03-17-2023 04:07 AM
Hello. If I check my static external IP address on https://www.yougetsignal.com/tools/open-ports/
It says that port 22 is open on it.
The ISP is plugged into my Cisco 2901.
How do I make sure the port 22 (SSH) is not open to public?
I tried following suggestions I found on other discussions here but couldn't succeed. I'm not an expert at all here.
Could someone please assist?
03-17-2023 04:38 AM
You can configure transport input telnet under the VTY lines.
This will make your router never answer requests for SSH/port 22.
03-17-2023 04:49 AM
Would you have the commands for how to do it?
03-17-2023 04:50 AM
03-17-2023 04:52 AM
Do you mean it will answer to telnet instead?
03-17-2023 04:56 AM
I have this running:
line vty 0 40
transport input none
But I guess it's wrong because it didn't help.
03-17-2023 05:00 AM
Why? Now with this, no one can ever access your router via SSH/port 22.
Never.
03-17-2023 06:30 AM
My suggestion was the outside interface; users can still access from inside, right? (Or am I overthinking?) - Friday hangover?
03-17-2023 06:38 AM
I never tried it, but the ACL cannot stop traffic directed to the interface; it stops traffic passing through the interface.
That is what I know.
Configure SSH on Routers and Switches - Cisco
If he wants to use SSH, he can then use access-class instead of an ACL to permit or deny some users.
03-17-2023 07:41 AM
I ran a lab and tested @balaji.bandi's suggestion,
and it works with no issue:
you can use an ACL to deny SSH port 22 access from the interface connected to the ISP.
thanks
MHM
03-17-2023 07:54 AM
I use transport input none,
and without using an ACL I can no longer telnet to the router,
so I prefer transport input over an ACL.
thanks
MHM
03-17-2023 04:59 AM
How do I make sure the port 22 (SSH) is not open to public?
Then you can create an ACL and add it to the external interface.
Example (understand the ACL before applying it to the device):
ip access-list extended ssh_deny
 10 deny tcp any any eq 22
 20 permit ip any any
interface gigx/x (external interface)
 ip access-group ssh_deny in
03-17-2023 06:54 AM
Do not take the approach of only allowing telnet in via transport input telnet - telnet should not be allowed on the device at all. You should stick with transport input ssh - but use ACLs to manage this.
In general, for ISP-facing interfaces you should have an inbound access list blocking more than just SSH. For instance, you would likely want to block any network-management-related protocol coming in from your ISP side, such as telnet, ssh, ntp, snmp, specific icmp messages, and any other protocols such as RDP that you may need to filter. In addition, this access list should block traffic sourced from private IP space in RFC1918, your own IP space, etc. An example list can be found here: https://freenetworktutorials.com/bogon-ipv4-ingress-and-egress-filtering-in-cisco/
03-17-2023 09:10 AM
"In general for ISP facing interfaces you should have an inbound access list blocking more than just SSH."
Yup, in fact, I'm an advocate of denying ALL external ingress traffic to Internet "visible" interfaces' IPs, possibly also additional same-device or further-in device IPs (such as the device's internal-facing or loopback interface IPs; remember this ACL is against traffic entering from outside your network), and then adding permits as required. (BTW, to be clear, this ACL would be "in" on your most external-facing interface connecting to the Internet.)
Understand this doesn't control traffic transiting through the interface, just traffic to the interfaces' IPs, for which, from the outside, there's often limited need.
For the cases where external traffic really does need access to interfaces' IPs, e.g. tunnels, BGP, your permit ACEs can be very restrictive, such as requiring that such traffic have a known good source IP and/or a specific protocol.
The above approach just provides an often easy-to-manage ACL that provides an initial access barrier. Other security hardening best practices should be considered. (I recall [?] Cisco has some recommendations along those lines on their main site.)
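As an added example that is not from any of the posts above, here is an IOS configuration combining the two controls recommended in this thread: SSH-only VTY lines restricted with access-class, plus an ingress ACL on the ISP-facing interface that drops management-protocol traffic and spoofed sources. It assumes the management hosts sit in 192.168.10.0/24, the uplink is GigabitEthernet0/0, and 203.0.113.1 stands in for the router's public address; adjust the vty range to what `show line` reports on your router.

```cisco
! Added example, not from the thread. Assumed values: management subnet
! 192.168.10.0/24, uplink GigabitEthernet0/0, public address 203.0.113.1.
!
! 1. VTY lines: SSH only (no telnet), and only from the management subnet.
ip ssh version 2
ip access-list standard MGMT_HOSTS
 permit 192.168.10.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT_HOSTS in
 exec-timeout 10 0
 login local
!
! 2. Ingress filter on the ISP-facing interface. An inbound interface ACL
!    is evaluated for packets addressed to the router itself as well as for
!    transit traffic, so management ports aimed at the public address can
!    be dropped here. Only specific ports are denied to the router's own
!    address: on IOS the inbound ACL is checked before NAT, so a blanket
!    "deny ip any host 203.0.113.1" would also drop return traffic for
!    PAT sessions of inside hosts.
ip access-list extended OUTSIDE_IN
 remark -- management protocols aimed at the router's public address
 deny   tcp any host 203.0.113.1 eq 22
 deny   tcp any host 203.0.113.1 eq 23
 deny   udp any host 203.0.113.1 eq 161
 remark -- if the router is an NTP client, permit its servers before this line
 deny   udp any host 203.0.113.1 eq 123
 remark -- spoofed sources: RFC1918 and our own public block
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description ISP uplink
 ip access-group OUTSIDE_IN in
```

After applying, verify from the outside with the same port scanner the original poster used and from the inside with `show access-lists` to confirm the deny counters increment.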
03-17-2023 09:28 AM
I will send you a private message explaining some points about traffic directed to the interface.
thanks
MHM