Network Guy:
Who keeps their router's SSH port open? My 1841 is apparently falling victim to a dictionary attack via SSH. I happened to check the NAT statistics and saw there's an IP address from China making a large number of inbound connections to my router via SSH.
Yes, I have SSH open for my convenience. Apparently, I probably should only SSH into my router via VPN.
Who keeps their router's SSH port open to the world?

statestress:
No access lists?

Network Guy:
Yes. I only allow the local internal subnet and one IP address from my job to access all VTY lines.
The only thing that worries me is that in order to get the ACL to work I had to allow to any that equals 22 and apply it inbound to the VTY lines. I wanted to specify an IP address in the destination but as far as I know, you can't set an IP address to a VTY line.

Network Guy (reply to state):
Doh! I checked the VTY lines. I created the ACL but forgot to set it to the lines.
The script kiddie from China is no longer in my NAT statistics table.

cramer (reply to Network Guy):
I do when I'm bored. And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.
(Generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)

DaSneaky1 (reply to Network Guy):
Nothing wrong with leaving it open to the world. You just have to keep a proper access list.
It'll be much safer if you only allow a specific range of IPs access to the router(s).

Network Guy (reply to cramer):
said by cramer:
    I do when I'm bored. And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.
    (Generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)
I should do this for kicks. My 1841 at home isn't all that busy as it is.

TomS_:
I'm thinking the same thing. My FreeBSD box is constantly being "attacked" from all over the place. This could be quite amusing.

(reply to Network Guy)
I do. Control Plane Policing gets a lot of the ones set to connect at too high a rate, though I should probably retune my thresholds lower now.
Are you logging your SSH attempts? Ones that just don't get the hint I nullroute to the bit bucket (and their subnet too) for a very permanent solution. Sending emails to their ISP's abuse address is the highlight of the day.
@cramer I'll have to try your idea as well and see how it goes.
Regards

jh2010 (reply to Network Guy):
If you leave SSH open to the Internet, then it is possible to get DoS'ed if all lines are kept open. You will not be able to log in (except via the console).

nosx:
For SSH it's simpler to avoid scans by using the rotary feature to move SSH to a new port other than 22.
Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next, say, 60 seconds (dynamic ACL knock entry). This is useful to prevent scanning/attack of hosts behind your router that you may want to NAT to SSH/RDP/VNC/whatever.

    ! SSH listens on TCP 2222 and is tied to rotary group 1 (the VTY lines carry "rotary 1")
    ip ssh port 2222 rotary 1
    ! the knock account; $1$whatever stands in for the real type 5 secret
    username knock secret 5 $1$whatever
    ! logging in as "knock" runs access-enable, which activates the dynamic entry below
    ! for the connecting host only, with a 1 minute idle timeout, then the session ends
    username knock autocommand access-enable host timeout 1
    ! inbound WAN ACL (its interface binding is not shown in the post)
    ip access-list extended ACL_PROTECT_WAN_IN
     dynamic knock permit tcp any any eq 3389 22 log-input
     deny ip any any

@jh2010 I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like, plus the logfiles to back it up.... fun times indeed.
@nosx Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before. But it looks interesting...
Regards

(reply to Network Guy)
If you are being attacked you need to set up some ACLs.
This is a sample from one of my routers. We have a /24 that is used for our support group, management servers, SNMP, etc. So I just created a single ACL for everything like SSH, SNMP etc. and then allow access only from that one /24.

    access-list 50 remark remote-access
    access-list 50 permit 216.x.x.0 0.0.0.255
    access-list 50 deny any

    line vty 0 4
     access-class 50 in
     exec-timeout 120 0

Network Guy:
The attacks seem to be done and over with from what I can see in the NAT stats and the ACL lists. I set up this 1841 last week for the first time ever. I created the ACL keeping in mind that if I opened 22 over the WAN it would equate to hanging meat for the piranhas, but I forgot to apply it to the VTY lines.
What I should do is log any attempts that match the ACL rules applied to the VTY lines just to see what's going on.
So far from what I can see, it's been relatively quiet.

    Extended IP access list 100
        10 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7 (4272 matches)
        20 permit ip 10.17.12.0 0.0.0.255 any (38774 matches)
    Extended IP access list 101
    ---- This is the one applied to VTY lines ----
        10 permit tcp host xxx any eq 22 (8 matches)
    ---- This is for my access from work ----
        20 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (4 matches)
        30 deny ip any any (39 matches)
    Extended IP access list 110
        5 permit tcp 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
        10 permit ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
    router#

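Added example, not from the thread: a small Python parser for "show ip access-lists"-style output like the listing above, used to watch how the deny counter on the VTY ACL grows between two snapshots (the "log any attempts that match" idea without needing the log keyword). The two snapshots are constructed, with 203.0.113.10 standing in for the work host.

```python
import re

# Constructed snapshots in the format of IOS "show ip access-lists" output (not real data).
SNAPSHOT_BEFORE = """\
Extended IP access list 101
    10 permit tcp host 203.0.113.10 any eq 22 (8 matches)
    20 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (4 matches)
    30 deny ip any any (39 matches)
"""
SNAPSHOT_AFTER = """\
Extended IP access list 101
    10 permit tcp host 203.0.113.10 any eq 22 (9 matches)
    20 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (4 matches)
    30 deny ip any any (412 matches)
"""

HEADER_RE = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# sequence number, action, rule text, optional "(N matches)" counter
ENTRY_RE = re.compile(r"^\s+(\d+) (permit|deny) (.*?)(?: \((\d+) matches\))?$")


def parse_access_lists(text):
    """Return {acl_name: {seq: (action, rule, matches)}}; absent counters count as 0."""
    acls, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = acls.setdefault(m.group(1), {})
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            seq, action, rule, hits = m.groups()
            current[int(seq)] = (action, rule, int(hits or 0))
    return acls


def deny_growth(before, after, acl):
    """New hits on the deny entries of `acl` between two snapshots."""
    b = parse_access_lists(before).get(acl, {})
    a = parse_access_lists(after).get(acl, {})
    return sum(a[s][2] - b.get(s, (None, None, 0))[2] for s in a if a[s][0] == "deny")


def alert(before, after, acl, threshold):
    """True when blocked VTY connections grew by at least `threshold` since the last check."""
    return deny_growth(before, after, acl) >= threshold
```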
(reply to Network Guy)
Another option is to enable some of the enhanced security features mentioned in this document.
Basically these features allow you to deny logins after a certain number of failed logins as well as insert a delay between login attempts.
The quiet mode can be accomplished with the command:

    login block-for X attempts Y within Z

An access-list can also be created that allows logins from certain network(s) during the quiet-mode time. The configuration for this looks like:

    login quiet-mode access-class ACL

The delay is accomplished with the command:

    login delay X

I wrote a blog post about this as well if you're looking for a slightly more wordy version.

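Added example, not the poster's or Cisco's code: a Python model of how the three commands above interact as the post describes them (X seconds of quiet mode after Y failed logins within Z seconds, sources matching the quiet-mode access-class still get a prompt, and at least `delay` seconds between prompts). The class, the addresses and the timings are constructed for illustration.

```python
import ipaddress
from collections import deque


class LoginGuard:
    """Model of 'login block-for BLOCK attempts ATTEMPTS within WITHIN',
    'login quiet-mode access-class' (exempt_nets) and 'login delay DELAY'.
    Illustrative model of the semantics in the post, not IOS code."""

    def __init__(self, block_for, attempts, within, exempt_nets=(), delay=1):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.delay = delay
        self.exempt = [ipaddress.ip_network(n) for n in exempt_nets]
        self.failures = deque()      # timestamps of recent failed logins
        self.quiet_until = None      # end of the current quiet period
        self.last_prompt = None      # time the last login prompt was offered

    def _is_exempt(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.exempt)

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, src, password_ok):
        """Outcome of one login attempt at time `now` (seconds) from `src`."""
        if self.in_quiet_mode(now) and not self._is_exempt(src):
            return "quiet"        # connection refused without a prompt
        if self.last_prompt is not None and now - self.last_prompt < self.delay:
            return "delayed"      # next prompt not offered yet (login delay)
        self.last_prompt = now
        if password_ok:
            return "accept"
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()     # drop failures outside the window
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for   # enter quiet mode
            self.failures.clear()
        return "reject"


def dictionary_attack_demo():
    """Three bad passwords from one host trip quiet mode; the exempt subnet still gets in."""
    g = LoginGuard(block_for=120, attempts=3, within=60, exempt_nets=["10.17.12.0/24"])
    outside = [g.attempt(t, "198.51.100.7", False) for t in (0, 5, 10)]
    return outside, g.attempt(11, "198.51.100.7", True), g.attempt(12, "10.17.12.5", True)
```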
Interesting you post this now. I'm reading a Cisco Press book to get my CCNA Security and I just read past this very same topic explaining that command.
Cool stuff

(reply to nschlutter)
Thanks for that as well nschlutter.
Cisco refers to the second feature as quiet mode and also includes an option to specify an access-list which is exempted during the block period. The second line of configuration will reference the access-list created above to never block the specified networks. A bit vague, then again some stuff on how Cisco does it is vague... till you put it into practice. I'm not referring to the way you write it up nschlutter, it's just personal experience with the way Cisco writes up the way their commands (are supposed) to work.
Also, a bit of a personal gripe... why'd it take Cisco till 12.4T to introduce this command...
Regards