On a functioning router:

Enable the web service type for the local user

CMW5:
local-user admin
 service-type web

CMW7:
local-user admin class manage
 service-type http https
! CMW7 has no "web" service type; grant http and/or https explicitly.
ip http enable
ip https enable
web https-authorization mode manual
Enable WebUI login logging (web login/logout events go to the log, so probing shows up)
webui log enable

Restrict access from the WAN-facing interface (GigabitEthernet3/0/0 here)
Verify the listeners:
dis ip http
HTTP port: 80
Operation status : Enabled <-- Bad Practice 😱 (admin credentials cross the WAN in cleartext; run "undo ip http enable" unless plain HTTP is genuinely needed)
dis ip https
HTTPS port: 443
Operation status : Enabled
Create the ACL and apply it inbound on the WAN interface
! Rules are matched in ascending rule-ID order (the default match-order config),
! first match wins, so the permit rules must carry lower IDs than the deny rules
! or the hole never opens. Packets matching no rule are permitted by the packet
! filter's default action, so SSH/Telnet listeners are not covered by this ACL.
acl advanced name BLOCK-REMOTE
 ! Poke a hole at your own peril
 rule 5 permit tcp source <ip-of-peril> 0 destination-port eq 443
 rule 6 permit tcp source <ip-of-peril> 0 destination-port eq 80
 rule 9 deny tcp destination-port eq 443 logging
 rule 10 deny tcp destination-port eq 80 logging
 ! These deny rules have no destination, so they also drop TCP 80/443 transiting
 ! through g3/0/0 to hosts behind the router; add "destination <router-wan-ip> 0"
 ! to the deny rules if only the router's own listeners should be blocked.
interface GigabitEthernet3/0/0
 packet-filter name BLOCK-REMOTE inbound
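To check the rule ordering before touching a WAN interface, here is a small model of how the packet filter evaluates the BLOCK-REMOTE ACL: first match in ascending rule-ID order, with unmatched packets permitted. This is an added example and not code from the original post or from Comware itself; it parses the rule syntax as written above (source/destination with wildcard, destination-port eq, optional logging), and the addresses are constructed: <ip-of-peril> is assumed to be 203.0.113.10, the router's WAN address 192.0.2.1, and 10.0.0.5 a host behind the router.

```python
"""Model of Comware packet-filter matching for the BLOCK-REMOTE ACL.

Added example, not the post's or Comware's code. Models match-order config
(ascending rule ID, first match wins) and the packet filter's default permit
for packets that match no rule. All addresses below are constructed.
"""
import ipaddress
import re

ADMIN_IP = "203.0.113.10"   # assumed value of <ip-of-peril>
ROUTER_WAN = "192.0.2.1"    # assumed router WAN address on g3/0/0
LAN_HOST = "10.0.0.5"       # assumed host behind the router (transit traffic)

# Rule layout as on the page: deny rules carry lower IDs than the permit rules.
ORIGINAL_ACL = f"""
rule 9 deny tcp destination-port eq 443 logging
rule 10 deny tcp destination-port eq 80 logging
! Poke a hole at your own peril
rule 12 permit tcp source {ADMIN_IP} 0 destination-port eq 443
rule 13 permit tcp source {ADMIN_IP} 0 destination-port eq 80
"""

# Corrected layout: permit rules get lower IDs so they are evaluated first.
CORRECTED_ACL = f"""
rule 5 permit tcp source {ADMIN_IP} 0 destination-port eq 443
rule 6 permit tcp source {ADMIN_IP} 0 destination-port eq 80
rule 9 deny tcp destination-port eq 443 logging
rule 10 deny tcp destination-port eq 80 logging
"""

RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) tcp"
    r"(?: source (?P<src>\S+) (?P<swild>\S+))?"
    r"(?: destination (?P<dst>\S+) (?P<dwild>\S+))?"
    r"(?: destination-port eq (?P<dport>\d+))?"
    r"(?: logging)?$"
)


def _to_int(addr):
    """Comware accepts a bare 0 as shorthand for 0.0.0.0."""
    return int(addr) if addr.isdigit() else int(ipaddress.ip_address(addr))


def wildcard_match(addr, base, wildcard):
    """Comware wildcard mask: a 1 bit means 'don't care', 0 means exact match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def parse_acl(text):
    """Parse rule lines into dicts, sorted by rule ID (match-order config)."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line.startswith("rule"):
            continue  # comments and other config lines
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        d = m.groupdict()
        rules.append({
            "id": int(d["id"]),
            "action": d["action"],
            "src": (d["src"], d["swild"]) if d["src"] else None,
            "dst": (d["dst"], d["dwild"]) if d["dst"] else None,
            "dport": int(d["dport"]) if d["dport"] else None,
        })
    return sorted(rules, key=lambda r: r["id"])


def evaluate(rules, src, dst, dport):
    """Return (action, rule_id) for a TCP packet; rule_id is None on default permit."""
    for r in rules:
        if r["src"] and not wildcard_match(src, *r["src"]):
            continue
        if r["dst"] and not wildcard_match(dst, *r["dst"]):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"], r["id"]
    return "permit", None  # packet-filter default: permit unmatched packets


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        rules = parse_acl(acl)
        print(label, "admin->443:", evaluate(rules, ADMIN_IP, ROUTER_WAN, 443))
        print(label, "other->443:", evaluate(rules, "198.51.100.7", ROUTER_WAN, 443))
        print(label, "other->22:", evaluate(rules, "198.51.100.7", ROUTER_WAN, 22))
        print(label, "other->LAN 443:", evaluate(rules, "198.51.100.7", LAN_HOST, 443))
```

Run it and the original layout denies the admin host on rule 9 before rule 12 is ever consulted; the corrected layout permits the admin host on rule 5 and denies everyone else on rule 9. The last line of output also shows the transit caveat: with no destination in the deny rules, TCP 443 from the WAN to a LAN host is dropped too.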
Exempt <ip-of-peril> from attack defense (optional, only if a policy is applied to the interface)
! Without the exemption the admin host's own WebUI session is counted against
! the HTTP flood threshold and can be dropped; define the policy before applying it.
acl basic name WAN
 rule 0 permit source <ip-of-peril> 0
attack-defense policy Defense-Attack-Policy
 exempt acl name WAN
 http-flood action logging drop
 http-flood threshold 100
 ! http-flood action/threshold only take effect once HTTP flood detection
 ! (per-IP or non-specific) is enabled in the policy.
interface GigabitEthernet3/0/0
 attack-defense apply policy Defense-Attack-Policy
Please add comments so I may update the material to accommodate platform modifications to the various commands. Also, if you have some real-world caveats, please do share.