3 Replies Latest reply on Oct 6, 2014 12:10 PM by david

    Blocking External IP Address

    dwessell New Member

      Hi,

      I have an Adtran on a public IP address and I'm already starting to see it getting scanned by international IP addresses with folks looking to make international calls.

      The SIP trunk is locked down by IP address and only traffic from the PRI is allowed through it.

      However, I would imagine that these scans can take up some CPU.

      So how can I go about blocking an external IP address from accessing the Adtran 904 via the GUI?

      Thanks

      David

        • Re: Blocking External IP Address
          jayh Hall_of_Fame

          The following should be a good start:

          ip access-list standard sip-access-list
            permit host [ip of your external SIP provider]
            permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal SIP phones]

          ip sip access-class sip-access-list in

          Then for management of the box:

          ip access-list standard admin-list
            permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal hosts]
            permit [any external management IPs that need to access the box]

          line telnet 0 4
            login local-userlist
            shutdown ! [unless you really need telnet, best to shut it down]
            ip access-class admin-list in
          line ssh 0 4
            login local-userlist
            no shutdown
            ip access-class admin-list in
          http ip access-class admin-list in
          http ip secure-access-class admin-list in

          The following turns off some things that aren't usually needed and represent security risks, as well as hiding passwords from casual snooping of the running configuration.

          service password-encryption
          no tftp server
          no tftp server overwrite
          no ip ftp server
          no ip scp server
          no ip sntp server
          no snmp agent

          On most devices you can type the following:

          run audit security
          show audit security

          which will give some useful guidance and possibly a few red herrings, but it's pretty good at finding big holes.  It whines about SSH and HTTP timeouts over 15 minutes as high risk, as well as having the HTTP server enabled at all, even if both are locked down to inside addresses by access lists as shown above.

          Delete the "admin" user and create one or more username/password pairs unique to your needs.  Change the enable password as well.
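To make the effect of the standard access lists above concrete, here is a small added example (not from this thread, not ADTRAN code) that evaluates source addresses against an ACL written in the same `permit host A.B.C.D` / `permit A.B.C.D 0.0.0.255` wildcard-mask form jayh uses. It models the two rules that matter when reading such a list: a 1 bit in the wildcard mask means "don't care", and anything that matches no entry hits the implicit deny at the end. The provider address and the scanner addresses are constructed values from the RFC 5737 documentation ranges, standing in for the bracketed placeholders in the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACL in the same form as the sip-access-list above; the
# provider host is a made-up documentation address standing in for
# "[ip of your external SIP provider]".
SIP_ACL = """
ip access-list standard sip-access-list
  remark trusted SIP trunk provider
  permit host 203.0.113.10
  permit 192.168.100.0 0.0.0.255
"""

# Constructed sample of INVITE source addresses as they might appear in a
# SIP scan: the provider, an internal phone, a host just outside the
# internal range, and two external scanners (all documentation-range IPs).
SAMPLE_SOURCES = [
    "203.0.113.10",    # SIP provider (permitted by the host entry)
    "192.168.100.25",  # internal phone (permitted by the wildcard entry)
    "192.168.101.25",  # adjacent subnet, outside the /24 -> implicit deny
    "198.51.100.77",   # external scanner -> implicit deny
    "203.0.113.11",    # one address off the provider host -> implicit deny
]


@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    network: int   # base address as a 32-bit integer
    wildcard: int  # wildcard (inverse) mask as a 32-bit integer


def parse_acl(text: str) -> list[AclEntry]:
    """Parse standard-ACL entries; header and remark lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("!") or line.startswith("remark")
                or line.startswith("ip access-list")):
            continue
        parts = line.split()
        action = parts[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACL entry: {line}")
        if parts[1] == "any":
            net, wc = 0, 0xFFFFFFFF
        elif parts[1] == "host":
            net, wc = int(ipaddress.IPv4Address(parts[2])), 0
        else:
            net = int(ipaddress.IPv4Address(parts[1]))
            # A bare address with no mask is treated as a host match.
            wc = int(ipaddress.IPv4Address(parts[2])) if len(parts) > 2 else 0
        entries.append(AclEntry(action, net, wc))
    return entries


def matches(entry: AclEntry, addr: str) -> bool:
    """Wildcard-mask match: compare only the bits where the wildcard is 0."""
    care = ~entry.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (entry.network & care)


def evaluate(entries: list[AclEntry], addr: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for entry in entries:
        if matches(entry, addr):
            return entry.action
    return "deny"


def classify_sources(acl_text: str, sources: list[str]) -> dict[str, str]:
    """Map each source address to the action the ACL would take on it."""
    entries = parse_acl(acl_text)
    return {src: evaluate(entries, src) for src in sources}


if __name__ == "__main__":
    for src, action in classify_sources(SIP_ACL, SAMPLE_SOURCES).items():
        print(f"{src:>16}  {action}")
```

The point the run makes is that only the provider host and the internal /24 get through; everything else, including an address one off from the provider, is dropped by the implicit deny, which is what stops the scanners from ever reaching the SIP stack.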


          • Re: Blocking External IP Address
            david Employee

            Mr. Wessell,

            I wanted to add the following link to this post.

            Security Best Practices for AOS Products

            Another command which is helpful, specifically for port scans, is "ip firewall stealth".

            Thanks,

            David

            • Re: Blocking External IP Address
              david Employee

              David,

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

              Thanks,

              David