cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

5971
Views
14
Helpful
11
Replies
pemasirid
Beginner

how to disable ssh ver 1 on IPS

Hi,

We want disable ssh ver 1.0 on Cisco IPS and appreciate if some one can advise how we can do that. It's not feacible/available through IDM or CLI perhaps possible on root using service account..?

Thanks

11 REPLIES 11
Jennifer Halim
Cisco Employee

Yes, you are right, it needs to be disabled via the service account.

Here is the steps:

1) Assuming that you already have a service account created. Pls login via the service account.

2) Login to it's super user: su

then type in the password.

3) Modify sshd_config: vi /etc/ssh/sshd_config

Delete '#' and ',1' --> from the line: #Protocol 2,1

4) You should only see: Protocol 2

(NB: it was: #Protocol 2,1 before)

5) Save the changes.

6) Restart the SSH service: check under:  /etc/init.d/ directory, you should see an ssh service.

To restart: /etc/init.d/ restart

7) Delete the version key file.

The above steps will disable SSH version 1 on IPS. Hope that helps.

There is a command to disable sshv1 now if you are on 7.1(8).

SSP10-41(config-hos-net)# sshv1-fallback ?

enabled      Enable the sshv1 fallback on the sensor.

disabled     Disable the sshv1 fallback on the sensor

I tried to run the below commands given to me by TAC and after the reboot six of our ASA SSP IPS' failed totally requiring an RMA!

If you'd like to risk it on your own equipment here are the commands.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Create a service account (if one does not already exist) using the CLI, then log in using that account and enter the following commands:

su -

cd /etc/ssh

cp sshd_config sshd_config.old

sed -r '/^#?Protocol /cProtocol 2' sshd_config.old > sshd_config

To apply the changes do:

/etc/init.d/cids reboot

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

None of the other commands in this thread worked on the ASA module.

How to revert back the config of #Protocol 2,1?

mikecrowe4ICS_2
Beginner

There have been a few threads on this previously, and they are definitely worth a read if you're looking to implement this configuration.

https://supportforums.cisco.com/message/487418#487418

(Part of an "Ask The Experts" thread)

https://supportforums.cisco.com/message/3202434

(specifically mentions bug id CSCsk84977)

Definitely read the one here:

https://supportforums.cisco.com/message/3237672

This thread discusses some of the concerns/issues regarding changes made using the service account.  Specifically, Scott Fringer's responses are highly informative.

https://supportforums.cisco.com/message/3238202#3238202

https://supportforums.cisco.com/message/3239089#3239089

From Scott's reponses:

   Any changes made via the service account will not survive a software upgrade.  Making unsupported changes via the service account may also require re-imaging the sensor to factory defaults to allow effective troubleshooting to occur during a TAC service request.

and:

The module will still be supported; but it will most likely be necessary to revert the module to factory defaults (re-image) early in the process to ensure it is not an unsupported change that is causing issue.

  It is possible, depending on the changes implemented, that a signature update could revert a change; that is why the service account should not be utilized for direct or long-term configuration changes.  Most changes performed via the service account are under TAC direction, and are usually reverted when the troubleshooting is completed.

Just some food for thought ...

Hi,

Thanks for all your valuable responses. Also just want to know is there any impact or service disruptions etc doing this, as we have many IPS deployed and all are currently on live network.

thanks

It should be no service impacting as only the SSH daemon needs to be restarted. However, if you are performing the change via SSH session, it will kill the session when restart is being performed.

Message was edited by: Jennifer Halim

Some of the comments regarding this change, such as this one, indicate that only the SSH daemon needs to be restarted, using this command:

/etc/rc.d/init.d/sshd restart

This would include Jennifer's comment above.

Other comments, such as this one, indicate restarting the "cids" process.  You will probably need to try the configuration to see which method works for you, either on a test machine, or one that will not impact network traffic.

Hello,

Will the steps provided survive an IPS reboot and/or an IPS upgrade?

Thanks.

It will survive an IPS reboot, however, as changes were being done via service account, it will not survive an IPS upgrade.

Here is an enhancement request that you can track to only allow SSHv2 via normal IPS command line: CSCsk84977

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk84977

Jennifer,

Can you provide us a time frame on this enhancement?  Seems to me if you can easily disable SSHv1 on an ASA you should be able to on an IPS.  Please have your development team prioritize this.

Thanks.

Unfortunately i don't have time frame for this enhancement. You would want to get in touch with your cisco account rep for this, or alternatively open a TAC case so it can be linked as the more people who request it, the more priority it will get.

Content for Community-Ad