Monday, October 2, 2017

HOWTO eliminate CBC ssh ciphers cisco IOS-XE

To lock down SSH access, here are a few tips for execution. CBC ciphers should be eliminated and replaced with CTR ciphers.

On various Cisco IOS devices this is quite easy to do;

( sample cfg )

config term
ip ssh logging events
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
!
ip access-list standard SSHACCESS
 permit 10.13.1.0 0.0.0.255
 permit 10.12.22.0 0.0.0.255
 remark " PLACE MANAGEMENT NETWORKS HERE"
!
line vty 0 97
 session-timeout 10
 access-class SSHACCESS in vrf-also
 exec-timeout 30 0
 logging synchronous
 length 0
 transport input ssh
 transport output none


Use the vrf-also keyword if you are running VRFs, so the access-class also applies to SSH sessions arriving through a VRF.


Run an OpenSSH client with the verbose -v switch, offer the inferior CBC ciphers, and ensure they are not allowed.


e.g. testing an ASR for support of a CBC cipher
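The check above, as an added example that is not part of the original post: a small POSIX shell script that tries each CBC cipher with the OpenSSH client and classifies what the device answered. The host and username are placeholders you supply on the command line, and the two sample outputs embedded in it are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): verify from an OpenSSH client
# that a device configured as above rejects CBC ciphers and only offers CTR.
# HOST and USER are placeholders supplied on the command line.

# Classify the output of 'ssh -v -c <cipher>' into one of:
#   rejected - server offered no matching cipher (the desired result for CBC)
#   accepted - the cipher was negotiated (the device still allows it)
#   unknown  - anything else (client lacks the cipher, timeout, auth error)
classify_ssh_output() {
    case "$1" in
        *"no matching cipher found"*) echo rejected ;;
        *"kex: server->client"*)      echo accepted ;;
        *)                            echo unknown ;;
    esac
}

# Extract the cipher list the server offered from a rejection message
server_offer() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: //p'
}

# Constructed sample of a rejection, as a modern OpenSSH client prints it
SAMPLE_REJECT='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
Unable to negotiate with 10.13.1.1 port 22: no matching cipher found. Their offer: aes256-ctr,aes192-ctr,aes128-ctr'

# Constructed sample of a successful negotiation (what you do NOT want for CBC)
SAMPLE_ACCEPT='debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client cipher: aes128-cbc MAC: hmac-sha1 compression: none'

# Live check: try each CBC cipher against HOST; returns 1 if any is accepted.
# BatchMode avoids password prompts; a short ConnectTimeout keeps the loop fast.
check_cbc() {
    host="$1"; user="${2:-admin}"; bad=0
    for c in aes128-cbc aes192-cbc aes256-cbc 3des-cbc; do
        out=$(ssh -v -o BatchMode=yes -o ConnectTimeout=5 -c "$c" \
                  "$user@$host" 2>&1 </dev/null) || true
        verdict=$(classify_ssh_output "$out")
        printf '%-12s %s\n' "$c" "$verdict"
        if [ "$verdict" = accepted ]; then bad=1; fi
    done
    return "$bad"
}

# Usage: sh check_cbc.sh <HOST> [USER]
if [ $# -ge 1 ]; then
    check_cbc "$@"
fi
```

A non-zero exit from the script means at least one CBC cipher was still negotiated, which is the condition to alert on after the change.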

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 


        /  \
