Blocking SSH connection from outside WAN on my router

kkragelund
Level 1

Hello all from Denmark :)

I want to block ssh on my wan port, so that no one can access my router from the outside.

Everybody says to make an access-list and apply it on the vty lines. But I think I found a good way to block it without making an access-list on the vty line.

 

I did

ip access-list extended DENIED_SSH_ACCESS
 deny   tcp any host MY_INTERNAL_IP eq 22
 permit ip any any

 

And then apply it on my WAN interface:

interface fastethernet 4
 ip access-group DENIED_SSH_ACCESS in

If I use my port scanner, port 22 won't show as open, which I think is a good thing to protect my network. But if I make an access-list in the vty lines allowing only my local network to access and deny everything else, my port scanner will show port 22 as open. I have used my 4G internet connection from my iPhone to test this and it works.

Is there any problem using my method, instead of using an access-list in the vty lines?

 

Hope you understand my question, my writing skills in English suck a bit and I am training for my CCNA Routing and Switching certification! :)
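As an added illustration (not code from the thread or from Cisco), the following Python model of the two ACL placements shows why the scanner behaves as described above: an inbound interface ACL drops the SYN before the router's TCP stack answers, while an access-class is only consulted after the TCP session is up. The addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder addresses for this example (the thread only says MY_INTERNAL_IP).
MY_INTERNAL_IP = "192.0.2.10"
LAN = "192.168.1.0/24"

# ACL entries as (action, proto, src, dst, dport); dport None means any port.
# Like a real Cisco ACL, an unmatched packet hits the implicit "deny ip any any".
DENIED_SSH_ACCESS = [   # the interface ACL from the question
    ("deny", "tcp", "any", f"host {MY_INTERNAL_IP}", 22),
    ("permit", "ip", "any", "any", None),
]
VTY_LAN_ONLY = [("permit", "ip", LAN, "any", None)]   # the vty access-class alternative

def _addr_match(spec, ip):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def acl_permits(acl, proto, src, dst, dport):
    """First matching entry decides; no match means implicit deny."""
    for action, aproto, asrc, adst, aport in acl:
        if aproto != "ip" and aproto != proto:
            continue
        if not (_addr_match(asrc, src) and _addr_match(adst, dst)):
            continue
        if aport is not None and aport != dport:
            continue
        return action == "permit"
    return False

def scan_port22(src, interface_acl=None, vty_acl=None):
    """Model one TCP/22 probe from src against the router.
    An inbound interface ACL is checked per packet before the TCP stack, so a
    denied SYN gets no SYN/ACK and the scanner does not report 22 as open.
    An access-class is consulted only once the TCP session exists, so the
    scanner has already seen SYN/ACK ("open") even though the login is refused.
    Returns (scanner_view, login_allowed)."""
    if interface_acl is not None and not acl_permits(
            interface_acl, "tcp", src, MY_INTERNAL_IP, 22):
        return "filtered", False
    login = vty_acl is None or acl_permits(vty_acl, "tcp", src, MY_INTERNAL_IP, 22)
    return "open", login

if __name__ == "__main__":
    for cfg in ({"interface_acl": DENIED_SSH_ACCESS}, {"vty_acl": VTY_LAN_ONLY}):
        print(list(cfg)[0], scan_port22("203.0.113.5", **cfg))
```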
 

1 Accepted Solution

Accepted Solutions

Reza Sharifi
Hall of Fame

Hi,

Your writing skill is very good and your question is clear. You have taken the correct approach by applying the access-list to the link that connects to your provider (your WAN link), so no one can access your network from outside. It is probably a good idea to block telnet as well:

deny   tcp any host MY_INTERNAL_IP eq 23

HTH


6 Replies


Thank you for your reply Reza Sharifi! :)

 

I was wondering if I should add some more rules to the ACL, like denying private addresses from accessing my WAN interface?

Maybe you have some tips for WAN ACLs? :)

 

Hi,

Yes, here is a good link on how to protect yourself from the Internet.

 

http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html

HTH

Hi, my friend

 

Why do you not apply your access-list on the virtual interface? Like this, for example:

 

line vty 0 4
 access-class xx in

 

vmf76
Level 1

I needed to get rid of brute-forcing on my WAN and I applied it this way:

 

ip access-list extended SSH-ACCESS
 permit tcp host MY-SECOND-ISP-IP any eq 22

 

line vty 0 4
 transport input ssh
 access-class SSH-ACCESS in

 

So I didn't apply anything on interface F4 and my problem is solved: only I, from my second public IP, can SSH.

Hello
Just like to add for completeness: you could also apply a management plane policer to accomplish a similar thing, by stating a specific internal/external interface for management access and allowing just the protocol you wish it to be used for.

 

conf t
control-plane host
management-interface x/x allow ?
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul