
Thursday, July 23, 2009

Source IP Range to allow remote access for Barracuda Support to SSH

You should NEVER open up any SSH port for unlimited access from the outside world. People run brute-force SSH grinders 24/7 these days to own boxes for botnets. As such, you need to know the source IPs that Barracuda uses to provide remote management support so that you can restrict access from the internet to only their team.

Read on to learn how to do this with a Cisco firewall running PIX or ASA IOS 6.3(5) or later
====================================================================

Allow inbound access via SSH from ONLY Barracuda support to your appliance by taking the following steps:

1. Create a static NAT from the inside (or DMZ) interface where the Barracuda lives to the outside interface. In the example below, TCP port 22 (SSH) on outside address "P.P.P.P" is forwarded to inside address "I.I.I.I":

static (inside,outside) tcp P.P.P.P 22 I.I.I.I 22 netmask 255.255.255.255


2. Create an object group for the remote BARRACUDA management source IPs:

object-group network BARRACUDA_MGMT_IPS
network-object host 205.158.110.60
network-object host 216.129.105.112
network-object host 216.129.105.127
network-object host 216.129.105.129
network-object host 216.129.105.181
network-object host 216.129.105.182
network-object host 216.129.105.183
network-object host 216.129.105.184
network-object host 216.129.125.201
network-object host 216.129.125.202
network-object host 216.129.125.203

3. Create an ACL that allows ONLY the BARRACUDA_MGMT_IPS to reach the public address P.P.P.P on the outside interface. In the example below, "OAI" stands for Outside Access Inbound.

access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh

4. Apply the ACL to the outside interface inbound:

access-group OAI in interface outside


If you execute "show access-list OAI | inc ssh", you should see output similar to the output below (the object-group entry is expanded into one line per host, each with its own hit counter):

ASAfirewall# sho access-list OAI | inc ssh
access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh 0x6f529c33
access-list OAI line 1 extended permit tcp host 205.158.110.60 host P.P.P.P eq ssh (hitcnt=2) 0xdad49ba7
access-list OAI line 1 extended permit tcp host 216.129.105.112 host P.P.P.P eq ssh (hitcnt=0) 0x19777899
access-list OAI line 1 extended permit tcp host 216.129.105.127 host P.P.P.P eq ssh (hitcnt=0) 0x67c53462
access-list OAI line 1 extended permit tcp host 216.129.105.129 host P.P.P.P eq ssh (hitcnt=0) 0x1b9299ec
access-list OAI line 1 extended permit tcp host 216.129.105.181 host P.P.P.P eq ssh (hitcnt=0) 0x450442d4
access-list OAI line 1 extended permit tcp host 216.129.105.182 host P.P.P.P eq ssh (hitcnt=0) 0x11aff386
access-list OAI line 1 extended permit tcp host 216.129.105.183 host P.P.P.P eq ssh (hitcnt=0) 0xf3db4de7
access-list OAI line 1 extended permit tcp host 216.129.105.184 host P.P.P.P eq ssh (hitcnt=0) 0x491444d0
access-list OAI line 1 extended permit tcp host 216.129.125.201 host P.P.P.P eq ssh (hitcnt=0) 0x952b3413
access-list OAI line 1 extended permit tcp host 216.129.125.202 host P.P.P.P eq ssh (hitcnt=0) 0xcc7e836b
access-list OAI line 1 extended permit tcp host 216.129.125.203 host P.P.P.P eq ssh (hitcnt=0) 0x31489fcb

In the example above, we know the ACL is working because we see two hits on the first entry.
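Reading that expanded output by eye works for one object group, but it is easy to miss a stray permit that somebody added later. The script below is an added example (not part of the original post) that parses "show access-list ... | inc ssh" output, checks that every source permitted to reach P.P.P.P on port 22 is in the Barracuda support allowlist from step 2, and reports which sources have actually produced hits. The sample output is constructed: it is the post's own expanded entries plus one hypothetical stray line (source 203.0.113.9, a documentation-range address, with a made-up hash) so the audit has something to catch.

```python
import re
from typing import Dict, List, Tuple

# Allowed Barracuda support sources, copied from the object group in the post.
BARRACUDA_MGMT_IPS = {
    "205.158.110.60",
    "216.129.105.112", "216.129.105.127", "216.129.105.129",
    "216.129.105.181", "216.129.105.182", "216.129.105.183", "216.129.105.184",
    "216.129.125.201", "216.129.125.202", "216.129.125.203",
}

# Constructed sample of "show access-list OAI | inc ssh" output: the expanded
# entries from the post plus one hypothetical stray line 2 (source 203.0.113.9,
# a documentation-range address, hash 0x00000000) that the audit should flag.
SAMPLE_OUTPUT = """\
access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh 0x6f529c33
access-list OAI line 1 extended permit tcp host 205.158.110.60 host P.P.P.P eq ssh (hitcnt=2) 0xdad49ba7
access-list OAI line 1 extended permit tcp host 216.129.105.112 host P.P.P.P eq ssh (hitcnt=0) 0x19777899
access-list OAI line 1 extended permit tcp host 216.129.105.127 host P.P.P.P eq ssh (hitcnt=0) 0x67c53462
access-list OAI line 1 extended permit tcp host 216.129.105.129 host P.P.P.P eq ssh (hitcnt=0) 0x1b9299ec
access-list OAI line 1 extended permit tcp host 216.129.105.181 host P.P.P.P eq ssh (hitcnt=0) 0x450442d4
access-list OAI line 1 extended permit tcp host 216.129.105.182 host P.P.P.P eq ssh (hitcnt=0) 0x11aff386
access-list OAI line 1 extended permit tcp host 216.129.105.183 host P.P.P.P eq ssh (hitcnt=0) 0xf3db4de7
access-list OAI line 1 extended permit tcp host 216.129.105.184 host P.P.P.P eq ssh (hitcnt=0) 0x491444d0
access-list OAI line 1 extended permit tcp host 216.129.125.201 host P.P.P.P eq ssh (hitcnt=0) 0x952b3413
access-list OAI line 1 extended permit tcp host 216.129.125.202 host P.P.P.P eq ssh (hitcnt=0) 0xcc7e836b
access-list OAI line 1 extended permit tcp host 216.129.125.203 host P.P.P.P eq ssh (hitcnt=0) 0x31489fcb
access-list OAI line 2 extended permit tcp host 203.0.113.9 host P.P.P.P eq ssh (hitcnt=7) 0x00000000
"""

# Matches only the expanded per-host entries. The object-group summary line
# has no "host <src>" and no "(hitcnt=N)", so it is skipped on purpose.
ENTRY_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended permit tcp "
    r"host (?P<src>\S+) host (?P<dst>\S+) eq ssh \(hitcnt=(?P<hits>\d+)\)"
)


def parse_ssh_entries(text: str) -> List[Dict[str, object]]:
    """Return the expanded SSH permit entries as dicts: acl, line, src, dst, hits."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({
                "acl": m.group("acl"),
                "line": int(m.group("line")),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "hits": int(m.group("hits")),
            })
    return entries


def audit_ssh_acl(text: str, allowed: set, public_ip: str) -> Tuple[List[str], Dict[str, int]]:
    """Compare the ACL's SSH permits for public_ip against the allowlist.

    Returns (unexpected_sources, hits_by_source): every source permitted to
    reach public_ip:22 that is not in the allowlist, and every source whose
    entry carries a non-zero hit count (who has actually connected).
    """
    unexpected: List[str] = []
    hits: Dict[str, int] = {}
    for e in parse_ssh_entries(text):
        if e["dst"] != public_ip:
            continue
        if e["src"] not in allowed and e["src"] not in unexpected:
            unexpected.append(e["src"])
        if e["hits"] > 0:
            hits[e["src"]] = hits.get(e["src"], 0) + e["hits"]
    return unexpected, hits


if __name__ == "__main__":
    bad, seen = audit_ssh_acl(SAMPLE_OUTPUT, BARRACUDA_MGMT_IPS, "P.P.P.P")
    for src in bad:
        print(f"UNEXPECTED: {src} may SSH to P.P.P.P but is not a Barracuda support address")
    for src, n in seen.items():
        print(f"hits: {src} -> {n}")
```

Paste the real output of "show access-list OAI | inc ssh" into SAMPLE_OUTPUT (or read it from a file) and replace "P.P.P.P" with the public address from step 1. Any source listed as UNEXPECTED is a permit beyond the support allowlist and should be removed; hits on an allowed address are what you expect to see once the support engineer connects.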

Good luck! I wish they would publish this information instead of making us call in to get it from them - what a waste of time.
