Description:
Remote access to our routers should preferably be implemented by means of a VPN client dial-in, for example using the LANCOM Advanced VPN Client. If this is not possible, it is often necessary to enable access via the WAN connection.
This article explains the different ways of securing the remote access to a LANCOM router from the WAN.



Requirements:



Section 1: Restricting specific management protocols for WAN access
1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

2) Click on Access rights and select the option From a WAN interface.

3) You can allow or restrict access to the management protocols in this menu.
  • If access to a specific protocol from the WAN is to be enabled, then select allowed in the drop-down menu.
  • If access from the WAN is not allowed, then select denied.
  • If the router should only be accessible via VPN, then select only via VPN.
  • By default, access to all of the management protocols from the WAN is denied.

In general, LANCOM Systems recommends prohibiting access to the management protocols from the WAN (setting denied) or allowing access only via VPN (setting only via VPN).

If access from the WAN is necessary, make absolutely sure that only encrypted protocols are used (HTTPS, SSH, Telnet over SSL, SNMPv3). With the unencrypted protocols the password crosses the Internet in plain text and can be read by anyone on the path! Additionally, restrict the access to specific IP addresses and/or networks (see Section 2).




Section 2: Restricting access to the router from specific IP addresses and/or IP networks only

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

2) Go to the menu Access stations.

3) Enter the networks and the IP addresses which should have access to the router. For a network, enter the associated subnet mask. For a single IP address, enter the subnet mask 255.255.255.255.

Because the table Access stations works as a whitelist, it must contain every IP network or IP address from which access to the router is to be allowed. Consequently, the internal networks must also be entered here. If they are missing, the router can no longer be reached from the internal network!

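To make the whitelist semantics and the lockout pitfall concrete, the following added example (not code from LANCOM or from this article) evaluates an Access stations table the way the router would: each entry is an address plus subnet mask, 255.255.255.255 means a single host, and a source is allowed only if it matches an entry. The second function checks the table against the networks administrators really work from and reports any that are not covered, which is exactly the case where the internal LAN was forgotten. The table, the required sources and the addresses (documentation ranges) are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example of an "Access stations" whitelist, as (address, subnet mask)
# pairs the way they are entered in LANconfig. 255.255.255.255 denotes a single host.
# Addresses are documentation ranges, not real systems.
ACCESS_STATIONS = [
    ("192.168.1.0", "255.255.255.0"),     # internal LAN: must not be forgotten!
    ("203.0.113.10", "255.255.255.255"),  # one administrator host on the Internet
]

# Hypothetical list of places administrators actually work from (name -> CIDR).
REQUIRED_SOURCES = {
    "internal LAN": "192.168.1.0/24",
    "external admin host": "203.0.113.10/32",
}


def to_network(address, mask):
    """Convert an address/mask pair into an ip_network (ValueError on bad input)."""
    return ip_network(f"{address}/{mask}", strict=False)


def is_allowed(source, entries=ACCESS_STATIONS):
    """True if the source address matches at least one whitelist entry."""
    src = ip_address(source)
    return any(src in to_network(addr, mask) for addr, mask in entries)


def uncovered_sources(entries=ACCESS_STATIONS, required=REQUIRED_SOURCES):
    """Names of required sources that no whitelist entry fully covers.

    A non-empty result is the lockout case the article warns about: applying
    such a whitelist would cut those administrators off from the router.
    """
    nets = [to_network(addr, mask) for addr, mask in entries]
    return [name for name, cidr in required.items()
            if not any(ip_network(cidr, strict=False).subnet_of(net) for net in nets)]


if __name__ == "__main__":
    for probe in ("192.168.1.20", "203.0.113.10", "203.0.113.11"):
        print(probe, "allowed" if is_allowed(probe) else "denied")
    # Deliberately drop the LAN entry to show the lockout check firing.
    print("missing:", uncovered_sources(entries=ACCESS_STATIONS[1:]))
```

Run the check against the planned table before you apply it in LANconfig; a whitelist that passes `uncovered_sources` still blocks everything not listed, which is the intended effect.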



Section 3: Deactivating the web server services from the WAN interface

1) Open the router configuration in LANconfig and go to the menu Management → Admin → Access settings.

2) Click on HTTP access and select the option From a WAN interface.

3) For the HTTP port select the option Disabled. This closes the web server on the WAN interface for all services. This is only practical in scenarios where no access to the router from the WAN via HTTP/HTTPS should be possible (not even via VPN) and no service that requires the web server (e.g. the OCSP server/responder) needs to be available on the WAN interface.

An exception is IPSec-over-HTTPS. If the option Accept IPSec-over-HTTPS is active, the HTTPS port stays reachable from the WAN because it is needed for the IPSec-over-HTTPS tunnel. An attempt to open WEBconfig from the WAN is then answered with the message "403 Access Forbidden" even though the web server is deactivated.
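After applying the settings from Section 1 and Section 3, verify them from the outside rather than trusting the dialog. The following added example (not code from LANCOM or from this article) probes one management port the way a WAN client would and distinguishes three outcomes: nothing listening ("closed"), a port that accepts the connection ("open"), and the IPSec-over-HTTPS case where the port is open but the web server answers 403 ("forbidden"). So that it runs offline, it also starts a constructed local stand-in that always answers 403 and probes a deliberately unused local port; the router address in the final comment is a hypothetical documentation address.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_management_port(host, port, tls=False, timeout=3.0):
    """Classify what a client on the WAN sees on one management port.

    Returns:
      "closed"    TCP connection refused or timed out: nothing listens on the WAN side
      "forbidden" the web server answered HTTP 403, i.e. the port is open but the
                  service is not (the IPSec-over-HTTPS case from the article)
      "open"      the port accepted the connection and answered something else
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
        sock = raw
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE    # reachability probe only, no trust decision
            sock = ctx.wrap_socket(raw, server_hostname=host)
        with sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = b""
            try:
                while len(reply) < 4096:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    reply += chunk
            except socket.timeout:
                pass                           # non-HTTP service that stays silent
    except ssl.SSLError:
        return "open"                          # TLS service that rejected our handshake
    except OSError:
        return "closed"                        # refused, unreachable or timed out
    status_line = reply.split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/") and b" 403 " in status_line:
        return "forbidden"
    return "open"


class _Forbidden(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server whose port is open but that refuses
    WEBconfig from the WAN: every request is answered with 403."""

    def do_GET(self):
        self.send_response(403)
        self.end_headers()
        self.wfile.write(b"Access Forbidden")

    def log_message(self, *args):              # keep the demo output quiet
        pass


def run_local_demo():
    """Run the probe against two local cases so the example works offline.

    Returns {"forbidden": ..., "closed": ...} with the classification of
    (a) a server that answers 403 and (b) a port nothing listens on.
    """
    server = HTTPServer(("127.0.0.1", 0), _Forbidden)   # port 0: let the OS pick
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        forbidden = probe_management_port("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    # Take a free port, release it again and probe it: connection refused -> "closed".
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        free_port = tmp.getsockname()[1]
    closed = probe_management_port("127.0.0.1", free_port, timeout=1.0)
    return {"forbidden": forbidden, "closed": closed}


if __name__ == "__main__":
    print(run_local_demo())
    # Against a real router (hypothetical address), e.g.:
    # print(probe_management_port("198.51.100.1", 443, tls=True))
```

Run the probe from a host outside your network, not from the LAN: the settings in Sections 1 and 3 are per interface, so a LAN-side test says nothing about what the Internet sees. A port you changed in Section 5 has to be probed on its new number.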



Section 4: Configuration login lock

When management protocols are accessible from the WAN, you should expect frequent brute-force attacks from the Internet that try to guess the login credentials. This is where the brute-force protection of the configuration login lock comes into effect.

The relevant setting can be found under Management → Admin → Configuration login lock. With default settings, 5 failed logins cause the affected management protocol to be locked globally for 5 minutes.

Because the lock is global, a locked management protocol is also not available from the internal network for that period. An attacker on the Internet who keeps producing failed logins can therefore keep legitimate administrators locked out as well, which is one more reason to restrict WAN access as described in Sections 1 and 2.

The Event Log shows whether a management protocol is locked. It can be read out via the CLI command ls Status/Config/Event-Log. The following figure shows that too many failed login attempts were made via SSH and that this protocol was locked as a consequence (LoginBlocked).

Alternatively, you can open the Event Log in WEBconfig under (Extras →) LCOS menu tree → Status → Config → Event Log.
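The following added example (a model written for this article, not LANCOM code and not the router's real implementation) reproduces the behaviour described above so that the side effect of the global lock can be seen: five wrong passwords from an Internet host lock SSH, the administrator on the LAN is then blocked even with the correct password, HTTPS as a separate protocol keeps working, and SSH accepts logins again once the 5 minutes are over. The threshold and duration are the defaults named in the article; that the failure counter resets on a successful login, the event names other than LoginBlocked, and the addresses (documentation ranges) are assumptions of the demo.

```python
from collections import defaultdict

LOCK_THRESHOLD = 5        # failed logins, LCOS default named in the article
LOCK_DURATION = 5 * 60    # seconds, LCOS default named in the article


class LoginLock:
    """Model of the configuration login lock described in the article.

    The failure counter and the lock exist once per management protocol and are
    global, i.e. they do not distinguish between WAN, VPN and LAN sources.
    Assumptions not stated in the article: the counter resets on a successful
    login, and the event names other than LoginBlocked are made up for this demo.
    """

    def __init__(self, threshold=LOCK_THRESHOLD, duration=LOCK_DURATION):
        self.threshold = threshold
        self.duration = duration
        self.failures = defaultdict(int)   # protocol -> consecutive failed logins
        self.locked_until = {}             # protocol -> time the lock expires
        self.event_log = []                # (time, protocol, source, event)

    def is_locked(self, protocol, now):
        return self.locked_until.get(protocol, 0) > now

    def attempt(self, protocol, source, password_ok, now):
        """Process one login attempt; returns 'accepted', 'rejected' or 'blocked'."""
        if self.is_locked(protocol, now):
            # Correct password or not, nobody gets in while the lock is active.
            self.event_log.append((now, protocol, source, "LoginBlocked"))
            return "blocked"
        self.locked_until.pop(protocol, None)  # an expired lock is simply forgotten
        if password_ok:
            self.failures[protocol] = 0
            self.event_log.append((now, protocol, source, "LoginOK"))
            return "accepted"
        self.failures[protocol] += 1
        self.event_log.append((now, protocol, source, "LoginFailed"))
        if self.failures[protocol] >= self.threshold:
            self.locked_until[protocol] = now + self.duration
            self.failures[protocol] = 0
            self.event_log.append((now, protocol, source, "ProtocolLocked"))
        return "rejected"


def demo():
    """Scenario from the article: an Internet host hammers SSH, the LAN admin suffers.

    Returns the list of results in order; addresses are constructed documentation
    ranges.
    """
    lock = LoginLock()
    t0 = 1_700_000_000
    results = []
    for i in range(LOCK_THRESHOLD):                    # 5 wrong passwords from the WAN
        results.append(lock.attempt("ssh", "203.0.113.5", False, t0 + i))
    # The administrator on the LAN uses the correct password during the lock ...
    results.append(lock.attempt("ssh", "192.168.1.20", True, t0 + 10))
    # ... HTTPS is a separate protocol and keeps working ...
    results.append(lock.attempt("https", "192.168.1.20", True, t0 + 10))
    # ... and SSH works again once the 5 minutes are over.
    results.append(lock.attempt("ssh", "192.168.1.20", True, t0 + 10 + LOCK_DURATION))
    return results


if __name__ == "__main__":
    print(demo())
```

The practical lesson is in the sixth result: the lock protects the password, but it also lets anyone on the Internet deny you management access for five minutes at a time, so the login lock complements the restrictions in Sections 1 and 2 rather than replacing them.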



Section 5: Change the default port
Since brute-force attacks usually target the default ports, we recommend changing the ports used by any management protocols that are accessible from the WAN. This only reduces the noise from automated scans; it does not replace the restrictions described in Sections 1 and 2.
1) Open the router configuration in LANconfig and go to the menu Management → Admin → Settings.
2) You can modify the default ports in this menu (in this example the HTTPS port was modified).

The port settings are global. Access to these management protocols from both the WAN and the LAN is only possible on the changed port.