02-08-2019 06:02 AM
Hello,
I've got an email from our ISP that our router is in danger... They found that the router has the SNMP port open. After that, I scanned our router and found more open ports: UDP 161, 123, 500 (it is OK, the router does S2S).
Could you please check my configuration.
1) Is it OK, i.e. secured from external access?
2) Why are UDP ports 161 and 123 open?
sh run
Building configuration...

Current configuration : 8466 bytes
!
! Last configuration change at 11:16:15 UTC Tue Jan 29 2019 by admin
! NVRAM config last updated at 11:17:21 UTC Tue Jan 29 2019 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router.dyndns.org
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.154-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 00000000000000000000000
!
aaa new-model
!
aaa session-id common
clock timezone UTC 2 0
!
ip flow-cache timeout active 1
ip domain name domain.com
ip ddns update method dyndns
 HTTP
  add http://user:password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C886VA-K9 sn FCZ2044B08C
!
username admin privilege 15 secret 5 00000000000000000000000000000
!
controller VDSL 0
 firmware filename flash:VA_B_38V_d24m.bin
!
!
class-map match-all Mikrotik-Dev
 match access-group 102
!
policy-map Hosts
 class Mikrotik-Dev
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key 00000000000 address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN-CM 10 ipsec-isakmp
 description VPN to CITY Office
 set peer XXX.XXX.XXX.XXX
 set transform-set VPN-TS
 set pfs group5
 match address VPN2CITY
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 description WAN
 no ip address
 ip nbar protocol-discovery ipv4
 service-policy input Hosts
!
interface Ethernet0.7
 description VDSL VLAN 7 tagged
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 description Trunk
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 description WAN
 switchport access vlan 4
 no ip address
 shutdown
 duplex full
!
interface FastEthernet2
 description DMZ
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 description LAN
 no ip address
 duplex full
!
interface Vlan1
 description LAN
 ip address 10.254.1.1 255.255.255.0
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan2
 description Guest WiFi
 ip address 10.254.2.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan401
 description LAN
 ip address 10.254.100.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan402
 description TEST
 ip address 10.254.200.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan403
 description LAN
 ip address 10.254.3.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan404
 description Guest WiFi
 ip address 10.254.4.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan405
 description Corporate WiFi
 ip address 10.254.5.1 255.255.255.0
 ip access-group 104 in
 ip helper-address 10.254.1.13
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Vlan406
 description DMZ
 ip address 10.254.6.1 255.255.255.0
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in max-reassemblies 64
!
interface Dialer0
 description VDSL TELEKOM
 ip ddns update hostname router.dyndns.org
 ip ddns update dyndns
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery ipv4
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication pap callin
 ppp pap sent-username ------------------------@t-online.de password 7 ------------------------
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
 crypto map VPN-CM
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 9
ip flow-export destination 10.254.1.7 2055
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip nat translation tcp-timeout 14400
ip nat inside source static tcp 10.254.1.56 8080 interface Dialer0 8080
ip nat inside source static tcp 10.254.1.8 3389 interface Dialer0 3389
ip nat inside source static udp 10.254.1.8 4500 interface Dialer0 4500
ip nat inside source static udp 10.254.1.8 1701 interface Dialer0 1701
ip nat inside source static tcp 10.254.2.23 8080 interface Dialer0 8081
ip nat inside source list NAT interface Dialer0 overload
ip route 10.254.10.0 255.255.255.0 10.254.1.4
ip route 10.255.9.11 255.255.255.255 10.254.1.4
ip route 172.66.0.0 255.255.255.0 10.254.1.4
!
ip access-list extended NAT
 remark --- exclude S2S trafic ---
 deny ip 172.66.0.0 0.0.0.255 10.253.3.0 0.0.0.255
 deny ip 172.66.0.0 0.0.0.255 10.253.1.0 0.0.0.255
 deny ip 172.66.0.0 0.0.0.255 10.253.5.0 0.0.0.255
 deny ip 10.254.1.0 0.0.0.255 10.253.3.0 0.0.0.255
 deny ip 10.254.1.0 0.0.0.255 10.255.10.0 0.0.0.255
 deny ip 10.254.3.0 0.0.0.255 10.253.3.0 0.0.0.255
 remark --- Office CITY2NAT ---
 permit ip 10.254.1.0 0.0.0.255 any
 permit ip 10.254.2.0 0.0.0.255 any
 permit ip 10.254.3.0 0.0.0.255 any
 permit ip 10.254.4.0 0.0.0.255 any
 permit ip 10.254.5.0 0.0.0.255 any
 deny ip any any
ip access-list extended VPN2CITY
 permit ip 10.254.1.0 0.0.0.255 10.253.3.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 10.253.3.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 10.253.1.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 10.253.5.0 0.0.0.255
!
logging source-interface Vlan1
logging host 10.254.1.7
!
snmp-server community ------------ RO 2
snmp-server community ------------ RO 4
snmp-server location CITY2
snmp-server contact HelpDesk
access-list 2 permit 10.254.0.0 0.0.0.255
access-list 2 permit 10.254.1.0 0.0.0.255
access-list 2 deny any
access-list 4 permit 10.254.0.0 0.0.0.255
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 deny any
access-list 22 permit 10.254.1.0 0.0.0.255
access-list 102 permit tcp host YYY.YYY.YYY.YYY eq 8888 host CCC.CCC.CCC.CCC eq 8888
access-list 102 deny tcp any host YYY.YYY.YYY.YYY eq 8888
access-list 102 permit ip any any
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.2.0 0.0.0.255 eq bootps
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.2.0 0.0.0.255 eq bootpc
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.4.0 0.0.0.255 eq bootps
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.4.0 0.0.0.255 eq bootpc
access-list 104 permit udp host 10.254.1.13 eq bootps 10.254.5.0 0.0.0.255 eq bootps
access-list 104 permit udp host 10.254.1.13 eq bootpc 10.254.5.0 0.0.0.255 eq bootpc
access-list 104 deny ip 10.254.4.0 0.0.0.255 10.254.1.0 0.0.0.255
access-list 104 deny ip 10.254.4.0 0.0.0.255 172.66.0.0 0.0.0.255
access-list 104 deny ip 10.254.2.0 0.0.0.255 10.254.1.0 0.0.0.255
access-list 104 deny ip 10.254.2.0 0.0.0.255 172.66.0.0 0.0.0.255
access-list 104 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
vstack
!
line con 0
 password 7 00000000000000000000
 no modem enable
line aux 0
line vty 0 4
 access-class 22 in
 exec-timeout 30 0
 password 7 00000000000000000000
 logging synchronous
 transport input ssh
line vty 5 189
 exec-timeout 30 0
 password 7 00000000000000000000
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 10.254.1.9
!
end
Thank you in advance!
02-08-2019 09:04 AM
02-08-2019 09:59 AM
Hello Jaderson,
thank you for your answer.
Yes, I use SNMP. But I limited SNMP with ACLs 2 and 4 to internal IPs only, didn't I? By the way, my scanner didn't use any community names; it just connected to port 161.
snmp-server community --------- RO 2
snmp-server community --------- RO 4
snmp-server location City
snmp-server contact HelpDesk
access-list 2 permit 10.254.0.0 0.0.0.255
access-list 2 permit 10.254.1.0 0.0.0.255
access-list 2 deny any
access-list 4 permit 10.254.0.0 0.0.0.255
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 deny any
snmp-server community wewdwsd RO ?
<1-99> Std IP accesslist allowing access with this community string
I configured Cisco to use NTP server 10.254.1.9. Yes, this is an internal server, but why can I see this port on the external interface?
Could you please advise me an ACL to close undesired ports? Thank you!
02-08-2019 10:14 AM - edited 02-08-2019 10:26 AM
Yes, I use SNMP. But I limited SNMP with ACLs 2 and 4 to internal IPs only, didn't I? By the way, my scanner didn't use any community names; it just connected to port 161.
R: Yes, you did it. :)
I configured Cisco to use NTP server 10.254.1.9. Yes, this is an internal server, but why can I see this port on the external interface?
R: If your router has a public ip address on any interface, it will be accessible from it.
Could you please advise me an ACL to close undesired ports? Thank you!
Check if the address is OK.
ip access-list extended SNMP_LAN
permit udp 10.254.0.0 0.0.0.255 x.x.x.x(IP OF YOUR SNMP SERVER) 0.0.0.0 eq snmp
permit udp x.x.x.x(IP OF YOUR SNMP SERVER) eq snmp 10.254.0.0 0.0.0.255
vlan access-map MAP-SNMP
match ip address SNMP_LAN
action forward
vlan filter SNMP_LAN vlan-list 1,2,3,4,5-6 (YOUR VLANS)
It's for SNMP, but you can use it to block other things that you need, like NTP, FTP, TFTP... or something like that.
More information: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_vlanacls.pdf
02-11-2019 01:46 AM
I'm sorry Jaderson, but the ISR 886VA doesn't have commands like vlan access-map:
#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#ip access-list extended SNMP_LAN
(config-ext-nacl)#$ 0.0.0.255 10.254.1.7 0.0.0.0 eq snmp
(config-ext-nacl)#$ 0.0.0.0 eq snmp 10.254.1.0 0.0.0.255
(config-ext-nacl)#exit
(config)#
(config)#
(config)#vlan access-map MAP_SNMP
              ^
% Invalid input detected at '^' marker.
(config)#vlan access-map ?
  <cr>
(config)#vlan acce?
WORD
(config)#vlan acce
(config)#vlan ?
  WORD        ISL VLAN IDs 1-4094
  accounting  VLAN accounting configuration
  dot1q       dot1q parameters
  group       Create a vlan group
  ifdescr     VLAN subinterface ifDescr

#sh version
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(3)M10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 08-Aug-18 06:30 by prod_rel_team

ROM: System Bootstrap, Version 15.4(1r)T1, RELEASE SOFTWARE (fc1)
02-11-2019 03:51 AM
02-12-2019 01:51 AM
Thank you Jaderson!
I applied this rule:
ip access-list extended FireWall
 deny udp any any eq snmp
 deny udp any any eq ntp
 permit ip any any
It works:
PORT     STATE          SERVICE VERSION
123/tcp  closed         ntp
161/tcp  closed         snmp
123/udp  open|filtered  ntp
161/udp  open|filtered  snmp
I have only one question: how does it work? I allow all traffic with the rule "permit ip any any", but at the same time the router is secured... Is it because of NAT?
02-12-2019 08:06 AM - edited 02-12-2019 08:11 AM
Dear Exonix,
permit udp 10.254.0.0 0.0.0.255 x.x.x.x(IP OF YOUR SNMP SERVER) 0.0.0.0 eq snmp >> will allow SNMP from your SNMP server to your LAN.
permit udp x.x.x.x(IP OF YOUR SNMP SERVER) eq snmp 10.254.0.0 0.0.0.255 >> will allow SNMP from your LAN to your SNMP server.
deny udp any eq snmp any >> will block any other SNMP traffic.
permit ip any any >> allow any other traffic.
ACLs are read in the order they were applied. So, before allowing other traffic, SNMP will be blocked.
The NAT configuration on your router just translates your internal IPs to one or a pool of public IP addresses.
02-12-2019 08:11 AM
Hello Jaderson,
My question isn't about the SNMP now.
My question is: I allow all traffic on the WAN interface (permit ip any any). Is it secure? Why?
02-12-2019 08:15 AM
02-12-2019 08:19 AM
Would it be better to allow established TCP only and all UDP?
02-12-2019 08:22 AM
It would be a way, but if you want to control traffic on your network by ACL, it will demand a lot of time and your router will increase CPU usage. But you can do it without problem.
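A small first-match model of the two ACLs discussed in this thread, added here as an example (it is not code from the thread, from Cisco, or from any IOS tool). It parses the FireWall ACL posted earlier and the established-only variant asked about just above, and runs constructed sample packets through them the way IOS evaluates an inbound ACL: top to bottom, first match wins, and anything unmatched hits the implicit deny at the end of every IOS ACL. The addresses are made-up documentation addresses (203.0.113.10 stands in for the negotiated public address on Dialer0), the port-name table is a small subset of what IOS knows, and only `eq` port matches and the `established` keyword are modelled.

```python
"""Toy first-match evaluator for Cisco IOS extended ACL lines (added example,
not from the thread or from Cisco).  Models the behaviour discussed above:
entries are checked top to bottom, the first match decides, and an unmatched
packet falls through to the implicit 'deny ip any any'."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Subset of the port names IOS accepts in place of numbers.
PORT_NAMES = {"snmp": 161, "ntp": 123, "bootps": 67, "bootpc": 68, "ssh": 22}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack_set: bool = False  # TCP only: True on everything except the initial SYN


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, next index)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    netmask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))  # wildcard -> netmask
    return IPv4Network(f"{addr}/{netmask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return PORT_NAMES.get(p) or int(p), i + 2
    return None, i


def parse_ace(line):
    """Parse one '{permit|deny} {ip|tcp|udp} SRC [eq P] DST [eq P] [established]' line."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sport": sport, "dst": dst,
            "dport": dport, "established": i < len(t) and t[i] == "established",
            "text": line}


def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if IPv4Address(pkt.src) not in ace["src"] or IPv4Address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    # 'established' matches only TCP segments with ACK (or RST) set, i.e. not a fresh SYN.
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack_set):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, matching line); unmatched packets hit the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"


# The ACL the original poster applied on the WAN side (lines as posted in the thread).
FIREWALL_ACL = parse_acl("""
deny udp any any eq snmp
deny udp any any eq ntp
permit ip any any
""")

# The stricter variant asked about above: return TCP traffic and UDP only.
ESTABLISHED_ACL = parse_acl("""
deny udp any any eq snmp
deny udp any any eq ntp
permit tcp any any established
permit udp any any
""")

# Constructed sample packets arriving on the WAN interface; all addresses are made up.
WAN_IP = "203.0.113.10"
SAMPLES = {
    "snmp probe": Packet("udp", "198.51.100.7", WAN_IP, 40001, 161),
    "ntp probe":  Packet("udp", "198.51.100.7", WAN_IP, 123, 123),
    "rdp syn":    Packet("tcp", "198.51.100.7", WAN_IP, 51000, 3389),
    "web reply":  Packet("tcp", "192.0.2.80", WAN_IP, 443, 52000, ack_set=True),
    "dns reply":  Packet("udp", "192.0.2.53", WAN_IP, 53, 53001),
}


def decisions(acl):
    """Map each sample name to the action the ACL takes on it."""
    return {name: evaluate(acl, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("FireWall", FIREWALL_ACL), ("established-only", ESTABLISHED_ACL)):
        print(label)
        for name, pkt in SAMPLES.items():
            action, line = evaluate(acl, pkt)
            print(f"  {name:10} -> {action:6} ({line})")
```

Under the FireWall ACL only the two denied UDP ports are dropped; everything else, including a fresh SYN to 3389, is passed on, where one of the static NAT entries in the posted config forwards it inside or the router answers it itself. Under the established-only variant that same SYN falls through to the implicit deny, so the posted static forwards for TCP 3389 and 8080 would each need their own permit entry: an inbound ACL on Dialer0 is evaluated before NAT rewrites the destination, so it sees the public address and the original port. The UDP forwards (4500, 1701) still pass under `permit udp any any`. On IOS either ACL is bound to the WAN interface with `ip access-group <name> in` under `interface Dialer0`.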