On my ASR907 IOSXE I need to deploy netconf, but I see different problems.
If I activate netconf, router answer on any IP (public also). I tried to secure it by command:
netconf ssh acl 80
it does nothing...
(of course called acls like numbered 80 or named netconf-named-acl below are configured)
netconf-yang ssh ipv4 access-list name netconf-named-acl
It works better, but still allows three-way-handshake and then ends:
allows SYN, SYN-ACK, ACK and then SYN which I see as potential DDoS vulnerability.
ssh secured by following commands:
line vty 5 15
makes immediate answer RST on any SYN on port 22
The best what I expect is no sendind RST at all on 830 and 22 port if IP defined in access-list does not permit connection.
Due to a lot of configured public IPs on router, which I don't want to expose in Internet with such management interface like port 830 with netconf, I am looking for any more secure solution...