Re: how to disable ssh ver 1 on IPS

pemasirid · ‎04-09-2011

Hi,

We want disable ssh ver 1.0 on Cisco IPS and appreciate if some one can advise how we can do that. It's not feacible/available through IDM or CLI perhaps possible on root using service account..?

Thanks

Jennifer Halim · ‎04-09-2011

Yes, you are right, it needs to be disabled via the service account.

Here is the steps:

1) Assuming that you already have a service account created. Pls login via the service account.

2) Login to it's super user: su

then type in the password.

3) Modify sshd_config: vi /etc/ssh/sshd_config

Delete '#' and ',1' --> from the line: #Protocol 2,1

4) You should only see: Protocol 2

(NB: it was: #Protocol 2,1 before)

5) Save the changes.

6) Restart the SSH service: check under: /etc/init.d/ directory, you should see an ssh service.

To restart: /etc/init.d/ restart

7) Delete the version key file.

The above steps will disable SSH version 1 on IPS. Hope that helps.

nate_newman · ‎11-04-2013

There is a command to disable sshv1 now if you are on 7.1(8).

SSP10-41(config-hos-net)# sshv1-fallback ?

enabled Enable the sshv1 fallback on the sensor.

disabled Disable the sshv1 fallback on the sensor

I tried to run the below commands given to me by TAC and after the reboot six of our ASA SSP IPS' failed totally requiring an RMA!

If you'd like to risk it on your own equipment here are the commands.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Create a service account (if one does not already exist) using the CLI, then log in using that account and enter the following commands:

su -

cd /etc/ssh

cp sshd_config sshd_config.old

sed -r '/^#?Protocol /cProtocol 2' sshd_config.old > sshd_config

To apply the changes do:

/etc/init.d/cids reboot

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

None of the other commands in this thread worked on the ASA module.

Erland Medrano · ‎12-07-2015

How to revert back the config of #Protocol 2,1?

mikecrowe4ICS_2 · ‎04-10-2011

There have been a few threads on this previously, and they are definitely worth a read if you're looking to implement this configuration.

https://supportforums.cisco.com/message/487418#487418

(Part of an "Ask The Experts" thread)

https://supportforums.cisco.com/message/3202434

(specifically mentions bug id CSCsk84977)

Definitely read the one here:

https://supportforums.cisco.com/message/3237672

This thread discusses some of the concerns/issues regarding changes made using the service account. Specifically, Scott Fringer's responses are highly informative.

https://supportforums.cisco.com/message/3238202#3238202

https://supportforums.cisco.com/message/3239089#3239089

From Scott's reponses:

Any changes made via the service account will not survive a software upgrade. Making unsupported changes via the service account may also require re-imaging the sensor to factory defaults to allow effective troubleshooting to occur during a TAC service request.

and:

The module will still be supported; but it will most likely be necessary to revert the module to factory defaults (re-image) early in the process to ensure it is not an unsupported change that is causing issue.

It is possible, depending on the changes implemented, that a signature update could revert a change; that is why the service account should not be utilized for direct or long-term configuration changes. Most changes performed via the service account are under TAC direction, and are usually reverted when the troubleshooting is completed.

Just some food for thought ...

pemasirid · ‎04-10-2011

Hi,

Thanks for all your valuable responses. Also just want to know is there any impact or service disruptions etc doing this, as we have many IPS deployed and all are currently on live network.

thanks

Jennifer Halim · ‎04-10-2011

It should be no service impacting as only the SSH daemon needs to be restarted. However, if you are performing the change via SSH session, it will kill the session when restart is being performed.

Message was edited by: Jennifer Halim

mikecrowe4ICS_2 · ‎04-10-2011

Some of the comments regarding this change, such as this one, indicate that only the SSH daemon needs to be restarted, using this command:

/etc/rc.d/init.d/sshd restart

This would include Jennifer's comment above.

Other comments, such as this one, indicate restarting the "cids" process. You will probably need to try the configuration to see which method works for you, either on a test machine, or one that will not impact network traffic.

SecureWorks Device Management · ‎10-03-2012

Hello,

Will the steps provided survive an IPS reboot and/or an IPS upgrade?

Thanks.

Jennifer Halim · ‎10-03-2012

It will survive an IPS reboot, however, as changes were being done via service account, it will not survive an IPS upgrade.

Here is an enhancement request that you can track to only allow SSHv2 via normal IPS command line: CSCsk84977

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk84977

SecureWorks Device Management · ‎10-04-2012

Jennifer,

Can you provide us a time frame on this enhancement? Seems to me if you can easily disable SSHv1 on an ASA you should be able to on an IPS. Please have your development team prioritize this.

Thanks.

Jennifer Halim · ‎10-05-2012

Unfortunately i don't have time frame for this enhancement. You would want to get in touch with your cisco account rep for this, or alternatively open a TAC case so it can be linked as the more people who request it, the more priority it will get.