
FTP control is not working properly even though an ACL is configured

Publication Date:  2013-10-28 Views:  50 Downloads:  0
Issue Description

FTP control is not working properly even though an ACL is configured.
(** is used to protect customer data.)

1. Check the log to clarify what "not working properly" means. There were many similar log entries like the one below:
Apr 25 2013 07:45:55+06:00 ***NE40E_X3 %%01FTPS/3/LOGIN_FAIL(l)[27]:The user failed to log in. (UserName="an****s", IpAddress=61.***.***.133, VpnInstanceName="")

The log indicates that an unauthorized user was trying to log in to the NE40E over FTP.

2. Confirm the ACL configuration with the customer.
#
 FTP server enable
#
acl number 3999
 description TELNET_CONTROL
 rule 10 permit ip source 1.*.1.0 0.0.0.3
 rule 15 permit ip source 10.*.0.0 0.0.0.255
 rule 20 permit ip source 10.*.0.0 0.0.0.255
 rule 25 permit ip source 10.*.0.0 0.0.0.255
 rule 30 permit ip source 192.168.*.0 0.0.0.255
 rule 35 permit ip source 103.12.*.0 0.0.0.255
 rule 40 permit ip source 103.4.*.176 0.0.0.3
 rule 45 permit ip source 27.0.*.40 0.0.0.3
#
aaa
 local-user g**l password cipher %$%$%************&Sr%yp%$%$
 local-user g**l service-type ftp terminal telnet ssh
 local-user g**l level 15
 local-user g**l ftp-directory cfcard2:
#
user-interface vty 0 4
 acl 3999 inbound
 authentication-mode aaa
 idle-timeout 20 0
 protocol inbound all

Handling Process

1. The rules under the ACL are matched from rule 5 until rule 45. The IP address 61.***.***.133 does not match any of them and should be restricted.
2. The VTY user-interface carries the telnet and ssh protocols. Based on the current configuration, the NE40E therefore restricts telnet and ssh users only.
3. The NE40E uses the "ftp acl acl-number" command to restrict FTP users.
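Steps 1 and 2 above can be automated as a quick check: parse the FTPS/3/LOGIN_FAIL records and test each source address against the ACL's permit rules using VRP wildcard-mask semantics. This is an added example, not code from the page or from Huawei; the addresses and log lines are constructed because the page's own values are redacted.

```python
import ipaddress
import re

# Constructed permit rules in the VRP "source <address> <wildcard>" form
# (the page's real addresses are redacted with "*", so these are made up).
ACL_RULES = [
    ("1.1.1.0", "0.0.0.3"),
    ("10.1.0.0", "0.0.0.255"),
    ("192.168.1.0", "0.0.0.255"),
]

# Constructed log lines in the NE40E FTPS/3/LOGIN_FAIL format shown on the page.
SAMPLE_LOGS = """\
Apr 25 2013 07:45:55+06:00 NE40E_X3 %%01FTPS/3/LOGIN_FAIL(l)[27]:The user failed to log in. (UserName="anon", IpAddress=61.1.2.133, VpnInstanceName="")
Apr 25 2013 07:46:10+06:00 NE40E_X3 %%01FTPS/3/LOGIN_FAIL(l)[28]:The user failed to log in. (UserName="admin", IpAddress=10.1.0.7, VpnInstanceName="")
"""

LOGIN_FAIL_RE = re.compile(
    r'FTPS/3/LOGIN_FAIL.*?UserName="([^"]*)", IpAddress=(\d+\.\d+\.\d+\.\d+)'
)


def matches_wildcard(ip, network, wildcard):
    """VRP wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def acl_permits(ip, rules=ACL_RULES):
    """True if any permit rule in the list covers the address."""
    return any(matches_wildcard(ip, net, wc) for net, wc in rules)


def unauthorized_ftp_attempts(log_text, rules=ACL_RULES):
    """Return (user, ip) for each FTP login failure whose source the ACL would not permit.
    Only FTPS LOGIN_FAIL records are considered; other log lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_FAIL_RE.search(line)
        if m and not acl_permits(m.group(2), rules):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for user, ip in unauthorized_ftp_attempts(SAMPLE_LOGS):
        print(f"FTP login attempt from address outside the ACL: {ip} (user {user!r})")
```

Any address this script reports is one the ACL would block if it were applied to the FTP server with "ftp acl", which is exactly what the VTY-bound ACL 3999 fails to do.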

Root Cause

The ACL applied under user-interface cannot restrict FTP users. The related FTP ACL configuration is missing.

Solution

1. Create a basic ACL, for example ACL 2000. (A basic ACL matches on source address only, so its rules use "permit source" rather than the "permit ip source" form of the advanced ACL 3999.)

#

acl number 2000

 rule 10 permit source 1.*.1.0 0.0.0.3
 rule 15 permit source 10.*.0.0 0.0.0.255
 rule 20 permit source 10.*.0.0 0.0.0.255
 rule 25 permit source 10.*.0.0 0.0.0.255
 rule 30 permit source 192.168.*.0 0.0.0.255
 rule 35 permit source 103.12.*.0 0.0.0.255
 rule 40 permit source 103.4.*.176 0.0.0.3
 rule 45 permit source 27.0.*.40 0.0.0.3

2. Apply the ACL to the FTP server.

 

<Huawei>system-view

Enter system view, return user view with Ctrl+Z.

[Huawei]ftp acl 2000

 

FTP users connecting from unauthorized IP addresses will then be denied.

Suggestions

It is recommended to disable the FTP server if it is not used frequently on the live network.
