Cisco IDS 4250XL - SSH protocol versions supported

nickbruno
Level 1

I recently had a vulnerability scan completed and "SSH protocol versions supported" showed up in it for my IDS. Has anyone come across this, and if so, how am I able to mitigate it? Is there a way to change the SSH version on the device?

7 Replies

Jeffrey Bollinger
Cisco Employee

Looks like the sensor allows incoming protocols 1 and 2. See /etc/ssh/sshd_config on the sensor.

You can probably change it to only allow SSH protocol 2, but I don't know for sure if that will have other ramifications.

Is there a way to find out before I go and make any changes? This is a requirement to comply with a vulnerability assessment that was done on my network. Any information would be great on whether it can be changed and, if not, a reason why so that I can submit that.

Thanks,

What vulnerability is being asserted in the OpenSSH implementation of SSH protocol version 1?

I have not seen a new problem discovered in more than three years in SSH protocol version 1. OpenSSH-3.7.1p2 contains the fixes for all vulnerabilities that I am aware of.

When a vulnerability assessment recommends shutting down SSH protocol version 1, they need to back it up with some facts to show that SSH1 as implemented in the IDS 4.x sensor is insecure.

=====

That having been said, you can disable SSH protocol version 1 by editing /etc/ssh/sshd_config and restarting the service. What you will lose is the ability to manage keys in the IDS CLI. So you cannot use authorized keys to log into the sensor.

The "copy scp:..." and "upgrade scp:..." commands will fail. When you start an SSH2 client, it will refuse to connect to the remote server because it won't trust the host key.

You also won't be able to manage network devices to perform blocking using the SSH protocol.

The only item that showed up on the assessment is that multiple SSH versions are supported. The recommendation is to lock it down to one version.

So basically you are saying that SSH2 will not work or provide the functionality that I get with SSH1. What version is on the IPS 5.0?

Thank you again for the information.

As shipped, the SSH server will allow SSH1 and SSH2 clients to connect to the sensor. You can disable one or the other using the service account, and editing /etc/ssh/sshd_config. For example, to disable SSH2, change the line:

#Protocol 2,1

to

Protocol 1

All SSH clients started by the sensor software are restricted to SSH1.

IPS 5.0(2) includes the same openssh-3.7.1p2 as IDS 4.1(4). We will be upgrading to openssh-4.0p1 in a future release of IDS 4.1 and IPS 5.0.

Thanks. So if I change this line item to just 1, I should not see anything different in the functionality of the device? Right?

Thanks again,

This is a read-only file that I am trying to edit. How do I make this file editable on the device?
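The edit the thread describes, as an added example that is not part of the original posts or Cisco's own code. Note the direction: a scanner that flags "multiple SSH versions supported" wants the server limited to protocol 2, so the directive to end up with is `Protocol 2`, not `Protocol 1` (which would leave only the weaker version). The script assumes the file is writable (for example after becoming root through the service account) and that, as on OpenSSH 3.7.1p2, a missing or commented-out `Protocol` line means the compiled-in default of `2,1`. It also classifies the server banner the way a scanner does: a server that speaks both versions announces itself as `SSH-1.99-...`, a version-2-only server as `SSH-2.0-...` (RFC 4253, section 5.1), which is how to confirm the change from outside before re-running the assessment. The sample config is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Assumes an OpenSSH 3.x-era
# sshd_config and write access to it.

# Rewrite (or append) the Protocol directive so only the requested version(s)
# are offered. A commented default line such as "#Protocol 2,1" is turned into
# the live directive. Usage: set_ssh_protocol <config-file> <value>
set_ssh_protocol() {
    cfg=$1
    want=$2
    cp "$cfg" "$cfg.bak"   # keep a backup so the change can be reverted
    if grep -q '^[#[:space:]]*Protocol[[:space:]]\{1,\}[0-9]' "$cfg"; then
        sed "s/^[#[:space:]]*Protocol[[:space:]]\{1,\}[0-9].*/Protocol $want/" \
            "$cfg.bak" > "$cfg"
    else
        cp "$cfg.bak" "$cfg"
        printf 'Protocol %s\n' "$want" >> "$cfg"
    fi
}

# Report which protocol versions an sshd_config enables. A missing or
# commented-out directive means the compiled-in default, which for
# OpenSSH 3.7.1p2 is "2,1" (both versions).
ssh_protocols_enabled() {
    val=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*//p' "$1" | head -n 1)
    if [ -z "$val" ]; then
        echo "2,1"
    else
        echo "$val" | tr -d ' '
    fi
}

# Classify a server identification banner the way a scanner does
# (RFC 4253 s5.1): "1.99" = both versions, "2.0" = v2 only, "1.x" = v1 only.
classify_banner() {
    case "$1" in
        SSH-1.99-*) echo "both" ;;
        SSH-2.0-*)  echo "v2-only" ;;
        SSH-1.*)    echo "v1-only" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed sample: the shipped file, with the directive commented out.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
#Protocol 2,1
PermitRootLogin no
EOF
echo "before: Protocol $(ssh_protocols_enabled "$tmp/sshd_config")"
set_ssh_protocol "$tmp/sshd_config" 2
echo "after:  Protocol $(ssh_protocols_enabled "$tmp/sshd_config")"
echo "banner SSH-1.99-OpenSSH_3.7.1p2 means: $(classify_banner 'SSH-1.99-OpenSSH_3.7.1p2')"
rm -rf "$tmp"
```

On the real sensor, run `set_ssh_protocol /etc/ssh/sshd_config 2`, check the result with `sshd -t`, restart sshd, and then read the banner from another host (for example `nc sensor 22` and look at the first line) to confirm it now starts with `SSH-2.0-`. The thread's caveat still applies: the sensor's own outbound SSH clients are described as SSH1-only, so verify scp upgrades and blocking to managed devices after the change rather than assuming they are unaffected.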
