Securing Router Management

One of the easiest and best things you can do to secure a Cisco IOS router is to exclusively enable SSH, thus preventing sniffing of the management traffic. In this day and age there is really no reason to use Telnet or any other plain text protocol for sensitive data.

First, the router needs a domain name: together with the hostname, it is used to name the RSA key pair that SSH will use.

SC#config t
SC(config)#ip domain-name startup-config.com

Warning: the following command removes the current RSA keys, so run it only if you actually want them gone. Skip this step and the next one if you want to keep using the existing RSA keys for SSH.

SC(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
SC(config)#
*Mar  1 02:57:04.715: %SSH-5-DISABLED: SSH 1.99 has been disabled
SC(config)#

Generate a new general-purpose RSA key pair; this command also enables SSH.

SC(config)#crypto key generate rsa
The name for the keys will be: SC.startup-config.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

SC(config)#
*Mar  1 03:04:18.802: %SSH-5-ENABLED: SSH 1.99 has been enabled
SC(config)#

I like to set the protocol version to 2. Version 2 is generally considered the more solid implementation of SSH, so it is the one that should be used.

SC(config)#ip ssh version 2

Set timeout to 120 seconds. (Optional)

SC(config)#ip ssh time-out 120

Set authentication retries to 4. (Optional)

SC(config)#ip ssh authentication-retries 4

Now we allow only SSH as the input transport on all VTY lines of the router.

SC(config)#line vty 0 903
SC(config-line)#transport input ssh

We can verify that Telnet is no longer accepted on our router by connecting to port 23. We can even do this right from the IOS CLI.

SC#172.16.0.1
Trying 172.16.0.1 ...
% Connection refused by remote host

SC#172.16.0.1 22
Trying 172.16.0.1, 22 ... Open
SSH-2.0-Cisco-1.25

[Connection to 172.16.0.1 closed by foreign host]
SC#

Oddly enough, show control-plane host open-ports still reports port 23 as open, owned by the Telnet service and in the LISTEN state. The listening socket stays up because transport input is enforced per VTY line when a session is accepted, not by closing the listener; the refused connection above is what confirms the restriction is working.

SC#show control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                  *:0               SSH-Server   LISTEN
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:80                  *:0                HTTP CORE   LISTEN
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
 udp                *:123                  *:0                      NTP   LISTEN

SC#
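As an added audit helper (not part of the original post), this Python script parses the show control-plane host open-ports output above, flags every listener other than SSH, and checks that a server banner like the one returned on port 22 advertises SSH-2.0 only. It assumes the command output is pasted in as text; the sample below is copied from the post.

```python
import re

# "show control-plane host open-ports" output as shown in the post above,
# embedded here so the audit runs offline.
SAMPLE_OPEN_PORTS = """\
Prot        Local Address      Foreign Address                  Service    State
 tcp                 *:22                  *:0               SSH-Server   LISTEN
 tcp                 *:23                  *:0                   Telnet   LISTEN
 tcp                 *:80                  *:0                HTTP CORE   LISTEN
 udp                 *:67                  *:0            DHCPD Receive   LISTEN
 udp                *:123                  *:0                      NTP   LISTEN
"""

# Management-plane listeners this post allows: SSH only. Anything else in
# LISTEN state is flagged for review (Telnet, HTTP, ...).
ALLOWED_LISTENERS = {("tcp", 22)}

# One table row: proto, local addr:port, foreign addr:port, service name, state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>tcp|udp)\s+\S+:(?P<lport>\d+)\s+\S+:\d+"
    r"\s+(?P<service>.+?)\s+(?P<state>\S+)\s*$")

def parse_open_ports(text):
    """Parse the open-ports table into dicts; header lines do not match and are skipped."""
    entries = []
    for m in (LINE_RE.match(line) for line in text.splitlines()):
        if m:
            entries.append({"proto": m["proto"], "port": int(m["lport"]),
                            "service": m["service"].strip(), "state": m["state"]})
    return entries

def unexpected_listeners(entries, allowed=ALLOWED_LISTENERS):
    """(proto, port, service) for every LISTEN entry not on the allow-list."""
    return [(e["proto"], e["port"], e["service"]) for e in entries
            if e["state"] == "LISTEN" and (e["proto"], e["port"]) not in allowed]

def is_ssh2_only_banner(banner):
    """True for a banner such as 'SSH-2.0-Cisco-1.25' (the post's result after
    'ip ssh version 2'); 'SSH-1.99-...' means SSH-1 is still negotiable."""
    return banner.strip().startswith("SSH-2.0-")

if __name__ == "__main__":
    for proto, port, service in unexpected_listeners(parse_open_ports(SAMPLE_OPEN_PORTS)):
        print(f"review: {service} listening on {proto}/{port}")
```

Run against the post's output it reports Telnet, HTTP CORE, DHCPD Receive and NTP for review, which matches what the open-ports listing shows after the VTY change.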
Sep 14th, 2010 • Posted in IOS, Management Plane Protection