[c-nsp] Changing SSH Port on IOS

Church, Charles cchurc05 at harris.com
Mon Mar 23 09:02:06 EDT 2009


I use it on some managed routers sitting on other ISP networks.  We
allow access via the access class from the ISPs that us admins have home
accounts on, in addition to the block dedicated to the company that
manages them.  If we get more than 3 failed attempts in a 1 minute
period, it'll lock down to an ACL that allows only the corporate network
block, then unlock after 5 minutes (and the BOT has moved on).  Of
course you'll need to fine tune it for the amount of BOT traffic you've
got, etc.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
Sent: Monday, March 23, 2009 3:53 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS


Nice feature the login enhancement, but could you please share with me
what would be a good recommended setting for all the values?
On the web page they talk about using the "auto secure" command. I don't
seem to have such an option on my IOS, but I have all the others, so I
guess I'll have to set it up manually; what do you recommend?
Ziv


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Monday, March 23, 2009 5:41 AM
To: Justin Shore; Charles Wyble
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Another useful feature in newer IOSs is 'Cisco IOS login enhancements'.
We find it pretty useful.  Upon so many failed logins in a certain
timeframe, it can fall back to a more restrictive ACL, then go back to
the original after so many minutes.  
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html

Chuck 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Sunday, March 22, 2009 11:26 PM
To: Charles Wyble
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS


Agreed.  Never ever put an IOS box up on the Internet with a public IP 
without at least restricting VTY access.

We were directly targeted about 3 years ago right after I came back to 
the SP.  My predecessor hadn't implemented any VTY ACLs.  One day, 
while going through my rediscovery of the network, I started noticing 
that I couldn't get into several devices.  The list of devices I 
couldn't access grew rapidly and within an hour I couldn't log into 
anything.  The attacker pounded every piece of network gear we had from 
hundreds of remote IPs trying to guess a working userid/password combo. 
They consumed all VTYs on every device at once.  The gear was in 2 
states and spread out over many hours of driving so I couldn't visit 
much of it in person.  I spent well over a day getting everything tied 
down.  Fortunately syslog confirmed that we hadn't been compromised.

Forgetting the VTY ACL is like forgetting to check your fly before picking 
up your hot date for the big night or forgetting to turn off your cell 
phone ringer before showing up at the interview for the perfect job.

 >> #sh ip ssh
 >> SSH Enabled - version 1.99

Also, disable SSH version 1 support.  Only use SSHv2.

ip ssh version 2

Justin



Charles Wyble wrote:
> Um..... why don't you set up some ACL to limit access? It's generally ill 
> advised to run daemons with shell access directly connected to the 
> internet. :)
> 
> I use OpenVPN for all my access, and only run SSH on the private 
> interface. I realize this isn't always possible, but it is a good 
> solution.
> 
> Andy BIERLAIR wrote:
>> I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22.
>>
>> Due to too many bots hammering that well-known port, I wanted to change 
>> it to something else, but somehow I can't:

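The three controls the thread converges on (a VTY access-class so unknown sources never occupy a VTY, the IOS login enhancements quiet mode that Chuck describes, and SSHv2 only) collected into one added example configuration. This is not the configuration of any poster in the thread; the address ranges are constructed placeholders from the RFC 5737 documentation networks, the ACL names are made up, and the timer values follow Chuck's "3 failures in 1 minute, lock down for 5 minutes" description rather than any vendor recommendation.

```cisco
! Added example, not from any poster in this thread.
! All address ranges are constructed placeholders (RFC 5737 documentation
! networks); substitute your own corporate and admin-home ISP blocks.
!
! Sources allowed to reach the VTYs under normal conditions: the corporate
! management block plus the ISP ranges the admins' home accounts sit in.
ip access-list standard MGMT-NORMAL
 remark corporate management block (placeholder)
 permit 203.0.113.0 0.0.0.255
 remark admins' home ISP ranges (placeholders)
 permit 198.51.100.0 0.0.0.255
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! Sources still allowed while the router is in quiet mode: corporate only.
ip access-list standard MGMT-QUIET
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! Login enhancements: block-for <quiet seconds> attempts <n> within <seconds>.
! After 3 failed logins within 60 s the router enters quiet mode for 300 s.
! Without "login quiet-mode access-class", quiet mode rejects ALL logins,
! including yours; with it, only MGMT-QUIET sources get through.
login block-for 300 attempts 3 within 60
login quiet-mode access-class MGMT-QUIET
login delay 2
login on-failure log
login on-success log
!
! SSHv2 only (an RSA key pair must already exist: crypto key generate rsa).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 access-class MGMT-NORMAL in
 transport input ssh
 exec-timeout 10 0
!
! Verification, from exec mode:
!   show login           - block-for settings and whether quiet mode is active
!   show login failures  - recent failed attempts by source address and user
!   show ip ssh          - should now report version 2.0 rather than 1.99
```

The access-class is evaluated when the TCP session is accepted, before any authentication, so addresses outside MGMT-NORMAL never tie up a VTY at all; that is the control that would have prevented the VTY exhaustion Justin describes. The login enhancements then only ever count failures from sources the ACL already admits, which is why the quiet-mode ACL can be stricter than the normal one: a compromised or scanning host inside an admin's home ISP range locks itself out for the quiet period while the corporate block keeps working. Tune the three numbers on `login block-for` to the failure volume `show login failures` actually shows; a quiet period that is too short just re-arms as soon as a bot retries, and one that is too long locks out legitimate admins on the home ISP ranges for longer than needed.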
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/