Security
Management router
Configure SSH server
Disable SSH access with passwords. Operators can then ssh into the testbed only if their public keys are registered.
Having logged in, run the following commands to switch off password authentication:
configure
set service ssh disable-password-authentication
commit
save
exit
To add an SSH public key, save the key in a file first, then load it:
vi /tmp/my_pubkey
configure
loadkey <user> /tmp/my_pubkey
commit
save
exit
Bring up the firewall
Follow the instructions here to establish a basic set of firewall rules, WAN_IN and WAN_LOCAL:
configure
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description 'WAN to internal'
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow established/related'
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_IN rule 10 state related enable
set firewall name WAN_IN rule 20 action drop
set firewall name WAN_IN rule 20 description 'Drop invalid state'
set firewall name WAN_IN rule 20 state invalid enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description 'WAN to router'
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow established/related'
set firewall name WAN_LOCAL rule 10 state established enable
set firewall name WAN_LOCAL rule 10 state related enable
set firewall name WAN_LOCAL rule 20 action drop
set firewall name WAN_LOCAL rule 20 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 20 state invalid enable
set interfaces ethernet eth3 firewall in name WAN_IN
set interfaces ethernet eth3 firewall local name WAN_LOCAL
commit ; save
Then, open only the SSH port on the firewall.
Use the GUI to add a new rule to the WAN_LOCAL chain. It already has:
Rule 1 - allow established and related
Rule 2 - drop invalid
So add Rule 3:
On the Basic pane: Enable, Action accept, Protocol tcp
On the Advanced pane: State new
On the Destination pane: Port 22
Check out the source.
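The chains above are small enough to type by hand, but a mistake in rule 3 (for example accepting state new without pinning it to tcp/22) silently undoes the default-action drop. As an added example, not part of the original page or of any EdgeOS tooling, the following Python renders the two chains as the same `set` lines shown above and runs the checks a reviewer would apply before `commit`. Rule 30 is the CLI form of the "Rule 3" added through the GUI (protocol tcp, state new, destination port 22); the number 30 and the description text are assumptions, any free number above 20 would do.

```python
"""Render the WAN_IN / WAN_LOCAL firewall chains from this section as EdgeOS
`set` commands and sanity-check them before they are committed."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                      # "accept" or "drop"
    description: str
    states: Tuple[str, ...] = ()     # connection-tracking states the rule matches
    protocol: Optional[str] = None
    dst_port: Optional[int] = None


@dataclass
class Chain:
    name: str
    description: str
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "drop"


def render(chain: Chain) -> List[str]:
    """Emit the `set firewall name ...` lines in the order the page uses."""
    base = f"set firewall name {chain.name}"
    lines = [f"{base} default-action {chain.default_action}",
             f"{base} description '{chain.description}'"]
    for r in chain.rules:
        p = f"{base} rule {r.number}"
        lines.append(f"{p} action {r.action}")
        lines.append(f"{p} description '{r.description}'")
        if r.protocol:
            lines.append(f"{p} protocol {r.protocol}")
        for s in r.states:
            lines.append(f"{p} state {s} enable")
        if r.dst_port is not None:
            lines.append(f"{p} destination port {r.dst_port}")
    return lines


def check(chain: Chain) -> List[str]:
    """Return the policy violations a reviewer would flag; empty means OK."""
    problems = []
    if chain.default_action != "drop":
        problems.append(f"{chain.name}: default-action must be drop")
    nums = [r.number for r in chain.rules]
    if nums != sorted(nums) or len(set(nums)) != len(nums):
        problems.append(f"{chain.name}: rule numbers must be unique and increasing")
    if (not chain.rules or chain.rules[0].action != "accept"
            or set(chain.rules[0].states) != {"established", "related"}):
        problems.append(f"{chain.name}: first rule should accept established/related")
    for r in chain.rules:
        # A rule that accepts *new* connections must be pinned to a protocol and
        # port; otherwise it reopens everything the default-action closed.
        if r.action == "accept" and "new" in r.states and not (r.protocol and r.dst_port):
            problems.append(f"{chain.name} rule {r.number}: accepts new connections "
                            "without protocol/port")
    return problems


ESTABLISHED = Rule(10, "accept", "Allow established/related", ("established", "related"))
INVALID = Rule(20, "drop", "Drop invalid state", ("invalid",))
WAN_IN = Chain("WAN_IN", "WAN to internal", [ESTABLISHED, INVALID])
# Rule 30 is the CLI equivalent of the GUI "Rule 3": tcp, state new, port 22.
# The number and description are assumptions, not taken from the page.
WAN_LOCAL = Chain("WAN_LOCAL", "WAN to router",
                  [ESTABLISHED, INVALID,
                   Rule(30, "accept", "Allow SSH from WAN", ("new",), "tcp", 22)])

if __name__ == "__main__":
    for chain in (WAN_IN, WAN_LOCAL):
        print("\n".join(render(chain)))
        print("# problems:", check(chain) or "none")
```

Paste the rendered lines into `configure` exactly as the page does, followed by the `set interfaces ethernet eth3 firewall ...` bindings and `commit ; save`; the `check` function is what you run first on any later edit to the chains.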
Controller node
Configure SSH server
Limit SSH access only to the management network and make sure public key authentication is disabled.
sudo vim /etc/ssh/sshd_config
...
ListenAddress 10.10.2.1
...
Bring up the firewall
Check ufw's status
sudo ufw status
Apply the default firewall policy
sudo ufw default allow outgoing
sudo ufw default deny incoming
Make sure the directive IPV6=yes exists in the /etc/default/ufw file. For instance:
cat /etc/default/ufw
Open TCP port 22 (SSH) with rate limiting, and open HTTP and HTTPS
sudo ufw allow ssh
sudo ufw limit ssh
sudo ufw allow http
sudo ufw allow https
Turn on firewall
sudo ufw enable
Check that it is up
sudo systemctl status ufw.service
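Two of the steps in this section are easy to get subtly wrong: sshd_config with no active ListenAddress binds every interface, and /etc/default/ufw with IPV6=no leaves IPv6 traffic unfiltered. As an added example, not part of the original page and not a ufw or OpenSSH tool, the following Python audits both files. The file contents at the bottom are constructed samples, and the management prefix 10.10.2.0/24 is an assumption derived from the ListenAddress 10.10.2.1 shown above.

```python
"""Audit the controller node's sshd_config and /etc/default/ufw against the
steps in this section. The file contents below are constructed samples."""

import ipaddress
from typing import Iterator, List, Tuple

# Assumption: the management network is 10.10.2.0/24 (the page only names the
# address 10.10.2.1); change this to the real prefix of the testbed.
MANAGEMENT_NET = ipaddress.ip_network("10.10.2.0/24")


def sshd_directives(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (keyword, value) from sshd_config text. sshd treats keywords
    case-insensitively and accepts both 'Key value' and 'Key=value' forms."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:
            parts = parts[0].split("=", 1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()


def listen_addresses(text: str) -> List[str]:
    """Host part of every active ListenAddress line ('host', 'host:port' or
    '[ipv6]:port'; trailing 'rdomain ...' options are dropped)."""
    addrs = []
    for key, value in sshd_directives(text):
        if key != "listenaddress":
            continue
        host = value.split()[0]
        if host.startswith("["):
            host = host[1:host.index("]")]
        elif host.count(":") == 1:
            host = host.split(":")[0]
        addrs.append(host)
    return addrs


def check_sshd(text: str) -> List[str]:
    """Problems with where sshd listens; an empty list means it is confined
    to the management network as this section requires."""
    problems = []
    addrs = listen_addresses(text)
    if not addrs:
        problems.append("no ListenAddress: sshd will bind every interface")
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            problems.append(f"ListenAddress {a!r} is not an IP literal")
            continue
        if ip.is_unspecified or ip not in MANAGEMENT_NET:
            problems.append(f"ListenAddress {a} is outside the management network")
    return problems


def check_ufw_defaults(text: str) -> List[str]:
    """/etc/default/ufw is sourced by the shell, so parse KEY=value lines and
    require IPV6=yes; with IPV6=no ufw leaves IPv6 traffic unfiltered."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        values[key.strip()] = value.strip().strip("\"'")
    if values.get("IPV6") != "yes":
        return ["IPV6 is not 'yes' in /etc/default/ufw"]
    return []


# Constructed sample inputs, not files taken from the testbed.
GOOD_SSHD = "# hardened controller\nListenAddress 10.10.2.1\nPort 22\n"
BAD_SSHD = "#ListenAddress 10.10.2.1\nListenAddress 0.0.0.0:22\n"
GOOD_UFW = "IPV6=yes\nDEFAULT_INPUT_POLICY=\"DROP\"\n"
BAD_UFW = "# IPV6=yes\nIPV6=no\n"

if __name__ == "__main__":
    for label, probs in [("sshd (good)", check_sshd(GOOD_SSHD)),
                         ("sshd (bad)", check_sshd(BAD_SSHD)),
                         ("ufw (good)", check_ufw_defaults(GOOD_UFW)),
                         ("ufw (bad)", check_ufw_defaults(BAD_UFW))]:
        print(label, "OK" if not probs else probs)
```

On the controller itself, read the real files (`open("/etc/ssh/sshd_config").read()` and `open("/etc/default/ufw").read()`) into the two check functions; the parsers honour the commented-out lines that a half-finished `vim` session tends to leave behind.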