aaa authentication 6648
-
doctora
I got it changed and I am still getting hit. Here is the QoS configuration. I left the conditions in place. I did not think that would matter.
Internet Gateway-> show configuration snapshot qos
! QOS :
policy port group Inside 1/15-25
policy port group OutSide 1/1
policy port group PGroup 1/25
policy condition BandWidthRestrict destination port group PGroup
policy condition NoSSHCond destination network group Switch ip protocol 6 destination ip port 22
policy condition NoUDPSSHCond destination network group Switch ip protocol 17 destination ip port 22
policy condition SSHCond source ip 192.168.254.4 ip protocol 6 destination ip port 22
policy condition noPing destination port group OutSide ip protocol 1
policy action Allow
policy action Deny disposition drop
policy action MaxBandWidth maximum bandwidth 1.40M
policy rule AllowTCPSSH precedence 5 condition SSHCond action Allow
policy rule BlockSSH precedence 4 condition NoSSHCond action Deny
qos apply
When I try to remove the ip protocol it gives me an error of "Must specify IP protocol when using IP ports".
Mark
-
doctora
Hi Mark
You don't need both - definitely.
E.g. my earlier posted ACL has the following conditions:
-> policy condition allow_mgmt source network group mgmt-pc
-> policy condition deny_mgmt source ip Any destination network group Switch
In your message two posts before you've written: "in all testing I have done it has blocked all improper access and has always allowed access from where it should."
I understand that in your tests the SSH access worked as you wished. Where is the problem?
regards Silvio
-
doctora
The improper access I am referring to are the tests that I have issued. I went to my house and was unable to log in. I went to a friend's house and was unable to log in. I had my boss try from his house and he was unable to log in. I thought I had it working, but then when I look at the log files I get attempted logins from China and Panama and Switzerland. They should not be able to attempt a connection.
If you refer to post #17, you can see some of the IP addresses that are making connections, then (I assume) failed login attempts, then dropping. I get these every couple of minutes if I turn on almost any IP service. I am going to connect a console connection to my office so I can better make changes and then test for short periods of time.
I hope that I am not frustrating you too much. Maybe I am looking at this wrong.
Mark
-
benny
Hi Mark,
Could you please try the following (Silvio already mentioned it earlier):
Switch-> qos classifyl3 bridged
Switch-> qos apply
This will make sure that the IPs are checked even if the traffic is just bridged to the switch.
-benny
Hi Mark,
Do you have contact with the "bad guys" all over the world who try to connect to your switch? Then you can do the desired tests with them. You have to detect which rule will match if they try to connect to the switch. Also my question: are all of their attempts successful, or only some of them? I have had a similar issue at a 6624 with a dhcp-server rule: most of the traffic from the wrong server was dropped (as desired) - but sometimes the clients got an IP from the wrong DHCP server.
Have you the actual code in the switches?
regards Silvio
-
doctora
What do you mean by "Have you the actual code in the switches?"
I am down to only two rules. The first rule is to allow access using SSH to the addresses in the switch from a specific address. Then I have a deny for all SSH requests to the addresses in the switch. I figure that all the addresses that were in post #17 should be denied.
I got the console connection run to my desk yesterday. I will be able to make the "qos classifyl3 bridged" command change this morning and see if it changes the behavior.
I have no idea if all certain IP address trials are successful or not. I get a lot of matches in the deny rule and I see a bunch of SSH attempts in the log files. Is there a way to record which IP addresses are being denied?
Mark
I mean the software version (the current one I know of is 5.4.1 build 553).
I only know of a sniffer (via mirror port) for finding more info. The swlog seems to show successful logins.
You can check the current users with > show users.
(You can try to increase the appid for the swlog level to 9 - but I don't know which is the relevant application.)
But I hope you have changed the password.
Is SSH the only allowed service? Then you can leave out the "destination ip port 22" - so the condition will be simpler with the same result.
Silvio
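As an added illustration, not code from the thread or from Alcatel-Lucent, here is a small Python model of how the two-rule set Mark posted behaves with and without "qos classifyl3 bridged" (benny's suggestion), and what changes when the "destination ip port 22" term is dropped from the deny condition as Silvio suggests. The membership of the "Switch" network group, the 192.168.254.1 management address, the 203.0.113.7 outside address and the rule name BlockMgmt are constructed assumptions; the rule ordering (higher precedence checked first) is inferred from the thread's own Allow 5 / Deny 4 layout.

```python
"""Model of OmniSwitch QoS classification for SSH attempts (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

# Constructed stand-ins: the thread names a "Switch" network group but does not
# show its members, so the management subnet below is an assumption.
SWITCH_GROUP = [ip_network("192.168.254.0/24")]
TRUSTED_SOURCE = ip_address("192.168.254.4")  # source ip from policy condition SSHCond


@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP, 1 = ICMP, as in the thread's conditions
    dport: Optional[int]
    bridged: bool         # True when the switch does not route the frame; traffic
                          # addressed to the switch's own IP falls in this class


@dataclass
class Rule:
    name: str
    precedence: int
    condition: Callable[[Packet], bool]
    action: str


def in_switch_group(addr: str) -> bool:
    return any(ip_address(addr) in net for net in SWITCH_GROUP)


def ssh_cond(p: Packet) -> bool:        # SSHCond: trusted source, TCP, dest port 22
    return ip_address(p.src) == TRUSTED_SOURCE and p.proto == 6 and p.dport == 22


def no_ssh_cond(p: Packet) -> bool:     # NoSSHCond: any source to the switch, TCP/22
    return in_switch_group(p.dst) and p.proto == 6 and p.dport == 22


def no_mgmt_cond(p: Packet) -> bool:    # Silvio's variant: any IP traffic to the switch
    return in_switch_group(p.dst)


SSH_ONLY_RULES = [
    Rule("AllowTCPSSH", 5, ssh_cond, "Allow"),
    Rule("BlockSSH", 4, no_ssh_cond, "Deny"),
]
ALL_PORTS_RULES = [
    Rule("AllowTCPSSH", 5, ssh_cond, "Allow"),
    Rule("BlockMgmt", 4, no_mgmt_cond, "Deny"),   # hypothetical rule name
]


def classify(p: Packet, rules: List[Rule], classify_l3_bridged: bool) -> str:
    """Return the disposition the rule set gives the packet.

    Without 'qos classifyl3 bridged', bridged frames are never matched against
    L3/L4 conditions, so both rules are skipped and the frame is delivered.
    Rules are assumed to be checked from highest precedence down, which is what
    lets Allow (5) win over Deny (4) for the trusted host.
    """
    if p.bridged and not classify_l3_bridged:
        return "Accept (bridged, L3 not classified)"
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if rule.condition(p):
            return f"{rule.action} by {rule.name}"
    return "Accept (default disposition)"


def run_scenarios() -> dict:
    switch_ip = "192.168.254.1"   # constructed management address inside the group
    scenarios = {
        "trusted ssh": Packet("192.168.254.4", switch_ip, 6, 22, bridged=True),
        "internet ssh": Packet("203.0.113.7", switch_ip, 6, 22, bridged=True),
        "internet telnet": Packet("203.0.113.7", switch_ip, 6, 23, bridged=True),
    }
    results = {}
    for label, pkt in scenarios.items():
        results[(label, "no classifyl3")] = classify(pkt, SSH_ONLY_RULES, False)
        results[(label, "ssh-only")] = classify(pkt, SSH_ONLY_RULES, True)
        results[(label, "all-ports")] = classify(pkt, ALL_PORTS_RULES, True)
    return results


if __name__ == "__main__":
    for (label, mode), verdict in run_scenarios().items():
        print(f"{label:16s} {mode:14s} -> {verdict}")
```

The "no classifyl3" column reproduces the symptom in the thread: every SSH attempt is accepted because the deny rule is never consulted. The "ssh-only" column shows the fix working for port 22 only, so a different service such as telnet would still reach the switch; the "all-ports" column shows Silvio's broader deny covering it while the trusted host still gets in through the higher-precedence allow.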
-
doctora
Good news: since adding the classifyl3 command and enabling the SSH service I have had no unwanted connections. The not so bad news is that I have only blocked 3 attempts. Being shut down for a day has reduced the number of attempts to log in. I am going to change it from SSH to all ports like Silvio recommends. I don't want anyone outside to access any ports on the switch. I will update this entry before I leave for the day and add again tomorrow.
Thanks
Mark