Here's the bare minimum that you should do when securing SSH on a Cisco router, and for an interface that must face the untrusted internet:
1: Set the version to sshv2
ip ssh version 2
2: specify a minimum Diffie-Hellman group (dhgrp) size of 2K or 4K bits
ip ssh dh min size 2048
3: define an RSA key size of at least 2K bits
router#crypto key generate rsa
% You already have RSA keys defined named router.mydomain.com
% Do you really want to replace them? [yes/no]: yes
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Once you have all this done, you should set a trusted-host ACL for inbound SSH access, permitting only the networks you deem trustworthy.
config t
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 1.1.1.1
access-list 10 permit host 1.1.1.2
!
!
!
line vty 0 15
access-class 10 in
transport input ssh
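To check a saved copy of `show running-config` against the items above, here is an added Python audit script; it is not from the original post and not a Cisco tool. It assumes the config was saved as plain text, and it cannot see the RSA modulus (that lives outside the running-config), so the key size still has to be verified on the box.

```python
import re

# Constructed sample of an IOS running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
ip ssh version 2
ip ssh dh min size 2048
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 1.1.1.1
access-list 10 permit host 1.1.1.2
!
line vty 0 15
 access-class 10 in
 transport input ssh
"""

def audit_ssh_config(config: str, min_dh_bits: int = 2048) -> dict:
    """Return {check: True/False} for the SSH hardening items in the post.
    The RSA modulus is not in the running-config, so it is not checked here."""
    lines = config.splitlines()
    stripped = [l.strip() for l in lines]
    results = {"ssh_version_2": "ip ssh version 2" in stripped, "dh_min_size": False}
    for s in stripped:
        m = re.fullmatch(r"ip ssh dh min size (\d+)", s)
        if m:
            results["dh_min_size"] = int(m.group(1)) >= min_dh_bits
    # Collect the body of every 'line vty' block; a block ends at the next
    # non-indented line (IOS writes '!' or the next top-level command there).
    vty_blocks, current = [], None
    for l in lines:
        if l.startswith("line vty"):
            current = []
            vty_blocks.append(current)
        elif current is not None and l.startswith(" "):
            current.append(l.strip())
        else:
            current = None
    # Every vty block must apply an inbound access-class that is actually
    # defined with a permit entry, and must allow only SSH as transport.
    acl_ok = ssh_ok = defined_ok = bool(vty_blocks)
    for block in vty_blocks:
        acl = next((m.group(1) for s in block
                    if (m := re.fullmatch(r"access-class (\S+) in", s))), None)
        acl_ok &= acl is not None
        ssh_ok &= "transport input ssh" in block
        defined_ok &= acl is not None and any(
            s.startswith(f"access-list {acl} permit") for s in stripped)
    results.update(vty_acl_applied=acl_ok, vty_ssh_only=ssh_ok,
                   vty_acl_defined=defined_ok)
    return results
```

A config with no `line vty` block at all fails the vty checks, since an unrestricted default is the condition the ACL step is meant to remove.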
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \