Hour 305: Dynamic ACL and security through obscurity

I’m not studying for the security track but quite a few security features are in the CCIE R&S exam. Today, I will be demonstrating how to secure a WAN edge router by using a combination of SSH port security and dynamic ACL’s (lock in key). This feature will add some additional security through obscurity.

This will the topology for this example:


Let’s first start by configuring basic SSH on the router.

conf t
ip domain name routingnull0
crypto key generate rsa modulus 768
username admin password admin
enable secret admin
line vty 0 15
transport input ssh
login local


Alright, let’s test this:


All is good, basic SSH works.

Now let’s add an additional layer of security and change the SSH port to 2222. First, we need to add the rotary command to add an additional access port for SSH (in this case 2222) and then add an ACL on the inbound WAN port to block port 22. If we don’t block port 22, we will be able to SSH through 22 and 2222. Let’s also log any entry through port 2222:

ip ssh port 2222
line vty 0 15
rotary 1
ip access-list extended ACL_PROTECT_WAN_IN
permit tcp any any eq 2222 log input
deny ip any any
int g0/1
ip access-group ACL_PROTECT_WAN_IN in


Now we should only be able to SSH through port 2222. Let’s test.


As expected, we cannot SSH through port 22, and can only SSH through port 2222.

At this point, this is pretty secure. Someone can still scan our ports and see 2222 open and try to brute force SSH passwords. Let’s add some more security by restricting access for 300 seconds (5 minutes) if failed 3 attempts within 20 seconds

login block-for 300 attempts 3 within 20


Awesome, this is looking good but we could add an additional step to obscure and restrict the access even more: a Dynamic ACL. What this feature does is it permits to add an ACL if a telnet login is successful. In this example, we will use it to authenticate through telnet to open the SSH port.

First let’s remove old ACL and change it to new one:

no ip access-list extended ACL_PROTECT_WAN_IN
ip access-list extended ACL_PROTECT_WAN_IN
permit tcp any any eq 23
dynamic knock permit tcp any any eq 2222 log-input
deny ip any any


Let’s add the username and password for the dynamic ACL and enable telnet:

username knock password knock

username knock autocommand access-enable host timeout 1
line vty 0 15
transport input ssh telnet


We should not be able to SSH to either 22 or 2222 until we telnet into the router and use the authentication username: knock password: knock. Once we have authenticated through that, we should be able to SSH through 2222 only for 60 seconds (after that the port will close again). Let’s test:


Excellent everything seems to be working. There’s one more thing we can do to obscure even more the access, change the port we can telnet on. For this, we already changed it by adding the rotary 1. This changed the telnet port to 3001 and 23. With a deny statement we can block port 23 and only allow 3001.

Change the ACL:

no ip access-list extended ACL_PROTECT_WAN_IN<
ip access-list extended ACL_PROTECT_WAN_IN
permit tcp any any eq 3001
dynamic knock permit tcp any any eq 2222 log-input
deny ip any any


Now let’s test the whole thing:


Success! With this method, you need to authenticate through telnet port 3001 with username knock and password knock; it will then open SSH port 2222. You then need to authenticate through SSH with correct username and credentials. If a hacker can figure this all out, well I guess he deserves to get into that router!

I hope this was informative.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s