This document describes how to block all the unused services/servers like HTTP, FTP, IPtoSerial,... on an Ewon Flexy/Cosy131 device.
This can be needed when, for instance, HTTP and FTP servers cannot be used onsite because not matching the onsite security policies.
APPLICABLE PRODUCTS
Ewon : Flexy
Ewon : Cosy131
IN THIS ARTICLE
Block HTTP & FTP servers
For this, first make sure your device runs the firmware 14.9 or above.
From this version, a new COM parameter is available called "ClosedDevice".
You can access it either by using the tabular edition of the device web interface, by a comcfg.txt configuration file pushed via FTP or USB/SD card or through BASIC/JAVA programming.
The ClosedDevice parameter is a bitwise value that allows you to block the access to the web server (HTTP) and or the FTP server on the different Ewon IP interfaces (LAN, WAN & VPN).
Here is the table of the possible values :
| Bit settings |
Decimal value |
Description |
Behavior change from FW15.0 on |
|
| Bits | Byte | |||
| 0 | 00000000 | 0 | No additional protection (default) | |
| 1 | 00000001 | 1 | Close FTP Server on LAN interface | |
| 2 | 00000010 | 2 | Close HTTP Server on LAN interface | |
| 1+2 | 00000011 | 3 | Close FTP and HTTP Servers on LAN interface | |
| 3 | 00000100 | 4 | Close FTP server on WAN interface | No FTP over WAN |
| 1+3 | 00000101 | 5 | Close FTP server on LAN & WAN interfaces | No FTP over WAN |
| 4 | 00001000 | 8 | Close HTTP server on WAN interface | No HTTP over WAN |
| 2+4 | 00001010 | 10 | Close HTTP server on LAN and WAN interfaces | No HTTP over WAN |
| 3+4 | 00001100 | 12 | Close FTP & HTTP servers on WAN interface | No FTP & HTTP over WAN |
| 5 | 00010000 | 16 | Close FTP server on VPN interface | |
| 1+5 | 00010001 | 17 | Close FTP server on LAN & VPN interfaces | |
| 3+5 | 00010100 | 20 | Close FTP server on WAN & VPN interfaces | No FTP over WAN |
| 1+3+5 | 00010101 | 21 | Close FTP server on LAN, WAN & VPN interfaces | No FTP over WAN |
| 6 | 00100000 | 32 | Close HTTP server on VPN interface | No HTTP over WAN |
| 2+6 | 00100010 | 34 | Close HTTP server on LAN & VPN interfaces | |
| 4+6 | 00101000 | 40 | Close HTTP server on WAN & VPN interfaces | No HTTP over WAN |
| 2+4+6 | 00101010 | 42 | Close HTTP server on LAN, WAN & VPN interfaces | No HTTP over WAN |
| 5+6 | 00110000 | 48 | Close FTP & HTTP servers on VPN interface | |
| 1+2+3+ 4+5+6 |
00111111 | 63 | Close all protocols on all interfaces | No FTP & HTTP over WAN |
The HTTP & FTP servers ports blocked by the ClosedDevice parameters are the ones configured in the COM parameters "IpsHttpP1", "IpsHttpP2" and "IpsFtpP"
NOTE : A reboot of the device is required to apply properly the blocking of the selected service.
Block IPtoSerial services
By default, the IptoSerial (aka Serial gateways) services like ModbusTCP to Modbus RTU, Siemens ISOTCP to MPI,... are opened.
If there are not used and you want to block them on all IP interfaces, just set the respective ports to 0 and reboot your device.
You can access it either through the menu IOServers > Global Settings or via the tabular edition of the device web interface, by a config.txt configuration file pushed via FTP or USB/SD card or through BASIC/JAVA programming
Block Ebuddy connections
To block the Ebuddy UDP port 1507, you can set the COM parameter "CfgProtoDis" to 0