Recommended ACL to block remote login
07-02-2020 10:27 AM - edited 07-06-2020 11:22 AM
Hi there!
Time is running, a new month has begun and a new topic is needed by me. I want to ask if the ACL listed in the second post would effectively block any incoming (from the Internet) remote login (access) for the HTTPS, HTTP and SSH services?
In my case absolutely NO remote login is needed. Furthermore, I have noticed in my syslog several SSH login attempts from outside (see example below).
Should I also enable some of the "attack-defense apply policy" rules? Which one would be recommended in a small business environment?
Jul 2 17:05:14:608 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 112.85.42.229 on VTY0..
Jul 2 17:04:59:009 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 222.186.42.137 on VTY0..
Jul 2 17:01:32:190 2020 SSH Information SSH_CONNECTION_CLOSE STEL user admin (IP: 195.3.147.47) logged out because the SSH client closed the connection.
Jul 2 17:01:32:140 2020 SHELL Notification SHELL_LOGINFAIL SSH user admin failed to log in from 195.3.147.47 on VTY0..
Jul 2 17:01:32:138 2020 LS Notification LS_AUTHEN_FAILURE -AccessType=login-UserName=admin; Authentication is failed. Password verified failed.
Jul 2 17:01:32:138 2020 SC Information SC_AAA_LAUNCH -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=admin@system; AAA launched.
Jul 2 16:57:03:973 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 222.186.175.23 on VTY0..
Jul 2 16:54:35:935 2020 SSH Information SSH_AUTH_TIMEOUT SSH user (IP: 218.92.0.220) failed to log in because of authentication timeout.
.
Jul 2 16:48:49:788 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 222.186.15.62 on VTY0..
Jul 2 16:46:53:613 2020 SSH Information SSH_CONNECTION_CLOSE STEL user (IP: 199.59.62.236) logged out because the SSH client closed the connection.
.
.
.
Jul 2 16:40:43:326 2020 SSH Information SSH_CONNECTION_CLOSE STEL user root (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul 2 16:40:43:284 2020 SSH Information SSH_CONNECTION_CLOSE STEL user root (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul 2 16:40:43:241 2020 SHELL Notification SHELL_LOGINFAIL SSH user root failed to log in from 85.209.0.100 on VTY1..
Jul 2 16:40:43:240 2020 LS Notification LS_AUTHEN_FAILURE -AccessType=login-UserName=root; Authentication is failed. User not found.
Jul 2 16:40:43:239 2020 SC Information SC_AAA_LAUNCH -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=root@system; AAA launched.
Jul 2 16:40:43:192 2020 SHELL Notification SHELL_LOGINFAIL SSH user root failed to log in from 85.209.0.100 on VTY2..
Jul 2 16:40:43:190 2020 LS Notification LS_AUTHEN_FAILURE -AccessType=login-UserName=root; Authentication is failed. User not found.
Jul 2 16:40:43:190 2020 SC Information SC_AAA_LAUNCH -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=root@system; AAA launched.
Jul 2 16:40:41:554 2020 SSH Information SSH_CONNECTION_CLOSE STEL user (IP: 85.209.0.100) logged out because the SSH client closed the connection.
Jul 2 16:40:14:698 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 222.186.30.35 on VTY1..
Jul 2 16:37:04:926 2020 SSH Information SSH_CONNECTION_CLOSE STEL user (IP: 103.96.36.22) logged out because the SSH client closed the connection.
Jul 2 16:36:39:968 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 112.85.42.104 on VTY1..
Jul 2 16:32:11:906 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 222.186.175.23 on VTY1..
07-04-2020 12:51 PM - edited 07-06-2020 11:19 AM
According to different web sources, the following ACL should block any incoming remote login for the mentioned three services:
Note: if no logging is favored, then the parameter "logging" must not be used.
(Comware 5)
acl number 3010
rule 5 deny tcp destination-port eq 22 logging
rule 10 deny tcp destination-port eq 80 logging
rule 15 deny tcp destination-port eq 443 logging
At Comware 5 devices, the ACL must be configured at the WAN interface with the following command:
firewall packet-filter 3010 inbound
(Comware 7)
acl advanced name BLOCK-REMOTE
rule 5 deny tcp destination-port eq 22 logging
rule 10 deny tcp destination-port eq 80 logging
rule 15 deny tcp destination-port eq 443 logging
For Comware 7 devices, the command syntax at the WAN interface is somewhat shorter:
packet-filter name BLOCK-REMOTE inbound
07-05-2020 11:24 PM - edited 07-05-2020 11:25 PM
Re: Recommended ACL to block remote logging
Hello lorn10,
If you are talking about remote login (access) via SSH, HTTP and HTTPS, you should be good with the ACL which you created. You are correct about applying it in the inbound direction on the WAN interface.
07-06-2020 01:48 AM - edited 07-06-2020 11:16 AM
Re: Recommended ACL to block remote login
Thanks Alex for the answer. Yes, I can confirm that the ACL is working fine. However, if I check the syslog, it is still not optimal (see below).
A really good solution would be an ACL that blocks and bans (blacklists) the incoming attacker IPs. This would then work like the "jail" concept in the Fail2ban intrusion prevention software (on Linux).
So, is there a way to implement an ACL that blacklists the attackers' IPs?
Jul 6 10:34:47:299 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:34:47:297 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:34:47:296 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 17107) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:32:47:295 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:30:08:731 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 17107) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:30:03:727 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:29:58:693 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:29:47:296 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 50346) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:29:47:295 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 39609) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:29:47:294 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 29544) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:28:34:092 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:28:25:098 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (195.54.160.183 30995) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:25:14:261 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 29544) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
.
.
Jul 6 10:25:10:261 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 39609) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:25:04:269 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (61.177.172.102 50346) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:23:47:294 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 29859) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:23:47:292 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 15144) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:23:47:291 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 42400) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:21:51:696 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (193.118.53.139 42757) to (84.75.186.99 443) 1 packets received from GigabitEthernet1/0.
.
.
Jul 6 10:19:17:574 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 15144) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:19:12:540 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 29859) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
Jul 6 10:19:07:564 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.190.14 42400) to (84.75.186.99 22) 1 packets received from GigabitEthernet1/0.
.
.
Jul 6 10:12:47:288 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 14336) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:12:47:287 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 25045) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:12:47:286 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.180.142 58434) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
.
.
Jul 6 10:08:47:286 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 30433) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:08:47:285 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 54281) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:08:47:284 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (218.92.0.215 41018) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
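The two syslog formats shown in this thread can be triaged offline: the SHELL_LOGINFAIL lines from the first post record attempts that reached the VTY login prompt, while the FLT_EXECUTION_LOG lines above record packets the ACL dropped at the interface before any login process ran. The Python script below is an added example, not code from this thread or from HPE. It parses both formats, aggregates per source IP, and lists sources whose combined count reaches a threshold, which is the counting half of the Fail2ban-style jail asked about here, done on an exported syslog rather than on the router itself. The threshold value, the SourceStats structure and the function names are the example's own assumptions; the sample lines are copied from the excerpts posted in this thread.

```python
"""Offline triage of Comware syslog lines (added example, not from the thread).

Parses SHELL_LOGINFAIL (attempt reached the VTY login) and FLT_EXECUTION_LOG
(packet denied by the ACL at the interface) lines, aggregates per source IP,
and reports sources at or above a threshold, Fail2ban-style.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = """\
Jul 2 17:05:14:608 2020 SHELL Notification SHELL_LOGINFAIL SSH user failed to log in from 112.85.42.229 on VTY0..
Jul 2 16:40:43:241 2020 SHELL Notification SHELL_LOGINFAIL SSH user root failed to log in from 85.209.0.100 on VTY1..
Jul 2 16:40:43:192 2020 SHELL Notification SHELL_LOGINFAIL SSH user root failed to log in from 85.209.0.100 on VTY2..
Jul 2 16:40:43:240 2020 LS Notification LS_AUTHEN_FAILURE -AccessType=login-UserName=root; Authentication is failed. User not found.
Jul 6 10:34:47:299 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 38153) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:34:47:297 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (222.186.30.76 26330) to (84.75.186.99 22) 2 packets received from GigabitEthernet1/0.
Jul 6 10:21:51:696 2020 FILTER Information FLT_EXECUTION_LOG GigabitEthernet1/0 inbound ACL 3010 deny tcp (193.118.53.139 42757) to (84.75.186.99 443) 1 packets received from GigabitEthernet1/0.
"""

# The user name is optional in SHELL_LOGINFAIL lines ("SSH user failed to log in ...").
LOGINFAIL_RE = re.compile(
    r"SHELL_LOGINFAIL SSH user (?P<user>\S*)\s*failed to log in from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) on (?P<vty>VTY\d+)"
)
# ACL hit lines: interface, direction, ACL id/name, action, protocol, 5-tuple, packet count.
FILTER_RE = re.compile(
    r"FLT_EXECUTION_LOG (?P<iface>\S+) (?P<direction>\S+) ACL (?P<acl>\S+) "
    r"(?P<action>\S+) (?P<proto>\S+) \((?P<src>[\d.]+) (?P<sport>\d+)\) "
    r"to \((?P<dst>[\d.]+) (?P<dport>\d+)\) (?P<packets>\d+) packets"
)


@dataclass
class SourceStats:
    """Per-source counters; the names are this example's own."""
    login_failures: int = 0   # attempts that reached the VTY login prompt
    denied_hits: int = 0      # ACL deny log lines (never reached the login process)
    denied_packets: int = 0   # packets summed over the deny lines
    users: set = field(default_factory=set)
    ports: set = field(default_factory=set)

    @property
    def total(self) -> int:
        return self.login_failures + self.denied_hits


def parse_line(line: str) -> Optional[dict]:
    """Return a small event dict for the two line types, None for anything else."""
    m = LOGINFAIL_RE.search(line)
    if m:
        return {"kind": "loginfail", "src": m["src"], "user": m["user"]}
    m = FILTER_RE.search(line)
    if m and m["action"] == "deny":
        return {"kind": "deny", "src": m["src"], "dport": int(m["dport"]),
                "packets": int(m["packets"])}
    return None


def summarize(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Aggregate parsed events per source IP."""
    stats: Dict[str, SourceStats] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = stats.setdefault(ev["src"], SourceStats())
        if ev["kind"] == "loginfail":
            s.login_failures += 1
            if ev["user"]:
                s.users.add(ev["user"])
        else:
            s.denied_hits += 1
            s.denied_packets += ev["packets"]
            s.ports.add(ev["dport"])
    return stats


def candidates(stats: Dict[str, SourceStats], threshold: int) -> List[str]:
    """Sources with at least `threshold` events, in numeric IP order."""
    hits = [src for src, s in stats.items() if s.total >= threshold]
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for src in candidates(stats, threshold=2):   # threshold is an assumed value
        s = stats[src]
        print(f"{src}: {s.login_failures} login failures, {s.denied_hits} ACL denies "
              f"({s.denied_packets} packets), users={sorted(s.users)}, ports={sorted(s.ports)}")
```

The split between login_failures and denied_hits is the useful part: a source that appears only under denied_hits was dropped on the WAN interface and never reached AAA, whereas a SHELL_LOGINFAIL entry means the connection got as far as the login prompt. Run it against a syslog export (for example `summarize(open("router.log"))`) and the candidate list gives the addresses you might feed into a separate deny rule, if you decide the extra rule is worth maintaining on top of the blanket deny.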
07-06-2020 08:07 AM
Re: Recommended ACL to block remote logging
Hello lorn10,
With this ACL you are actually blacklisting every IP address trying to reach the router on these ports. You can only see these logs because you have enabled logging of the dropped packets. They should not be able to reach or invoke the login process when they are blocked/dropped. So in theory, if you are using a blacklist, it should be useful in cases where some IP addresses are allowed and, if needed, dynamically blacklisted under certain scenarios. In your case everything is blacklisted on these ports, so I am not sure what the benefit of an additional ban of an IP would be.
Please let me know what you think.
Thank you!
07-06-2020 11:09 AM - edited 07-09-2020 02:45 AM
Re: Recommended ACL to block remote login
Again thanks Alex for your informative answer.
Okay, I understand now. The parameter "logging" effectively makes the "visual" difference.
So if I use the command mentioned above, I see all the ACL-related events in the syslog.
rule 5 deny tcp destination-port eq 22 logging
If I don't use the parameter "logging", then I will not see anything regarding that ACL in the syslog.
rule 5 deny tcp destination-port eq 22
In both cases the attacker is "blacklisted", and that's the most important information.
Again many thanks for the clarification; because I am not a native English speaker I had a little confusion with "login" and "logging".
And as I said, from the Fail2ban perspective, the attackers are usually "sitting in the jails". (So far the "jail" is correctly created.) No information is present in the "syslog" regarding such attacks; the syslog remains "clean". However, Comware is not Linux.
Will update my config examples and mark this thread as solved.