Scheduled opening/closing of ports

Discuss and get help configuring CacheGuard to protect Web servers
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Scheduled opening/closing of ports

Post by Douglas » 02 May 2018 16:49

Hi, is there any way of only opening selected web server ports at specific times? For example, only allow FTP server access during office hours?
If nothing inbuilt, can you advise if and how one might set up Windows Scheduled Tasks for this?

charles
Site Admin
Posts: 41
Joined: 06 Nov 2014 16:23
Location: Paris

Re: Scheduled opening/closing of ports

Post by charles » 02 May 2018 20:48

Hi,

Time-based firewall rules are not available in the current version of CG (EH-1.3.6 at the time of writing). However, you yourself have suggested a smart workaround based on the usage of a scheduler. My recommendation is to use an SSH client on the scheduler side to activate/deactivate required firewall rules at required times.

In order to avoid having to enter CG's admin password whenever your scheduler connects to CG, you can generate a public/private SSH key pair on the client side and import the public key into CG. You can find more information on how to import an SSH public key into CG at https://www.cacheguard.net/doc/guide/ad ... e.html#ssh.

Therefore if you have previously added a firewall rule named R1, your ssh call under a Linux system would look like this (assuming that your CG has the IP address 10.0.10.254):

Code:

    ssh admin@10.0.10.254 "firewall external off R1 ; apply force ; quit"

Under Windows you can replace the ssh command with your favourite SSH client (PuTTY?) and its appropriate options.

Best Regards,
Charles Tajvidi
IT Technical Architect
http://www.cacheguard.com
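
The scheduler-side call described in the post above, as an added example that is not part of the original thread or CacheGuard's own code: a POSIX shell script that cron can run to set rule R1 according to the time of day. The office hours, the key path, the rule-name allow-list and the `on` form of the command (mirrored from the `off` form in the post) are assumptions.

```shell
#!/bin/sh
# Added example: toggle a CacheGuard firewall rule from cron over key-based SSH.
CG_HOST="${CG_HOST:-10.0.10.254}"        # appliance address used in the post
RULE="${RULE:-R1}"                       # rule name used in the post
KEY="${KEY:-$HOME/.ssh/cg_scheduler}"    # assumed private key path
OPEN_HOUR=9                              # assumed office hours: Mon-Fri 09:00-16:59
CLOSE_HOUR=17

# desired_state DAY HOUR -> prints "on" or "off" (DAY: 1=Mon..7=Sun, HOUR: 00-23)
desired_state() {
    day=$1
    hour=${2#0}                          # strip a leading zero so 08/09 compare as decimal
    if [ "$day" -le 5 ] && [ "$hour" -ge "$OPEN_HOUR" ] && [ "$hour" -lt "$CLOSE_HOUR" ]; then
        echo on
    else
        echo off
    fi
}

# cg_command STATE RULE -> prints the command string sent to the appliance.
# The "on" form is assumed to mirror the "off" form shown in the post.
cg_command() {
    case $1 in
        on|off) ;;
        *) echo "invalid state: $1" >&2; return 1 ;;
    esac
    case $2 in                           # conservative allow-list (assumption)
        ''|*[!A-Za-z0-9_-]*) echo "invalid rule name: $2" >&2; return 1 ;;
    esac
    printf 'firewall external %s %s ; apply force ; quit' "$1" "$2"
}

# apply_state STATE: BatchMode makes ssh fail instead of prompting for a password,
# so a key that is not accepted shows up as a failed job rather than a hung one.
apply_state() {
    cmd=$(cg_command "$1" "$RULE") || return 1
    ssh -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes -o ConnectTimeout=10 \
        "admin@$CG_HOST" "$cmd"
}

# Only contact the appliance when called with --apply (e.g. from cron).
if [ "${1:-}" = "--apply" ]; then
    state=$(desired_state "$(date +%u)" "$(date +%H)")
    apply_state "$state" || { echo "could not set $RULE $state" >&2; exit 1; }
fi
```

Scheduling it hourly with `--apply` rather than only at the two boundary times means a missed run is corrected at the next one.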

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Scheduled opening/closing of ports

Post by Douglas » 10 Aug 2018 09:52

Hi
I followed the link above. After running

    admin ssh key add ftp <file-server-ip> <sshkey-file-name>

I got 100%. Please note I had to change tftp to ftp. Hope that's ok?

Running

    ssh admin@10.0.10.254 "firewall external off R1 ; apply force ; quit"

still prompts me for a password.
What have I missed and where can I see my public key in CG?

david
Posts: 154
Joined: 08 Aug 2015 20:38

Re: Scheduled opening/closing of ports

Post by david » 10 Aug 2018 10:33

Hi,

You can use the following command to see all installed public SSH keys:

Code:

    admin ssh key

Did you use the apply command after having imported your public SSH key?

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Scheduled opening/closing of ports

Post by Douglas » 10 Aug 2018 10:46

Thanks.
"admin ssh key" shows the key but I'm still prompted by CG for admin's password?

david
Posts: 154
Joined: 08 Aug 2015 20:38

Re: Scheduled opening/closing of ports

Post by david » 10 Aug 2018 10:54

Are you using RSA or DSA keys?

BR,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Scheduled opening/closing of ports

Post by Douglas » 10 Aug 2018 11:00

RSA

david
Posts: 154
Joined: 08 Aug 2015 20:38

Re: Scheduled opening/closing of ports

Post by david » 10 Aug 2018 11:07

RSA is fine! When you print the list of imported SSH keys with the command "admin ssh key", do you have a '[NEW]' tag for your SSH key or not?

BR,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Scheduled opening/closing of ports

Post by Douglas » 10 Aug 2018 11:14

No

david
Posts: 154
Joined: 08 Aug 2015 20:38

Re: Scheduled opening/closing of ports

Post by david » 10 Aug 2018 11:17

How did you generate your SSH keys? Can you please copy/paste the command you used (if under Linux)?

Also please double check that you are trying to connect to your CG from the machine having the SSH private key associated with the imported public key.

BR,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com
