hardening SSH on FMC and FTD

tato386
Level 6

Qualys scans of our FMC and FTD are flagging older SSH protocols and algorithms that we need to turn off. I looked into enabling UCAPL/CC mode but the one-way nature of this change kind of scares me. Besides, I feel like all I need is to tweak the /etc/ssh/sshd_config file a bit and if there are any ill effects it would be easy to roll back. What I need is this:

on FMC: remove host key algorithm ssh-rsa

on FTD: remove host key algorithm ssh-rsa, MAC hmac-sha1, key exchange diffie-hellman-group14-sha1

The FTDs are running v7.4.2 and the FMC is at v7.6.0

Has anybody played around with this?  Should I open a TAC case?  Thoughts?

TIA,
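The sshd_config change the post describes, as an added example that is not part of the thread or of any Cisco tooling: a POSIX shell audit that reports whether HostKeyAlgorithms, MACs and KexAlgorithms still offer ssh-rsa, hmac-sha1 or diffie-hellman-group14-sha1, and writes a copy of the file with only those tokens removed. The directive names are standard OpenSSH; the sample config, the temp-file handling and the assumption that FMC/FTD run a stock OpenSSH sshd are mine and were not verified against the appliances.

```shell
# Added example, not code from the thread or from Cisco: audit an sshd_config for the
# three algorithms the OP wants gone and write a copy with only those tokens removed.
# sshd uses the FIRST occurrence of a directive; an absent directive falls back to the
# build's defaults, which on older OpenSSH still offer these algorithms.
# Value of the first matching directive on stdin (case-insensitive, so it also parses
# the lowercased effective config printed by `sshd -T`).
directive_value() {
  awk -v kw="$1" 'tolower($1) == tolower(kw) { print $2; exit }'
}
# Remove the comma-separated tokens in $2 from directive $1; everything else stays,
# including rsa-sha2-256/512, which keep using the existing RSA host key.
strip_weak() {
  awk -v kw="$1" -v weak="$2" '
    BEGIN { n = split(weak, w, ","); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    tolower($1) == tolower(kw) {
      m = split($2, t, ","); out = ""
      for (i = 1; i <= m; i++) if (!(t[i] in bad)) out = out (out == "" ? "" : ",") t[i]
      if (out == "") $0 = "# " $0 "  (every listed algorithm is deprecated; set a modern list)"
      else $0 = $1 " " out
    }
    { print }'
}
# List weak tokens (or a missing directive) in file $1; returns 1 if anything was found.
audit_sshd_config() {
  rc=0
  for pair in HostKeyAlgorithms:ssh-rsa MACs:hmac-sha1 KexAlgorithms:diffie-hellman-group14-sha1; do
    kw=${pair%%:*}; alg=${pair#*:}
    val=$(directive_value "$kw" <"$1")
    if [ -z "$val" ]; then
      echo "$kw: not set, sshd defaults apply (may still offer $alg)"; rc=1
    elif printf ',%s,' "$val" | grep -qF -- ",$alg,"; then
      echo "$kw: offers $alg"; rc=1
    fi
  done
  return $rc
}
# Hardened copy of $1 on stdout: review it, then install with a console session open.
harden_sshd_config() {
  strip_weak HostKeyAlgorithms ssh-rsa <"$1" \
    | strip_weak MACs hmac-sha1 \
    | strip_weak KexAlgorithms diffie-hellman-group14-sha1
}
# Constructed sample config (not a real FMC/FTD file) so the example runs offline.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
Port 22
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512,ecdsa-sha2-nistp256
MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512
KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,curve25519-sha256
EOF
```

Run `audit_sshd_config "$SAMPLE_CFG"` on a copy of the appliance's /etc/ssh/sshd_config (or on `sshd -T` output, if that build supports it) and `harden_sshd_config "$SAMPLE_CFG" > new_config` to produce the trimmed file. After installing the result, restart sshd and confirm a fresh login still works before closing the console session.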

5 Replies

marce1000
Hall of Fame

  - Note that the FTD CLI has a command, configure ssh-access-list, to limit the IP addresses from which an FTD device will accept SSH connections on its management interface, which is always good practice for network management.

  M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

@tato386 I am not sure there is an officially supported way of doing this; it's probably best to contact TAC to confirm.

You can limit the attack surface by disabling SSH on data interfaces (FTD) and only allow SSH access on the management interface, restricting access using the ACL as already mentioned.

I agree with @Rob Ingram, probably the safest way would be to raise this with TAC. However, if you have a console connection to the devices to revert back the applied changes then I can't see why you shouldn't give it a try.

With regard to CC/UCAPL, you're right, once you enable them you wouldn't be able to revert back. However, I think TAC could still be able to do that for you.

tato386
Level 6

These suggestions are valid and useful but in our situation the Qualys scanner is located *inside* our firewall and has access to management interfaces. With the FTD I can use the platform settings to limit SSH to individual IPs, which is annoying but doable. The FMC has no platform settings and I don't see anything in the config screen to restrict inbound SSH. For these reasons I think it's just more efficient to disable the deprecated protocols at the OS level and be done with it. No IP lists to manage or extra settings, etc.

tato386
Level 6

Quick update: just realized I can use "access list" in FMC config to limit SSH by IP. I would still prefer to simply disable these older algorithms but I guess for now that's probably the best option. Thanks all
