Thursday, December 20, 2012

changing ssh cisco IOS routers ports & hardening vty access

If you have ever had a Cisco router connected to the public internet, you know that port 22 (or even 23; please don't use telnet :) ) is constantly probed, and then countless wannabes try to brute-force or guess user/password pairs like these:

   cisco/cisco
   cisco/password
   admin/password
   admin/administrator

Okay, so how do you provide remote access to your Cisco IOS router, leave it reachable from anywhere, and still keep that access somewhat hidden?

Well, the fix is to use the  ip ssh port "port-number" rotary "rotary-group-number"  command.


Okay, simple, so let's look at the method I used. In my example I'm using port number 22022. It's an easy number to remember, and only I know the router has a listener on that port, unless it gets probed.

Yes, an attacker could port-scan my router, but most are lazy and look only for well-known ports; they will not scan all 64K ports of a typical host.

So first I crafted a vty access-class ACL named vtyacl:

step1:

     ip access-list extended vtyacl
        remark I left this open for ANY but could have restricted it to a certain network_space
        remark the port here must match the port given in the ip ssh port command
        permit tcp any any eq 22022
    !


step2:

Configure the ip ssh port command with a rotary group; this group number is applied to the vty lines later on.

        ip ssh port 22022 rotary 1

step3:

Now apply the vtyacl to your vty lines. To get an idea of the number of lines, execute the command "show run | sec line"; this shows you the line vty ranges:

  router3825#sh run | sec line
   line con 0
   line aux 0
   line 130
   no activation-character
   no exec
   transport preferred none
   transport input all
   transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

   line vty 0 4
    access-class vtyacl in
    rotary 1
    transport input ssh

   line vty 5 15
    access-class vtyacl in
    rotary 1
    transport input ssh

   line vty 16 924
    no exec
    transport input none


Notice that we have lines vty 0 through 924, and that I disabled lines vty 16-924.

I did this to allow only up to 16 sessions at one sitting. I also applied  transport input none , which really has no effect since  no exec  was enabled on these other vty lines. This is equivalent to disabling the unix getty (get teletype) function on a unix host.
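The three steps above are one procedure, and the easiest slip to make is a port number that differs between the ACL and the ip ssh port command, or a vty range that is neither hardened nor disabled. The following script is an added example, not part of this post: it parses an IOS-style config (a constructed sample is embedded, with an ACL/listener port mismatch left in on purpose) and reports where the config departs from the steps described. Block names, the sample text and the finding messages are all my own.

```python
"""Audit an IOS-style config for the vty hardening steps described above:
a non-default SSH port bound to a rotary group, an access-class ACL that
permits that same port, and vty ranges that either carry the ACL, the rotary
group and 'transport input ssh', or are fully disabled (no exec + transport
input none).  Added example, not the original post's code."""
import re

# Constructed sample mirroring the post's three steps.  The ACL permits port
# 2022 while the listener is on 22022, so the audit should flag the mismatch.
SAMPLE_CONFIG = """\
ip access-list extended vtyacl
 remark left open for ANY; could be restricted to a management prefix
 permit tcp any any eq 2022
!
ip ssh port 22022 rotary 1
!
line vty 0 4
 access-class vtyacl in
 rotary 1
 transport input ssh
line vty 5 15
 access-class vtyacl in
 rotary 1
 transport input ssh
line vty 16 924
 no exec
 transport input none
"""


def parse_blocks(config):
    """Return [(header, [child lines])]; indented lines belong to the
    preceding unindented header, '!' and blank lines end a block."""
    blocks, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = None
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif not line.startswith(" "):
            current = (line, [])
            blocks.append(current)
    return blocks


def audit(config):
    """Check the config against the hardening steps; return a summary dict."""
    blocks = parse_blocks(config)
    findings = []
    ssh_port = rotary = None
    acls = {}  # ACL name -> set of TCP destination ports it permits

    for header, children in blocks:
        m = re.fullmatch(r"ip ssh port (\d+) rotary (\d+)", header)
        if m:
            ssh_port, rotary = int(m.group(1)), int(m.group(2))
        m = re.fullmatch(r"ip access-list extended (\S+)", header)
        if m:
            ports = set()
            for child in children:
                pm = re.fullmatch(r"permit tcp .+ eq (\d+)", child)
                if pm:
                    ports.add(int(pm.group(1)))
            acls[m.group(1)] = ports

    if ssh_port is None:
        findings.append("no 'ip ssh port <port> rotary <group>' configured")
    elif ssh_port == 22:
        findings.append("SSH still listens on the default port 22")

    active = 0  # number of vty lines that can still accept a session
    for header, children in blocks:
        m = re.fullmatch(r"line vty (\d+) (\d+)", header)
        if not m:
            continue
        first, last = int(m.group(1)), int(m.group(2))
        if "no exec" in children and "transport input none" in children:
            continue  # fully disabled range, nothing else to check
        active += last - first + 1
        acl = next((c.split()[1] for c in children
                    if c.startswith("access-class ")), None)
        if acl is None:
            findings.append(f"{header}: no access-class applied")
        elif acl not in acls:
            findings.append(f"{header}: access-class {acl} is not defined")
        elif ssh_port is not None and ssh_port not in acls[acl]:
            findings.append(f"{header}: ACL {acl} does not permit tcp port {ssh_port}")
        if rotary is not None and f"rotary {rotary}" not in children:
            findings.append(f"{header}: missing 'rotary {rotary}'")
        if "transport input ssh" not in children:
            findings.append(f"{header}: transport input is not restricted to ssh")

    return {"ssh_port": ssh_port, "active_sessions": active, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print(f"ssh port {result['ssh_port']}, {result['active_sessions']} usable vty lines")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the sample, the audit reports 16 usable vty lines and two findings, one per enabled vty range, each saying that vtyacl does not permit port 22022; change the ACL's port to 22022 and the findings list is empty. Feed it the output of "show run" from a real router and it applies the same checks, though it only understands the simple forms of these commands shown in the post.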

When a 17th session tries to ssh in, the router refuses it and displays the following:


router3825>ssh -p 22022 -l kfelix 1.1.1.253
% Connection refused by remote host

router3825>


i.e. (16 sessions as user kfelix logged into this router, to show you the maximum number of users):

router3825>sh users
    Line       User       Host(s)              Idle       Location
 578 vty 0     kfelix     1.1.1.253            00:00:00 1.1.1.1
 579 vty 1     kfelix     1.1.1.253            00:00:00 1.1.1.253
 580 vty 0/0/0 kfelix     1.1.1.253            00:00:00 1.1.1.253
 581 vty 0/0/1 kfelix     1.1.1.253            00:00:03 1.1.1.253
 582 vty 4     kfelix     1.1.1.253            00:00:00 1.1.1.253
 583 vty 5     kfelix     1.1.1.253            00:00:00 1.1.1.253
 584 vty 6     kfelix     1.1.1.253            00:00:00 1.1.1.253
 585 vty 7     kfelix     1.1.1.253            00:00:00 1.1.1.253
 586 vty 8     kfelix     1.1.1.253            00:00:00 1.1.1.253
 587 vty 9     kfelix     1.1.1.253            00:00:00 1.1.1.253
 588 vty 10    kfelix     1.1.1.253            00:00:00 1.1.1.253
 589 vty 11    kfelix     1.1.1.253            00:00:00 1.1.1.253
 590 vty 12    kfelix     1.1.1.253            00:00:00 1.1.1.253
 591 vty 13    kfelix     1.1.1.253            00:00:00 1.1.1.253
 592 vty 14    kfelix     1.1.1.253            00:00:00 1.1.1.253
*593 vty 15    kfelix     idle                 00:00:04 1.1.1.253


I hope this posting was useful for hardening Cisco IOS for ssh access and changing the default ssh port. As with any ssh service, please use an RSA key with a modulus of 1024 bits or better, and always change your password on a regular basis.



Ken Felix

Freelance Network Security Engineer
kfelix  " at " hyperfeed "dot" com
