
How to deny access for FTP and SSH on AR routers

Publication Date: 2016-06-24 | Views: 342 | Downloads: 0 | Author: a84053107 | Document ID: EKB1000125083

Contents

Issue Description

If you have an AR router and want to secure it at the network level, this is how to do it.

In this KB we illustrate how to close port 21 (FTP) and port 22 (SSH) so that nobody can log in to the router from public networks.

Handling Process

Apply the commands shown below to obtain a more secure network.

Root Cause

This is not an issue; it is a network security precaution.

Solution

Run the following commands to deny FTP and SSH access from public networks and allow access only from private IP addresses:

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]acl 3000
[Huawei-acl-adv-3000]rule permit tcp source 192.168.X.X 0.0.0.255 destination-port eq 21
[Huawei-acl-adv-3000]rule permit tcp source 192.168.X.X 0.0.0.255 destination-port eq 22
[Huawei-acl-adv-3000]rule deny tcp destination-port eq 21
[Huawei-acl-adv-3000]rule deny tcp destination-port eq 22
[Huawei-acl-adv-3000]quit

[Huawei]interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0]description ***Wan Port to internet***
[Huawei-Ethernet0/0/0]ip address 176.168.2.20 255.255.255.0
[Huawei-Ethernet0/0/0]traffic-filter inbound acl 3000
[Huawei-Ethernet0/0/0]nat server protocol udp global current-interface snmp inside 192.168.8.16 snmp
[Huawei-Ethernet0/0/0]nat server protocol tcp global current-interface any inside 192.168.8.11 any
[Huawei-Ethernet0/0/0]nat outbound 3000 address-group 1

NOTE: replace 192.168.X.X with the inside (private) network address of the servers that are allowed to connect; the 0.0.0.255 wildcard matches the whole /24.
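To check what such an ACL actually does before applying it, here is a small first-match evaluator written as an added example for this article (not Huawei code). It assumes 192.168.1.0/24 stands in for the inside subnet, 203.0.113.7 for an Internet client, and that traffic-filter permits a packet matching no rule; it compares the rules keyed on source-port with the same rules keyed on destination-port for an inbound SSH attempt, showing that only the latter blocks it, because a connection to the router's SSH service carries 22 as its destination port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    src_net: str = "0.0.0.0"            # source address plus Huawei wildcard
    src_wild: str = "255.255.255.255"   # (1 bits = don't care); default is any
    sport: Optional[int] = None         # "source-port eq N"
    dport: Optional[int] = None         # "destination-port eq N"

def wildcard_match(addr: str, base: str, wild: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wild))
    return (a & ~w) == (b & ~w)         # compare only the bits the wildcard cares about

def matches(rule: Rule, pkt: Packet) -> bool:
    return (wildcard_match(pkt.src, rule.src_net, rule.src_wild)
            and (rule.sport is None or pkt.sport == rule.sport)
            and (rule.dport is None or pkt.dport == rule.dport))

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; assumption: no match means permit (AR traffic-filter)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "permit", None

INSIDE = ("192.168.1.0", "0.0.0.255")   # constructed stand-in for 192.168.X.X 0.0.0.255
ACL_SRC_PORT = [Rule("permit", *INSIDE, sport=21), Rule("permit", *INSIDE, sport=22),
                Rule("deny", sport=21), Rule("deny", sport=22)]   # rules keyed on source-port
ACL_DST_PORT = [Rule("permit", *INSIDE, dport=21), Rule("permit", *INSIDE, dport=22),
                Rule("deny", dport=21), Rule("deny", dport=22)]   # same rules on destination-port

# Constructed packets: an SSH connection attempt from the Internet to the WAN address,
# and one from an inside host that should stay permitted
INTERNET_SSH_SYN = Packet("203.0.113.7", "176.168.2.20", 51234, 22)
INSIDE_SSH_SYN = Packet("192.168.1.10", "176.168.2.20", 40000, 22)

if __name__ == "__main__":
    print("source-port ACL, Internet SSH:", evaluate(ACL_SRC_PORT, INTERNET_SSH_SYN))
    print("destination-port ACL, Internet SSH:", evaluate(ACL_DST_PORT, INTERNET_SSH_SYN))
    print("destination-port ACL, inside SSH:", evaluate(ACL_DST_PORT, INSIDE_SSH_SYN))
```

A result of ("permit", None) means no rule matched the packet at all, so the filter never saw the login attempt.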

Suggestions

We suggest denying FTP and SSH access from public networks and allowing it only from private IP addresses, to reduce exposure to DDoS attacks and to external parties who are not supposed to have access to your data or network.