SFTP out, block port 22 coming in

WallyP
New here

SFTP out, block port 22 coming in

I am trying to block SSH coming in, but would like to use sftp on a linux server to push files to one of our clients.  I have the below config right now:


Layer 3
allow TCP any any to the destination IP any port 

 

Layer 7

deny port 23

deny port 22

 

Any help is appreciated, 

 

Wally

 

 

11 REPLIES 11
Korey
Meraki Employee
Meraki Employee

Hi Wally, inbound connections are blocked by default unless the session was initiated by a client behind the MX. The SFTP you mentioned, can you explain the flow from the client to the server? Is that server external?

The server is internal, and the client initiates the sftp connection to the remote host, the remote host accepts the packets.  It should be that simple.  

 

If I remove the Layer7 block ssh rule it works, but then my servers get pounded with attempted logins lol

 

Korey
Meraki Employee
Meraki Employee

Sounds like its internal to internal via different VLANs. You could create an Allow rule to allow a specific host or specific host subnet access on those ports to the SFTP server via a FW Rule:

 

Example: 

Screen Shot 2018-04-27 at 9.12.47 AM.png

 

And then another rule below it to block all other SFTP traffic to that particular server. 

Sorry about the confusion.  Our server is pushing the sftp out to a client server not on our network.  The thing is it works when the layer 7 block port 22 is off.  

Korey
Meraki Employee
Meraki Employee

Makes sense, if that is the only client you want to allow access then you can create an Allow firewall rule specific to that client -> SFTP server. Then deny 22 from any other clients to the SFTP. 

thats how I would like to do it, but I cant seem to find where I can create allow rules, only deny.  I know I'm missing something simple, but cant find where it is.  

Korey
Meraki Employee
Meraki Employee

The firewall rules have a policy section which is togglable between Deny and Allow:

 

Screen Shot 2018-04-27 at 12.09.20 PM.png

Those are the outbound rules, and I have them set:
out.JPG

 

The inbound ssh seems to be blocking it.  If I turn off this rule it works fine.  

in.JPG

 

I have set up a nat and port rules trying to get through it, but I cant seem to poke any holes in the inbound rules

Korey
Meraki Employee
Meraki Employee

Sorry for the confusion I was not aware this was an external to internal flow. The Firewall rules dictate outbound communication while inbound is blocked by default unless part of an inside->outside session. To specify inbound access you would need to create a port-forwarding or 1:1 NAT rule and then open then specify the connections you want to access.

 

The port 22 and 23 rules you have in the L7 view above are blocking all 22/23 OUTBOUND. Here is a document that describes the inbound rules and how FW traffic flows:

 

Blocking Inbound Traffic:

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Blocking_Inbound_Traffic_on_MX_Securit...

 

Port Forwarding and NAT Rules:

https://documentation.meraki.com/MX-Z/NAT_and_Port_Forwarding/Port_Forwarding_and_NAT_Rules_on_the_M...

 

 

PhilipDAth
Kind of a big deal
Kind of a big deal

You do realise that SFTP runs over (or though SSH)?  An SSH session is first established, and then FTP is run through that SSH session.

 

So you must allow SSH if you want to allow SFTP.

jdizzle
Here to help

The layer 7 rules you have are really layer 3 rules. You could configure them all in the layer 3 firewall.

 

Do you have a port forward configured for port 22? You can configure the list of allowed hosts there.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels