I seem to have locked myself out of a 6102


#1

Good morning, all, and happy holidays!

I was experimenting with the security settings on a 6102 - remotely. This device has the most up-to-date firmware available, with the exception of the very recent security release. I was adding rules to the Dynamic Defense list. I created a rule blocking access on ports 20001-65535 from any IP. I added a whitelist rule for the VoIP server, but didn’t think about doing so for my office IP address or the local LAN.

I could access the device remotely as my office IP is whitelisted on the router, and port 8089 forwards to the UCM. Or, I could connect to the router by VPN and then access the device as if I was on the local LAN.

Neither of those paths works any more. I didn’t expect this, as I thought the UCM was communicating on port 8089 for configuration changes, and that port was not in the range I specified.

Unfortunately this device is an hour away from my office. I’m afraid that even if I go there, I will be unable to access the device even on the local LAN. I’m afraid that I’m looking at a factory reset and then restoring a backup.

Can I access the device locally through its LAN port?

The device appears to be functioning - or at least I can see that it is connected to the VoIP servers.

Any ideas would be most welcome.

Mike


#2

NEVER block those ports. These are dynamic ports used by HTTP to send responses.

You’ll need to reset or try locally to access it.


#3

You were communicating to port 8089 on the UCM, but likely the source port from which you were sending was one in the range that you blocked.

I am not understanding why, if the UCM is behind a router/firewall already (given the whitelist and VPN remark), you are blocking ports that the router shouldn’t be allowing through anyway.

Almost sounds like a “double, super secret probation” to me.

You may be able to “bind” to a port using the netsh command. Do a Google search for it.


#4

Thank you. I hate when I do boneheaded things and make more work for myself.

I was able to regain access. I used netsh to set the dynamic TCP range on my PC to 10000-10999, then rebooted. I don’t know if this is what got my access back, or if it was just dumb luck that I got a port that was not being blocked by my sweeping rule.

To your question as to why: the inexpensive Cisco firewall that is in this customer’s office is not properly obeying its access rules. If I write “allow” rules for specific IP addresses and then a (lower) “deny” rule to block everything else, then no one can connect. So I was hoping to use the firewall on the UCM itself to block the random connection requests. Fail2Ban works OK, but there are already 100+ banned IP addresses on the list and I don’t want to clog things up as that number grows.

Is there a reason I couldn’t use the Static Defense in the UCM’s firewall to whitelist the necessary IP addresses and then write a “drop” rule for 1.1.1.1/32? When the inbound request is dropped the scanner doesn’t know that there’s even anything at that IP address and gives up instead of continuing to try other ports, etc.

Thanks again for the help - you saved me a 2-hour round trip to visit them in person.

Mike
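As an added illustration (not code from this thread or from Grandstream), a small first-match rule evaluator models the situation in #1, the source-port explanation in #3 and the netsh workaround in #4. The addresses are constructed, and the assumption that a port rule matches either the source or the destination port is mine, not documented UCM behaviour.

```python
"""Added model of first-match firewall evaluation (not Grandstream code).
Shows why a rule blocking TCP 20001-65535 also cut off the admin's own
session to TCP/8089: the client's *source* port is an ephemeral port that
normally falls inside that range, and the office IP had no whitelist
entry ahead of the block rule."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address


@dataclass(frozen=True)
class Rule:
    action: str           # "accept" or "drop"
    src_net: IPv4Network  # which source addresses the rule applies to
    ports: range          # TCP ports matched; assumed to match source OR destination port


def evaluate(rules, src_ip, src_port, dst_port):
    """First matching rule wins; no match falls through to accept (assumed default)."""
    for r in rules:
        if ip_address(src_ip) in r.src_net and (src_port in r.ports or dst_port in r.ports):
            return r.action
    return "accept"


# Constructed addresses standing in for the thread's VoIP server and office.
VOIP_SERVER = "198.51.100.5"
OFFICE_IP = "203.0.113.10"
ANY = IPv4Network("0.0.0.0/0")
ALL_PORTS = range(1, 65536)

# The rule set from post #1: VoIP whitelist, then block 20001-65535 from anyone.
ORIGINAL_RULES = [
    Rule("accept", IPv4Network(f"{VOIP_SERVER}/32"), ALL_PORTS),
    Rule("drop", ANY, range(20001, 65536)),
]
# Same rules with the office IP whitelisted *before* the sweeping block.
FIXED_RULES = [ORIGINAL_RULES[0], Rule("accept", IPv4Network(f"{OFFICE_IP}/32"), ALL_PORTS), ORIGINAL_RULES[1]]

# Client ephemeral source-port ranges: the Windows default (49152-65535) and the netsh setting from post #4.
WINDOWS_DEFAULT_EPHEMERAL = range(49152, 65536)
NETSH_EPHEMERAL = range(10000, 11000)


def admin_reachable(rules, ephemeral, dst_port=8089):
    """True only if every possible ephemeral source port still reaches the web UI."""
    return all(evaluate(rules, OFFICE_IP, p, dst_port) == "accept" for p in ephemeral)


if __name__ == "__main__":
    print("original rules, default ephemeral range:", admin_reachable(ORIGINAL_RULES, WINDOWS_DEFAULT_EPHEMERAL))
    print("original rules, netsh 10000-10999:", admin_reachable(ORIGINAL_RULES, NETSH_EPHEMERAL))
    print("office whitelisted first, default range:", admin_reachable(FIXED_RULES, WINDOWS_DEFAULT_EPHEMERAL))
```

The netsh change only works because the whole new ephemeral range sits below the blocked range; whitelisting the admin's source address ahead of the block rule is the fix that does not depend on the client.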


#5

Dynamic Defense only works when the UCM is in route mode. I would never use the UCM as a firewall anyway; using Fail2Ban is a good last line of defense strategy.


#6

“I was experimenting with the security settings on a 6102 - remotely. This device has the most up-to-date firmware available, with the exception of the very recent security release”

It is essential to update to the latest release, or the UCM remains exposed to critical issues; testing on a critical product does not make sense.

I don’t understand whether the NAT rules (mandatory in the ACL) are on the firewall or on the UCM.
Use the UCM as a VoIP server only and not as a firewall; that is just a suggestion.

Also, as a tip, disable “Dynamic Defense” and only use “Fail2ban” on UCM.