZ VLAN that's routing to a public IP block. I think we just handled it using certificates for ssh access rather than complicated ACLs.

Thank you for the reply!
Linkk
Frequent Advisor

Re: Restrict ssh access to local plus a single public subnet

You should really consider putting a firewall in front of the switch and take the public IP from the switch. You could create routes from your other office to the private address of the switch behind the firewall. Or build a branch office VPN between the offices to be much safer. And you could still configure the switch without having it exposed to the internet.