[c-nsp] Changing SSH Port on IOS
Justin Shore
justin at justinshore.com
Sun Mar 22 23:25:43 EDT 2009
Agreed. Never ever put an IOS box up on the Internet with a public IP
without at least restricting VTY access.
We were directly targeted about 3 years ago right after I came back to
the SP. My predecessor hadn't implemented any VTY ACLs. One day, while
going through my rediscovery of the network, I started noticing
that I couldn't get into several devices. The list of devices I
couldn't access grew rapidly and within an hour I couldn't log into
anything. The attacker pounded every piece of network gear we had from
hundreds of remote IPs trying to guess a working userid/password combo.
They consumed all VTYs on every device at once. The gear was in 2
states and spread out over many hours of driving so I couldn't visit
much of it in person. I spent well over a day getting everything tied
down. Fortunately syslog confirmed that we hadn't been compromised.
Forgetting the VTY ACL is like forgetting to check your fly before picking
up your hot date for the big night or forgetting to turn off your cell
phone ringer before showing up at the interview for the perfect job.
>> #sh ip ssh
>> SSH Enabled - version 1.99
Also, disable SSH version 1 support. Only use SSHv2.
ip ssh version 2
Justin
Charles Wyble wrote:
> Um..... why don't you set up some ACL to limit access? It's generally ill
> advised to run daemons with shell access directly connected to the
> internet. :)
>
> I use OpenVPN for all my access, and only run SSH on the private
> interface. I realize this isn't always possible, but is a good solution.
>
> Andy BIERLAIR wrote:
>> I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22.
>>
>> Due to too many bots hammering that well-known port, I wanted to change
>> it to something else, but somehow I can't:
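The two controls Justin describes, a VTY access-class so only management addresses can reach the line, and forcing SSHv2, as an added IOS configuration example that is not part of the original thread. The management prefix 192.0.2.0/24 is a documentation placeholder; substitute your own. Command syntax follows classic IOS and is not specific to the SXF image mentioned above.

```ios
! --- Weak (as found on an unhardened box): any source can reach the VTYs,
!     telnet is still accepted, and "SSH Enabled - version 1.99" means the
!     server negotiates SSHv1 as well as SSHv2.
line vty 0 4
 login local
 transport input all

! --- Hardened: restrict VTY sources, allow only SSH, and pin SSHv2.
! Management hosts permitted to open a VTY (placeholder prefix).
access-list 10 remark MGMT-VTY-SOURCES
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log

! Apply the ACL to every VTY line (adjust the range to what the platform
! actually has, e.g. "line vty 0 15" where more lines exist).
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0

! Refuse SSHv1 negotiation; "sh ip ssh" should then report version 2.0,
! not 1.99.
ip ssh version 2
```

After applying, verify from a permitted host that SSH still works and from a non-permitted host that the connection is refused and a deny hit is logged on access-list 10; the `log` keyword on the deny entry gives you the same kind of syslog evidence Justin relied on to confirm nobody got in.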