dwessell
New Contributor

Blocking External IP Address

Hi,

I have an Adtran on a public IP address and I'm already starting to see it getting scanned by international IP addresses with folks looking to make international calls.

The SIP trunk is locked down by IP address and only traffic from the PRI is allowed through it.

However, I would imagine that these scans can take up some CPU.

So how can I go about blocking an external IP address from accessing the Adtran 904 via the gui?

Thanks

David

Accepted Solutions
jayh
Honored Contributor

Re: Blocking External IP Address

The following should be a good start:

ip access-list standard sip-access-list
  permit host [ip of your external SIP provider]
  permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal SIP phones]

ip sip access-class sip-access-list in

Then for management of the box:

ip access-list standard admin-list
  permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal hosts]
  permit [any external management IPs that need to access the box]

line telnet 0 4
  login local-userlist
  shutdown ! [unless you really need telnet, best to shut it down]
  ip access-class admin-list in

line ssh 0 4
  login local-userlist
  no shutdown
  ip access-class admin-list in

http ip access-class admin-list in
http ip secure-access-class admin-list in


The following turns off some things that aren't usually needed and represent security risks, as well as hiding passwords from casual snooping of the running configuration.


service password-encryption
no tftp server
no tftp server overwrite
no ip ftp server
no ip scp server
no ip sntp server
no snmp agent


On most devices you can type the following:

run audit security
show audit security


which will give some useful guidance and possibly a few red herrings but it's pretty good at finding big holes.  It whines about SSH and HTTP timeouts over 15 minutes as high risk as well as having the HTTP server enabled at all, even if both are locked down to inside addresses by access lists as shown above.

Delete the "admin" user and create one or more username/password pairs unique to your needs.  Change the enable password as well.
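To see what the two access lists in this answer actually admit and reject, here is an added Python model of standard-ACL matching (wildcard mask where a 1 bit means "don't care", first match wins, implicit deny at the end); it is example code written for this page, not Adtran's, and it assumes AOS evaluates standard ACLs with those Cisco-style semantics and uses documentation-range placeholders for the provider and management addresses.

```python
import ipaddress

# Constructed sample config in the style of the accepted answer; 203.0.113.10 and
# 198.51.100.7 are documentation-range placeholders, not real addresses.
SAMPLE_CONFIG = """
ip access-list standard sip-access-list
  permit host 203.0.113.10
  permit 192.168.100.0 0.0.0.255
ip access-list standard admin-list
  permit 192.168.100.0 0.0.0.255
  permit host 198.51.100.7   ! external management host (placeholder)
"""

def _ip_int(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def parse_standard_acls(config: str) -> dict[str, list[tuple[str, int, int]]]:
    """Return {acl_name: [(action, address, wildcard), ...]} in configured order.
    A wildcard bit of 1 means 'don't care', as in the 0.0.0.255 entries above."""
    acls: dict[str, list[tuple[str, int, int]]] = {}
    name = None
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()      # '!' introduces a comment
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "standard"]:
            name = tok[3]
            acls[name] = []
        elif tok and tok[0] in ("permit", "deny") and name is not None:
            if tok[1] == "host":                 # single address, wildcard 0
                acls[name].append((tok[0], _ip_int(tok[2]), 0))
            elif tok[1] == "any":
                acls[name].append((tok[0], 0, 0xFFFFFFFF))
            else:                                # 'address wildcard' form
                acls[name].append((tok[0], _ip_int(tok[1]), _ip_int(tok[2])))
    return acls

def evaluate(acl: list[tuple[str, int, int]], source: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    src = _ip_int(source)
    for action, address, wildcard in acl:
        care = 0xFFFFFFFF & ~wildcard            # bits the entry actually compares
        if (src & care) == (address & care):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_CONFIG)
    for src in ("203.0.113.10", "192.168.100.25", "198.51.100.7", "192.0.2.44"):
        print(f"{src:16} sip={evaluate(acls['sip-access-list'], src):6} "
              f"admin={evaluate(acls['admin-list'], src)}")
```

The last address in the sample run stands in for an unknown scanner: it matches nothing in either list, so both `ip sip access-class` and the management access-classes drop it before any SIP or login processing.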


Anonymous
Not applicable

Re: Blocking External IP Address

Mr. Wessell,

I wanted to add the following link to this post.

Security Best Practices for AOS Products

Another command which is helpful, specifically for port scans, is "ip firewall stealth".


Thanks,

David

Anonymous
Not applicable

Re: Blocking External IP Address

David,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

David