lorn10
Valued Contributor

Recommended ACL to block remote login

Hi there!

Time is running, a new month has begun and I need a new topic. I want to ask whether the ACL listed in the second post would effectively block any incoming (from the Internet) remote login (access) for the HTTPS, HTTP and SSH services?

In my case absolutely NO remote login is needed. Furthermore, I have noticed in my syslog several SSH login attempts from outside (see example below).

Should I also enable some of the “attack-defense apply policy” rules? Which one would be recommended in a small business environment?

 

Jul  2 17:05:14:608 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 112.85.42.229 on VTY0..
Jul  2 17:04:59:009 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 222.186.42.137 on VTY0..
Jul  2 17:01:32:190 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user admin (IP: 195.3.147.47) logged out because the SSH client closed the connection.
Jul  2 17:01:32:140 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user admin failed to log in from 195.3.147.47 on VTY0..
Jul  2 17:01:32:138 2020	LS	Notification	LS_AUTHEN_FAILURE	-AccessType=login-UserName=admin; Authentication is failed. Password verified failed.
Jul  2 17:01:32:138 2020	SC	Information	SC_AAA_LAUNCH	-AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=admin@system; AAA launched.
Jul  2 16:57:03:973 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 222.186.175.23 on VTY0..
Jul  2 16:54:35:935 2020	SSH	Information	SSH_AUTH_TIMEOUT	SSH user  (IP: 218.92.0.220) failed to log in because of authentication timeout.
.
Jul  2 16:48:49:788 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 222.186.15.62 on VTY0..
Jul  2 16:46:53:613 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user  (IP: 199.59.62.236) logged out because the SSH client closed the connection.
.
.
.
Jul  2 16:40:43:326 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user root (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul  2 16:40:43:284 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user root (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul  2 16:40:43:241 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user root failed to log in from 85.209.0.100 on VTY1..
Jul  2 16:40:43:240 2020	LS	Notification	LS_AUTHEN_FAILURE	-AccessType=login-UserName=root; Authentication is failed. User not found.
Jul  2 16:40:43:239 2020	SC	Information	SC_AAA_LAUNCH	-AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=root@system; AAA launched.
Jul  2 16:40:43:192 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user root failed to log in from 85.209.0.100 on VTY2..
Jul  2 16:40:43:190 2020	LS	Notification	LS_AUTHEN_FAILURE	-AccessType=login-UserName=root; Authentication is failed. User not found.
Jul  2 16:40:43:190 2020	SC	Information	SC_AAA_LAUNCH	-AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=root@system; AAA launched.
Jul  2 16:40:41:554 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user  (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul  2 16:40:14:698 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 222.186.30.35 on VTY1..
Jul  2 16:37:04:926 2020	SSH	Information	SSH_CONNECTION_CLOSE	STEL user  (IP: 103.96.36.22) logged out because the SSH client closed the connection.
Jul  2 16:36:39:968 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 112.85.42.104 on VTY1..
Jul  2 16:32:11:906 2020	SHELL	Notification	SHELL_LOGINFAIL	SSH user  failed to log in from 222.186.175.23 on VTY1..

 

lorn10
Valued Contributor
Solution

Re: Recommended ACL to block remote login

According to different web sources, the following ACL should block any incoming remote login for the mentioned three services:

Note: if no logging is wanted, the parameter “logging” must be omitted.

(Comware 5)
acl number 3010

  rule 5 deny tcp destination-port eq 22 logging
  rule 10 deny tcp destination-port eq 80 logging
  rule 15 deny tcp destination-port eq 443 logging

On Comware 5 devices, the ACL must be applied on the WAN interface with the following command:
firewall packet-filter 3010 inbound

(Comware 7)
acl advanced name BLOCK-REMOTE

  rule 5 deny tcp destination-port eq 22 logging
  rule 10 deny tcp destination-port eq 80 logging
  rule 15 deny tcp destination-port eq 443 logging

For Comware 7 devices, the command syntax at the WAN interface is somewhat shorter:
packet-filter name BLOCK-REMOTE inbound
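The ACL above can be verified from the outside. The following is an added example (my code, not the poster's and not part of the thread): it probes the router's public address from an Internet host and classifies each of the three ports. A Comware "deny" rule drops the packet without replying, so a blocked port shows up as a connect timeout ("filtered"); a port that answers with a RST ("closed") means the packet still reached the router and only the service is off; a completed handshake means the port is reachable ("open"). Only "filtered" on all three ports confirms that the packet filter, not the absence of a listener, is doing the work. Assumptions of mine: the script is run from the Internet side, because the ACL is applied inbound on the WAN interface only, and the router's public address (for example 84.75.186.99, as seen in the poster's own logs) is passed as the first argument.

```python
"""Added example, not from the thread: check from an outside host that the
inbound packet filter on the WAN interface really drops TCP 22, 80 and 443.

Usage:  python3 probe_mgmt_ports.py <router-public-address>
"""
import socket
import sys
from typing import Dict, Iterable

MANAGEMENT_PORTS = (22, 80, 443)   # the three ports denied by the ACL in the thread


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify one TCP port as "open", "closed", "filtered" or "unreachable"."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"          # SYN-ACK received: the service is reachable
        except socket.timeout:
            return "filtered"      # no SYN-ACK and no RST: silently dropped (ACL deny)
        except ConnectionRefusedError:
            return "closed"        # RST received: the packet reached the host
        except OSError:
            return "unreachable"   # e.g. ICMP unreachable or no route from this host


def check_ports(host: str, ports: Iterable[int] = MANAGEMENT_PORTS,
                timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def acl_effective(results: Dict[int, str]) -> bool:
    """True only when every probed port is filtered, not merely closed or unreachable."""
    return bool(results) and all(state == "filtered" for state in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <router-public-address>")
    results = check_ports(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"tcp/{port}: {state}")
    print("ACL effective:", acl_effective(results))
```

Run it before and after applying the packet filter: before, port 22 should report "open" (the SSH server answers) and after it should report "filtered". If a port reports "closed" instead, the packets are still reaching the router and the filter is not matching them.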

-Alex-
HPE Pro

Re: Recommended ACL to block remote logging

Hello lorn10 ,

If you are talking about the remote log in (access) SSH, HTTP and HTTPS, you should be good with the ACL which you created. You are correct about applying inbound direction on the WAN interface.

 

I am an HPE Employee


lorn10
Valued Contributor

Re: Recommended ACL to block remote login

Thanks Alex for the answer. Yes, I can confirm that the ACL is working fine. However, if I check the syslog, it is still not optimal (see below).

A really good solution would be an ACL that blocks and bans (blacklists) the incoming attacker IPs. So this would then work like the “jail concept” in the Fail2ban intrusion prevention software (in Linux).

So, is there a way to implement an ACL that blacklists the attackers' IPs?

 

Jul  6 10:34:47:299 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:34:47:297 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:34:47:296 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 17107) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:32:47:295 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:30:08:731 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 17107) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:30:03:727 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:29:58:693 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:29:47:296 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 50346) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:29:47:295 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 39609) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:29:47:294 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 29544) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:28:34:092 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:28:25:098 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:25:14:261 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 29544) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
.
.
Jul  6 10:25:10:261 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 39609) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:25:04:269 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 50346) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:23:47:294 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 29859) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:23:47:292 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 15144) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:23:47:291 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 42400) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:21:51:696 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (193.118.53.139 42757) to (84.75.186.99 443) 1 packets received  from GigabitEthernet1/0.
.
.
Jul  6 10:19:17:574 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 15144) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:19:12:540 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 29859) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:19:07:564 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 42400) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
.
.
Jul  6 10:12:47:288 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 14336) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:12:47:287 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 25045) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:12:47:286 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 58434) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
.
.
Jul  6 10:08:47:286 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 30433) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:08:47:285 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 54281) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:08:47:284 2020	FILTER	Information	FLT_EXECUTION_LOG	GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 41018) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
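The Fail2ban-style behaviour asked for above can be done offline against exported syslog. The following is an added example (my code, not the poster's and not part of the thread): it parses the two kinds of lines posted in this thread, the SHELL_LOGINFAIL and SSH_AUTH_TIMEOUT lines from the first post (authentication failures that reached the SSH server) and the FLT_EXECUTION_LOG lines from this post (packets already dropped by ACL 3010), counts them per source address inside a sliding window, and renders Comware ACL rule lines for every source that exceeds a threshold. The event names, thresholds and rule numbering are my choices; the log formats are only as they appear in this thread, and the sample lines embedded in the script are copied from the posts above. Rules of this kind only add something where some sources are still permitted: with all three ports already denied for everyone, a per-source deny changes nothing.

```python
"""Added example, not from the thread: a fail2ban-style pass over exported
Comware syslog that turns repeat offenders into Comware ACL deny rules."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional


class Event(NamedTuple):
    when: datetime
    src: str
    kind: str      # "authfail" (reached the SSH server) or "acldrop" (dropped by ACL)
    detail: str    # user name tried, or "<dst>:<port>" for ACL drops


# "Jul  2 17:05:14:608 2020" -> month, day, h, m, s, ms, year (format as seen in the thread)
_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}):(\d{3}) (\d{4})")
_LOGINFAIL = re.compile(r"SHELL_LOGINFAIL\s+SSH user (\S*)\s*failed to log in from (\d+\.\d+\.\d+\.\d+)")
_AUTHTIMEOUT = re.compile(r"SSH_AUTH_TIMEOUT\s+SSH user (\S*)\s*\(IP: (\d+\.\d+\.\d+\.\d+)\) failed")
_ACLDROP = re.compile(r"FLT_EXECUTION_LOG\s+\S+ inbound ACL \S+ deny tcp "
                      r"\((\d+\.\d+\.\d+\.\d+) \d+\) to \((\d+\.\d+\.\d+\.\d+) (\d+)\)")


def parse_ts(line: str) -> Optional[datetime]:
    m = _TS.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, ms, year = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {hh}:{mm}:{ss}.{ms}", "%b %d %Y %H:%M:%S.%f")


def parse_line(line: str) -> Optional[Event]:
    """Map one syslog line to an Event, or None for lines we do not care about."""
    when = parse_ts(line)
    if when is None:
        return None
    m = _LOGINFAIL.search(line) or _AUTHTIMEOUT.search(line)
    if m:
        return Event(when, m.group(2), "authfail", m.group(1) or "<empty>")
    m = _ACLDROP.search(line)
    if m:
        return Event(when, m.group(1), "acldrop", f"{m.group(2)}:{m.group(3)}")
    return None


def parse_log(lines: Iterable[str]) -> List[Event]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def find_offenders(events: Iterable[Event], kind: str = "authfail", maxretry: int = 3,
                   findtime: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """fail2ban semantics: a source is banned once `maxretry` events of `kind`
    fall inside any window of length `findtime`. Returns {src: total events}."""
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == kind:
            by_src[e.src].append(e.when)
    banned: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > findtime:   # slide the window forward
                lo += 1
            if hi - lo + 1 >= maxretry:
                banned[src] = len(times)
                break
    return banned


def render_rules(sources: Iterable[str], start: int = 1000, step: int = 5) -> List[str]:
    """Rule lines for an `acl number` (Comware 5) or `acl advanced name` (Comware 7)
    view; wildcard 0 means a single host. Rules are matched in ascending ID order
    under the default match order, so give them IDs below any permit rule they
    must override (start/step are my choice)."""
    return [f"rule {start + i * step} deny ip source {src} 0" for i, src in enumerate(sorted(sources))]


# Sample input copied from the posts in this thread (tab-separated as on the device).
SAMPLE = """\
Jul  2 17:05:14:608 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user  failed to log in from 112.85.42.229 on VTY0..
Jul  2 17:04:59:009 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user  failed to log in from 222.186.42.137 on VTY0..
Jul  2 17:01:32:140 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user admin failed to log in from 195.3.147.47 on VTY0..
Jul  2 16:54:35:935 2020\tSSH\tInformation\tSSH_AUTH_TIMEOUT\tSSH user  (IP: 218.92.0.220) failed to log in because of authentication timeout.
Jul  2 16:40:43:241 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user root failed to log in from 85.209.0.100 on VTY1..
Jul  2 16:40:43:192 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user root failed to log in from 85.209.0.100 on VTY2..
Jul  2 16:40:14:698 2020\tSHELL\tNotification\tSHELL_LOGINFAIL\tSSH user  failed to log in from 222.186.30.35 on VTY1..
Jul  6 10:34:47:299 2020\tFILTER\tInformation\tFLT_EXECUTION_LOG\tGigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:34:47:297 2020\tFILTER\tInformation\tFLT_EXECUTION_LOG\tGigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 2 packets received  from GigabitEthernet1/0.
Jul  6 10:30:08:731 2020\tFILTER\tInformation\tFLT_EXECUTION_LOG\tGigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 17107) to (84.75.186.99 22) 1 packets received  from GigabitEthernet1/0.
Jul  6 10:21:51:696 2020\tFILTER\tInformation\tFLT_EXECUTION_LOG\tGigabitEthernet1/0 inbound ACL 3010 deny tcp (193.118.53.139 42757) to (84.75.186.99 443) 1 packets received  from GigabitEthernet1/0.
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE.splitlines())
    for kind, maxretry in (("authfail", 2), ("acldrop", 3)):
        offenders = find_offenders(events, kind, maxretry=maxretry)
        print(f"{kind}: {offenders}")
        for rule in render_rules(offenders):
            print("  " + rule)
```

With the sample lines, 85.209.0.100 (two "root" attempts within a second) is the only source that trips a two-strike rule on authentication failures, and 222.186.30.76 (three dropped SYNs within five minutes) is the only one that trips a three-strike rule on ACL drops; the script prints one `rule ... deny ip source ... 0` line for each. In production, feed it the syslog export instead of SAMPLE and paste the rendered lines into the ACL view.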

 

-Alex-
HPE Pro

Re: Recommended ACL to block remote logging

Hello  lorn10,

 

With this ACL you are actually blacklisting every IP address trying to reach the router on these ports. You can only see these logs because you have enabled logging of the dropped packets. They should not be able to reach or invoke the login process when they are blocked/dropped. So in theory, a blacklist is useful in cases where some IP addresses are allowed and, if needed, have to be dynamically blacklisted under certain scenarios. In your case everything is blacklisted on these ports, so I am not sure what the benefit of an additional ban of an IP would be.

Please let me know what you think.

Thank you!

I am an HPE Employee


lorn10
Valued Contributor

Re: Recommended ACL to block remote login

Again thanks Alex for your informative answer.

Okay, I understand now. The parameter “logging” effectively makes the “visual” difference.

So if I use the above mentioned command, I see all the ACL related events in the syslog.

 rule 5 deny tcp destination-port eq 22 logging

If I don’t use the parameter “logging”, then I will not see anything regarding that ACL in the syslog.

 rule 5 deny tcp destination-port eq 22

In both cases the attacker is “blacklisted”, - that’s the most important information.

Again many thanks for the clarification, - because I am not a native English speaker I had a little confusion with "login" and "logging".

And as I said, - from the Fail2ban perspective, the attackers are usually “sitting in the jails”. (So far the “jail” is correctly created.) No information is present in the “syslog” regarding such attacks; the syslog remains “clean”. However, Comware is not Linux.

Will update my config examples and mark this thread as solved.