topic Re: SSH redirection? in Network Security

SSH redirection?

kirm — Thu, 24 Dec 2020 19:11:52 GMT

Hi all,

I have a security question if you'd like to chime in. First, here's my VTY and ACL config:

ip access-list extended SSH_Access_Control
permit tcp 192.168.1.0 0.0.0.255 any eq 22
deny tcp any any eq 22 log

line vty 0 4
access-class SSH_Access_Control in

transport preferred none
transport input ssh
transport output ssh

I'm using aaa.

I cut out what I consider to be extraneous info but please let me know if you need to know more.

Now here's the log:

Dec 23 20:37:18 local 270: Dec 23 20:37:17.687: %SEC-6-IPACCESSLOGP: list SSH_Access_Control denied tcp 81.161.63.103(35532) -> 33.252.197.152(22), 1 packet

And there are lots of these.

So 81.161.63.103, which is either a Chinese or Russian hacker, is...redirecting...I'm not sure...SSH to a US gov server(33.252.197.152) using my 2901?!?!

Man, I hope not.

Two questions if I may:

Is "transport output ssh" necessary?

And what's going on with that log?

And a bonus question:

Why doesn't this work:

5 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.254 eq 22 (2 matches)

If I put the host in like above I can't SSH to the router.

Let me know if you have any other input please.

You know, the wider you open your eyes the more you wish you would have kept them shut. My router is just getting hammered by Chinese and Russian IPs. Yikes.

Thanks,

Re: SSH redirection?

balaji.bandi — Fri, 25 Dec 2020 01:02:12 GMT

Try below config ( always make changes from console)

ine vty 0 4
access-class SSH_Access_Control in

no transport preferred none
transport input ssh
no transport output ssh ( you do not need this , since this is used to use from this device to ssh to outside)

since SSH enable listen all interface, if you like to restrict you can do with source interface.

(config)# ip ssh ?
 authentication-retries Specify number of authentication retries
 Port                   Starting (or only) port number to listen
                        on
 Rsa                    Configure RSA keypair name for SSH  
 source-interface       Specify interface for source address in SSH
                        connections
 time-out               Specify SSH time-out interval

Re: SSH redirection?

kirm — Fri, 25 Dec 2020 22:28:54 GMT

No, transport preferred none should be that way.

Transport output SSH has been shut down and I'm still getting those log entries.

ip ssh source-interface, doesn't seem to have anything to do with it.

From another user response: "The command "ip ssh source-interface" controls the sessions that are initiated *from* your switch/router. They don't change how you ssh to that device."

Thanks

Re: SSH redirection?

Marvin Rhoads — Sat, 26 Dec 2020 02:42:05 GMT

The "SSH_Access_Control denied tcp" log entries are the ACL doing its job. Logging any intern-facing ACL will always give you a long list of attempts by scripts from all around the world trying to access your system or (as you observed) use it to access other systems.

You may want to refer here for best practices:

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

This is a good third party site with some sample configs:

http://www.techspacekh.com/security-hardening-cisco-router/

Re: SSH redirection?

balaji.bandi — Sat, 26 Dec 2020 09:10:35 GMT

yes agreed, only trying to tweak my best to see if any security hole to fix. not to use your device as transit to connect to other devices.

Then ACL is the correct and the outside interface is blocking the connection - that is expected, just like any other Firewall. (if this is connected directly to interface on wan side interface - this is expected.)