Topic 'Re: Who keeps their router's SSH port open?' in forum 'Cisco' - dslreports.com

Re: Who keeps their router's SSH port open?

Fri, 01 Feb 2013 10:54:31 EDT

HELLFIRE posted : Thanks for that as well nschlutter

Cisco refers to the second feature as “quiet mode” and also includes an option to specify an access-list which is exempted during the block period.

The second line of configuration will reference the access-list created above to never block the specified networks.

A bit vague, then again some stuff on how Cisco does it is vague... till you put it into practice. I'm not referring to
the way you write it up nschlutter , it's just personal experience with the way Cisco writes up the way
their commands (are supposed) to work.

Also, a bit of a personal gripe... why'd it take Cisco till 12.4T to introduce this command...

Regards

Re: Who keeps their router's SSH port open?

Thu, 31 Jan 2013 13:19:05 EDT

Network Guy posted : Interesting you post this now. I'm reading a Cisco Press book to get my CCNA Security and I just read past this very same topic explaining that command.

Cool stuff :D

Re: Who keeps their router's SSH port open?

Thu, 31 Jan 2013 10:25:01 EDT

nschlutter posted : Another option is to enable some of the enhanced security features mentioned in this document

Basically these features allow you to deny logins after a certain number of failed logins as well as insert a delay between login attempts.

The quiet-mode can be accomplished with the commands:

login block-for X attempts Y within Z

An access-list can also be created that allows logins from certain network(s) during the quiet-mode time. The configuration for this looks like:

login quiet-mode access-class ACL

The delay is accomplished with the command:

login delay X

I wrote a blog post about this as well if you're looking for a slightly more wordy version

Re: Who keeps their router's SSH port open?

Wed, 30 Jan 2013 10:32:34 EDT

Network Guy posted : The attacks seem to be done and over with from what I can see in the NAT stats and the ACL lists. I setup this 1841 last week for the first time ever. I created the ACL keeping in mind that if I opened 22 over the WAN that it would equate to hanging meat for the piranhas, but I forgot to apply it to the VTY lines.

What I should do is log any attempts that match the ACL rules applied to the VTY lines just to see what's going on.

So far from what I can see, it's been relatively quiet.


Extended IP access list 100
    10 deny ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7 (4272 matches)
    20 permit ip 10.17.12.0 0.0.0.255 any (38774 matches)
Extended IP access list 101 ---- This is the one applied to VTY lines ----
    10 permit tcp host xxx any eq 22 (8 matches) ---- This is for my access from work ----
    20 permit tcp 10.17.12.0 0.0.0.255 any eq 22 (4 matches)
    30 deny ip any any (39 matches)
Extended IP access list 110
    5 permit tcp 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
    10 permit ip 10.17.12.0 0.0.0.255 10.18.12.24 0.0.0.7
router#

Re: Who keeps their router's SSH port open?

Wed, 30 Jan 2013 09:42:56 EDT

battleop posted : If you are being attacked you need to setup some ACLs.

This is a sample from one of my routers. We have a /24 that is used for our support group, management servers, snmp, etc. So I just created a single ACL for everything like SSH, SNMP etc and then allow access only from that one /24.

access-list 50 remark remote-access
access-list 50 permit 216.x.x.0 0.0.0.255
access-list 50 deny any

line vty 0 4
access-class 50 in
exec-timeout 120 0
--
I do not, have not, and will not work for AT&T/Comcast/Verizon/Charter or similar sized company.

Re: Who keeps their router's SSH port open?

Wed, 30 Jan 2013 00:09:27 EDT

HELLFIRE posted : @jh2010
I still have the CPU screenshot of what my first attempt at leaving my SSH port open to the world at large looked like,
plus the logfiles to back it up.... fun times indeed.

@nosx
Wanna give a breakdown of what each line of that config does? Some of the commands I've never seen before.
But it looks interesting...

Regards

Re: Who keeps their router's SSH port open?

Tue, 29 Jan 2013 19:42:03 EDT

nosx posted : For SSH its simpler to avoid scans by using the rotary feature to move ssh to a new port other than 22.

Additional security through obscurity is available by using a "knock" rotary configuration for your router. You have to "knock"/authenticate on a given TCP port, and then you can initiate a new SSH session for the next say 60 seconds (dynamic ACL knock entry). This is useful to prevent scan / attack of hosts behind your router that you may want to NAT to ssh/rdp/vnc/whatever to.

ip ssh port 2222 rotary 1
username knock secret 5 $1$whatever
username knock autocommand access-enable host timeout 1
ip access-list extended ACL_PROTECT_WAN_IN
dynamic knock permit tcp any any eq 3389 22 log-input
deny ip any any

Re: Who keeps their router's SSH port open?

Tue, 29 Jan 2013 12:42:01 EDT

jh2010 posted : If you leave SSH open to the Internet, then it is possible to get dos'ed if all lines are kept open. You will not be able to login(except via the console).

Re: Who keeps their router's SSH port open?

Tue, 29 Jan 2013 00:00:02 EDT

HELLFIRE posted : I do. Control Plane Policing gets alot of the ones set to connect at too high a rate, thought I should probably
retune my thresholds lower now.

Are you logging your SSH attempts? Ones that just don't get the hint I nullroute to the bit bucket (and
their subnet too) for a very permanent solution. Sending emails to their ISP's abuse email is the highlight
of the day.

@cramer
I'll have to try your idea as well and see how it goes.

Regards

Re: Who keeps their router's SSH port open?

Mon, 28 Jan 2013 11:48:25 EDT

TomS_ posted : Im thinking the same thing. My FreeBSD box is constantly being "attacked" from all over the place. This could be quite amusing. :-)

Re: Who keeps their router's SSH port open?

Mon, 28 Jan 2013 09:45:24 EDT

Network Guy posted :

said by cramer:

I do when I'm bored. :-) And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.

(generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)

I should do this for kicks. My 1841 at home isn't all that busy as it is. :D

Re: Who keeps their router's SSH port open?

Sun, 27 Jan 2013 23:40:08 EDT

DaSneaky1D posted : Nothing wrong with leaving it open to the world. Just have to keep a proper access list.

It'll be much safer if you only allow a specific range of IPs access to the router(s).

Re: Who keeps their router's SSH port open?

Sun, 27 Jan 2013 23:03:59 EDT

cramer posted : I do when I'm bored. :-) And I create a priv level 0 user named "root" with password "root"... sit back and watch their scripts fail. None of these idiots know what to do when they find something that's not tHe LiNuX.

(generally, NEVER leave port 22 open to the internet. Even if it's not an SSH server.)

Re: Who keeps their router's SSH port open?

Sun, 27 Jan 2013 22:25:10 EDT

Network Guy posted : Doh! I checked the VTY lines. I created the ACL but forgot to set it to the lines.

The script kiddie from China is no longer in my NAT statistics table. :D

Re: Who keeps their router's SSH port open?

Sun, 27 Jan 2013 22:16:02 EDT

Network Guy posted : Yes. I only allow local internal subnet and one IP address from my job to access all VTY lines.

The only thing that worries me is that in order to get the ACL to work I had to allow to any that equals 22 and apply it inbound to the VTY lines. I wanted to specify an IP address in the destination but as far as I know, you can't set an IP address to a VTY line.

Re: Who keeps their router's SSH port open?

Sun, 27 Jan 2013 22:11:56 EDT

state posted : No access lists?

Who keeps their router's SSH port open?

Sun, 27 Jan 2013 22:05:21 EDT

Network Guy posted : My 1841 is apparently falling victim to a dictionary attack via SSH. I happened to check the NAT statistics and see there's an IP address from China making a large number of inbound connections to my router via SSH.

Yes, I have SSH open for my convenience. Apparently, I probably should only SSH into my router via VPN.

Who keeps their router's SSH port open to the world?