
How to close port 22 / SSH on external interface

Rastan84
Level 1

Hello. If I check my static external IP address on https://www.yougetsignal.com/tools/open-ports/

it says that port 22 is open on it.

The ISP is plugged into my Cisco 2901.

How do I make sure port 22 (SSH) is not open to the public?

I tried following suggestions I found in other discussions here but couldn't succeed. I'm not an expert at all here.

Could someone please assist?

16 Replies

You can configure transport telnet under the VTY config.
This will make your R never answer requests for SSH/port 22.

Would you have the commands for how to do it?

Do you mean it will answer telnet instead?

Rastan84
Level 1

@MHM Cisco World 

I have this running: 

line vty 0 40

transport input none 

But I guess it's wrong because it didn't help.

Why? Now with this no one can ever access your R via SSH/port 22.

My suggestion was for the outside interface; users can still access from inside, right? (Or am I overthinking? Friday hangover?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I never tried, but the ACL cannot stop traffic directed to the interface; it stops traffic passing through the interface.
This is what I know.

Configure SSH on Routers and Switches - Cisco
If he wants to use SSH, he can then use access-class instead of an ACL to permit or deny some users.

I ran a lab and tested @balaji.bandi's suggestion,
and it works with no issue.
You can use an ACL to deny SSH port 22 access on the interface connected to the ISP.
Thanks,
MHM

I use transport input none,
and without using an ACL I can no longer telnet to the router,
so I prefer transport input to an ACL.
Thanks,
MHM

balaji.bandi
Hall of Fame

"How do I make sure the port 22 (SSH) is not open to public?"

Then you can create an ACL and add it to the external interface.

Example (understand the ACL before applying it to the device):

ip access-list extended ssh_deny
10 deny tcp any any eq 22
20 permit ip any any

interface gigx/x (external Interface)
ip access-group ssh_deny in

BB


rhallinan7387
Level 1

Do not take the approach of only allowing telnet in via transport input telnet; telnet should not be allowed on the device at all. You should stick with transport input ssh, but use ACLs to manage this.

In general, for ISP-facing interfaces you should have an inbound access list blocking more than just SSH. For instance, you would likely want to block any network-management-related protocol coming in from your ISP side, such as telnet, SSH, NTP, SNMP, specific ICMP messages, and any other protocols such as RDP that you may need to filter. In addition, this access list should block traffic sourced from private IP space in RFC 1918, your own IP space, etc. An example list can be found here: https://freenetworktutorials.com/bogon-ipv4-ingress-and-egress-filtering-in-cisco/
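A small audit script for the two controls discussed in this thread (transport input and access-class on the vty lines, and the inbound interface ACL from balaji.bandi's example), added here as an example; it is not from the original thread or from Cisco. The running-config text is constructed, and the interface name and ACL names are assumptions.

```python
import re

# Constructed sample of an IOS running-config excerpt (not a real device). It shows the
# hardened pattern from the thread: SSH-only vty lines restricted with access-class, plus
# an inbound ACL on the ISP-facing interface that drops TCP/22 before it reaches the router.
SAMPLE_CONFIG = """\
ip access-list standard MGMT_HOSTS
 10 permit 192.168.10.0 0.0.0.255
ip access-list extended ssh_deny
 10 deny tcp any any eq 22
 20 permit ip any any
interface GigabitEthernet0/0
 description ISP uplink
 ip access-group ssh_deny in
line vty 0 4
 access-class MGMT_HOSTS in
 transport input ssh
"""

def vty_findings(config):
    """Return a list of weaknesses found in each 'line vty' section."""
    problems = []
    for block in re.findall(r"^line vty .*\n(?:^ .*\n)*", config, re.M):
        header = block.splitlines()[0]
        m = re.search(r"^ transport input (.+)$", block, re.M)
        # Assumption: a missing 'transport input' line is treated as the permissive default.
        transport = m.group(1).strip() if m else "all"
        if transport == "all" or "telnet" in transport.split():
            problems.append(f"{header}: transport input '{transport}' allows telnet")
        # 'transport input none' disables remote login entirely, so access-class is moot.
        if transport != "none" and not re.search(r"^ access-class \S+ in$", block, re.M):
            problems.append(f"{header}: no inbound access-class")
    return problems

def interfaces_blocking_ssh(config):
    """Names of interfaces whose inbound access-group contains 'deny tcp any any eq 22'."""
    acls = dict(re.findall(r"^ip access-list extended (\S+)\n((?:^ .*\n)*)", config, re.M))
    blocking = []
    for name, body in re.findall(r"^interface (\S+)\n((?:^ .*\n)*)", config, re.M):
        m = re.search(r"^ ip access-group (\S+) in$", body, re.M)
        if m and re.search(r"^ *\d* *deny tcp any any eq 22$", acls.get(m.group(1), ""), re.M):
            blocking.append(name)
    return blocking

if __name__ == "__main__":
    print(vty_findings(SAMPLE_CONFIG))             # []
    print(interfaces_blocking_ssh(SAMPLE_CONFIG))  # ['GigabitEthernet0/0']
```

Run it against the output of `show running-config` saved to a file to see which vty lines still accept telnet or lack an access-class, and which interface ACLs actually drop inbound TCP/22.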

"In general for ISP facing interfaces you should have an inbound access list blocking more than just SSH."

Yup, in fact, I'm an advocate of denying ALL external ingress traffic to Internet-"visible" interfaces' IPs, possibly also additional same-device or further-in device IPs too (such as the device's internal-facing or loopback interface IPs; remember this ACL is against traffic entering from outside your network), and then adding permits as required. (BTW, to be clear, this ACL would be "in" on your most external-facing interface connecting to the Internet.)

Understand this doesn't control traffic transiting through the interface, just traffic to the interfaces' IPs, for which, from the outside, there's often limited need.

For the cases where external traffic really does need access to interfaces' IPs, e.g. tunnels, BGP, your permit ACEs can be very restrictive, such as requiring that the traffic have a known good source IP and/or use a specific protocol.

The above approach just provides an often easy-to-manage ACL that provides an initial access barrier. Other security hardening best practices should be considered. (I recall [?] Cisco has some recommendations along those lines on their main site.)

I will send you a private message explaining some points about traffic directed to the interface.
Thanks,
MHM