Monday, February 8, 2016

How to configure SSH for maximum security within IOS. Cisco has started to include not only the ability to select the SSH version (version 2 is the default, by the way, on most devices) but also the ability to set the RSA key size and the DH group.


Here's the bare minimum you should do when securing SSH on a Cisco router, and on any interface that must face the untrusted internet:

1: Set the version to sshv2

ip ssh version 2

2: specify the DH group size with a minimum of 2K or 4K bits

ip ssh dh min size 2048


3: define an RSA key size of at least 2K bits

router#crypto key generate  rsa
% You already have RSA keys defined named  router.mydomain.com
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)


Once you have all of this done, you should set a trusted-host ACL for inbound SSH access, permitting only the networks you deem trustworthy.

config t

access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 1.1.1.1
access-list 10 permit host 1.1.1.2
!
!
!
line vty 0 15
 access-class 10 in
 transport input ssh
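As an added example (not from the post, and not a Cisco tool), here is a small Python audit that checks exported `show running-config` text, plus the message `crypto key generate rsa` prints, against the four items above: SSHv2 only, DH minimum of 2048 bits, an RSA modulus of at least 2048 bits, and a vty stanza with an inbound access-class and SSH as the only transport. The sample config and key-generation line are constructed for the example.

```python
import re

# Constructed sample (not from the post): SSH and VTY lines of a hardened running-config.
SAMPLE_CONFIG = """\
ip ssh version 2
ip ssh dh min size 2048
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 1.1.1.1
line vty 0 15
 access-class 10 in
 transport input ssh
"""
# Constructed copy of the line `crypto key generate rsa` prints.
SAMPLE_KEYGEN = "% Generating 2048 bit RSA keys, keys will be non-exportable..."
MIN_BITS = 2048  # the post's floor for both the DH group and the RSA modulus

def rsa_bits_from_keygen(text):
    """Modulus size announced by `crypto key generate rsa`, or None."""
    m = re.search(r"Generating (\d+) bit RSA keys", text)
    return int(m.group(1)) if m else None

def _vty_blocks(config):
    """Each `line vty ...` block as a list of its indented lines, stripped."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def audit_ssh_config(config, rsa_bits):
    """Return {check: passed} for the post's four items. A missing setting
    counts as a failure, because the IOS default is the weaker choice."""
    result = {"sshv2_only": re.search(r"^ip ssh version 2$", config, re.M) is not None}
    dh = re.search(r"^ip ssh dh min size (\d+)$", config, re.M)
    result["dh_min_2048"] = bool(dh) and int(dh.group(1)) >= MIN_BITS
    result["rsa_key_2048"] = rsa_bits is not None and rsa_bits >= MIN_BITS
    blocks = _vty_blocks(config)
    vty_ok = bool(blocks)  # no vty stanza at all: nothing restricts access
    for block in blocks:
        acls = [l.split()[1] for l in block if re.fullmatch(r"access-class \S+ in", l)]
        # the ACL must be applied inbound and actually be defined in the config
        defined = bool(acls) and re.search(rf"^(ip access-list \w+ |access-list ){re.escape(acls[0])}\b", config, re.M)
        vty_ok = vty_ok and bool(defined) and "transport input ssh" in block
    result["vty_acl_and_ssh_only"] = vty_ok
    return result
```

Run it against a config pulled from each internet-facing router; any False in the returned dict is one of the four items still at its default.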




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \


