
Prevent malicious login attempt from Internet to Firewall

Created: Oct 31, 2019 10:01:15 | Latest reply: Oct 31, 2019 10:31:32
  Rewarded HiCoins: 0 (problem resolved)

Hi all,

I have enabled the channel for logging in to the device from the Internet so that the device can be debugged and modified remotely through the Internet.

However, once the firewall enables the login channel from the Internet, the firewall immediately encounters a large number of malicious scanning and login attempts, which may cause the VTY lines to be occupied. As a result, it is difficult to log in to the device. According to the firewall logs, there are a large number of failed login attempts.

Because the administrator does not have a fixed source address (public address) for logging in to the firewall through the Internet, it is difficult to restrict the range of IP addresses that can log in to the firewall with a source-address ACL.

In this case, how can the security and maintainability of the firewall be improved effectively?

Thanks.

Featured Answers
Popeye_Wang
Admin Created Oct 31, 2019 10:02:04

For what you said, I feel that the problem can be analyzed from the following aspects:

1. VTY is a concept similar to the control plane. Until authentication/authorization is passed, failed logins do not occupy a VTY.

2. For the same user, the device has a feature that locks the password after multiple failed attempts, to prevent brute-force cracking.

3. In fact, it is not necessary to connect to the public IP during remote debugging. The usual approach is to dial in to the device over SSL VPN and configure/debug the device through its private IP. Therefore, all risky TCP/UDP ports on the public IP should be disabled.


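As an added example for this thread (not part of the answer above and not Huawei code), the following script turns the kind of failed-login records the original poster mentions into a deny-list of brute-force sources. The log lines are constructed for the example and their format is an assumption that only imitates the VRP "Failed to login. (Ip=..., UserName=...)" style; the ACL number and rule syntax in the output are likewise illustrative and must be checked against the target platform.

```python
"""Find brute-force sources in firewall login-failure logs and draft a deny-list.

Added example, not Huawei code.  SAMPLE_LOG is CONSTRUCTED; its record format is
an assumption, and the ACL output is illustrative VRP-style syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Oct 31 2019 09:00:00 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=192.0.2.44, UserName=admin, AccessType=SSH)
Oct 31 2019 09:07:00 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=192.0.2.44, UserName=admin, AccessType=SSH)
Oct 31 2019 09:14:00 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=192.0.2.44, UserName=admin, AccessType=SSH)
Oct 31 2019 09:21:00 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=192.0.2.44, UserName=admin, AccessType=SSH)
Oct 31 2019 09:28:00 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=192.0.2.44, UserName=admin, AccessType=SSH)
Oct 31 2019 09:58:01 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=root, AccessType=SSH)
Oct 31 2019 09:58:03 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=admin, AccessType=SSH)
Oct 31 2019 09:58:04 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=user, AccessType=SSH)
Oct 31 2019 09:58:06 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=test, AccessType=SSH)
Oct 31 2019 09:58:09 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=guest, AccessType=SSH)
Oct 31 2019 09:58:12 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=203.0.113.7, UserName=admin, AccessType=SSH)
Oct 31 2019 09:59:40 FW %%01SHELL/4/LOGINFAILED(l): Failed to login. (Ip=198.51.100.5, UserName=admin, AccessType=SSH)
Oct 31 2019 09:59:55 FW %%01SHELL/5/LOGIN(l): The user succeeded in logging in. (Ip=198.51.100.5, UserName=admin, AccessType=SSH)
"""

# Assumed record layout: "<timestamp> <host> <module/severity/LOGINFAILED...>: Failed to login. (Ip=..., UserName=..., AccessType=...)"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ \S*LOGINFAILED\S*: "
    r"Failed to login\. \(Ip=(?P<ip>[0-9.]+), UserName=(?P<user>[^,]+), "
    r"AccessType=(?P<atype>[^)]+)\)"
)
TS_FORMAT = "%b %d %Y %H:%M:%S"


def parse_failed_logins(text):
    """Return (timestamp, ip, user, access_type) for every login-failure record."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated records are ignored
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        events.append((ts, m["ip"], m["user"].strip(), m["atype"].strip()))
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures inside some `window`-long interval.

    A sliding window rather than a flat total separates a scanner hammering the
    VTYs from an admin who mistypes a password now and then.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    offenders = {}
    for ip, hits in by_ip.items():
        hits.sort()
        times = [t for t, _ in hits]
        peak, j = 0, 0
        for i in range(len(times)):
            while times[i] - times[j] > window:  # slide the left edge forward
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            offenders[ip] = {
                "failures": len(hits),
                "peak_in_window": peak,
                "users": sorted({u for _, u in hits}),
                "first": times[0],
                "last": times[-1],
            }
    return offenders


def render_acl(offenders, acl_number=2000, start=5, step=5):
    """Draft a basic ACL that denies the offenders and explicitly permits everyone else.

    The trailing permit matters here: the admin's own public address is unknown,
    so the list can only be a deny-list, never an allow-list.
    """
    lines = [f"acl {acl_number}"]
    rule = start
    for ip in sorted(offenders, key=lambda a: tuple(int(o) for o in a.split("."))):
        lines.append(f" rule {rule} deny source {ip} 0")
        rule += step
    lines.append(f" rule {rule} permit")
    return lines


if __name__ == "__main__":
    found = find_offenders(parse_failed_logins(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failures, peak {info['peak_in_window']} "
              f"in window, usernames tried {info['users']}")
    print("\n".join(render_acl(found)))
```

With the defaults only 203.0.113.7 is listed: 192.0.2.44 also fails five times, but spread over half an hour, so it never reaches five inside a ten-minute window, and 198.51.100.5 is a single typo followed by a successful login. Review the list before applying it to the VTY inbound ACL, because an admin behind a shared NAT address could sit behind the same public IP as a scanner; the deny-list complements, rather than replaces, the lockout and SSL VPN path described in the answer.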

All Answers


Hello,

Please find below the solution for your issue.

CLI: Example for Configuring Intrusion Prevention

This section provides an example for configuring intrusion prevention. Intrusion prevention protects intranet PCs and web servers from Internet attacks.

Networking Requirements

As shown in Figure 1, an enterprise deploys a FW as the security gateway at the network border. In the networking:

  • An intranet user can access the intranet FTP server and Internet web server.

  • The intranet FTP server provides services for both intranet and Internet users.

Figure 1 Intrusion prevention networking diagram

The enterprise wants to enable intrusion prevention on the FW to meet the following requirements:

  • Defend against worms, Trojan horses, and botnet attacks.

  • Protect intranet users.

    Protect intranet users from attacks, such as an attacker launched from a website with malicious code, when the users access the Internet web server.

  • Protect the intranet FTP server.

    Prevent Internet and intranet users from launching attacks on the intranet FTP server.

    An attack matching the signature with ID 74320 occurs frequently in logs and must be blocked.

Data Planning

Based on the previous enterprise requirements, the intrusion prevention information to be configured is as follows:

  • Attacks on the enterprise include common worms, Trojan horses, and botnets, and the severity of these attacks in signatures is High.

  • Protect intranet users.

    The data planning for protecting intranet users is shown in Figure 2.

    Figure 2 Data planning for protecting intranet users

    • Configure security policies for the direction from the Trust zone to the Untrust zone.

    • Attacks are caused by intranet users' access to the Internet web server, and the target is the intranet users acting as clients. Therefore, set the protocol to HTTP, object to Client, and severity to High for the signature filter.

  • Protect the intranet FTP server.

    The data planning for protecting intranet FTP server is shown in Figure 3.

    Figure 3 Data planning for protecting intranet FTP server

    • Configure security policies for the directions from the Untrust zone to the DMZ zone and from the Trust zone to the DMZ zone.

    • The attacks target the FTP server. Therefore, set the protocol to FTP, object to Server, and severity to High for the signature filter.

    • Add the signature with ID 74320 to the exception signatures and set the action to Block.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Set the interface IP addresses and add the interfaces to corresponding security zones as required.

  2. Configure intrusion prevention profile profile_ips_pc to protect intranet users. Then configure a signature filter to meet the requirement.

  3. Configure intrusion prevention profile profile_ips_server to protect intranet servers. Then configure a signature filter and add signatures as exceptions.

  4. Create security policy policy_sec_1 and reference profile profile_ips_pc to protect intranet users from Internet attacks.

  5. Create security policy policy_sec_2 and reference profile profile_ips_server to protect intranet servers from intranet and Internet attacks.

Procedure

  1. Set an IP address for each interface, assign interfaces to security zones, and complete basic parameter settings.


    [FW] interface GigabitEthernet 1/0/1
    [FW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
    [FW-GigabitEthernet1/0/1] quit
    [FW] interface GigabitEthernet 1/0/2
    [FW-GigabitEthernet1/0/2] ip address 10.2.0.1 255.255.255.0
    [FW-GigabitEthernet1/0/2] quit
    [FW] interface GigabitEthernet 1/0/3
    [FW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
    [FW-GigabitEthernet1/0/3] quit
    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 1/0/3
    [FW-zone-trust] quit
    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 1/0/2
    [FW-zone-dmz] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 1/0/1
    [FW-zone-untrust] quit


  2. Configure intrusion prevention profile profile_ips_pc to protect intranet users.


    [FW] profile type ips name profile_ips_pc
    [FW-profile-ips-profile_ips_pc] description profile for intranet users
    [FW-profile-ips-profile_ips_pc] collect-attack-evidence enable
    [FW-profile-ips-profile_ips_pc] signature-set name filter1
    [FW-profile-ips-profile_ips_pc-sigset-filter1] target client
    [FW-profile-ips-profile_ips_pc-sigset-filter1] severity high
    [FW-profile-ips-profile_ips_pc-sigset-filter1] protocol HTTP
    [FW-profile-ips-profile_ips_pc-sigset-filter1] quit
    [FW-profile-ips-profile_ips_pc] quit


  3. Create intrusion prevention profile profile_ips_server to protect the intranet FTP server. Configure signature 74320 as an exception signature and set the action to block.


    [FW] profile type ips name profile_ips_server
    [FW-profile-ips-profile_ips_server] description profile for intranet servers
    [FW-profile-ips-profile_ips_server] collect-attack-evidence enable
    [FW-profile-ips-profile_ips_server] signature-set name filter2
    [FW-profile-ips-profile_ips_server-sigset-filter2] target server
    [FW-profile-ips-profile_ips_server-sigset-filter2] severity high
    [FW-profile-ips-profile_ips_server-sigset-filter2] protocol FTP
    [FW-profile-ips-profile_ips_server-sigset-filter2] quit
    [FW-profile-ips-profile_ips_server] exception ips-signature-id 74320 action block
    [FW-profile-ips-profile_ips_server] quit


  4. Commit the configuration information.


    [FW] engine configuration commit


  5. Configure a security policy between the Trust and Untrust zones and reference intrusion prevention profile profile_ips_pc.


    [FW] security-policy
    [FW-policy-security] rule name policy_sec_1
    [FW-policy-security-rule-policy_sec_1] source-zone trust
    [FW-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW-policy-security-rule-policy_sec_1] source-address 10.3.0.0 24
    [FW-policy-security-rule-policy_sec_1] profile ips profile_ips_pc
    [FW-policy-security-rule-policy_sec_1] action permit
    [FW-policy-security-rule-policy_sec_1] quit


  6. Configure security policies for the Trust -> DMZ and Untrust -> DMZ interzones and reference intrusion prevention profile profile_ips_server.


    [FW-policy-security] rule name policy_sec_2
    [FW-policy-security-rule-policy_sec_2] source-zone trust untrust
    [FW-policy-security-rule-policy_sec_2] destination-zone dmz
    [FW-policy-security-rule-policy_sec_2] destination-address 10.2.0.0 24
    [FW-policy-security-rule-policy_sec_2] profile ips profile_ips_server
    [FW-policy-security-rule-policy_sec_2] action permit
    [FW-policy-security-rule-policy_sec_2] quit
    [FW-policy-security] quit


  7. Save the configuration so that the configuration file containing the above settings is loaded automatically at the next startup.


    [FW] quit
    <FW> save


Configuration Scripts

#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 add interface GigabitEthernet 1/0/2
#
profile type ips name profile_ips_pc
 description profile for intranet users
 collect-attack-evidence enable
 signature-set name filter1
  target client
  severity high 
  protocol HTTP
#
profile type ips name profile_ips_server
 description profile for intranet servers
 collect-attack-evidence enable
 signature-set name filter2
  target server
  severity high
  protocol FTP
 exception ips-signature-id 74320 action block
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  profile ips profile_ips_pc
  action permit
 rule name policy_sec_2
  source-zone trust
  source-zone untrust
  destination-zone dmz
  destination-address 10.2.0.0 24
  profile ips profile_ips_server
  action permit

# The following configuration is used to perform a one-time operation and not stored in the configuration profile.
 engine configuration commit

For details: https://support.huawei.com/hedex/hdx.do?lib=EDOC1100068394AEI0226D&docid=EDOC1100068394&lang=en&v=03&tocLib=EDOC1100068394AEI0226D&tocV=03&id=vsp_ips_cfg_0022_2&tocURL=resources/dc/sec_case_profile_0014.html&p=t&fe=1&ui=3&keyword=malicious%2Bcode%2B%2B%2Bfirewall%2B%2B%2Bcli


Thanks
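As an added illustration for this thread (not part of the answer above and not Huawei code), the following model encodes the two security-policy rules and the two IPS profiles from the configuration example and applies the ordering that configuration relies on: the first matching rule wins and an unmatched flow is denied; inside a profile an exception signature is checked before the signature filter, and a signature no filter selects is not acted on. The sample signatures, their default actions, the host addresses and the assumption that every address outside the two intranet subnets is in the untrust zone are all mine, not from the example; 74320 is the only signature ID the page gives.

```python
"""Model of policy matching and IPS signature handling for the example configuration.

Added illustration, not Huawei code.  Signature default actions and the "everything
else is untrust" zone mapping are ASSUMPTIONS made for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, FrozenSet, Optional, Tuple

# Zones from the Procedure: trust behind GE1/0/3, DMZ behind GE1/0/2.
ZONE_NETS = {"trust": IPv4Network("10.3.0.0/24"), "dmz": IPv4Network("10.2.0.0/24")}


def zone_of(ip: str) -> str:
    """Assumption: anything outside the intranet subnets is reached via GE1/0/1 (untrust)."""
    addr = ip_address(ip)
    return next((z for z, net in ZONE_NETS.items() if addr in net), "untrust")


@dataclass(frozen=True)
class Signature:
    sig_id: int
    protocol: str
    target: str          # "client" or "server"
    severity: str        # "high", "medium" or "low"
    default_action: str  # action taken when a signature filter selects it (assumed)


@dataclass(frozen=True)
class SignatureFilter:
    targets: FrozenSet[str]
    severities: FrozenSet[str]
    protocols: FrozenSet[str]

    def selects(self, sig: Signature) -> bool:
        return (sig.target in self.targets and sig.severity in self.severities
                and sig.protocol in self.protocols)


@dataclass(frozen=True)
class IpsProfile:
    name: str
    filters: Tuple[SignatureFilter, ...]
    exceptions: Dict[int, str]  # signature ID -> action; consulted before any filter

    def action_for(self, sig: Signature) -> str:
        if sig.sig_id in self.exceptions:
            return self.exceptions[sig.sig_id]
        if any(f.selects(sig) for f in self.filters):
            return sig.default_action
        return "pass"  # not selected by any filter: the profile does nothing with it


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    src_nets: Tuple[IPv4Network, ...]  # empty tuple means "any"
    dst_nets: Tuple[IPv4Network, ...]
    profile: Optional[str]
    action: str

    def matches(self, src: str, dst: str) -> bool:
        if zone_of(src) not in self.src_zones or zone_of(dst) not in self.dst_zones:
            return False
        if self.src_nets and not any(ip_address(src) in n for n in self.src_nets):
            return False
        if self.dst_nets and not any(ip_address(dst) in n for n in self.dst_nets):
            return False
        return True


PROFILES = {
    "profile_ips_pc": IpsProfile(
        "profile_ips_pc",
        (SignatureFilter(frozenset({"client"}), frozenset({"high"}), frozenset({"HTTP"})),),
        {}),
    "profile_ips_server": IpsProfile(
        "profile_ips_server",
        (SignatureFilter(frozenset({"server"}), frozenset({"high"}), frozenset({"FTP"})),),
        {74320: "block"}),
}

RULES = [  # order matters: first match wins, as in the security-policy list
    Rule("policy_sec_1", frozenset({"trust"}), frozenset({"untrust"}),
         (IPv4Network("10.3.0.0/24"),), (), "profile_ips_pc", "permit"),
    Rule("policy_sec_2", frozenset({"trust", "untrust"}), frozenset({"dmz"}),
         (), (IPv4Network("10.2.0.0/24"),), "profile_ips_server", "permit"),
]


def match_policy(src: str, dst: str) -> Tuple[str, Optional[str], str]:
    """(rule name, IPS profile, action) for a flow; no matching rule means the default deny."""
    for rule in RULES:
        if rule.matches(src, dst):
            return rule.name, rule.profile, rule.action
    return "default", None, "deny"


def decide(src: str, dst: str, sig: Signature) -> str:
    """Outcome for a flow that triggers `sig`: deny, block, alert or pass."""
    _, profile, action = match_policy(src, dst)
    if action != "permit":
        return action
    return PROFILES[profile].action_for(sig) if profile else "pass"


# Constructed signatures.  74320 is the ID from the example; its assumed default
# action of "alert" is what would make it show up in logs without being blocked.
SIG_74320 = Signature(74320, "FTP", "server", "high", "alert")
SIG_HTTP_CLIENT = Signature(90001, "HTTP", "client", "high", "block")
SIG_FTP_MEDIUM = Signature(90002, "FTP", "server", "medium", "block")

if __name__ == "__main__":
    for src, dst, sig in [("203.0.113.7", "10.2.0.5", SIG_74320),
                          ("10.3.0.9", "10.2.0.5", SIG_FTP_MEDIUM),
                          ("10.3.0.9", "198.51.100.20", SIG_HTTP_CLIENT),
                          ("203.0.113.7", "10.3.0.9", SIG_HTTP_CLIENT)]:
        print(src, "->", dst, match_policy(src, dst), "=>", decide(src, dst, sig))
```

Running it shows why the example needs the exception line: with only the filter, signature 74320 would be selected and take its own default action, whereas the exception forces a block; a medium-severity FTP signature passes untouched because the filter only selects High. The two rules also match transit flows only; nothing here covers connections to the firewall itself (the Local zone), which is where the login attempts in the original question arrive.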
