Monday, February 8, 2016

How to configure SSH for maximum security within IOS. Cisco has started to include not only the ability to select the SSH version (version 2 is the default, by the way, for most platforms) but also the ability to set the RSA key size and the minimum DH group (DHGRP) size.

Here's the bare minimum you should do when securing SSH on a Cisco router, particularly on an interface that must face the untrusted internet:

1: Set the version to SSHv2

ip ssh version 2

2: Specify a minimum DH group size of 2K or 4K bits

ip ssh dh min size 2048

3: Define an RSA key size of at least 2K bits

router#crypto key generate  rsa
% You already have RSA keys defined named
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

Once you have all this done, set a trusted-host ACL for inbound SSH access, permitting only the networks you deem trustworthy.

config t

access-list 10 permit
access-list 10 permit  host
access-list 10 permit  host
line vty 0 15
 access-class 10 in
 transport input ssh
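As an added example (not from the original post), a small Python auditor that reads a saved IOS running-config and flags anything that falls short of steps 1 and 2 and the vty access-class above. The two sample configs are constructed; the RSA modulus chosen in step 3 is not a running-config line, so it is not checked here.

```python
# Constructed sample configs (not from a real device): one weak, one hardened.
WEAK_CONFIG = """\
ip ssh version 1
ip ssh dh min size 1024
access-list 10 permit any
line vty 0 4
 access-class 10 in
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""
HARDENED_CONFIG = """\
ip ssh version 2
ip ssh dh min size 2048
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 198.51.100.7
line vty 0 15
 access-class 10 in
 transport input ssh
"""

def audit_ssh_config(config: str) -> list:
    """Findings where a running-config misses the post's hardening; [] = all good."""
    findings, lines = [], [l.rstrip() for l in config.splitlines()]
    # 1: SSH protocol version pinned to 2 (unset leaves v1 negotiable).
    if "ip ssh version 2" not in lines:
        findings.append("ssh version not pinned to 2")
    # 2: Diffie-Hellman minimum modulus of at least 2048 bits.
    dh = [int(l.split()[-1]) for l in lines if l.startswith("ip ssh dh min size ")]
    if not dh or dh[0] < 2048:
        findings.append(f"dh min size is {dh[0] if dh else 'default'}, need >= 2048")
    # 3: group each 'line vty' block with its indented sub-commands.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line vty"):
            current, blocks[l] = l, []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    # 4: each vty block needs a non-'permit any' inbound access-class and ssh-only transport.
    for name, cmds in blocks.items():
        acl = [c.split()[1] for c in cmds if c.startswith("access-class ") and c.endswith(" in")]
        if not acl:
            findings.append(f"{name}: no inbound access-class")
        elif f"access-list {acl[0]} permit any" in lines:
            findings.append(f"{name}: access-list {acl[0]} permits any source")
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not ssh-only")
    return findings
```

Feed it the output of `show running-config` saved to a file; a non-empty list is the to-do list for that device.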

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \
