VTY ACLs don't block HTTP/S access

A VTY ACL doesn't control HTTPS access.

I was doing some testing on a 3750X and saw that the http and https services were enabled. I knew that you could apply an ACL to restrict HTTP access, but had assumed that the HTTP security was an optional extra on top of the VTY ACL.
I tested this … and found out I was wrong. Although HTTP(S) uses the same in-band access path as SSH, web admin is not restricted in any way by VTY ACLs.
This will be obvious to some readers, but it wasn’t to me, so I’ll assume at least one other person on the interwebz had the same issue.

Test – VTY ACL doesn’t block HTTP/S

Let’s start with a baseline. The http and https servers are configured, and no VTY ACL is applied. A quick public safety announcement: I’m consoled into a non-production switch.

TestSwitch#sh run | i http
ip http server
ip http secure-server

I’m testing here from another directly attached switch.

Switch_2#ssh -l admin
Password:     !! SSH Works
Switch_2#telnet 80
Trying, 80 ... Open   !! HTTP also works

Let’s create a deny-all ACL and apply it to the VTY lines.

conf t
ip access-list extended VTYACL
deny ip any any
line vty 0 15
access-class VTYACL in

Testing again…

Switch_2#ssh -l admin
% Connection refused by remote host !! SSH is now blocked
Switch_2#telnet 80
Trying, 80 ... Open  !! Whaaa?

You do have the option of adding a standard access-list (numbered 1-99) to restrict HTTP and HTTPS access. You should do this…

TestSwitch(config)#ip http access-class ?
1-99 Access list number

…or you follow your instinct and blow away web access.

TestSwitch(config)#no ip http server
TestSwitch(config)#no ip http secure-server

And all is right with the world. I’d go back and adjust the deny-all VTY ACL, though.

Switch_2#telnet 80
Trying, 80 ...
% Connection refused by remote host
Switch_2#telnet 443
Trying, 443 ...
% Connection refused by remote host

Learning and Actions

  • HTTP and HTTPS are secured independently of the VTY access-list.
  • If you see http or https services in your config but don’t see ‘ip http access-class’, you should be concerned.
  • Immediately move past the worry stage – lock down web admin access to HTTP and HTTPS with access-lists, or remove web admin completely.
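As an added example (not part of the original post), here is a small Python check that flags exactly this gap in a saved running-config: web admin enabled, no ‘ip http access-class’, and a VTY access-class that gives a false sense of security. The two config excerpts are constructed for the example.

```python
# Constructed sample running-config excerpts (not from the original post).
WEAK_CONFIG = """\
hostname TestSwitch
ip http server
ip http secure-server
line vty 0 15
 access-class VTYACL in
 transport input ssh
"""

FIXED_CONFIG = """\
hostname TestSwitch
access-list 10 permit 192.0.2.0 0.0.0.255
ip http secure-server
ip http access-class 10
line vty 0 15
 access-class VTYACL in
"""


def audit_http_admin(config_text):
    """Return a list of findings about web-admin exposure in an IOS running-config.

    Mirrors the post's conclusion: 'ip http server' / 'ip http secure-server'
    are only restricted by 'ip http access-class', never by the VTY access-class.
    """
    lines = [ln.strip() for ln in config_text.splitlines()]
    http_on = "ip http server" in lines            # exact match; 'no ip http server' does not count
    https_on = "ip http secure-server" in lines
    http_acl = next((ln for ln in lines if ln.startswith("ip http access-class ")), None)
    vty_acl = any(ln.startswith("access-class ") for ln in lines)   # indented under 'line vty'

    findings = []
    if http_on:
        findings.append("plaintext 'ip http server' enabled; prefer 'no ip http server'")
    if (http_on or https_on) and http_acl is None:
        msg = "web admin enabled without 'ip http access-class'"
        if vty_acl:
            msg += "; the VTY access-class does not restrict HTTP/S"
        findings.append(msg)
    elif http_on or https_on:
        # Per the Cisco docs quoted in the comments, this ACL only filters IPv4.
        findings.append(f"note: '{http_acl}' filters IPv4 only; IPv6 web admin needs interface ACLs")
    return findings
```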

2 responses to “VTY ACLs don't block HTTP/S access”

  1. Sebastian

    I really hope that IPv6 is not in use. The “ip http access-class” only matches ipv4 traffic. There is nothing similar for IPv6.
    Cisco docs: “However, an access list configured with the ip http access-class command will only be applied to IPv4 traffic. IPv6 traffic filtering is not supported.”
    The only way to block unwanted ipv6 http traffic to the device is with interface acls.

    1. John Harrington

      Thanks for the comment Sebastian, much appreciated. I just saw @ioshints retweet a post from 2012 on this and the issue still isn’t fixed. http://blog.ipspace.net/2012/05/http-over-ipv6-on-cisco-ios.html
