Monday, October 2, 2017

HOWTO eliminate CBC SSH ciphers on Cisco IOS-XE

Here are a few tips for locking down SSH access. CBC ciphers should be eliminated and replaced with CTR ciphers.

On most Cisco IOS and IOS-XE devices this is quite easy to do;

( sample cfg )

config term
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip access-list standard SSHACCESS
 ! placeholder management subnet; an access-list with no permit entries denies all SSH logins
 permit 192.0.2.0 0.0.0.255

line vty 0 97
 session-timeout 10
 access-class SSHACCESS in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output none


     Use the vrf-also keyword if you are running VRFs, so the access-class also applies to SSH sessions that arrive over VRF interfaces.

To verify, run an OpenSSH client with the verbose -v switch, offer only the inferior CBC ciphers, and confirm that the device refuses them. On the device itself, show ip ssh lists the encryption algorithms currently enabled.

e.g. testing an ASR for support of a CBC cipher
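The check described above, written out as a small POSIX shell script. This is an added example and not code from the original post; it assumes an OpenSSH client on the PATH, and the user@host target is a placeholder. The sample stderr lines are constructed to match the messages an OpenSSH client prints when a cipher is refused, when it is negotiated, and when the local client itself rejects the cipher spec.

```shell
#!/bin/sh
# Added example (not from the original post): probe a device with one CBC
# cipher at a time and classify the OpenSSH "-v" output, so a verification
# run gives a clear REJECTED / NEGOTIATED answer instead of a wall of debug text.

# Constructed sample stderr lines, modelled on OpenSSH client messages.
SAMPLE_REJECTED='Unable to negotiate with 192.0.2.1 port 22: no matching cipher found. Their offer: aes256-ctr,aes192-ctr,aes128-ctr'
SAMPLE_NEGOTIATED='debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none'
SAMPLE_CLIENT_ERROR="Bad SSH2 cipher spec 'aes128-cbc'."

# classify_ssh_output <cipher> <stderr text>
# Prints REJECTED     when the server's offer did not include the cipher,
#        NEGOTIATED   when the session agreed on it (the finding you do not want),
#        CLIENT_ERROR when the local ssh refused the spec (inconclusive),
#        UNKNOWN      otherwise.
classify_ssh_output() {
    cipher=$1
    out=$2
    if printf '%s\n' "$out" | grep -q 'no matching cipher found'; then
        echo REJECTED
    elif printf '%s\n' "$out" | grep -q "server->client cipher: $cipher "; then
        echo NEGOTIATED
    elif printf '%s\n' "$out" | grep -q 'Bad SSH2 cipher spec'; then
        echo CLIENT_ERROR
    else
        echo UNKNOWN
    fi
}

# probe_cipher <user@host> <cipher>
# Runs a non-interactive ssh attempt pinned to a single cipher and classifies
# the verbose output. BatchMode suppresses password prompts; the "true" command
# keeps a successful login from doing anything on the device.
probe_cipher() {
    target=$1
    cipher=$2
    out=$(ssh -v -o BatchMode=yes -o ConnectTimeout=5 \
              -o Ciphers="$cipher" "$target" true 2>&1) || true
    classify_ssh_output "$cipher" "$out"
}

# check_cbc_list <user@host>
# Probes each legacy CBC cipher; returns 1 if any of them was negotiated.
check_cbc_list() {
    target=$1
    rc=0
    for c in aes128-cbc aes192-cbc aes256-cbc 3des-cbc; do
        result=$(probe_cipher "$target" "$c")
        echo "$c: $result"
        [ "$result" = NEGOTIATED ] && rc=1
    done
    return $rc
}

# Usage (placeholder target): check_cbc_list admin@192.0.2.1
```

Run check_cbc_list against the management address after applying the configuration; every line should read REJECTED. A CLIENT_ERROR result means the local OpenSSH build no longer ships that cipher, so the test says nothing about the device and needs an older client or a different tool.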

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \
