1 Rookie • 21 Posts • December 22nd, 2021 08:00

I tried using an access-list on the control plane, but it is not working either. I think the control-plane access-list does not work on this model, but I'm not sure.

And I tried editing:

system "vi /etc/hosts.allow"

system "vi /etc/hosts.deny"

 

It works, but I can't log in to the CLI. After entering the login and password I see a message like "switch is still loading" or something similar; I don't remember exactly.

4 Operator • 2.9K Posts • December 22nd, 2021 08:00

Good morning,

 

So as to not duplicate effort, what troubleshooting steps have been taken so far?

4 Operator • 2.9K Posts • December 22nd, 2021 14:00

If the switch OS is getting stuck loading, you might try power cycling it, if you haven't already.

1 Rookie • 21 Posts • December 23rd, 2021 00:00

Example:

OS10# system "sudo nano /etc/hosts.allow"
sshd: 210.123.134.56

OS10# system "sudo nano /etc/hosts.deny"
sshd: ALL

If I do this, I can't log in from any host except 210.123.134.56.
But when I log in from the trusted host I see:

OS10 login: admin
Password: 
Last login: Thu Dec 23 07:49:27 UTC 2021 on pts/0
Linux OS10 4.9.168 #1 SMP Debian 4.9.168-1+deb9u3 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.


-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
-*         Dell EMC  Network Operating System (OS10)           *-
-*                                                             *-
-* Copyright (c) 1999-2019 by Dell Inc. All Rights Reserved.   *-
-*                                                             *-
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

This product is protected by U.S. and international copyright and
intellectual property laws. Dell EMC and the Dell EMC logo are 
trademarks of Dell Inc. in the United States and/or other 
jurisdictions. All other marks and names mentioned herein may be 
trademarks of their respective companies.

System is loading.

This message is shown until I clear the file /etc/hosts.deny.
I do not understand why the standard access-list on line vty is not working in Dell OS10.
Now I have millions of messages in the log file like this:

<85>1 2021-12-14T07:39:44.156845+02:00 GOLOS7 sshd 13460 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:39:47.452888+02:00 GOLOS7 sshd 13464 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:39:52.417133+02:00 GOLOS7 sshd 13467 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:39:57.357261+02:00 GOLOS7 sshd 13471 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:02.436969+02:00 GOLOS7 sshd 13473 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:05.677254+02:00 GOLOS7 sshd 13483 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:10.668899+02:00 GOLOS7 sshd 13487 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:15.760666+02:00 GOLOS7 sshd 13490 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:20.808645+02:00 GOLOS7 sshd 13495 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:25.969039+02:00 GOLOS7 sshd 13504 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:31.096919+02:00 GOLOS7 sshd 13508 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:36.160772+02:00 GOLOS7 sshd 13519 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:39.628955+02:00 GOLOS7 sshd 13523 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:44.600631+02:00 GOLOS7 sshd 13526 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:47.944618+02:00 GOLOS7 sshd 13530 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:53.001186+02:00 GOLOS7 sshd 13533 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
<85>1 2021-12-14T07:40:58.061165+02:00 GOLOS7 sshd 13537 - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=47.243.232.191  user=root
I need something to deny untrusted hosts.
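A defender-side example for the log flood in the post above, added here and not part of the thread or of OS10: it parses lines in the same shape as the `pam_unix(sshd:auth): authentication failure` records, counts failures per remote address, and flags a source the first time it produces a threshold number of failures inside a sliding time window. The sample lines are constructed (documentation addresses 203.0.113.9 and 198.51.100.7, hostname SWITCH1) and only mimic the format; the threshold of 5 failures in 60 seconds and the assumption that lines arrive in time order are choices of this example, not anything the thread states.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the pam_unix failure lines in the RFC 5424-style syslog format shown in the thread.
FAILURE_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) sshd (?P<pid>\d+) .*?"
    r"pam_unix\(sshd:auth\): authentication failure;.*?"
    r"rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)


def parse_failure(line):
    """Return {'ts', 'host', 'rhost', 'user'} for an sshd auth-failure line, else None."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),   # handles the +02:00 offset and microseconds
        "host": m.group("host"),
        "rhost": m.group("rhost"),
        "user": m.group("user"),
    }


def failures_per_source(lines):
    """Count authentication failures by remote host over the whole input."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_failure(line)
        if ev:
            counts[ev["rhost"]] += 1
    return dict(counts)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window detector (assumes lines are in chronological order): a source is
    flagged the first time it produces `threshold` failures within `window_seconds`.
    Returns {rhost: timestamp at which it was flagged}."""
    recent = defaultdict(deque)   # rhost -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        q = recent[ev["rhost"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()              # drop failures that fell out of the window
        if len(q) >= threshold and ev["rhost"] not in flagged:
            flagged[ev["rhost"]] = ev["ts"]
    return flagged


def _sample_failure(ts, pid, rhost, user="root"):
    # Constructed line in the shape of the thread's OS10 syslog output (not real traffic).
    return (f"<85>1 {ts} SWITCH1 sshd {pid} - - Node.1-Unit.1:PRI [event], Dell EMC (OS10)  "
            f"pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh "
            f"ruser= rhost={rhost}  user={user}")


# Constructed sample: six failures from one source five seconds apart, one from another,
# and a successful login that the parser must ignore.
SAMPLE_LINES = [
    _sample_failure("2021-12-14T07:39:44+02:00", 13460, "203.0.113.9"),
    _sample_failure("2021-12-14T07:39:49+02:00", 13464, "203.0.113.9"),
    _sample_failure("2021-12-14T07:39:51+02:00", 13466, "198.51.100.7", user="admin"),
    _sample_failure("2021-12-14T07:39:54+02:00", 13467, "203.0.113.9"),
    _sample_failure("2021-12-14T07:39:59+02:00", 13471, "203.0.113.9"),
    _sample_failure("2021-12-14T07:40:04+02:00", 13473, "203.0.113.9"),
    _sample_failure("2021-12-14T07:40:09+02:00", 13483, "203.0.113.9"),
    "<85>1 2021-12-14T07:40:12+02:00 SWITCH1 sshd 13499 - - Node.1-Unit.1:PRI [event], "
    "Dell EMC (OS10)  Accepted password for admin from 10.96.102.254 port 51234 ssh2",
]

if __name__ == "__main__":
    print("failures per source:", failures_per_source(SAMPLE_LINES))
    for rhost, when in detect_bruteforce(SAMPLE_LINES).items():
        print(f"flagged {rhost} at {when.isoformat()}")
```

The per-source count is what a syslog collector would aggregate anyway; the sliding window is what turns a count into an alert that can feed a blocklist or a ticket, and it is the piece worth tuning (a short window with a low threshold will fire on a user mistyping a password).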

Moderator • 3K Posts • December 23rd, 2021 01:00

Hello, can you try permit or deny filters as below?

 

  1. Create IPv4 or IPv6 access lists with permit or deny filters; for example:
    OS10(config)# ip access-list permit10
    OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
    OS10(config-ipv4-acl)# exit
    OS10(config)#
  2. Enter VTY mode using the line vty command in CONFIGURATION mode.
    OS10(config)# line vty
    OS10(config-line-vty)# 
  3. Apply the access lists to the VTY line with the {ip | ipv6} access-class access-list-name command in LINE-VTY mode.
    OS10(config-line-vty)# ip access-class permit10
View VTY ACL configuration
OS10(config-line-vty)# show configuration
!
line vty
 ip access-class permit10
 ipv6 access-class deny10
OS10(config-line-vty)#

1 Rookie • 21 Posts • December 23rd, 2021 02:00

What should be in the access-list "deny10"?

1 Rookie • 21 Posts • December 23rd, 2021 04:00

If you mean something like this:

ip access-list denyall
 seq 10 deny ip any any

I have tried this many times. It is like in the manual.
But it is wrong, because there is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you need to deny traffic that does not match any of the configured conditions, explicitly configure a deny statement.
With this configuration telnet is not working correctly either.

I did what it says:

ip access-list ssh_telnet
 seq 10 permit ip 10.96.102.0/24 any
!
ip access-list denyall
 seq 10 deny ip any any
line vty
 ip access-class ssh_telnet
 ipv6 access-class denyall

but I can easily log in from any other IP:

show users

Index  Line    User           Role         Application    Idle     Login-Time                   Location               Privilege-Level
-----  -----   ------------   ------       ------------   -----    --------------------------   ---------------------  ---------------
1      pts/0   admin          sysadmin     clish          50.4s    2021-12-23     T 11:20:36Z   10.96.102.254 [telnet] 15
2      pts/1   admin          sysadmin     bash           3.7s     2021-12-23     T 12:04:31Z   159.224.222.1 [ssh]    15

  

Moderator • 3K Posts • December 23rd, 2021 05:00

Yes, actually I meant that, but I'm not sure why you can still access it from the other IP. It seems like we're missing something, but what?
Just an idea: using deny (for Extended IP ACLs) can be tried, but I couldn't find it for OS10. For OS9 it is like this: https://dell.to/3FoC7uB

1 Rookie • 21 Posts • December 23rd, 2021 07:00

If I change the access list and add a deny:

ip access-list ssh_telnet
 seq 10 permit ip 10.96.102.0/24 any
 seq 20 deny ip any any

it closes telnet from other IPs, but not SSH. Why?
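A small simulator of how a sequence-ordered ACL is evaluated, added here as an example; it is not OS10 code and not from anyone in this thread. It assumes first-match-wins in seq order and the default-permit behaviour quoted two posts up (no implicit deny), and it uses constructed copies of the two ACL versions posted in this thread, so it shows exactly which sources each version permits: without the `seq 20 deny`, a source outside 10.96.102.0/24 falls through to the default permit. It does not model why OS10 treated SSH and telnet differently once the deny was added; that is the open question of the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source match; "any" becomes 0.0.0.0/0


def _parse_source(tokens):
    """Parse an ACL source field: 'any', 'a.b.c.d/nn', 'a.b.c.d mask', or a bare host.
    Returns (network, number_of_tokens_consumed)."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), 1
    # 'address mask' form, as in the moderator's 'permit ip 172.16.0.0 255.255.0.0 any'
    if len(tokens) > 1 and tokens[1] != "any" and tokens[1][0].isdigit():
        return ipaddress.ip_network(f"{tok}/{tokens[1]}", strict=False), 2
    return ipaddress.ip_network(f"{tok}/32"), 1


def parse_acls(config_text):
    """Parse 'ip access-list <name>' blocks with 'seq N permit|deny ip <src> <dst>' lines
    into {name: [AclEntry, ...]}. Other top-level lines ('line vty', ...) end the block;
    '!' and blank lines are ignored. Only the source field is modelled."""
    acls, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("ip access-list "):
            current = line.split()[2]
            acls[current] = []
        elif line.startswith("seq ") and current is not None:
            parts = line.split()
            seq, action = int(parts[1]), parts[2]
            src, _ = _parse_source(parts[4:])   # parts[3] is the protocol keyword ('ip')
            acls[current].append(AclEntry(seq, action, src))
        else:
            current = None
    return acls


def evaluate(entries, source_ip):
    """Return (action, matching_seq). Entries are tried in seq order and the first match
    wins. With no match the result is ('permit', None): the default-permit behaviour the
    thread quotes for OS10 VTY ACLs, i.e. there is no implicit deny."""
    ip = ipaddress.ip_address(source_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        if ip in entry.src:
            return entry.action, entry.seq
    return "permit", None


def vty_decision(config_text, acl_name, source_ip):
    """Decide whether a management session from source_ip passes the named ACL."""
    return evaluate(parse_acls(config_text)[acl_name], source_ip)


# Constructed copies of the two configurations posted in the thread.
CONFIG_NO_DENY = """
ip access-list ssh_telnet
 seq 10 permit ip 10.96.102.0/24 any
!
ip access-list denyall
 seq 10 deny ip any any
line vty
 ip access-class ssh_telnet
 ipv6 access-class denyall
"""

CONFIG_WITH_DENY = """
ip access-list ssh_telnet
 seq 10 permit ip 10.96.102.0/24 any
 seq 20 deny ip any any
"""

if __name__ == "__main__":
    # The two source addresses from the 'show users' output above.
    for cfg_name, cfg in (("no explicit deny", CONFIG_NO_DENY), ("with seq 20 deny", CONFIG_WITH_DENY)):
        for host in ("10.96.102.254", "159.224.222.1"):
            print(cfg_name, host, "->", vty_decision(cfg, "ssh_telnet", host))
```

Running it prints `permit` for 159.224.222.1 under the first configuration and `deny` (seq 20) under the second, which is the result the thread expected; the practical rule it illustrates is to end every VTY access-class ACL with an explicit `deny ip any any` and then verify from an untrusted address, because a missing match silently permits.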

1 Rookie • 21 Posts • December 30th, 2021 04:00

Can someone help me?

4 Operator • 2.9K Posts • December 30th, 2021 12:00

Heya Zhukk,

 

I obviously misunderstood you at the beginning of the thread. With the additional information, it does look to me like you're doing things correctly. I did notice that your firmware is behind, though. Would it be possible for you to try updating it to see if the behavior remains?

 

The reason that I ask is that because it does appear to be set up correctly, it would open up the possibility that the switch isn't working properly, but for me to send that through the proper channels, it would need to be either up to date, or I would need to find someone to validate the behavior.

 

1 Rookie • 21 Posts • December 30th, 2021 13:00

4 Operator • 2.9K Posts • December 30th, 2021 13:00

I'll have to pass this up the chain, then. I'm not confident when or if I'll be able to give you an update afterwards, but at least it'll get looked at. There's no contact channel for techs to follow these sorts of issues or where they're at in being addressed.

1 Rookie • 21 Posts • December 30th, 2021 13:00

OK, thanks for trying to help.
