Hi Mark,
I would like to suggest that you look into my earlier post regarding "other services" (Link: Click here). Maybe you don't want to use them at all, so the best way would be to shut down the service port (which also means you would need fewer rules).
Your AOS is 4.5 years old; you might want to update that when you have some time. (Well, or you replace the switch with a new OmniSwitch as you previously mentioned.)
-benny
aaa authentication 6648
-
doctora
I already have the other services off. That is how I shut off SSH at night while I have been testing the ACLs. I know the AOS is old, but I have not done an upgrade before. I plan on upgrading a test switch before I upgrade an important one. As I have stated before, our paid consultants (in which I have no say) do not believe in upgrades, so I am on my own.
Thanks. So far I still have not had an illegal SSH login. I will be leaving it on tonight and see what happens. When this is all done I will post my QoS configuration in hopes that it helps someone else.
Mark
-
doctora
I had about a thousand attempts last night and not one was blocked. I went back to something either Benny or Silvio wrote about not using protocols today, and just like that it started working. I am blocking and only allowing me.
qos classifyl3 bridged
policy port group Inside 1/15-25
policy port group OutSide 1/1
policy port group PGroup 1/25
policy condition BandWidthRestrict destination port group PGroup
policy condition NoSSHCond destination network group Switch ip protocol 6 destination ip port 22
policy condition NoUDPSSHCond destination network group Switch ip protocol 17 destination ip port 22
policy condition SNMPMon source ip 192.168.254.14 destination network group Switch
policy condition SSHCond source ip 192.168.254.4 ip protocol 6 destination ip port 22
policy condition allowAll source ip 192.168.254.4 destination network group Switch
policy condition blockAll destination network group Switch
policy condition noPing destination port group OutSide ip protocol 1
policy action Allow
policy action Deny disposition drop
policy action MaxBandWidth maximum bandwidth 1.40M
policy rule AllowSNMPMon precedence 6 condition SNMPMon action Allow
policy rule AllowTCPSSH precedence 5 condition allowAll action Allow
policy rule BlockSSH precedence 4 condition blockAll action Deny
qos apply
I know there are a lot of conditions that I can purge, but they shouldn't hurt anything for a couple of days. I also had to add another internal address for our MRTG SNMP monitoring. I feel very confident that simplifying it will make it work. This is the first time I have made a change and instantly saw data like blocks and allows that match. The MRTG rule is great because I know exactly how many matches I should get. This whole situation is one that I think I overthought a bit. I should have approached it as block everything and then figure out what to allow. If either of you suggested that originally, give me a big "I told you so." I deserve it. So far I have learned a ton and I can write conditions/actions and rules without looking up stuff. That is pretty good for me.
I may leave out the Max bandwidth policy. It has been in place for so long that anyone affected by it does not realize that it was lifted, and they are not abusing it anymore. I will see if it lasts.
Thanks, I hope this gets it.
Mark
Hi Mark,
this config is a good one. The conditions with no association to a rule will not be used.
If there is still SSH access, then you are in trouble. You should make an update to 5.4.1.
Your version (5.1.6.424.R01 Service Release, June 24, 2005) is not the newest one.
Have you any idea how the access from all over the world occurred? Normally there has to be a firewall and/or NAT router?
regards Silvio
-
doctora
This switch is on the world side of the firewall/NAT router. I know this is not the best, but that portion/decision is not mine. I am not to question why, just to do or die. "Make it work" is usually what I hear. Since no one got through, I found this challenge quite enjoyable. It is still blocking. I am checking it every hour.
-
doctora
It appears that all is well. Here is the final configuration. The lesson I learned is to work backward from blocking all. It made for a simple config and appears to be fine. I am still not completely sure why the original did not work, but I have spent too much time on this, and as long as it works and I understand why it works I am happy. Thanks for the time and help, both of you.
! QOS :
policy port group PGroup 1/25
policy condition BandWidthRestrict destination port group PGroup
policy condition BlockAll destination network group Switch
policy condition SNMPMon source ip 192.168.254.14 destination network group Switch
policy condition allowSome source ip 192.168.254.4 destination network group Switch
policy action Allow
policy action Deny disposition drop
policy action MaxBandWidth maximum bandwidth 1.40M
policy rule Allow precedence 5 condition allowSome action Allow
policy rule AllowSNMP precedence 4 condition SNMPMon action Allow
policy rule Block precedence 3 condition BlockAll action Deny
policy rule MaxBandRule condition BandWidthRestrict action MaxBandWidth
qos apply
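The ordering lesson in the two working configs above (one rule that drops everything addressed to the switch, and allow rules for specific sources placed at higher precedence) can be checked offline before touching a production switch. The block below is an added example, not OmniSwitch code and not Mark's or the thread's own tooling: it parses the final policy text as posted into a small evaluator. It assumes that rules are tried from highest precedence to lowest, that the first matching rule decides, and that a packet matching no rule is accepted; the membership of the built-in "Switch" network group, the PGroup port mapping, the sample packets and the 203.0.113.7 attacker address are all constructed for illustration.

```python
"""Added example: evaluate OmniSwitch-style policy text against sample packets.

Assumptions (not from the thread): higher precedence is tried first, first
match decides, and a packet that matches no rule is accepted. Only the
condition keywords used in the posted config are understood.
"""
import re
from dataclasses import dataclass

# Constructed for illustration: the switch's own management address (what the
# built-in 'Switch' network group would cover) and the posted port group.
NETWORK_GROUPS = {"Switch": {"192.168.254.1"}}
PORT_GROUPS = {"PGroup": {"1/25"}}

# The final configuration exactly as posted in the thread.
FINAL_CONFIG = """
policy port group PGroup 1/25
policy condition BandWidthRestrict destination port group PGroup
policy condition BlockAll destination network group Switch
policy condition SNMPMon source ip 192.168.254.14 destination network group Switch
policy condition allowSome source ip 192.168.254.4 destination network group Switch
policy action Allow
policy action Deny disposition drop
policy action MaxBandWidth maximum bandwidth 1.40M
policy rule Allow precedence 5 condition allowSome action Allow
policy rule AllowSNMP precedence 4 condition SNMPMon action Allow
policy rule Block precedence 3 condition BlockAll action Deny
policy rule MaxBandRule condition BandWidthRestrict action MaxBandWidth
"""


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = 6            # 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int = 0
    egress_port: str = "1/1"  # constructed, used for 'destination port group'


def parse_condition(rest):
    """Turn the text after 'policy condition NAME' into match keys."""
    cond = {}
    if m := re.search(r"source ip (\S+)", rest):
        cond["src"] = m.group(1)
    if m := re.search(r"destination network group (\S+)", rest):
        cond["dst_group"] = m.group(1)
    if m := re.search(r"destination port group (\S+)", rest):
        cond["dport_group"] = m.group(1)
    if m := re.search(r"ip protocol (\d+)", rest):
        cond["proto"] = int(m.group(1))
    if m := re.search(r"destination ip port (\d+)", rest):
        cond["dport"] = int(m.group(1))
    return cond


def parse_policy(text):
    """Return rules as (precedence, name, condition, disposition), highest first."""
    conds, actions, rules = {}, {}, []
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["policy", "condition"]:
            conds[parts[2]] = parse_condition(" ".join(parts[3:]))
        elif parts[:2] == ["policy", "action"]:
            # An action drops only when it says so; anything else forwards.
            actions[parts[2]] = "drop" if "disposition drop" in line else "accept"
        elif parts[:2] == ["policy", "rule"]:
            m = re.match(r"policy rule (\S+)(?: precedence (\d+))? condition (\S+) action (\S+)", line)
            name, prec, cname, aname = m.groups()
            rules.append((int(prec or 0), name, conds[cname], actions[aname]))
    rules.sort(key=lambda r: r[0], reverse=True)  # assumed: higher precedence first
    return rules


def matches(cond, pkt):
    """Every key present in the condition must match the packet."""
    if "src" in cond and pkt.src != cond["src"]:
        return False
    if "dst_group" in cond and pkt.dst not in NETWORK_GROUPS.get(cond["dst_group"], set()):
        return False
    if "dport_group" in cond and pkt.egress_port not in PORT_GROUPS.get(cond["dport_group"], set()):
        return False
    if "proto" in cond and pkt.proto != cond["proto"]:
        return False
    if "dport" in cond and pkt.dport != cond["dport"]:
        return False
    return True


def decide(rules, pkt):
    """First matching rule wins; no match means the packet is accepted (assumed)."""
    for _prec, name, cond, disposition in rules:
        if matches(cond, pkt):
            return name, disposition
    return None, "accept"


def evaluate_final():
    """Run constructed sample packets through the posted final config."""
    rules = parse_policy(FINAL_CONFIG)
    samples = {
        "admin_ssh": Packet("192.168.254.4", "192.168.254.1", 6, 22),
        "mrtg_snmp": Packet("192.168.254.14", "192.168.254.1", 17, 161),
        "outside_ssh": Packet("203.0.113.7", "192.168.254.1", 6, 22),  # constructed attacker
        "transit": Packet("203.0.113.7", "192.168.254.50", 6, 443),    # not to the switch
    }
    return {label: decide(rules, pkt) for label, pkt in samples.items()}


def evaluate_misordered():
    """Same rules, but the deny rule given the highest precedence: it now
    shadows both allow rules and the administrator's own SSH is dropped."""
    text = FINAL_CONFIG.replace("policy rule Block precedence 3", "policy rule Block precedence 6")
    return decide(parse_policy(text), Packet("192.168.254.4", "192.168.254.1", 6, 22))


if __name__ == "__main__":
    for label, verdict in evaluate_final().items():
        print(f"{label:12s} -> {verdict}")
    print("misordered   ->", evaluate_misordered())
```

The transit packet shows the caveat of a network-group-only deny: traffic merely passing through the switch to another host never matches BlockAll, so nothing in this policy restricts it, and the bandwidth rule only applies to whatever leaves on port 1/25. The misordered variant is the lockout case to test for before `qos apply` on a switch that faces the Internet.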