Sunday, March 11, 2018

Extreme Switch - How to create an ACL to restrict Telnet, SSH, SNMP, HTTP access in EXOS


Before you read this post, you may refer to the following two articles about Extreme ACLs.

Extreme Switch - How to create an ACL in EXOS

Extreme Switch - How to create Dynamic ACLs in EXOS

In this post, I will show you how to create an ACL in order to restrict Telnet, SSH, SNMP, HTTP access to the switch you manage. It is an essential step to protect your switch from brute-force attacks from outside.

Step 1. Create a policy file (.pol) with the content listed below


Use the local Vi editor to create the policy file.

exos_switch # vi sshaccess

1-1. Example of allowing SSH access for specific IP addresses

entry sshaccess {
if match any{
 source-address 10.10.10.10/32;
 source-address 10.10.10.20/32;
 source-address 10.10.10.30/24;
} then {
 permit;
 count sshaccess_count;
}
}


Make sure the “if” statement is “match any”, “If” by default is “match all”

In the Vi editor, type press the i key to enter insert mode.
* Here is a link if you want to know more about vi editor.
How do I edit a file in vi editor?

[Optional]
Or you may upload the .pol file to the switch via TFTP as below.

exos_switch.1 # download url tftp://134.141.115.254/sshaccess.pol
Downloading tftp://134.141.115.254/sshaccess.pol


exos_switch.1 # ls
-rw-rw-rw- 1 root root 165 Mar 24 15:32 sshaccess.pol
drw-r--r-- 2 root root 1024 Feb 6 2020 cc_logs
drw-r--r-- 2 root root 1024 Mar 21 2018 lost+found
-rw-rw-rw- 1 admin admin 557413 Nov 10 21:12 primary.cfg
-rw-r--r-- 1 admin admin 1256763 Apr 22 2019 primary_slotted.cfg
drw-r--r-- 4 root root 1024 May 6 2019 ssl
drwxr-xr-x 2 root root 1024 Nov 10 20:27 vmt



Step 2. Use the following command to verify the ACL formatting.


check policy <policy_name>

exos_switch.1 # check policy snmpaccess.pol
Policy file check successful.


※ Additional options for the old way

There is an old way to create and apply the ACLs. If you use this method, it is hard to add, delete, modify the ACLs. Unless you have less than five ACL lines, I strongly recommend using the policy-based ACL.

One advantage of this method is that you can easily check the ACL status. See the example in the Step 4.

create access-list SSH_ACL_1 "source-address 10.10.10.10/32;" "permit; count SSH_COUNT;" application "Cli"
create access-list SSH_ACL_2 "source-address 10.10.10.20/32;" "permit; count SSH_COUNT;" application "Cli"
create access-list SSH_ACL_3 "source-address 10.10.10.30/24;" "permit; count SSH_COUNT;" application "Cli"
create access-list SSH_DENY_ALL " source-address 0.0.0.0/0 ;" "deny; count SSH_COUNT ;" application "Cli"



Step 3. Configure the SSH2 service to apply the .pol file.


configure ssh2 access-profile <policy_name>

The ACL is applied as an inbound traffic filter to the SSH2 service.

If the XOS switch has multiple routing interfaces configured, the ACL will be applied to “all” interfaces as an inbound ACL.

3-1. Example of applying SSH access-profile
configure ssh2 access-profile sshaccess.pol

3-2. Example of applying SNMP access-profile
configure snmp access-profile "snmpaccess" readwrite

3-3. Example of applying HTTP access-profile
configure ssh2 access-profile httpaccess.pol


※ Additional options for the old way

configure ssh2 access-profile add "SSH_ACL_1" first
configure ssh2 access-profile add "SSH_ACL_2" after "SSH_ACL_1"
configure ssh2 access-profile add "SSH_ACL_3" after "SSH_ACL_2"
configure ssh2 access-profile add "SSH_DENY_ALL" after "SSH_ACL_3"



Step 4. Check the ACL status.

4-1. Use the "show access-list dynamic" cli command to verify the dynamic ACL list.

exos_switch # show access-list dynamic
Dynamic Rules: ((*)- Rule is non-permanent )

(*)hclag_arp_0_4_96_9b_b3_17       Bound to 0 interfaces for application HealthCheckLAG
   icmp-echo                       Bound to 0 interfaces for application Cli

4-2. Use the "show management" cli command to verify the access-profile is applied to the SSH2 service.

exos_switch # show management
CLI idle timeout                 : Enabled (20 minutes)
CLI max number of login attempts : 3
CLI max number of sessions       : 8
CLI paging                       : Enabled (this session only)
CLI space-completion             : Disabled (this session only)
CLI configuration logging        : Disabled
CLI password prompting only      : Disabled
CLI RADIUS cmd authorize tokens  : 2
CLI scripting                    : Disabled (this session only)
CLI scripting error mode         : Ignore-Error (this session only)
CLI persistent mode              : Persistent (this session only)
CLI prompting                    : Enabled (this session only)
CLI screen size                  : 27 Lines 135 Columns (this session only)
CLI refresh                      : Enabled
Telnet access                    : Disabled (tcp port 23 vr all)
                                 : Access Profile : not set
SSH access                       : Enabled (Key valid, tcp port 22 vr all)
                                 : Secure-Mode    : Off
                                 : Access Profile : sshaccess
SSH2 idle time                   : 60 minutes
Web access                       : Disabled (tcp port 80)
                                 : Access Profile : not set
Total Read Only Communities  : 1
Total Read Write Communities   : 0
RMON                             : Disabled
SNMP access                      : v1,v2c Disabled, v3 Enabled,
                                   v3DefaultGroup Disabled
                                 : Access Profile : snmpaccess
                                 : Access Profile Mode : ReadWrite
SNMP Compatibility Options       :
    GETBULK Reply Too Big Action : Too Big Error
    IP Fragmentation             : Disallow
SNMP Notifications               : Enabled
SNMP Notification Receivers  :
    Destination Address      : 134.141.5.175:162
    Source Address           : Not Configured
    Virtual Routers          : VR-Default, VR-Mgmt
    Version                  : v2c               Type      : Trap
    Timeout                  : -                 Retries   : -

SNMP stats: InPkts 6587517 OutPkts   6587517 Errors 0       AuthErrors 0
    Gets   3577523 GetNexts  361430  Sets   0       Drops      1905
SNMP traps: Sent   0       AuthTraps Enabled
SNMP inform:  Sent   0       Retries   0       Failed 0


4-3. Use the cli command "show log" will display any "hits" to the policy.

exos-switch # show log
03/03/2018 19:16:47.09 <Warn:exsshd.RejctConnAccessDeny> SSH connection from source 1.1.1.145 has been denied by access-list sshaccess. Rejecting connection.



※ Additional options for the old way

exos_switch # show access-list counter process ssh2
================================================================================
Access-list                                Permit Packets          Deny Packets
================================================================================
SSH_ACL_1                                               119                    24
SSH_ACL_2                                               3                     0
SSH_ACL_3                                               19                     0
SSH_DENY_ALL                                            0                     0
================================================================================
Total Rules : 4

(Step 5). Remove the ACL.


To remove the ACL/policy from the SSH2 service use the “none” option in place of the <policy_name>:

configure ssh2 access-profile none


※ Additional options for the old way

configure ssh2 access-profile delete SSH_ACL_1
configure ssh2 access-profile delete SSH_ACL_2
configure ssh2 access-profile delete SSH_ACL_3
configure ssh2 access-profile delete SSH_DENY_ALL



(Step 6). Delete the ACL.


▶ How to Delete a Policy file in EXOS.

exos_switch # ls
-rw-r--r-- 1 admin admin 2 Oct 28 09:13 sshaccess.pol
drwxrwxrwx 2 root root 1024 Jan 29 2019 cc_logs
drw-r--r-- 2 root root 1024 Nov 20 2017 lost+found
-rw-rw-rw- 1 admin admin 903935 Oct 20 08:37 primary.cfg

exos_switch # rm sshaccess.pol
Remove sshaccess.pol from /usr/local/cfg? (y/N) Yes



※ Additional options for the old way

delete access-list SSH_ACL_1
delete access-list SSH_ACL_2
delete access-list SSH_ACL_3
delete access-list SSH_DENY_ALL



* Reference links:
How To Create an ACL on an XOS Switch for SSH2 Service Access


No comments:

Post a Comment