1 Reply Latest reply on Feb 11, 2011 11:21 PM by lancekentwell

    Couple of questions

      Can anyone tell me how I can change the default "Access Denied" message you get when an SSH login fails to something different?  I want to customize this, and even further, how I can change the greeting banner for SSH when you first connect?

       

      And last question: how do I specify IP addresses that are allowed to SSH\HTTP\HTTPS to the device's management on the Internet interface?

        • 1. Re: Couple of questions

          To the best of my knowledge, any "Access Denied" SSH failure message is generated by your client, not the server (SnapGear).


          The "Sash command shell" banner is, I believe, built into the shell and mostly beyond customization (barring recompilation).  However, I expect the /etc/motd message, were the file to contain anything, would likely get displayed.  I do not know how to get it modified through a reboot.

           

          Your question on restricting IP addresses allowed to manage the device is pretty straightforward:

          1) Create multiple Address Definitions, one per IP address or subnet to which you wish to grant access.

          2) Create an Address Group Definition called "Mgmt Addresses" or such, adding all the individual Addresses to it.

          3) Create a Service Group Definition called "SnapGear Mgmt" or such, select HTTP, HTTPS, Telnet, SSH, SNMP (or whatever protocols you wish to grant).

          4) Create a Packet Filter Rule with the following settings:

            4a) Name: SnapGear Mgmt

            4b) Enable: yes

            4c) Action: Accept

            4d) Type: Input

            4e) Incoming Interface: Any

            4f) Source Address: Mgmt Addresses

            4g) Destination Address: Internet Port

            4h) Services: SnapGear Mgmt

          5) Ensure you have completed the above steps accurately and are, preferably, connected via the LAN interface.

          6) In the Firewall/Incoming Access section, UNCHECK everything for Internet interfaces.

           

          The Incoming Access section defines the *default* access rights. By creating the Packet Filter rule explicitly granting access as configured it will come before the default rules, now set to denied.
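The rule ordering described in the reply above can be checked offline before touching the device. This is an added example, not part of the original thread and not SnapGear code: it assumes first-match evaluation with the explicit Packet Filter rule ahead of the Incoming Access defaults, and the addresses (documentation ranges), function names and dictionary layout are constructed for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
MGMT_ADDRESSES = ["192.0.2.10", "198.51.100.0/28"]        # "Mgmt Addresses" group
MGMT_SERVICES = {("tcp", 22), ("tcp", 80), ("tcp", 443)}  # "SnapGear Mgmt" group
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def build_rules(addresses, services, still_checked=()):
    """Ordered rules: explicit Packet Filter rule, then Incoming Access.

    still_checked lists services left ticked in Incoming Access, i.e. what
    remains open to everyone if step 6 is skipped or only partly done.
    """
    # strict=True rejects entries such as "198.51.100.5/28" (host bits set),
    # a common typo that would otherwise silently widen or shift the range.
    nets = [ipaddress.ip_network(a, strict=True) for a in addresses]
    rules = [{"name": "SnapGear Mgmt", "sources": nets,
              "services": set(services), "action": "accept"}]
    if still_checked:
        rules.append({"name": "Incoming Access (checked)", "sources": ANY,
                      "services": set(still_checked), "action": "accept"})
    rules.append({"name": "Incoming Access (unchecked)", "sources": ANY,
                  "services": None, "action": "drop"})
    return rules


def evaluate(rules, src, proto, port):
    """Return (action, rule name) of the first rule matching the connection."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        src_ok = any(ip in net for net in rule["sources"])
        svc_ok = rule["services"] is None or (proto, port) in rule["services"]
        if src_ok and svc_ok:
            return rule["action"], rule["name"]
    return "drop", "no match"


def lost_access(rules, admin_src, services):
    """Services admin_src could no longer reach; run this before step 6."""
    return sorted(s for s in services
                  if evaluate(rules, admin_src, *s)[0] != "accept")


if __name__ == "__main__":
    rules = build_rules(MGMT_ADDRESSES, MGMT_SERVICES)
    print(evaluate(rules, "203.0.113.7", "tcp", 22))
    print(lost_access(rules, "198.51.100.20", MGMT_SERVICES))
```

An empty list from `lost_access` for the address you administer from means the rule covers you once the Incoming Access boxes are cleared.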