restrict VTY access on switch

mdieken011 (Level 1)

I have a switch outside our firewall open to the Internet. It is a newer 3650 switch. I have an ACL assigned to the vty interface that should restrict management traffic to it. I found it went into quiet mode because someone was doing a dictionary attack against it. The attackers were using the http authentication built into the switch for management to launch the attack. I had to turn off the http and https server to block them. My question is: why was the ACL not blocking this dictionary attack?

6 Replies

Joseph W. Doherty (Hall of Fame)
If you're asking why a VTY ACL didn't block HTTP or HTTPS, it's likely because the latter isn't using a VTY line.

I don't quite follow, Joseph. It was blocking ssh traffic but not port 80 and 443 access.

Believe SSH is also considered to use a VTY line.

SSH and telnet are also controlled by transport line under VTY. Not so for HTTP or HTTPS.

BTW, some other vendors work differently. One that comes to mind: you apply an ACL to the loopback interface, and it controls what goes to the device's management.

It's good practice to turn off http/https on switches; it's insecure. We don't use it on any of our switches globally for that reason.

no ip http server
no ip http secure-server

It's also good practice to use the login feature matched to the ACL on your vty lines for a bit of extra protection:

login block-for 300 attempts 10 within 60
login quiet-mode access-class xx
login on-failure log
login on-success log

You can also use the MPP (Management Plane Protection) feature for management traffic to prevent certain interfaces from accepting it:
https://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/htsecmpp.html
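As an added configuration example (not posted by anyone in this thread), this puts the two points above together on an IOS switch: the VTY access-class governs only Telnet/SSH sessions, so the web server must either get its own ip http access-class or be disabled, and login block-for plus MPP narrow what the exposed interface will accept. The ACL names, the 192.0.2.0/24 management range and the interface name are assumptions.

```cisco
! Management stations allowed to reach the switch (range is a placeholder)
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
access-list 10 permit 192.0.2.0 0.0.0.255

! VTY lines: the access-class applies to Telnet/SSH only, never to HTTP/HTTPS
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0

! HTTP/HTTPS logins are not VTY sessions, so the VTY ACL never sees them.
! Preferred: disable the web server entirely.
no ip http server
no ip http secure-server
! If it must stay on, bind the HTTP server to its own (numbered standard) ACL:
! ip http access-class 10

! Brute-force protection: after 10 failures within 60 s, refuse logins for
! 300 s, but keep admitting the hosts in MGMT-HOSTS during the quiet period.
login block-for 300 attempts 10 within 60
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log

! Management Plane Protection (syntax per the linked document; confirm support
! on your platform/version): accept management only on this interface, SSH only.
control-plane host
 management-interface GigabitEthernet1/0/1 allow ssh
```

With this in place, the on-failure log lines and the ACL deny log counters give you a record of the attempts that the VTY ACL alone was never positioned to see.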