Posted on July 31, 2019 3:34 pm
 |  Asked by Dittmar Schaepke
 |  101 views
Tags:
RESOLVED
0
0
Print Friendly, PDF & Email

Hi all,

I’m curious about the possibility to set a service acl under management api http-commands


management api http-commands
vrf default
no shutdown
ip access-group api-access
!
vrf vrf-mgmt
no shutdown
ip access-group api-acc

#sh ip access-lists api-access
IP Access List api-access
statistics per-entry
10 remark “Salt-Proxy”
20 permit ip 10.3.76.132/30 any
30 deny ip any any

#sh ip access-lists api-acc
Standard IP Access List api-acc
statistics per-entry
10 permit 10.3.76.132/30
15 permit 192.168.12.40/30
20 deny any

both acls does not have any effect to restrict access to the api

e.g. from src ip 172.17.88.46
$ nc -zv 192.168.12.144 443 -> outofband ip in mgt vrf
Connection to 192.168.12.144 443 port [tcp/https] succeeded!

I know, it’s a common way to tweak control-plane acl to limit the access.

Currently I’m not able to see the purpose for what the acl in this section is good for and what it can affect?
Maybe someone here can bring light to my head…

regards Dittmar

0
Posted by Tamas Plugor
Answered on July 31, 2019 4:33 pm

Hi Dittmar,

Doing a portscan does not tell you if the API is reachable or not. The ACL is working at a higher level, meaning you cannot access the webpage and you cannot do any API calls, so if you check you cannot reach the URL of your switch and you won’t be able to run commands via eAPI.

The best is to look at nginx logs in /var/log/nginx-access.log, and you’ll see that when you deny your IP you will get HTTP 444, so the connection is closed with no response vs if you permit your IP you’ll see HTTP 200

This maybe changed in the future denying the session alltogether, I assume you’d expect to have HTTP 403 or 404 returned, at the moment the behavior is as I’ve described above, so you’ll still see port 443 open, but you won’t be able to do anything.

Hope this helps!
Tamas

0
Posted by Lokesh Charora
Answered on July 31, 2019 5:32 pm

Adding to Tamas’s response, you will not be able to run the EAPI commands from the IP address which is filtered out, Please see below:

$nc -zv 443
found 0 associations
found 1 connections:
1: flags=82
outif en0
src port 61484
dst port 443
rank info not available
TCP aux info available

Connection to port 443 [tcp/https] succeeded!

Now trying to run a request to this management IP:

$curl -u admin: -d ‘{“jsonrpc”: “2.0”,”method”: “runCmds”,”params”: {“version”: 1,”cmds”:[“show version”]},”id”:1}’ http:///command-api
Filtered by service ACL

Hope this helps.

0
Posted by Dittmar Schaepke
Answered on August 1, 2019 11:41 am

Hi,

thank you both for the explanation.
And indeed, I was able to verify it also.

In my small acl world I would’ve expected a connection refused / timeout on my request, and never imagined it’s handled on application level.

but I’m never to old to learn something new every day :)

Still quite unhappy with the technique itself, because I think it allows a wider range of attack possibilities, but that is something we’ve now to discuss internally.

best regards and a nice weekend
Dittmar

Post your Answer

You must be logged in to post an answer.