Configuration of the ACL to restrict access via SSH/Telnet

I want to restrict SSH/Telnet access to the IP address of my switch interface to our ISP addresses.  Since the Dells have no dedicated vty/con interface to apply an ACL to, I guess I just have to match on an interface instead, using the ACL below.  Problem is that applying it kills telnet/ssh sessions completely.  I replaced the IPs in the example with wrong IPs.  Assume that my public IP address is 112.94.236.58; you will see a 112.94.236.56/29 with a permit statement.

access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq 22
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit ip any any

111.126.50.16 is the switch

Maybe I should use a destination host in the ACL instead?  (edit: nope, tried with an all-255s mask, same problem)

The ACL is created with the access-list command in config mode.  On the interface it won't let me use ip access-class.

Figured it out.  Kept seeing references to "MACL" and wondered why I would need a MAC access control list.

Nope.

In the Dell world, this means Management Access Control List.
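A way to dry-run an ACL like this before applying it to the interface that carries your own session, written as an added example for this thread (it is not code from the post or from Dell): a small first-match evaluator that parses the posted entries and reports what happens to SSH and Telnet from the poster's stated address 112.94.236.58 toward the switch 111.126.50.16. Because the post does not say whether this switch family reads the mask field as a subnet mask or as a Cisco-style wildcard mask, the evaluator applies both readings; the outside host 203.0.113.9 and all function names are this example's own.

```python
"""Offline first-match evaluator for an IPv4 access list (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

PORT_NAMES = {"telnet": 23, "ssh": 22}

# The ACL as posted in the thread, with only the spelling of the keywords restored.
ACL_TEXT = """
access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 111.126.50.0 255.255.255.0 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.236.56 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.254.0 255.255.255.128 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq 22
access-list TEST permit tcp 112.94.248.176 255.255.255.248 111.126.50.16 255.255.255.0 eq telnet
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq 22
access-list TEST deny tcp any 111.126.50.16 255.255.255.0 eq telnet
access-list TEST permit ip any any
"""


@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str               # dotted quad, or "any"
    src_mask: str
    dst: str
    dst_mask: str
    dport: Optional[int]   # destination port; None means any port


def _take_addr(tok, i):
    """Consume 'any' (one token) or 'addr mask' (two tokens) starting at tok[i]."""
    if tok[i] == "any":
        return "any", "0.0.0.0", i + 1
    return tok[i], tok[i + 1], i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list NAME permit|deny PROTO SRC [MASK] DST [MASK] [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, smask, i = _take_addr(tok, 4)
        dst, dmask, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        entries.append(Entry(action, proto, src, smask, dst, dmask, dport))
    return entries


def addr_matches(addr: str, base: str, mask: str, wildcard: bool) -> bool:
    """Subnet mask: 1 bits must match.  Wildcard mask: 1 bits are 'don't care'."""
    if base == "any":
        return True
    a, b, m = (int(IPv4Address(x)) for x in (addr, base, mask))
    return (a | m) == (b | m) if wildcard else (a & m) == (b & m)


def evaluate(acl, src, dst, proto, dport, wildcard=False):
    """First-match lookup: (action, entry_index); ('deny', None) is the implicit deny."""
    for idx, e in enumerate(acl):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not addr_matches(src, e.src, e.src_mask, wildcard):
            continue
        if not addr_matches(dst, e.dst, e.dst_mask, wildcard):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None


def lockout_report(acl_text, admin_src, switch_ip):
    """For each mask convention, what happens to SSH and Telnet from the admin host."""
    acl = parse_acl(acl_text)
    return {
        conv: {name: evaluate(acl, admin_src, switch_ip, "tcp", port,
                              wildcard=(conv == "wildcard"))
               for name, port in PORT_NAMES.items()}
        for conv in ("subnet", "wildcard")
    }


if __name__ == "__main__":
    for conv, res in lockout_report(ACL_TEXT, "112.94.236.58", "111.126.50.16").items():
        print(conv, res)
    acl = parse_acl(ACL_TEXT)
    # Constructed outside host (RFC 5737 range): SSH should hit the deny, other traffic the final permit.
    print(evaluate(acl, "203.0.113.9", "111.126.50.16", "tcp", 22))
    print(evaluate(acl, "203.0.113.9", "111.126.50.16", "tcp", 80))
```

Run it as a script to print the report. Under the subnet-mask reading the admin address matches permit entries 2 and 3; under the wildcard reading the same address falls through to the deny entries 8 and 9, which is exactly the silent lockout a dry run catches before the ACL ever touches the interface carrying your own session. Whichever convention your platform uses, checking the mask semantics against the vendor's ACL documentation before applying is the cheap step.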

Tags: Dell Switches

Similar Questions

  • Configuration of the DMZ for MS access

    I set up a DMZ for a Web server. I'll probably put an RODC in there later, but for now I want to open ports to the domain controller.

    I'm a bit new to DMZ and I'm a bit confused.

    I set up services for the different ports and then configured the LAN/DMZ rules for traffic leaving the DMZ toward the domain controller, but I get no connection.

    DMZ: 10.0.0.1 / 255.255.240.0
    Web server: 10.0.0.5 / 255.255.255.240.0
    Gateway: 10.0.0.1

    DNS server on the primary domain controller 192.168.10.1

    I opened the ports for the following services:

    Kerberos 88 (TCP, UDP)
    Time 123 (UDP)
    135 Kerberos authentication (TCP)
    LDAP 389
    LDAP 445
    MS DS 3268 (TCP)
    1025-4999 RPC Ports (TCP)

    In the DMZ-to-LAN rules, for outgoing traffic, should I simply specify the DMZ-side machine as the DMZ user, or do I need to specify the LAN-side machine as the LAN user too?

    Then I need to duplicate these ports in the Incoming, correct?

    Any help in pointing to the relevant documentation would be great.

    No, you should not need to configure static routes, unless you have something weird going on. You can check the network path by adding incoming/outgoing ICMP rules between LAN and DMZ (ICMP-TYPE-8, to be precise) and pinging back and forth between the DC and the web server (ensuring any intermediate software firewall is disabled). If you can ping in both directions, then you know with certainty that no static routes are needed.

  • Restricting access via AAA auth group AnyConnect IKEV2

    Hello world

    I have config ASA with 2 groups of connection

    Say Group 1 and 2.

    Both are currently assigned to the same Auth AAA group

    One of our external vendors has access to both connection groups 1 and 2 XM...

    If I want the vendor to only be able to connect to Group 2, should I change the AAA auth group for connection Group 2?

    Then, even if he tries connection group 1, it should not work, as the AAA auth group will only affect Group 2, right?

    Regards

    Mahesh

    Mahesh

    If you have a single authentication server (or a pair of servers in HA operation), then it would seem that the vendor would be authenticated for any group they are trying to access.

    I have a client who was using the group-lock feature to accomplish something similar to what you describe. They used RSA two-factor authentication as you do. They had the ASA send the authentication request to a RADIUS server. The RADIUS server would send the ID and code entered on the RSA token to the RSA server to do the two-factor authentication, and would also query Active Directory to learn about the user's group membership. The RADIUS server then would return the results from RSA and AD to the ASA, which would use the group-lock feature to ensure that the user entered the right group. Maybe something like that might work for you?

    HTH

    Rick

  • Our website gets a red "attack page" screen when accessed via Firefox, but we don't know why; it has happened on many computers. Can you please tell me what is happening and how to fix it?

    Attack page in Firefox, but don't know why

    What happened when Google visited this site?

       Of the 5 pages Google tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-05, and the last time suspicious content was found on this site was on 2011-11-05.
    
       Malicious software includes 1 scripting exploit(s), 1 trojan(s), 1 exploit(s). Successful infection resulted in an average of 6 new process(es) on the target machine.
    
       Malicious software is hosted on 2 domain(s), including passinggas.net/, delicatecurrant.mysecondarydns.com/.
    

    Works for me in Firefox 3.6.x, Firefox 8.0 and Google Chrome.

    What is the current listing status for www.divisionofpsychotherapy.org?

    This site is not currently listed as suspicious.

  • Access via SSH o/s RN102 iSCSI LUN

    Hello

    I can access NAS via SFTP & SCP.

    Where in the file structure is the LUN file, so that I can copy it off the NAS for editing as well?

    We have an iSCSI partition that is only seen as RAW by the iSCSI initiator in Windows and we need to see if it really is totally damaged.

    The data\LUN file appears to be empty.

    Andy

    It's in a hidden directory .iscsi

  • How to restrict access to the service web application deployed on weblogic for user group only

    I built the web service application in JDeveloper 11.1.1.7. The security policy applied to the web service is the default Oracle policy, which is (policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml).

    Now everyone who wants to access the web service application must provide the user name and password in the header section of the SOAP request to meet the requirement of the policy.

    With the following steps I'm trying to restrict access to the web service application to a specific group among the WebLogic users:

    Connect to the weblogic administration console

    Create user or group of users

    Click on the links of deployments

    Select your web service

    Click the Security tab

    Click the Policies sub-tab

    Choose your authorization provider in the menu drop-down (looks like by default)

    Choose Add Conditions-> Group-> Type in the name of the Group

    Finish

    But access is still available to all WebLogic users (i.e. users not in the group specified in the above security configuration). How can I restrict access to only the authorized group? Is anything lacking in my approach?

    There is nothing wrong with the steps mentioned in the question. In addition, you must do the following:

    At the time of application deployment, in the security part, there is a list under the question "Which security model do you want to use with this application?"

    You must select "Advanced: use a custom model that you have configured on the realm's configuration page"; then the configuration mentioned in the question will work.

  • IOS - XE 4500: Crash on the ACL configuration

    Hi all

    We have recently migrated from stand-alone to VSS on our switches C4500 with Sup 7 - E.

    but the switch crashes every time we edit or modify an ACL, with the below error message:

    % SYS-3-BADBLOCK: bad block pointer

    % SYS-6-MTRACE: mallocfree: addr, pc

    % SYS-6-BLKINFO: corrupted next pointer blk

    % SYS-6-MEMDUMP: 0X7E043FF8

    We have noticed that there is a new bug for this issue, namely

    CSCun33897 Symptom: 
    A series switch Catalyst 4500 running IOS - XE may restart unexpectedly when the configuration of the ACL is applied to an interface.

    but there is no solution available yet.

    Please let me know if anyone had this kind of issue. Appreciate your suggestion and comments thereon.

    Current image used: cat4500e-universalk9.SPA.03.05.00.E.152-1.E.bin

    Thanks in advance.

    It seems to be closely related to the bug you mentioned.

    If you download crashinfo I can look at it and try to confirm.

    Regards

    Naveen

    rate if it's useful. *

  • restrict access to the php page problems

    I'm trying to use the Dreamweaver PHP Restrict Access server behavior and have had success on both my local machine and my own host. However, the same script does not work on a customer's server hosted by Verio on a Windows shared hosting plan.

    index.php = login page
    login.php = redirect on failed login
    client.php = page with a script to restrict access.

    If I remove the restrict access script, I am able to log in fine and see the client.php page. However, if I include the restrict access script in client.php, I get kicked to the login.php page. I only check the username and password, not the user level.

    Here is a brief overview of the two assemblies

    localhost:
    MacBook pro running apache
    PHP 5.2.0, mysql 5.0.22
    register_globals = Off

    Client server:
    Host = verio
    Windows shared hosting plan
    PHP 5.2.0, mysql 5.0.24a
    register_globals = Off

    Session settings are the same as the file phpinfo.php (with the exception of the local value of the session.save_path to the verio server)

    I can print the value of the username (and password) using print $_SESSION['MM_Username']; on the client.php page when I comment out the restrict access script on the client files.

    I wonder if there is a php setting that is causing the problem?

    Any help is greatly appreciated.

    Kind regards

    Mike

    According to support, the Windows hosting plan currently has limited support for PHP scripts.

  • Remove the ACL

    Hello

    I participate in an exercise of Packet Tracer.

    I have to remove a 110 ACL extended a router (R1):

    I type: R1(config)# no access-list 110

    Now the network devices work as I want, but the output of "R1# show running-config" still shows me the extended ACL 110. Why?

    Thank you

    I don't see the ACL in the configuration.

    You use access-list 101 only under int S0/0/0. Do you want to delete this?

    You can then type:

    conf t
    int s0/0/0
    no ip access-group 101 out
    end

    So in fact the ACL is gone (removed from the configuration), but commands referring to the ACL (i.e. ip access-group under the interface, or the ACL under the SNMP community or under the VTY lines) are still intact. You must remove them manually.

  • Disable access via RDP client?

    Hi guys,.

    I'm all new to VMware View. I have a good understanding of vSphere and have now been asked to do a trial of View.

    I'll probably ask a lot of questions, probably the most stupid in this forum.

    I have a basic setup fully operational and was able to access my VDs through the client on several different platforms.
    My first question is whether it is actually possible to prevent someone from accessing the VD via an RDP client and only allow access through the VMware View Client?
    Right now I can connect through the View client, determine the host name and access it via RDP, which also disconnects the View session.

    See you soon

    How about disabling RDP in the OS, so that the only available connection will be PCoIP, which means it could only come from the View client.

  • Restrict access works sometimes

    With DW CS3 on Mac 10.4.11 & PHP 4.4.7 & MySQL 4.1.21 - standard on Apache 1.3.37 on a UNIX server.

    I've implemented the "Log In User" SB. Works fine.
    I've set up the "Restrict Access" SB on dummy PHP pages (based on the template, but with little content and no other PHP or SBs on the page) and "Restrict Access" works very well.
    Then I put "Restrict Access" on PHP pages containing RecordSets and other PHP code (using the standard DW SBs). When I try to access the page, it just crashes even if I am logged in.

    An orientation or direction will be GREATLY appreciated!

    Thank you

    Here is the code for a page that does NOT work:

    Found the answer to my own question. I changed line 1 from 'virtual' to 'require_once' and everything works fine!

  • restricting access to a schema for all

    What are the methods to restrict access to a particular schema's objects?

    My impression was always that all access to an application schema should only be given through roles, and that it was as simple as turning off these roles to restrict access. But I get the impression now that disabling a role is only at the user session level...

    the most popular direction.

    If it's just a backstop to shut out applications, perhaps just look at the option of password-protecting the roles, as I mentioned in my original post. You could certainly password-protect all the roles in the database with a password only you know (assuming, of course, that none of the upgrade scripts rely on any of the roles, or that the upgrade scripts are modified to enable the roles), and then remove the password when the upgrade is completed. This would be a relatively unusual solution - I have not heard of someone who was particularly concerned that an application would be inadvertently left on and cause data corruption during a major database upgrade - the application would normally error out if the schema definition is not what it expects - but it would probably work as intended. And it would be relatively easy to script.

    Of course, you still have to deal with sessions that existed before you password-protected the role, but those would usually point you in the direction of an application that had not yet been shut down.

    Justin

  • Configure the read-access via user-defined privilege level

    Hello everyone,

    I'm looking for the best configuration to restrict a user to read-only. The restriction must be configured through the CLI, not TACACS.

    Hardware: 3750 (probably not relevant for this matter)

    Old IOS: 12.2(53)SE1

    The user should be allowed to:

    • See the running configuration
    • Run all sorts of show commands
    • Ping and traceroute from the device

    The user should not be allowed to:

    • Download/delete/rename files on the flash memory
    • Enter level 15 (not sure if I can avoid it)
    • All commands except those at level 1 and those specified above

    Can someone help me with this?

    Thanks in advance!

    I won't forget to rate useful posts

    Hi Tobias,

    You can set up multiple privilege levels on a switch, as explained below.

    By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can configure up to 16 levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

    For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

    Setting the privilege level for a command

    Beginning in privileged EXEC mode, follow these steps to set the privilege level for a command mode:

    Step 1: configure terminal
    Enter global configuration mode.

    Step 2: privilege mode level level command
    Set the privilege level for a command. For mode, enter configure for global configuration mode, exec for EXEC mode, interface for interface configuration mode, or line for line configuration mode. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. For command, enter the command to which you want to restrict access.

    Step 3: enable password level level password
    Specify the enable password for the privilege level. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.

    Step 4: end
    Return to privileged EXEC mode.

    Step 5: show running-config or show privilege
    Verify your entries. The first command shows the password and access level configuration. The second command displays the privilege level configuration.

    Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

    When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

    To return to the default privilege for a given command, use the no privilege mode level level command global configuration command.

    This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands:

    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14

    You can also change the default privilege level for lines.

    Changing the default privilege level for lines

    Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:

    Step 1: configure terminal
    Enter global configuration mode.

    Step 2: line vty line
    Select the virtual terminal line on which to restrict access.

    Step 3: privilege level level
    Change the default privilege level for the line. For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password.

    Step 4: end
    Return to privileged EXEC mode.

    Step 5: show running-config or show privilege
    Verify your entries. The first command shows the password and access level configuration. The second command displays the privilege level configuration.

    Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

    Users can override the privilege level you set with the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You can specify a high privilege level for your console line to restrict line usage.

    To restore the default line privilege level, use the no privilege level line configuration command. I am also sending you a document for your reference.

    http://www.Cisco.com/univercd/CC/TD/doc/product/LAN/cat3750/12225see/SCG/swauthen.htm#wp1154063

    HTH

    Regards

    Reem

  • Restrict access to the administration to WLC5500

    Hi all
    We have configured all our WLC5500 devices with a service port interface, which we use for management and monitoring. Since in our situation the management interface is reachable from the enterprise networks, this means that desktop clients are able to reach the WLC logon screens.

    Is the only way to restrict access to the ports to place an ACL on the management interface, or am I missing a secret GUI/SSH command/button that will allow me to disable or limit management of the devices through the management interface?

    In which case I'll have to use an ACL on the WLC management interface, are there any known issues with denying access to the http, https, telnet and ssh ports and LWAPs trying to connect?

    Thank you
    Leon

    You have hit it on the nose.  You must have an ACL that blocks the "non-admin" endpoints from http/https/telnet/ssh/snmp on the device.  As long as you have the permit ip any at the end of the ACL, you should have no problems, or explicitly allow udp 5246/5247.

  • My wireless connection says "restricted access", no network connection. I used the same key code to get my other computer online

    My wireless connection says "restricted access", no network connection. I used the same key code to get my other computer online; I can have up to 5 computers online at the same time.

    Ideas:

    • You have problems with programs
    • Error messages
    • Recent changes to your computer
    • What you have already tried to solve the problem

    Hello

    This means that the computer cannot connect to the router.

    Try this process.

    Check the Device Manager for a valid entry for the wireless card.

    http://www.ezlan.NET/Win7/net_dm.jpg

    If there is no valid entry, remove any bogus entry and re-install the drivers for the wireless card.

    Check Network Connections to make sure that you have a wireless network connection icon/entry, and that the properties of the icon (right-click on the icon) are correctly configured with the TCP/IPv4 protocol in the network connection properties.

    http://www.ezlan.NET/Win7/net_connection_tcp.jpg

    Make sure that, if there is a vendor wireless utility, it is not running alongside the native Windows wireless utility.

    Make sure your firewall is not preventing/blocking the wireless components from joining the network.

    A working TCP/IP stack should look like this.

    Right-click on the wireless network connection card, select Status, then Details, and see if it got an IP address and the rest of the settings.

    http://www.ezlan.NET/Win7/status-NIC.jpg

    Description is the make of the card.

    The physical address is the MAC number of the card.

    The xx must be a number between 0 and 255 (all xx the same number).

    YY should be between 0 and 255.

    ZZ should be between 0 and 255 (all zz the same number).

    The lease date must be valid at the present time.

    * Note 1. An IP that starts with 169.xxx.xxx.xxx is not a valid functional IP.

    * Note 2. There could be IPv6 entries too. However, they are not functional for Internet or LAN traffic. They are necessary for the special Win 7 HomeGroup configuration.

    ---------------------------------------------------

    If all of the above is OK, you should be able to connect to the router.  A window that says "connected" does not mean that you are really connected. Connecting to the router means that you can enter the router's base IP in an address bar, log in, and see the router's configuration menus. If it does not connect, log in to the router from any computer that can connect to the router wirelessly or with a wire, disable wireless security, make sure that wireless SSID broadcast is on, and try to connect with no wireless security.

    --------------------------------------------------

    I really checked and configured everything and it doesn't work.

    A software firewall application that is not configured to allow local traffic (between the computer and the router) is also a possible problem.
    Some 3rd party software firewalls continue to block the same aspects of local traffic even when they are turned off (disabled). If possible, configure the firewall correctly or completely uninstall it to allow a clean flow of local network traffic. If the 3rd party software is uninstalled or disabled, make sure the Windows native firewall is active.

    Jack-MVP Windows Networking. WWW.EZLAN.NET
