How would you allow SSH management via a non-default port and restrict access to a given IP range?

Multiple Choice

Explanation:
This question is about securing SSH management by moving the service to a non-default port and locking it down to a specific source network.

Change the SSH service to listen on a non-default port, such as 2222. This reduces exposure to automated scans that target the standard port. Then use firewall rules on the input chain to allow only connections from a trusted IP range to that port, and add a final rule to drop any other attempts on that port. This works because RouterOS processes firewall rules in order: the first rule that matches a packet decides what happens to it, and later rules are not evaluated for that packet. By accepting the trusted subnet to port 2222 and then dropping all other sources for that same port, you restrict access to that port to the allowed network alone.

In detail, you would set the SSH port to 2222, create an accept rule for TCP traffic to port 2222 from 192.168.0.0/24, and then add a subsequent drop rule for TCP traffic to port 2222 from any other source. Rule order matters here: if the drop rule came first, it would also match the trusted subnet and block the intended management access. With the accept rule first, the allowed network can manage the device, while all other sources attempting to reach port 2222 are blocked.

Why other approaches don’t fit: leaving SSH on the default port would keep it more exposed to automated probes. Allowing SSH on the default port from anywhere would defeat the IP-range restriction. Setting a mismatched port in the allow rule, or a non-existent port in the drop rule, would leave the intended access either unreachable or only partially restricted, defeating the goal of locking down management access to a specific port and source range.

