How to block all the unused Ewon Flexy/Cosy131 services on the LAN, WAN and/or VPN interface

06 Jun 2024

This document describes how to block all unused services/servers, such as HTTP, FTP and IPtoSerial, on an Ewon Flexy/Cosy131 device.

This can be needed when, for instance, the HTTP and FTP servers cannot be used onsite because they do not comply with the onsite security policies.

APPLICABLE PRODUCTS

Ewon : Flexy

Ewon : Cosy131

IN THIS ARTICLE

Block HTTP & FTP servers

First, make sure your device runs firmware 14.9 or above.
From this version on, a new COM parameter called "ClosedDevice" is available.
You can access it through the tabular edition of the device web interface, through a comcfg.txt configuration file pushed via FTP or USB/SD card, or through BASIC/JAVA programming.




The ClosedDevice parameter is a bitwise value that allows you to block access to the web server (HTTP) and/or the FTP server on the different Ewon IP interfaces (LAN, WAN & VPN).


Here is the table of the possible values:

Bit settings            Decimal value  Description                                      Behavior change from FW15.0 on (WAN services removed)
Bits          Byte
(none)        00000000  0              No additional protection (default)
1             00000001  1              Close FTP Server on LAN interface
2             00000010  2              Close HTTP Server on LAN interface
1+2           00000011  3              Close FTP and HTTP Servers on LAN interface
3             00000100  4              Close FTP server on WAN interface                No FTP over WAN
1+3           00000101  5              Close FTP server on LAN & WAN interfaces         No FTP over WAN
4             00001000  8              Close HTTP server on WAN interface               No HTTP over WAN
2+4           00001010  10             Close HTTP server on LAN and WAN interfaces      No HTTP over WAN
3+4           00001100  12             Close FTP & HTTP servers on WAN interface        No FTP & HTTP over WAN
5             00010000  16             Close FTP server on VPN interface
1+5           00010001  17             Close FTP server on LAN & VPN interfaces
3+5           00010100  20             Close FTP server on WAN & VPN interfaces         No FTP over WAN
1+3+5         00010101  21             Close FTP server on LAN, WAN & VPN interfaces    No FTP over WAN
6             00100000  32             Close HTTP server on VPN interface               No HTTP over WAN
2+6           00100010  34             Close HTTP server on LAN & VPN interfaces
4+6           00101000  40             Close HTTP server on WAN & VPN interfaces        No HTTP over WAN
2+4+6         00101010  42             Close HTTP server on LAN, WAN & VPN interfaces   No HTTP over WAN
5+6           00110000  48             Close FTP & HTTP servers on VPN interface
1+2+3+4+5+6   00111111  63             Close all protocols on all interfaces            No FTP & HTTP over WAN

 

The HTTP and FTP server ports blocked by the ClosedDevice parameter are the ones configured in the COM parameters "IpsHttpP1", "IpsHttpP2" and "IpsFtpP".

NOTE: A reboot of the device is required for the blocking of the selected service to be applied properly.

 

Block IPtoSerial services


By default, the IPtoSerial services (also known as serial gateways), such as ModbusTCP to Modbus RTU or Siemens ISOTCP to MPI, are open.
If they are not used and you want to block them on all IP interfaces, set the respective ports to 0 and reboot your device.
You can access these ports through the menu IOServers > Global Settings, through the tabular edition of the device web interface, through a config.txt configuration file pushed via FTP or USB/SD card, or through BASIC/JAVA programming.





Block Ebuddy connections

To block the Ebuddy UDP port 1507, set the COM parameter "CfgProtoDis" to 0.

 

Block USBIP Service

The USBIP Service is the service that allows you to connect USB devices remotely through Talk2m. The service uses the TCP ports starting with 6000. If you do not use it and you want to block it, simply disable it by setting the COM parameter "UsbIpEnable" to 0.
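
As an added example (not HMS/Ewon code), the following Python script audits a comcfg.txt export against the COM parameters described in this article and lists the services still reachable. It assumes the file holds one "Name:Value" pair per line; the sample content is constructed, and the IPtoSerial ports are not checked because their parameter names are not given here.

```python
# Added example: audit a comcfg.txt export against this article's settings.
# Assumption: the export holds one "Name:Value" pair per line.

# Bit masks from the ClosedDevice table (bit 1 is the least significant bit).
CLOSED_BITS = {
    ("FTP", "LAN"): 0x01, ("HTTP", "LAN"): 0x02,
    ("FTP", "WAN"): 0x04, ("HTTP", "WAN"): 0x08,
    ("FTP", "VPN"): 0x10, ("HTTP", "VPN"): 0x20,
}

def parse_comcfg(text):
    """Return {name: value} from 'Name:Value' lines; other lines are skipped."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name:
            params[name.strip()] = value.strip()
    return params

def closed_device_value(pairs):
    """Encode (service, interface) pairs as a ClosedDevice decimal value."""
    value = 0
    for pair in pairs:
        value |= CLOSED_BITS[pair]
    return value

def audit(params):
    """List the services covered by this article that remain reachable."""
    raw = params.get("ClosedDevice", "0")  # table: 0 is the default
    try:
        closed = int(raw)
    except ValueError:
        closed = -1
    if not 0 <= closed <= 63:
        return [f"ClosedDevice={raw!r} is outside the documented range 0-63"]
    # Firmware version is not considered: from FW15.0 on, the table states
    # that FTP/HTTP over WAN are removed regardless of these bits.
    findings = [f"{service} server open on {iface}"
                for (service, iface), bit in CLOSED_BITS.items()
                if not closed & bit]
    # Article: CfgProtoDis=0 blocks Ebuddy, UsbIpEnable=0 disables USBIP.
    # A missing parameter is reported, as its default is not stated here.
    if params.get("CfgProtoDis") != "0":
        findings.append("Ebuddy (UDP 1507) not blocked")
    if params.get("UsbIpEnable") != "0":
        findings.append("USBIP service not disabled")
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = "ClosedDevice:21\nCfgProtoDis:0\nUsbIpEnable:1\n"

if __name__ == "__main__":
    for finding in audit(parse_comcfg(SAMPLE)):
        print(finding)
```

With the constructed sample (ClosedDevice 21, FTP closed on all three interfaces), the audit reports the HTTP server on LAN, WAN and VPN plus the USBIP service.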