Are you suffering attacks to your servers?

Manny Veloso manny.veloso at smartrg.com
Thu Jul 28 12:16:01 EDT 2016


Actually, they might be coming from his IP space!

You can set things up so that you restrict not only on your IP range but only allow HTTP POSTs. CWMP only uses POST requests, so you can disable GET/PUT/DELETE on the web front end (you are using a web front-end, right?).

That doesn’t mean someone can’t break in with a POST, but it’ll make the attack surface a bit smaller. You can also restrict traffic to the specific URLs that genie uses, which I forget.

---
Manny Veloso / technical person
o: +360 859 1780



From: Users on behalf of Dan Morphis
Reply-To: Community support for GenieACS users
Date: Wednesday, July 27, 2016 at 12:08 PM
To: Community support for GenieACS users
Subject: Re: Are you suffering attacks to your servers?

Why is your ACS allowing connections from CPEs not in your IP space?

We set up our DSL CPEs with two PVCs, one on the standard 0/35 that customer internet traffic uses, and 0/36 which is strictly for the ACS and lives in private IP space. For our PON and Ethernet customers, untagged traffic is public internet, and traffic tagged to a specific VLAN goes to the ACS. The tagging is done by the CPE. In this way, our attack surface is significantly reduced.

-dan
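
Added example, not part of either message above: before enforcing the two restrictions discussed in this thread (CPE source range and POST-only) on the web front end, the front end's access log can be audited against that policy to see what would be rejected. The log format (common/combined), the `10.36.0.0/16` management range, and all function names are assumptions made for illustration; the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: placeholder for the range your CPEs reach the ACS from.
ALLOWED_NETS = [ipaddress.ip_network("10.36.0.0/16")]
ALLOWED_METHODS = {"POST"}  # the thread's point: CWMP only uses POST

# Common/combined log format: client - user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

def check_line(line):
    """Return the list of policy violations for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    problems = []
    try:
        addr = ipaddress.ip_address(m.group("ip"))
        if not any(addr in net for net in ALLOWED_NETS):
            problems.append("source-outside-range")
    except ValueError:
        problems.append("bad-source-address")
    # An empty or malformed request line has no valid method token.
    parts = m.group("request").split()
    method = parts[0] if parts else ""
    if method not in ALLOWED_METHODS:
        problems.append("method-not-post")
    return problems

def audit(lines):
    """Return (line, violations) for every line that breaks the policy."""
    flagged = [(line, check_line(line)) for line in lines]
    return [(line, v) for line, v in flagged if v]

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.36.4.17 - - [28/Jul/2016:12:00:01 -0400] "POST / HTTP/1.1" 200 512',
    '10.36.4.17 - - [28/Jul/2016:12:00:05 -0400] "GET / HTTP/1.1" 200 87',
    '203.0.113.9 - - [28/Jul/2016:12:01:44 -0400] "POST / HTTP/1.1" 200 512',
    '203.0.113.9 - - [28/Jul/2016:12:01:45 -0400] "" 400 0',
]

if __name__ == "__main__":
    for line, violations in audit(SAMPLE):
        print(",".join(violations), "|", line)
```

Lines flagged only as `method-not-post` from inside the range are worth checking before the method restriction goes live, since they may be monitoring probes or misbehaving clients rather than hostile traffic.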

