[c-nsp] Changing SSH Port on IOS
Church, Charles
cchurc05 at harris.com
Sun Mar 22 23:40:54 EDT 2009
Another useful feature in newer IOSs is 'Cisco IOS login enhancements'.
We find it pretty useful. Upon so many failed logins in a certain
timeframe, it can fall back to a more restrictive ACL, then go back to
the original after so many minutes.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html
Chuck
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Sunday, March 22, 2009 11:26 PM
To: Charles Wyble
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS
Agreed. Never ever put an IOS box up on the Internet with a public IP
without at least restricting VTY access.
We were directly targeted about 3 years ago right after I came back to
the SP. My predecessor hadn't implemented any VTY ACLs. One day,
while going through my rediscovery of the network, I started noticing
that I couldn't get into several devices. The list of devices I
couldn't access grew rapidly and within an hour I couldn't log into
anything. The attacker pounded every piece of network gear we had from
hundreds of remote IPs trying to guess a working userid/password combo.
They consumed all VTYs on every device at once. The gear was in 2
states and spread out over many hours of driving so I couldn't visit
much of it in person. I spent well over a day getting everything tied
down. Fortunately syslog confirmed that we hadn't been compromised.
Forgetting the VTY ACL is like forgetting to check your fly before picking
up your hot date for the big night or forgetting to turn off your cell
phone ringer before showing up at the interview for the perfect job.
>> #sh ip ssh
>> SSH Enabled - version 1.99
Also, disable SSH version 1 support. Only use SSHv2.
ip ssh version 2
Justin
Charles Wyble wrote:
> Um..... why don't you set up some ACL to limit access? It's generally
> ill-advised to run daemons with shell access directly connected to the
> internet. :)
>
> I use OpenVPN for all my access, and only run SSH on the private
> interface. I realize this isn't always possible, but is a good
> solution.
>
> Andy BIERLAIR wrote:
>> I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22.
>>
>> Due to too many bots hammering that well-known port, I wanted to change
>> it to something else, but somehow I can't:
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
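The three controls recommended across this thread (a VTY access-class, SSHv2 only, and the IOS login enhancements with a quiet-mode fallback ACL) combined into one IOS configuration. This is an added example, not configuration posted by anyone in the thread; the management subnet 10.0.0.0/24, the host 10.0.0.10, the ACL names MGMT-ACCESS and MGMT-QUIET, and the timer values are assumed placeholders, and support for `login block-for` depends on the IOS release running on the box.

```ios
! Added example (not from the thread). Assumed placeholders:
! management hosts in 10.0.0.0/24, a single out-of-band host 10.0.0.10,
! and the ACL names MGMT-ACCESS / MGMT-QUIET.
!
! 1. SSHv2 only (the "ip ssh version 2" Justin recommends)
ip ssh version 2
!
! 2. VTY ACL: only management hosts ever reach the login prompt
ip access-list standard MGMT-ACCESS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! 3. Login enhancements: after 3 failures within 60 s the box enters
!    quiet mode for 120 s. During quiet mode only hosts matched by the
!    quiet-mode ACL may connect (the "more restrictive ACL" Chuck
!    describes); with no quiet-mode ACL configured, every login is
!    refused for the whole quiet period, so keep one reachable host in it.
ip access-list standard MGMT-QUIET
 permit host 10.0.0.10
login block-for 120 attempts 3 within 60
login quiet-mode access-class MGMT-QUIET
login delay 2
login on-failure log
login on-success log
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
 logging synchronous
```

Verify with `show ip ssh` (version should read 2, not 1.99) and `show login`, which reports whether the router is currently in quiet mode and the configured thresholds. Extend the `line vty` range so that every VTY the platform exposes (`show line`) carries the access-class; an ACL on `vty 0 4` alone leaves any higher-numbered VTYs open, which is exactly the exhaustion scenario Justin describes.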