Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1794
Views
0
Helpful
6
Replies

Block Guest SSH to 1.1.1.1

Go to solution
Eugen Serban
Level 1
Level 1

‎10-26-2016 07:34 AM - edited ‎07-05-2021 06:02 AM

Hello,


I just found out that when connecting to a guest network I can ssh to 1.1.1.1. If I have the username and password, I can log in and wreck havoc in the network.

Of course, an attacker will find the 1.1.1.1 address (or whatever) and try to exploit it: it's in the web portal or shown as the dhcp server when doing an ipconfig.

My idea was to create a CPU acl that blocks ssh and telnet to 1.1.1.1, but would this be enough? Will I break other stuff?

Any ideas are greatly appreciated.

Btw, is there a guide regarding hardening the guest network?

Regards,
Eugen

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M. Wisely
Level 4
Level 4

‎10-27-2016 12:54 AM

Do you have 'Management Via Wireless' enabled? We don't and we cannot access the controller via the virtual address.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rasika Nayanajith
VIP
VIP

‎10-26-2016 01:06 PM 

I just found out that when connecting to a guest network I can ssh to 1.1.1.1.

Did you able to log onto your WLC using this IP ?

Rasika

0 Helpful

Go to solution
Eugen Serban
Level 1
Level 1
In response to Rasika Nayanajith

‎10-26-2016 02:31 PM

Hello,

Yes, when connected to the guest network, I am able to ping 1.1.1.1 and ssh to it. As I have the credentials for the WLC, I was able to log in.

0 Helpful

Go to solution
Andrew MacTaggart
Level 1
Level 1

‎10-26-2016 01:15 PM

you should be using an RFC5737 address for your virtual interface.

0 Helpful

Go to solution
M. Wisely
Level 4
Level 4

‎10-27-2016 12:54 AM

Do you have 'Management Via Wireless' enabled? We don't and we cannot access the controller via the virtual address.

0 Helpful

Go to solution
Eugen Serban
Level 1
Level 1
In response to M. Wisely

‎10-27-2016 01:34 AM

On the anchor, we do, yes. On the remote sites we don't.

This is indeed a proper solution. Thanks!

0 Helpful

Go to solution
Eugen Serban
Level 1
Level 1
In response to M. Wisely

‎10-27-2016 05:08 AM

I applied the change and now it's behaving like it should :)

Thanks again!

Eugen

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card