1 Reply Latest reply on May 5, 2014 12:09 PM by cj!

    How to block an external WAN Static IP address on a netvanta 3448

    it_field_technician New Member

      Hello,


      I have identified an ip address that is brute force attacking my term server and I wish to block this ip address in the firewall section of my adtran netvanta 3448 router.


      Can someone please take a few minutes to take me through it step by step?


      Thanks for your time.

        • Re: How to block an external WAN Static IP address on a netvanta 3448
          cj! Beta_User

          Hi it_field_technician:


          Given that this is a malicious host, I would recommend blocking all traffic from it.  I would create a new ACL to match traffic sourced from that IP and then add it to your Public policy-class to deny it.  Note that policies are processed top-down, so you'll want to have the new policy above the RDS or TS policy at a minimum.  You may want to place it above all of your other service-related policies:


          !
          ip access-list extended Blocked-IP
            remark IP to block
            permit ip host 12.34.56.78 any log
          !
          !
          ip policy-class Public
            discard list Blocked-IP
            nat destination list admin self
            nat destination list RDS address 192.168.1.5
            nat destination list OWA address 192.168.1.6 port 443
          !


          In the GUI, you'd expand the Data section and click Security Zones.  Click the Public (or similar) zone.  Add a new policy, type Filter.  Use a specified source address and enter the offending IP (mask 255.255.255.255 for only one IP).  Destination IP = Any.  Protocol = Any.  After you click Apply, you'll need to move the new policy up so that it's above your RDS/TS policy, or at the very top.  You can click the 'down arrow' to move from the bottom to the very top.


          All this will block only one IP though, and it's not difficult for an attacker to renew and obtain a new address or move to another ISP or service, then resume brute force attempts.  Better options, if possible:


          • Allow RDS/TS connections from known, trusted IP addresses only (whitelist valid sources instead of blacklisting single offenders)
          • Port-shift away from 3389 (not an air-tight measure, but helps some)
          • Require VPN!  Your 3448 is a fine IPSec VPN server (or can be if you're not already running Enhanced Feature Pack).  Unless there's some specific reason your clients cannot use VPN, I highly recommend standardizing on it.


          Best,

          CJ
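The configuration below is an added example, not part of CJ's reply or of any ADTRAN documentation. It takes the two stronger options from the reply (allow RDS only from trusted sources, and shift the public port off 3389) and writes them in the same AOS policy-class style as the thread's snippet, next to the single-host block. The trusted source addresses 203.0.113.10 and 198.51.100.0/24 are assumptions standing in for real remote sites; 12.34.56.78, 192.168.1.5 and 192.168.1.6 are the placeholder values already used in the thread, and 33389 is an arbitrary public port chosen for the example.

```text
! Added example (not from the original thread).
! Assumed values: 203.0.113.10 and 198.51.100.0/24 are the only sources that
! should reach the terminal server; 33389 is the public-facing port that will
! be translated to 3389 on the inside host 192.168.1.5.
!
ip access-list extended Blocked-IP
  remark Known brute-force source; log hits so repeat attempts stay visible
  permit ip host 12.34.56.78 any log
!
ip access-list extended RDS-Trusted
  remark Only these public sources may reach the terminal server, and only
  remark on the shifted public port 33389
  permit tcp host 203.0.113.10 any eq 33389
  permit tcp 198.51.100.0 0.0.0.255 any eq 33389
!
ip policy-class Public
  discard list Blocked-IP
  nat destination list admin self
  nat destination list RDS-Trusted address 192.168.1.5 port 3389
  nat destination list OWA address 192.168.1.6 port 443
!
```

Two things to check after applying something like this. First, ordering: the discard entry stays at the top of the policy-class, so a blocked host is dropped before any forwarding entry is evaluated, exactly as CJ describes for the GUI. Second, the allowlist only helps if nothing else in the Public policy-class still forwards 3389 or 33389 from "any"; the old RDS entry has to be removed, not just pushed down, because a broader entry lower in the list would still match the untrusted sources that fall through RDS-Trusted. Keep the Blocked-IP entry even with the allowlist in place: its log keyword gives you a record of whether the offender keeps trying, which an allowlist alone would silently hide.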