Hi,
I have an Adtran on a public IP address and I'm already starting to see it getting scanned by international IP addresses by folks looking to make international calls.
The SIP trunk is locked down by IP address and only traffic from the PRI is allowed through it.
However I would imagine that these scans can take up some CPU.
So how can I go about blocking an external IP address from accessing the Adtran 904 via the gui?
Thanks
David
The following should be a good start:
ip access-list standard sip-access-list
permit host [ip of your external SIP provider]
permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal SIP phones]
ip sip access-class sip-access-list in
Then for management of the box:
ip access-list standard admin-list
permit 192.168.100.0 0.0.0.255 [Modify to match IP range of internal hosts]
permit [any external management IPs that need to access the box]
line telnet 0 4
login local-userlist
shutdown ! [unless you really need telnet, best to shut it down]
ip access-class admin-list in
line ssh 0 4
login local-userlist
no shutdown
ip access-class admin-list in
http ip access-class admin-list in
http ip secure-access-class admin-list in
The following turns off some things that aren't usually needed and represent security risks, as well as hiding passwords from casual snooping of the running configuration.
service password-encryption
no tftp server
no tftp server overwrite
no ip ftp server
no ip scp server
no ip sntp server
no snmp agent
On most devices you can type the following:
run audit security
show audit security
which will give some useful guidance and possibly a few red herrings but it's pretty good at finding big holes. It whines about SSH and HTTP timeouts over 15 minutes as high risk as well as having the HTTP server enabled at all, even if both are locked down to inside addresses by access lists as shown above.
Delete the "admin" user and create one or more username/password pairs unique to your needs. Change the enable password as well.
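As an added example (not from the original post, and not Adtran code), the following Python script reads an AOS-style running-config and flags the gaps the answer above tells you to close: a leftover "admin" user, a telnet line left open, SSH/HTTP/HTTPS or SIP listeners with no access-class applied, access-lists that are referenced but never defined, and an access-list that quietly contains "permit any". The two config samples are constructed for the demonstration, and the parser assumes the usual AOS layout of indented sub-commands under `line` and `ip access-list` blocks; check it against a real `show running-config` before trusting it on your own box.

```python
"""Lint an AOS-style running-config for the hardening steps in the answer above.

Assumptions (not verified against every AOS release): sub-commands are indented
under their parent block, '!' starts a comment, and command spellings match
those shown in the post (line telnet/ssh, http ip access-class, ip sip access-class).
"""
import re
from typing import Dict, List, Tuple

# Constructed "before" config: still has the admin user, telnet open, no HTTPS
# access-class, and an admin-list that ends in "permit any".
SAMPLE_CONFIG = """\
! constructed sample, not a real device dump
service password-encryption
username admin password encrypted 0123456789abcdef
username david password encrypted fedcba9876543210
ip access-list standard sip-access-list
  permit host 203.0.113.10
  permit 192.168.100.0 0.0.0.255
ip access-list standard admin-list
  permit 192.168.100.0 0.0.0.255
  permit any
ip sip access-class sip-access-list in
line telnet 0 4
  login local-userlist
  no shutdown
  ip access-class admin-list in
line ssh 0 4
  login local-userlist
  no shutdown
  ip access-class admin-list in
http ip access-class admin-list in
"""

# Constructed "after" config following the answer's recommendations.
HARDENED_CONFIG = """\
service password-encryption
username david password encrypted fedcba9876543210
ip access-list standard sip-access-list
  permit host 203.0.113.10
  permit 192.168.100.0 0.0.0.255
ip access-list standard admin-list
  permit 192.168.100.0 0.0.0.255
  permit host 198.51.100.7
ip sip access-class sip-access-list in
line telnet 0 4
  login local-userlist
  shutdown
  ip access-class admin-list in
line ssh 0 4
  login local-userlist
  no shutdown
  ip access-class admin-list in
http ip access-class admin-list in
http ip secure-access-class admin-list in
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Split config into (top-level command, [indented sub-commands]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace():
            if blocks:  # sub-command belongs to the most recent block
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config_text)
    top = [header for header, _ in blocks]
    acls: Dict[str, List[str]] = {}
    lines: Dict[str, List[str]] = {}
    for header, subs in blocks:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)", header)
        if m:
            acls[m.group(1)] = subs
        m = re.match(r"line (telnet|ssh) ", header)
        if m:
            lines[m.group(1)] = subs

    findings: List[str] = []
    referenced = set()  # ACL names that some listener actually uses

    if any(h.startswith("username admin ") for h in top):
        findings.append("default user 'admin' still present")
    if "service password-encryption" not in top:
        findings.append("service password-encryption not set")

    # Management lines: telnet should be shut; any open line needs an access-class.
    for name, subs in lines.items():
        acl = next((s.split()[2] for s in subs if s.startswith("ip access-class ")), None)
        if name == "telnet" and "shutdown" not in subs:  # exact match, so "no shutdown" does not count
            findings.append("line telnet: not shut down")
        if "shutdown" not in subs and acl is None:
            findings.append(f"line {name}: no ip access-class applied")
        if acl:
            referenced.add(acl)

    # HTTP and HTTPS are separate commands and each needs its own access-class.
    for cmd, label in (("http ip access-class", "http"), ("http ip secure-access-class", "https")):
        hit = next((h for h in top if h.startswith(cmd + " ")), None)
        if hit is None:
            findings.append(f"{label}: no access-class applied")
        else:
            referenced.add(hit.split()[3])

    sip = next((h for h in top if h.startswith("ip sip access-class ")), None)
    if sip is None:
        findings.append("sip: no access-class applied")
    else:
        referenced.add(sip.split()[3])

    # A referenced ACL must exist, and must not undo itself with "permit any".
    for name in sorted(referenced):
        if name not in acls:
            findings.append(f"acl {name}: referenced but not defined")
        elif any(e.split()[:2] == ["permit", "any"] for e in acls[name]):
            findings.append(f"acl {name}: contains 'permit any'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        print(label, audit(cfg) or "clean")
```

Run it against the text of `show running-config` saved to a file; the "before" sample reports four findings and the hardened sample reports none. The checks are deliberately string-based so they can be extended with the extra items from the answer (tftp, ftp, scp, sntp, snmp) by adding the corresponding "no ..." commands to the list of expected top-level lines.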
Mr. Wessell,
I wanted to add the following link to this post.
Security Best Practices for AOS Products
Another command which is helpful, specifically for port scans, is "ip firewall stealth".
Thanks,
David
David,
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
David