05-15-2019 12:03 PM
Hello All,
We're doing some security hardening of our Routers and Switches. One of the steps I'm taking is to only enable SSH for the devices (*I believe this ONLY allows SSH as a possible connection type?):
line vty 0 4
 transport input ssh
....
Also, I'm adding an Access-List for SSH to only allow access from internal IP Addresses:
ip access-list standard SSH_ACCESS
 permit 10.0.0.0 0.255.255.255 log
 permit 192.168.0.0 0.0.255.255 log
 deny any log
!
!...
!
line vty 0 4
 transport input ssh
 access-class SSH_ACCESS in
...
I included the explicit deny any at the end of the ACL because I read in a Cisco doc that it's a good idea to include the explicit deny any so you can view the hit count on the deny.
Is it a good or bad idea to include the "log" for that deny statement? Wasn't sure if it was possible for someone trying to SSH in that gets denied by that statement to overload the device with log messages like a DoS attack...?
Thanks in Advance,
Matt
05-15-2019 01:00 PM
Hi,
Yes, "transport input ssh" only permits ssh, not telnet.
When using the "log" option on an ACL the CPU takes a hit, so yes, potentially this could be exploited and also be a DoS. If you need to log the denies you can rate-limit the number of log entries; more info here.
HTH
05-15-2019 01:04 PM
Matt
Yes
line vty 0 4
 transport input ssh
means that ssh is the only remote access protocol that will be accepted. Note that you must enable ssh by generating keys to encrypt the ssh traffic (and that will require that you have configured a device name and domain name).
You might think about whether you want to accept both ssh version 1 and version 2 (which is the default) or accept only a single version.
You should also be aware that while line vty 0 4 has been the standard for a long time, there are many Cisco devices which have more than 5 vty ports (frequently there is also line vty 5 15), so you should check each device to verify how many vty it has and modify your configuration accordingly.
I generally do not use the log parameter when I am configuring access lists for access-class. I do not feel that the information provided is useful enough to justify the effort of generating the log messages.
HTH
Rick
05-15-2019 01:29 PM
Thanks for the reply Richard.
Sorry, didn't include the other commands I added when doing this. Was more concerned about the "log" function.
But, with this, I had also added the commands:
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip scp server enable
no ip http server
Also, the ISR these commands were added to only has vty 0-4... But, the attached 2960X has vty 5 through 15 as well. So I did already add that "transport input ssh" command to that as well. Thanks for the heads up though.
And after seeing yours and RJI's comments, I'm going to remove the "log" portion of the ACL.
Thanks Again,
Matt
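The thread's advice comes down to a few checks a practitioner can run against a saved running-config: every vty line (including vty 5 15, not just 0 4) restricts transport input to ssh and carries an inbound access-class; the referenced ACL exists and ends in an explicit deny any; deny entries do not carry log (or log rate limiting is configured); and ip ssh version 2 plus no ip http server are set. The script below is an added example written for this thread, not Cisco code or anything posted by the participants. The config text it parses is constructed to mirror the commands quoted above, with a deliberately weak second vty block; the wildcard-mask matcher and the audit rules are my own, and the rate-limiting command it suggests (ip access-list logging interval) is the IOS command I would reach for, which the thread only alludes to.

```python
"""Audit a Cisco IOS config for the vty/SSH hardening discussed in the thread.

Added example, not from the thread. SAMPLE_CONFIG is constructed: it copies
the commands Matt quoted and adds a second vty range that is not hardened.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname edge-isr
ip domain-name example.net
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
no ip http server
!
ip access-list standard SSH_ACCESS
 permit 10.0.0.0 0.255.255.255 log
 permit 192.168.0.0 0.0.255.255 log
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class SSH_ACCESS in
line vty 5 15
 transport input telnet ssh
"""


def parse_config(text):
    """Split an IOS config into global commands, standard ACLs and vty blocks."""
    cfg = {"global": [], "acls": {}, "vty": []}
    current = None  # list that indented lines of the open block are appended to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0].isspace():  # indented line belongs to the open block (if any)
            if current is not None:
                current.append(line.strip())
            continue
        current = None
        m = re.match(r"ip access-list standard (\S+)$", line)
        if m:
            current = cfg["acls"].setdefault(m.group(1), [])
            continue
        m = re.match(r"line vty (\d+) (\d+)$", line)
        if m:
            block = {"first": int(m.group(1)), "last": int(m.group(2)), "lines": []}
            cfg["vty"].append(block)
            current = block["lines"]
            continue
        cfg["global"].append(line)
    return cfg


def parse_acl_entry(entry):
    """'permit 10.0.0.0 0.255.255.255 log' -> (action, network, wildcard, logged)."""
    tokens = entry.split()
    action, logged = tokens[0], tokens[-1] == "log"
    if tokens[1] == "any":
        return action, 0, 0xFFFFFFFF, logged
    if tokens[1] == "host":
        return action, int(ipaddress.IPv4Address(tokens[2])), 0, logged
    net = int(ipaddress.IPv4Address(tokens[1]))
    wild = 0  # a bare address with no wildcard means a single host
    if len(tokens) > 2 and tokens[2] != "log":
        wild = int(ipaddress.IPv4Address(tokens[2]))
    return action, net, wild, logged


def acl_decision(entries, src):
    """First-match evaluation; returns (action, index), implicit deny -> ('deny', None)."""
    addr = int(ipaddress.IPv4Address(src))
    for idx, entry in enumerate(entries):
        action, net, wild, _ = parse_acl_entry(entry)
        mask = ~wild & 0xFFFFFFFF  # wildcard bit set = "don't care"
        if addr & mask == net & mask:
            return action, idx
    return "deny", None


def audit(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if "ip ssh version 2" not in cfg["global"]:
        findings.append("global: 'ip ssh version 2' not set, so SSHv1 is still accepted")
    if "no ip http server" not in cfg["global"]:
        findings.append("global: HTTP server not disabled")
    for block in cfg["vty"]:
        name, lines = f"vty {block['first']} {block['last']}", block["lines"]
        if "transport input ssh" not in lines:
            findings.append(f"{name}: transport input is not restricted to ssh only")
        acl = next((l.split()[1] for l in lines if l.startswith("access-class ") and l.endswith(" in")), None)
        if acl is None:
            findings.append(f"{name}: no inbound access-class")
        elif acl not in cfg["acls"]:
            findings.append(f"{name}: access-class references undefined ACL {acl}")
    for name, entries in cfg["acls"].items():
        last = entries[-1].split() if entries else []
        if not last or last[0] != "deny" or "any" not in last:
            findings.append(f"acl {name}: no explicit 'deny any', denied hit counts will not be visible")
        for entry in entries:
            action, _, _, logged = parse_acl_entry(entry)
            if action == "deny" and logged:
                findings.append(f"acl {name}: 'log' on '{entry}' costs CPU per denied packet; "
                                "drop it or set 'ip access-list logging interval'")
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for src in ("10.1.2.3", "192.168.50.1", "172.16.0.1"):
        print(src, acl_decision(parsed["acls"]["SSH_ACCESS"], src))
    for finding in audit(parsed):
        print("FINDING:", finding)
```

Run against the constructed config, the three findings it reports are the second vty range accepting telnet, that range having no access-class, and the logged deny; the 10.x and 192.168.x sources match the two permit entries and 172.16.0.1 falls through to the explicit deny. Paste a real `show running-config` into SAMPLE_CONFIG (or read it from a file) to audit an actual device.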
05-16-2019 05:06 AM
Matt
Thanks for the update. I am glad to know that our suggestions about the log parameter were helpful. Good to know that you had anticipated my other suggestions.
HTH
Rick