
ACL to block range of IP's

Status
Not open for further replies.

drewdown

IS-IT--Management
Apr 20, 2006
657
US
I want to block SSH/Telnet access to my core router from a range of IPs, i.e. 172.23.32.50 - 99, but allow it for any other IP. How would I word my ACL using a wildcard to match only those IP addresses?


Code:
deny tcp 172.23.32.50 0.0.0.? host 172.23.32.1 eq 23
permit ip any any


 
deny tcp 172.23.32.48 0.0.0.15 host 172.23.32.1 eq 23
deny tcp 172.23.32.64 0.0.0.31 host 172.23.32.1 eq 23
deny tcp 172.23.32.96 0.0.0.3 host 172.23.32.1 eq 23
deny tcp 172.23.32.48 0.0.0.15 host 172.23.32.1 eq 22
deny tcp 172.23.32.64 0.0.0.31 host 172.23.32.1 eq 22
deny tcp 172.23.32.96 0.0.0.3 host 172.23.32.1 eq 22
permit ip any any

Burt
 
The first line will block .49, so you'll have to allow that first...sorry

permit ip host 172.23.32.49 host 172.23.32.1
IF you want all IP...

Burt
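An added example, not from the thread: it generalizes Burt's rounding above by computing the exact wildcard blocks for any inclusive range (Cisco wildcard semantics, power-of-two blocks aligned to their own size) and listing the hosts a hand-rounded ACL catches by accident, here .48 and .49.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _txt(n):
    return str(ipaddress.IPv4Address(n))

def range_to_wildcard_blocks(first, last):
    """Split an inclusive IPv4 range into the fewest (network, wildcard) pairs
    that cover it exactly. A wildcard block is a power-of-two size aligned to
    its own size, so each block grows only while both conditions still hold."""
    lo, hi = _ip(first), _ip(last)
    blocks = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((_txt(lo), _txt(size - 1)))
        lo += size
    return blocks

def block_addresses(network, wildcard):
    """Every address a (network, wildcard) pair matches: fixed bits come from
    the network, each '1' bit in the wildcard is 'don't care' (Cisco semantics)."""
    n, w = _ip(network), _ip(wildcard)
    base = n & ~w & MASK32
    free = [1 << i for i in range(32) if (w >> i) & 1]
    for combo in range(1 << len(free)):
        yield base | sum(b for j, b in enumerate(free) if (combo >> j) & 1)

def overmatched(blocks, first, last):
    """Addresses the blocks match but that lie outside [first, last]: hosts a
    hand-rounded deny line would lock out by accident."""
    lo, hi = _ip(first), _ip(last)
    hits = {a for net, wc in blocks for a in block_addresses(net, wc)}
    return [_txt(a) for a in sorted(hits) if a < lo or a > hi]

# Burt's three rounded lines from the thread (destination/port omitted here).
BURT_BLOCKS = [("172.23.32.48", "0.0.0.15"),
               ("172.23.32.64", "0.0.0.31"),
               ("172.23.32.96", "0.0.0.3")]

if __name__ == "__main__":
    exact = range_to_wildcard_blocks("172.23.32.50", "172.23.32.99")
    print(exact)                      # five blocks, nothing outside .50-.99
    print(overmatched(BURT_BLOCKS, "172.23.32.50", "172.23.32.99"))
    # -> ['172.23.32.48', '172.23.32.49']
```

The exact cover costs five deny lines per port instead of three; the trade-off is the two extra hosts denied, which is why the thread needs the preceding permit for .49.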
 
Does anyone have any idea how failed login attempts affect a switch or router?

Say you have a device that is trying to log into a device every 2 seconds for 10 minutes???
 
It won't affect it like Cisco routers used to be affected. People used to be able to do a very long string for the password, and while the router was working it out (along with a ping of death), a hacker would be able to log into the router without a password. You can log the attempts.

Burt
 
Thanks man. I am logging it and at this point I am fully aware of it, trying to decide whether or not I should block it altogether.

Thanks again for your help.
 
I would---where does dnsstuff.com say the IP is from? If it's from the University of Beijing or something, I'd block the entire range. Do you allow telnet?
router(config)#line vty 0 4
router(config-line)#transport input ssh

This is what I would do.

Burt
 
Hahha, it's internal man. My company builds a piece of network equipment that allows you to proactively support enterprise level networks. And to do that it needs to be able to get telnet/SSH access to network devices, amongst other things.

Thanks for your help.
 
What indication do you have that someone is trying to log in and failing?

Burt
 
1. Radius: failed login attempts show on my IAS server
Code:
User write was denied access.
 Fully-Qualified-User-Name = domain\username
 NAS-IP-Address = 0.0.0.0
 NAS-Identifier = <not present> 
 Called-Station-Identifier = <not present> 
 Calling-Station-Identifier = xxx.xx.xx.xx
 Client-Friendly-Name = DNSNAME
 Client-IP-Address = xxx.xx.xx.xx
 NAS-Port-Type = Virtual
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server = <undetermined> 
 Policy-Name = <undetermined> 
 Authentication-Type = PAP
 EAP-Type = <undetermined> 
 Reason-Code = 16
 Reason = Authentication was not successful because an unknown user name or incorrect password was used.

2. I have "(config)#logging on-failure every 3" on my network devices which logs events to a sys log program:

Code:
04-11-2008	13:31:59	Local7.Warning	xxx.xx.xx.xx	131645: 11w3d: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: xxx.xx.xx.xx] [localport: 23] [Reason: Login Authentication Failed] at 17:31:58 UTC Fri Apr 11 2008

You would cringe if you saw how many times these devices are getting hit with failed login attempts. Almost like an unintentional dictionary DoS attack.

 
I would definitely only allow ssh in and not telnet---if you have people behind your own network trying to crack passwords, then you may also eventually have someone sniffing the line, and telnet traffic, usernames and passwords, are sent across in clear text.

Burt
 
Have to re-visit this. I am having issues with making this work internally on my network, here is my ACL to block SSH from an entire subnet to the mgmt IP of a certain network device:

Code:
deny   tcp 172.23.32.0 0.0.0.255 host 10.40.9.1 eq 22
 permit ip any any

If I put the ACL on line vty without the permit ip any any it blocks all SSH connections. If I put it on the lines with permit ip any any and try to ssh from a device on the .32 subnet it still allows the SSH connection.

I am confused as to where this needs to go to block all SSH from the 172.23.32.0/24 subnet to all mgmt IP addresses. At this point I am trying to get it to work on 1 device before I do it on all of them. Does the ACL need to be on the core router or on each individual device?

Any ideas?
 
How are you applying it to the vty lines? You have to do this...
line vty 0 4
ip access-class blablabla in

Use access-class, not access-group.
Also, on vty lines, you don't need permit ip any any, since they don't pass traffic through.

Burt
 
Yes, that's what I am doing. But if I configure the ACL as follows:

Code:
Extended IP access list DEV_SSH
deny   tcp 172.23.32.0 0.0.0.255 host 10.40.9.1 eq 22

Code:
line vty 0 4
 access-class DEV_SSH in
 privilege level 15
 password 7 XXXXXXXXXXXXXXXXX
 login authentication ADMINS
 transport input ssh
line vty 5 15
 access-class DEV_SSH in
 privilege level 15
 password 7 XXXXXXXXXXXXXXXXX
 login authentication ADMINS
 transport input ssh

It blocks all SSH connections to the switch, even from a different subnet, IE 172.23.25.115 can't ssh into it.

I can't figure out what the problem is.
 
Also, no ip access-class on line vty, it's just:

Code:
switch(config-line)#access-class.....
 
Memory's rusty...
For the vty lines, you only use standard ACLs. It will deny whatever protocol you have input from whatever subnet you define. Let's say the router is 10.10.10.1...

router(config)#access-list 10 deny 172.23.32.0 0.0.0.255
router(config)#line vty 0 4
router(config-line)#access-class 10 in
This will deny ssh from 172.23.32.0/24 because you have
transport input ssh

Burt
 
Thanks, but it's still not working right. If I do this:

Code:
NET-ANN-SW-02(config)#access-list 10 deny 172.23.32.0 0.0.0.255   
NET-ANN-SW-02(config)#line vty 0 4
NET-ANN-SW-02(config-line)#acces
NET-ANN-SW-02(config-line)#access-class 10 in

Code:
line con 0
 password 7 XXXXXXXXXXXXXXX
line vty 0 4
 access-class 10 in
 password 7 XXXXXXXXXXXXXXXX
 login authentication ADMINS
 transport input ssh
line vty 5 14
 password 7 XXXXXXXXXXXXXXXXX
 login authentication ADMINS
 transport input ssh
line vty 15
 password 7 XXXXXXXXXXXXXXXXX
 login authentication ADMINS
 transport input ssh

It blocks all SSH connections.

Tried it from that subnet and another one, 172.23.25.0/24

It shows this:
Code:
Standard IP access list 10
    10 deny   172.23.22.0, wildcard bits 0.0.0.255 (2 matches)

Both of which were denied SSH attempts.


Any other ideas?
 
EDIT: the last snippet should read as follows:

Code:
Standard IP access list 10
    10 deny   172.23.32.0, wildcard bits 0.0.0.255 (2 matches)

It is correct in my config.
 
I guess try the permit any after it...can't remember if there is an implicit deny or not, but I do know you should use standard ACLs...

Burt
 
Yeah that was it, I just figured it out before you posted it.

This is working like it should (denying anything on the .32 subnet and allowing everything else):

Code:
Standard IP access list 10
    10 deny   172.23.32.0, wildcard bits 0.0.0.255 (1 match)
    20 permit any log

Thanks Burt!
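An added example, not from the thread or from Cisco: a small evaluator for standard ACLs applied with `access-class ... in`, reproducing why the one-line deny locked out every subnet (the implicit deny at the end of every IOS ACL) and why appending `permit any` fixes it. The config-line syntax it parses is the one used in the thread; the function and variable names are my own.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & keep) == (_ip(network) & keep)

def parse_standard_acl(text):
    """Turn 'access-list N permit|deny <net> [<wildcard>] | host <ip> | any'
    config lines into (action, network, wildcard) tuples in IOS evaluation order.
    Trailing keywords such as 'log' do not affect matching and are ignored."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] == "access-list":
            parts = parts[2:]                     # drop 'access-list 10'
        action, target = parts[0], parts[1]
        if target == "any":
            rules.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host":
            rules.append((action, parts[2], "0.0.0.0"))
        else:
            wc = parts[2] if len(parts) > 2 and parts[2] != "log" else "0.0.0.0"
            rules.append((action, target, wc))
    return rules

def access_class_decision(rules, src):
    """Evaluate a standard ACL the way 'access-class N in' does on a vty line:
    rules are tried top-down against the source address only, the first match
    wins, and a source matching no rule hits the implicit 'deny any'."""
    for action, net, wc in rules:
        if matches(src, net, wc):
            return action
    return "deny"                                 # the implicit deny

# The two ACLs from the thread: the one that locked everyone out, and the fix.
BROKEN = "access-list 10 deny 172.23.32.0 0.0.0.255"
FIXED = BROKEN + "\naccess-list 10 permit any log"

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        rules = parse_standard_acl(acl)
        for src in ("172.23.32.50", "172.23.25.115"):
            print(f"{name}: {src} -> {access_class_decision(rules, src)}")
```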
 