Thursday, December 20, 2012

Changing the SSH port on Cisco IOS routers & hardening vty access

If you have ever had a Cisco router connected to the public internet, you know that port 22 (or even 23; please don't use telnet :) ) is probed constantly, and then you have ten million wannabes trying to brute-force or guess user/password combinations like these:



Okay, so how do you provide remote access to your Cisco IOS router, leave it reachable from anywhere, and still keep that access somewhat hidden?

Well, the fix is to use the "ip ssh port <port-number> rotary <rotary-group-number>" command.

Okay, simple. Let's look at the method I used. In my example I'm using port number 22022. It's an easy number to remember, and only I know the router has a listener on that port, unless it gets probed.

Yes, an attacker could port-scan me, but most are lazy and look for well-known ports rather than scanning all 64K ports of a typical host. Keep in mind that this is obscurity, not security: moving the port cuts the noise in your logs, but what actually keeps people out is the access-class ACL, SSH version 2 with a strong key, and decent credentials (or AAA). Also note that the rotary command adds a listener on 22022; it is not by itself what turns port 22 off. Closing 22 is the job of the access-class ACL below, so verify from outside (for example "nmap -p 22,23,22022 <router>") that only 22022 answers after the change.

So first I crafted a vty access-class ACL named vtyacl. The port in the ACL has to match the listener configured in the next step (22022), or you lock yourself out:


     ip access-list extended vtyacl
        remark Left open to ANY source; restrict the source to your management prefix where possible
        permit tcp any any eq 22022
        remark implicit deny follows; add "deny ip any any log" if you want to see the rejected probes


Next, install the ip ssh port/rotary command and assign a rotary group number; this group number gets applied to the vty lines later on:

        ip  ssh port 22022 rotary 1


Now apply vtyacl to your vty lines. To get an idea of how many vty lines your platform has, run "show run | sec line"; it shows the vty ranges:

  router3825#sh run | sec line
   line con 0
   line aux 0
   line 130
   no activation-character
   no exec
   transport preferred none
   transport input all
   transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

  line vty 0 4
     access-class vtyacl in
     rotary 1
     transport input ssh

  line vty 5 15
      access-class vtyacl in
      rotary 1
      transport input ssh

   line vty 16 924
      no exec
      transport input none

Notice we have lines vty 0 through 924? I disabled lines vty 16 through 924.

I did this to allow at most 16 sessions at one time. I also applied transport input none on those lines together with no exec: transport input none refuses the incoming connection at the transport layer, and no exec makes sure no EXEC process is ever started on the line even if a connection were accepted, so the two together are belt and braces. This is the equivalent of disabling getty (get teletype) on a unix host.
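Pulling the steps above together, here is a complete vty hardening configuration for IOS. This is an added example, not the original post's config or the author's router: it keeps the rotary SSH port from the post and adds the companion controls a practitioner would normally deploy alongside it (SSHv2 only, a 2048-bit key, login throttling, idle timeouts, source-restricted ACL with logging). The management prefix 203.0.113.0/24, the hostname, the domain name, the key label and the "admin" user are assumptions for illustration; replace them with your own. The vty range 16 924 is the one the post's router reports; use whatever your platform shows in "show run | sec line".

```cisco
! Added example: complete IOS vty hardening around "ip ssh port ... rotary".
! Assumed values (not from the post): 203.0.113.0/24 management prefix,
! hostname/domain, key label SSH-KEY, local user "admin".
hostname router3825
ip domain-name example.com
!
! SSHv2 only, 2048-bit RSA key, short auth window, few retries
crypto key generate rsa modulus 2048 label SSH-KEY
ip ssh rsa keypair-name SSH-KEY
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Extra SSH listener on 22022 bound to rotary group 1.
! This adds a port; it does not by itself close port 22.
ip ssh port 22022 rotary 1
!
! Only the management prefix, only the rotary port. Denied attempts are logged,
! so the hit counters on the deny lines show you the probes.
ip access-list extended vtyacl
 remark management hosts to the rotary SSH port only
 permit tcp 203.0.113.0 0.0.0.255 any eq 22022
 deny   tcp any any eq 22 log
 deny   ip  any any log
!
! Slow down password guessing and log every attempt (use AAA/TACACS+ where you have it)
username admin privilege 15 secret <strong-passphrase>
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Exactly 16 usable sessions, SSH only, 10 minute idle timeout
line vty 0 15
 access-class vtyacl in
 rotary 1
 transport input ssh
 exec-timeout 10 0
 login local
!
! Remaining vty lines: refuse at the transport layer and never start an EXEC
line vty 16 924
 no exec
 transport input none
!
! Verification (exec mode) after applying:
!   show ip ssh                          -> SSH Enabled - version 2.0, 2048-bit key
!   show control-plane host open-ports   -> tcp 22022 listening; 22 must be denied by vtyacl
!   show access-lists vtyacl             -> match counts on the deny lines = probes
!   show users                           -> never more than 16 vty sessions
```

Test it from a host outside the management prefix before you close your existing session: "ssh -p 22022 admin@<router>" should be refused by the ACL from there and accepted from inside 203.0.113.0/24, and a plain port 22 connection should be refused from everywhere.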

When you try to ssh in as session #17, the router displays the following:

router3825>ssh -p 22022 -l kfelix
% Connection refused by remote host


(i.e. 16 kfelix sessions are logged into this router to show you the maximum:)

router3825>sh users
    Line       User       Host(s)              Idle       Location
 578 vty 0     kfelix            00:00:00
 579 vty 1     kfelix            00:00:00
 580 vty 0/0/0 kfelix            00:00:00
 581 vty 0/0/1 kfelix            00:00:03
 582 vty 4     kfelix            00:00:00
 583 vty 5     kfelix            00:00:00
 584 vty 6     kfelix            00:00:00
 585 vty 7     kfelix            00:00:00
 586 vty 8     kfelix            00:00:00
 587 vty 9     kfelix            00:00:00
 588 vty 10    kfelix            00:00:00
 589 vty 11    kfelix            00:00:00
 590 vty 12    kfelix            00:00:00
 591 vty 13    kfelix            00:00:00
 592 vty 14    kfelix            00:00:00
*593 vty 15    kfelix     idle                 00:00:04


I hope this posting was useful for hardening Cisco IOS SSH access and changing the default SSH port. As with any SSH service, use an RSA key with a modulus of at least 2048 bits (1024-bit keys, common when this was written, are no longer considered adequate), enable "ip ssh version 2" so SSHv1 is never negotiated, and change your password on a regular basis.


Ken Felix

Freelance Network Security Engineer
kfelix  " at " hyperfeed "dot" com
