How to secure SSH and HTTP access for the VBP?
This article describes the difference between the VBP-E and VBP-ST security measures and how to protect your VBP from unwanted external access.

In the VBP S/ST Series, the Firewall page for allowing management access to the unit works differently than on an E-Series unit. To access an S/ST for management, you must allow an access type (e.g. HTTP, HTTPS, telnet, SSH), but doing so allows access on both the WAN (Subscriber) and the LAN (Provider) ports. If you uncheck HTTP, for example, you will not be able to access the S/ST unit via HTTP from any interface. Notice that the text on the Firewall page states “Basic Provider/Subscriber Interfaces Firewall Settings”, which means that a single checkbox controls access on both interfaces.

To properly configure an S/ST Series unit that does not have the Management Interface in use, select the checkboxes for the types of access you want (e.g. HTTP and SSH), and then enter User Commands (located in System -> user commands) consisting of iptables rules that prevent access via the Subscriber port:

iptables -I INPUT -i eth0+ -p tcp --dport 80 -j DROP
iptables -I INPUT -i eth0+ -p tcp --dport 22 -j DROP

On the VBP-E, you instead need to uncheck the options "Allow SSH Access through Firewall" and "Allow HTTP Access through firewall" on the "Firewall" page. Again, deselecting those options on the VBP-ST will block access from both the WAN and LAN sides, and you will have to call Polycom to recover access.
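
One way to confirm that the two User Commands above took effect is to audit a saved rule listing. The script below is an added example, not Polycom's code. It assumes the listing is in the format `iptables -S INPUT` prints; the function name, the sample rules and the use of port 443 for HTTPS are assumptions for illustration.

```sh
#!/bin/sh
# Added example: audits saved rule text only; it never runs iptables
# and changes nothing on the unit.

SUBSCRIBER_IF='eth0+'   # interface pattern used in the article's rules

# unprotected_ports PORT...
# Reads INPUT-chain rules on stdin and prints every listed TCP port whose
# first applicable rule is not a DROP. Handles simple rule forms only
# (no "!" negation, no port ranges or multiport).
unprotected_ports() {
    awk -v ifc="$SUBSCRIBER_IF" -v ports="$*" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "-A" && $2 == "INPUT" {
        in_if = ""; proto = ""; dport = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i")      in_if  = $(i + 1)
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (proto != "tcp" || dport == "") next
        # A rule applies to subscriber traffic when it names the subscriber
        # interface pattern or names no interface at all.
        if (in_if != "" && in_if != ifc) next
        # iptables stops at the first matching rule, so only that one counts.
        if (!(dport in verdict)) verdict[dport] = target
    }
    END {
        for (k = 1; k <= n; k++)
            if (verdict[want[k]] != "DROP") print want[k]
    }'
}

# Constructed sample listing: SSH and HTTP are dropped on the subscriber
# side, while HTTPS (assumed to be TCP 443) has only an ACCEPT rule.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0+ -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0+ -p tcp -m tcp --dport 80 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | unprotected_ports 80 22 443
```

Because the first matching rule decides, a DROP that sits below an ACCEPT for the same port is reported as unprotected, which is why the article's rules use `-I` (insert at the top of the chain) rather than `-A`.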