SFTP out, block port 22 coming in

New here

SFTP out, block port 22 coming in

I am trying to block SSH coming in, but would like to use sftp on a linux server to push files to one of our clients. I have the below config right now:

Layer 3
allow TCP any any to the destination IP any port

Layer 7
deny port 23
deny port 22

Any help is appreciated, 

Wally

Meraki Employee

Re: SFTP out, block port 22 coming in

Hi Wally, inbound connections are blocked by default unless the session was initiated by a client behind the MX. The SFTP you mentioned, can you explain the flow from the client to the server? Is that server external?

New here

Re: SFTP out, block port 22 coming in

The server is internal, and the client initiates the sftp connection to the remote host, the remote host accepts the packets. It should be that simple.

If I remove the Layer 7 block SSH rule it works, but then my servers get pounded with attempted logins lol

Meraki Employee

Re: SFTP out, block port 22 coming in

Sounds like it's internal to internal via different VLANs. You could create an Allow rule to allow a specific host or specific host subnet access on those ports to the SFTP server via a FW Rule:

Example:

[Screenshot: Screen Shot 2018-04-27 at 9.12.47 AM.png]

And then another rule below it to block all other SFTP traffic to that particular server.

New here

Re: SFTP out, block port 22 coming in

Sorry about the confusion. Our server is pushing the sftp out to a client server not on our network. The thing is it works when the layer 7 block port 22 is off.

Meraki Employee

Re: SFTP out, block port 22 coming in

Makes sense, if that is the only client you want to allow access then you can create an Allow firewall rule specific to that client -> SFTP server. Then deny 22 from any other clients to the SFTP. 

New here

Re: SFTP out, block port 22 coming in

That's how I would like to do it, but I can't seem to find where I can create allow rules, only deny. I know I'm missing something simple, but can't find where it is.

Meraki Employee

Re: SFTP out, block port 22 coming in

The firewall rules have a policy section which is togglable between Deny and Allow:

[Screenshot: Screen Shot 2018-04-27 at 12.09.20 PM.png]

New here

Re: SFTP out, block port 22 coming in

Those are the outbound rules, and I have them set:

[Screenshot: out.JPG]

The inbound SSH seems to be blocking it. If I turn off this rule it works fine.

[Screenshot: in.JPG]

I have set up a NAT and port rules trying to get through it, but I can't seem to poke any holes in the inbound rules.

Meraki Employee

Re: SFTP out, block port 22 coming in

Sorry for the confusion, I was not aware this was an external to internal flow. The Firewall rules dictate outbound communication, while inbound is blocked by default unless part of an inside->outside session. To specify inbound access you would need to create a port-forwarding or 1:1 NAT rule and then specify the connections you want to access.

The port 22 and 23 rules you have in the L7 view above are blocking all 22/23 OUTBOUND. Here is a document that describes the inbound rules and how FW traffic flows:

Blocking Inbound Traffic:
https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Securit...

Port Forwarding and NAT Rules:
https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...

Kind of a big deal

Re: SFTP out, block port 22 coming in

You do realise that SFTP runs over (or through) SSH? An SSH session is first established, and then FTP is run through that SSH session.

So you must allow SSH if you want to allow SFTP.

Here to help

Re: SFTP out, block port 22 coming in

The layer 7 rules you have are really layer 3 rules. You could configure them all in the layer 3 firewall.

Do you have a port forward configured for port 22? You can configure the list of allowed hosts there.
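
To make the two points from the replies above concrete (inbound is blocked by default unless a port forward exists, and an L7 "deny port 22" rule kills the outbound SSH session that SFTP rides on), here is a small Python model of that rule evaluation. It is added example code for this page, not Meraki's implementation; the `Flow` and `MxPolicy` names, the function names and the `0.0.0.0` placeholder address are constructed assumptions.

```python
from dataclasses import dataclass, field

SSH_PORT = 22  # SFTP is carried inside an SSH session, so it uses this port


@dataclass
class Flow:
    direction: str             # "outbound" (LAN -> WAN) or "inbound" (WAN -> LAN)
    dst_port: int
    src_ip: str = "0.0.0.0"    # constructed placeholder; only checked for inbound flows
    established: bool = False  # return traffic of a session the LAN side opened


@dataclass
class MxPolicy:
    """Hypothetical model of the rule behaviour described in this thread."""
    l3_outbound_allow: bool = True                 # "allow TCP any any"
    l7_deny_ports: set = field(default_factory=set)
    # Inbound is blocked by default; a port forward opens dst_port to the
    # listed remote IPs ("any" means unrestricted).
    port_forwards: dict = field(default_factory=dict)

    def evaluate(self, flow: Flow) -> str:
        if flow.established:
            return "allow (stateful return traffic)"
        if flow.direction == "outbound":
            if flow.dst_port in self.l7_deny_ports:
                return "deny (L7 rule)"
            return "allow (L3 rule)" if self.l3_outbound_allow else "deny (L3 rule)"
        allowed = self.port_forwards.get(flow.dst_port)
        if allowed is None:
            return "deny (inbound blocked by default)"
        if "any" in allowed or flow.src_ip in allowed:
            return "allow (port forward)"
        return "deny (remote IP not on port-forward allow list)"


def sftp_push_works(policy: MxPolicy) -> bool:
    """Internal server opens SSH to the external client; data then flows back."""
    syn = Flow("outbound", SSH_PORT)
    reply = Flow("inbound", SSH_PORT, established=True)
    return all(policy.evaluate(f).startswith("allow") for f in (syn, reply))


def unsolicited_ssh_allowed(policy: MxPolicy, remote_ip: str) -> bool:
    """An unsolicited SSH connection from the Internet to the LAN server."""
    return policy.evaluate(Flow("inbound", SSH_PORT, src_ip=remote_ip)).startswith("allow")


if __name__ == "__main__":
    wally = MxPolicy(l7_deny_ports={22, 23})  # the config from the original post
    print(sftp_push_works(wally), sftp_push_works(MxPolicy()))  # False True
```

Dropping the L7 deny lets the outbound SFTP push through while unsolicited inbound SSH stays blocked; only a port forward for 22 opens it, and then only to the remote IPs listed on that forward.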
