https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540126#M66057 <P>Hi,</P><P></P><P>I would like to disable SSH in AIP SSM 10 ips module since it's showing vaulanrability so please help me.</P><P></P><P>Thanks.</P> Sun, 10 Mar 2019 12:11:44 GMT Karthikeyan Shanmugam 2019-03-10T12:11:44Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540126#M66057 <P>Hi,</P><P></P><P>I would like to disable SSH in AIP SSM 10 ips module since it's showing vaulanrability so please help me.</P><P></P><P>Thanks.</P> Sun, 10 Mar 2019 12:11:44 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540126#M66057 Karthikeyan Shanmugam 2019-03-10T12:11:44Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540127#M66058 <HTML><HEAD></HEAD><BODY><P></P><P>You probably want to disable ssh1 to stop being flagged as insecure. Disabling sshv1 on the sensor is tracked with bug CSCsk84977.</P><P>The workaround to disable it is</P><P></P><P>Create a service account (if one does not already exist) using the CLI, then log in using that account and enter the following commands:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P>su -</P><P>cd /etc/ssh</P><P>cp sshd_config sshd_config.old</P><P>sed -r '/^#?Protocol /cProtocol 2' sshd_config.old &gt; sshd_config</P><P></P><P>## to apply the changes do:</P><P>/etc/init.d/cids reboot</P></PRE><P>.</P><P></P><P>I hope it helps.</P><DIV>PK</DIV><P></P></BODY></HTML> Tue, 30 Nov 2010 16:43:19 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540127#M66058 Panos Kampanakis 2010-11-30T16:43:19Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540128#M66059 <HTML><HEAD></HEAD><BODY><P>Wow!!&nbsp; This has to be one of the most helpful posts I've read in a while.&nbsp; I had no idea SSHv1 could be disabled - thought it just wasn't configurable on the IDSMs.&nbsp; Thanks very much.</P><P></P><P>Can we use a similar procedure to lock down SSH in other ways?&nbsp; For example, I'd like to set the ssh timeout value to 30 or 60 seconds, as well as limiting the ssh login attempts to a maximum of 3.</P><P></P><P>Is there a method for implementing that configuration?</P></BODY></HTML> Wed, 01 Dec 2010 00:35:18 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540128#M66059 mikecrowe4ICS_2 2010-12-01T00:35:18Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540129#M66060 <HTML><HEAD></HEAD><BODY><P>Thanks for your reponce. please let me know where i have to put the command since i tried from the IPS sensor configuration mode but the command is invalid.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 01 Dec 2010 07:01:21 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540129#M66060 Karthikeyan Shanmugam 2010-12-01T07:01:21Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540130#M66061 <HTML><HEAD></HEAD><BODY><P>You need to create a service type user to be able to use the commands.</P><P>Other users will not be able to make these changes.</P><P></P><P>I hope it helps.</P><P></P><P>PK</P></BODY></HTML> Wed, 01 Dec 2010 14:46:42 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540130#M66061 Panos Kampanakis 2010-12-01T14:46:42Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540131#M66062 <HTML><HEAD></HEAD><BODY><P>Note that the changes will not remain after an upgrade.</P><P></P><P>As for changing the timeouts and retries, I am not sure. If there are corresponding values in the /etc/ssh/sshd_config file you might be able to do it, but I haven't done it in the past.</P><P></P><P>PK</P></BODY></HTML> Wed, 01 Dec 2010 14:49:22 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540131#M66062 Panos Kampanakis 2010-12-01T14:49:22Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540132#M66063 <HTML><HEAD></HEAD><BODY><P>Folks;</P><P></P><P>&nbsp; I'd like to add some clarification here on the use of the service account available in Cisco IPS sensors.&nbsp; From the IPS configuration guides:</P><P></P><P><SPAN class="content"></SPAN></P><P class="pB1_Body1"><SPAN style="font-family: andale mono,times;">The service account is a support and troubleshooting tool that enables&nbsp; TAC to log in to a native operating system shell rather than the CLI&nbsp; shell. It does not exist on the sensor by default. You must create it so&nbsp; that it is available for TAC to use for troubleshooting your sensor. </SPAN></P><SPAN style="font-family: andale mono,times;"><A name="wp1113111"></A></SPAN><P class="pB1_Body1"><SPAN style="font-family: andale mono,times;"> Only one service account is allowed per sensor and only one account is&nbsp; allowed a service role.<BR /></SPAN></P><SPAN style="font-family: andale mono,times;"><A name="wp1113112"></A></SPAN><P class="pB1_Body1"><SPAN style="font-family: andale mono,times;"> <STRONG>The service account is not intended to be used for configuration&nbsp; purposes.</STRONG> Only modifications made to the sensor through the service&nbsp; account under the direction of TAC are supported. Cisco Systems does not&nbsp; support the addition and/or running of an additional service to the&nbsp; operating system through the service account, because it affects proper&nbsp; performance and proper functioning of the other IPS services. TAC does&nbsp; not support a sensor on which additional services have been added. </SPAN></P><P class="pB1_Body1"></P><P class="pB1_Body1">&nbsp;&nbsp; Any changes made via the service account will not survive a software upgrade.&nbsp; Making unsupported changes via the service account may also require re-imaging the sensor to factory defaults to allow effective troubleshooting to occur during a TAC service request.</P><P class="pB1_Body1"></P><P class="pB1_Body1">Scott</P><P></P></BODY></HTML> Wed, 01 Dec 2010 15:41:53 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540132#M66063 Scott Fringer 2010-12-01T15:41:53Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540133#M66064 <HTML><HEAD></HEAD><BODY><P>Thanks for the heads-up, Scott.&nbsp; I was about to make the changes, but I'm holding off for now.</P><P></P><P>To clarify, if I make the changes listed by "pkampana", will my IDSM-2 still be supported by the TAC?</P><P></P><P>I can accept the risk of potential re-imaging for support, as well as the loss of those changes after upgrades.&nbsp; I just want to make sure it won't prevent getting TAC support AT ALL.</P><P></P><P>Also, by software upgrade, you mean system images, but not signature updates, correct?&nbsp; For example, an upgrade from 7.0(3)E4 to 7.0(4)E4?</P></BODY></HTML> Thu, 02 Dec 2010 05:38:11 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540133#M66064 mikecrowe4ICS_2 2010-12-02T05:38:11Z https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540134#M66065 <HTML><HEAD></HEAD><BODY><P>Michael;</P><P></P><P>&nbsp; The module will still be supported; but it will most likely be necessary to revert the module to factory defaults (re-image) early in the process to ensure it is not an unsupported change that is causing issue.</P><P></P><P>&nbsp; It is possible, depending on the changes implemented, that a signature update could revert a change; that is why the service account should not be utilized for direct or long-term configuration changes.&nbsp; Most changes performed via the service account are under TAC direction, and are usually reverted when the troubleshooting is completed.</P><P></P><P>Scott</P></BODY></HTML> Thu, 02 Dec 2010 12:06:11 GMT https://community.cisco.com/t5/network-security/ssh-disable/m-p/1540134#M66065 Scott Fringer 2010-12-02T12:06:11Z