If you have ever had a Cisco router connected to the public internet, you know that port 22, or even 23, is constantly probed (please don't use telnet :) ), and then you have ten million wannabes trying to brute-force or guess user/password combinations like these:
e.g.:
cisco/cisco
cisco/password
admin/password
admin/administrator
Okay, so how do you provide remote access to your Cisco IOS router and allow it to be reachable from anywhere, but with some degree of hidden access?
Well, the fix is to use the ip ssh port <port-number> rotary <rotary-group-number> command.
Okay, simple. So let's look at the method that I used. In my example, I'm using port number 22022. It's an easy number to remember, and only I know the router has a listener on that port, unless it gets probed.
Yes, an attacker could port-scan me, but most are lazy and will look only for well-known ports, and will not scan all 64K ports of a typical host.
So first I crafted a vty access-class ACL named vtyacl:
step1:
ip access-list extended vtyacl
 remark I left this open for ANY but could have restricted this to a certain network space
 permit tcp any any eq 22022
!
step2:
Configure the ip ssh rotary command and assign a group; this group number will be applied to the vty lines later on.
ip ssh port 22022 rotary 1
step3:
Now apply the vtyacl to your vty lines. To get an idea of the number of lines, execute the command "show run | sec line", which will show you the line vty ranges:
router3825#sh run | sec line
line con 0
line aux 0
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class vtyacl in
 rotary 1
 transport input ssh
line vty 5 15
 access-class vtyacl in
 rotary 1
 transport input ssh
line vty 16 924
 no exec
 transport input none
Notice that we have lines vty 0 through 924, and that I disabled lines vty 16-924.
I did this to only allow up to 16 sessions at one sitting. I also applied transport input none, which really has no effect since no exec was enabled on those other VTY lines. This is equivalent to the unix getty (get teletype) function being disabled on a unix host.
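As an added example (not from the original post), here is a small Python check that reads a saved running-config and verifies that the three steps above agree with each other: every exec-capable vty line has an access-class applied, and the port that ACL permits matches the port configured with ip ssh port ... rotary. The config text below is constructed for the example, with the ACL deliberately permitting a different port than the rotary listener so the check has something to report.

```python
import re

# Constructed sample (not a real router): the page's three steps as one config excerpt,
# with the ACL permitting a different port than the rotary listener so the check finds it.
SAMPLE_CONFIG = """\
ip access-list extended vtyacl
 permit tcp any any eq 2022
ip ssh port 22022 rotary 1
line vty 0 4
 access-class vtyacl in
 rotary 1
line vty 16 924
 no exec
 transport input none
"""

def parse_config(text):
    rotary_ports, acl_ports, vty, section = {}, {}, [], None  # group->port, acl->ports, vty blocks
    for line in text.splitlines():
        cmd = line.strip()
        if m := re.match(r'ip ssh port (\d+) rotary (\d+)', line):
            rotary_ports[int(m[2])] = int(m[1]); section = None
        elif m := re.match(r'ip access-list extended (\S+)', line):
            acl_ports[m[1]] = set(); section = ('acl', m[1])
        elif m := re.match(r'line vty (\d+) (\d+)', line):
            vty.append({'range': f'vty {m[1]} {m[2]}', 'rotary': None, 'acl': None, 'exec': True})
            section = ('vty', vty[-1])
        elif not line.startswith(' '):
            section = None                      # some other top-level command
        elif section and section[0] == 'acl':
            if m := re.match(r'permit tcp .* eq (\d+)$', cmd): acl_ports[section[1]].add(int(m[1]))
        elif section:                           # sub-command of a line vty block
            blk = section[1]
            if m := re.match(r'rotary (\d+)', cmd): blk['rotary'] = int(m[1])
            if m := re.match(r'access-class (\S+) in', cmd): blk['acl'] = m[1]
            if cmd == 'no exec': blk['exec'] = False
    return rotary_ports, acl_ports, vty

def audit(text):
    rotary_ports, acl_ports, vty = parse_config(text)
    findings = []                               # empty list means the three steps agree
    for b in (b for b in vty if b['exec']):     # 'no exec' lines never take a session
        if b['acl'] is None:
            findings.append(f"{b['range']}: no access-class applied")
            continue
        port = rotary_ports.get(b['rotary'])
        if port is not None and port not in acl_ports.get(b['acl'], set()):
            findings.append(f"{b['range']}: {b['acl']} permits {sorted(acl_ports[b['acl']])}"
                            f" but rotary {b['rotary']} listens on {port}")
    return findings
```

Feed it the output of "show running-config" saved to a file; an empty result means the ACL port, the rotary port and the vty lines are consistent.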
When you try to ssh in as session #17, the router will display the following:
router3825>ssh -p 22022 -l kfelix 1.1.1.253
% Connection refused by remote host
router3825>
i.e. (16 kfelix sessions logged into this router, to show you the max users)
router3825>sh users
     Line        User     Host(s)      Idle      Location
  578 vty 0      kfelix   1.1.1.253    00:00:00  1.1.1.1
  579 vty 1      kfelix   1.1.1.253    00:00:00  1.1.1.253
  580 vty 0/0/0  kfelix   1.1.1.253    00:00:00  1.1.1.253
  581 vty 0/0/1  kfelix   1.1.1.253    00:00:03  1.1.1.253
  582 vty 4      kfelix   1.1.1.253    00:00:00  1.1.1.253
  583 vty 5      kfelix   1.1.1.253    00:00:00  1.1.1.253
  584 vty 6      kfelix   1.1.1.253    00:00:00  1.1.1.253
  585 vty 7      kfelix   1.1.1.253    00:00:00  1.1.1.253
  586 vty 8      kfelix   1.1.1.253    00:00:00  1.1.1.253
  587 vty 9      kfelix   1.1.1.253    00:00:00  1.1.1.253
  588 vty 10     kfelix   1.1.1.253    00:00:00  1.1.1.253
  589 vty 11     kfelix   1.1.1.253    00:00:00  1.1.1.253
  590 vty 12     kfelix   1.1.1.253    00:00:00  1.1.1.253
  591 vty 13     kfelix   1.1.1.253    00:00:00  1.1.1.253
  592 vty 14     kfelix   1.1.1.253    00:00:00  1.1.1.253
 *593 vty 15     kfelix   idle         00:00:04  1.1.1.253
I hope this posting was useful for hardening Cisco IOS for ssh access and changing the default ssh port. As with any ssh service, please use an RSA key with a modulus of 1024 bits or better, and always change your password on a regular basis.
Ken Felix
Freelance Network Security Engineer
kfelix " at " hyperfeed "dot" com