We want to disable SSH version 1.0 on Cisco IPS and would appreciate it if someone can advise how we can do that. It's not feasible/available through IDM or CLI; perhaps it is possible as root using the service account?
Yes, you are right, it needs to be disabled via the service account.
Here are the steps:
1) Assuming that you already have a service account created, please log in via the service account.
2) Log in to its superuser: su
then type in the password.
3) Modify sshd_config: vi /etc/ssh/sshd_config
Delete '#' and ',1' from the line: #Protocol 2,1
4) You should only see: Protocol 2
(NB: it was: #Protocol 2,1 before)
5) Save the changes.
6) Restart the SSH service: check under: /etc/init.d/ directory, you should see an ssh service.
To restart: /etc/init.d/
7) Delete the version key file.
The above steps will disable SSH version 1 on IPS. Hope that helps.
There is a command to disable sshv1 now if you are on 7.1(8).
SSP10-41(config-hos-net)# sshv1-fallback ?
enabled Enable the sshv1 fallback on the sensor.
disabled Disable the sshv1 fallback on the sensor
I tried to run the below commands given to me by TAC, and after the reboot six of our ASA SSP IPSs failed totally, requiring an RMA!
If you'd like to risk it on your own equipment here are the commands.
Create a service account (if one does not already exist) using the CLI, then log in using that account and enter the following commands:
cp sshd_config sshd_config.old
sed -r '/^#?Protocol /cProtocol 2' sshd_config.old > sshd_config
To apply the changes do:
None of the other commands in this thread worked on the ASA module.
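The two procedures in this thread (the manual vi edit in the first reply and the sed one-liner from TAC above) both come down to rewriting the Protocol line of sshd_config so that only protocol 2 is offered. The following is an added example, not code from the thread or from Cisco: a small POSIX shell helper that backs the file up, rewrites or adds the Protocol line, and verifies the result before the daemon is restarted. It assumes a GNU sed (the sensor's Linux base) and takes the config path as a parameter so it can be exercised on a copy of the file first; the sample config in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): force SSH protocol 2 in an sshd_config
# file and verify the result. Only cp/grep/sed/cat are used.

# disable_sshv1 CONFIG_PATH
# Backs up CONFIG_PATH to CONFIG_PATH.old and rewrites any existing
# (possibly commented-out) Protocol line to "Protocol 2". If the file has no
# Protocol line at all, one is appended, because older OpenSSH versions
# default to "2,1" when the directive is absent. Returns 0 on success.
disable_sshv1() {
    cfg="$1"
    cp "$cfg" "$cfg.old" || return 1
    if grep -Eq '^#?Protocol ' "$cfg.old"; then
        # Same effect as the thread's sed command, written with s/// so it
        # also works on non-GNU sed.
        sed -E 's/^#?Protocol .*/Protocol 2/' "$cfg.old" > "$cfg"
    else
        { cat "$cfg.old"; echo 'Protocol 2'; } > "$cfg"
    fi
}

# sshv1_enabled CONFIG_PATH
# Prints "yes" if the file would still let sshd offer protocol 1 (no active
# Protocol line, or a Protocol line that lists 1), otherwise "no".
sshv1_enabled() {
    cfg="$1"
    line=$(grep -E '^Protocol ' "$cfg" | tail -n 1)
    case "$line" in
        "")   echo yes ;;   # directive absent: old default is 2,1
        *1*)  echo yes ;;   # e.g. "Protocol 2,1" or "Protocol 1"
        *)    echo no  ;;
    esac
}

# Demo on a constructed config copy; on a sensor you would point this at
# /etc/ssh/sshd_config and then restart sshd as described in the thread.
demo_cfg=$(mktemp)
printf '# sample sshd_config (constructed)\n#Protocol 2,1\nPort 22\n' > "$demo_cfg"
echo "before: sshv1_enabled=$(sshv1_enabled "$demo_cfg")"
disable_sshv1 "$demo_cfg"
echo "after:  sshv1_enabled=$(sshv1_enabled "$demo_cfg")"
grep -n '^Protocol' "$demo_cfg"
rm -f "$demo_cfg" "$demo_cfg.old"
```

Run the checker first on a copy of the file to confirm the edit does what you expect, keep the .old backup until the restarted daemon has been verified (for example by attempting a connection with protocol 1 and seeing it refused), and remember, as Scott's quoted comments below explain, that the change lives outside the IPS configuration and will not survive an upgrade.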
There have been a few threads on this previously, and they are definitely worth a read if you're looking to implement this configuration.
(Part of an "Ask The Experts" thread)
(specifically mentions bug id CSCsk84977)
Definitely read the one here:
This thread discusses some of the concerns/issues regarding changes made using the service account. Specifically, Scott Fringer's responses are highly informative.
From Scott's responses:
Any changes made via the service account will not survive a software upgrade. Making unsupported changes via the service account may also require re-imaging the sensor to factory defaults to allow effective troubleshooting to occur during a TAC service request.
The module will still be supported; but it will most likely be necessary to revert the module to factory defaults (re-image) early in the process to ensure it is not an unsupported change that is causing issue.
It is possible, depending on the changes implemented, that a signature update could revert a change; that is why the service account should not be utilized for direct or long-term configuration changes. Most changes performed via the service account are under TAC direction, and are usually reverted when the troubleshooting is completed.
Just some food for thought ...
Thanks for all your valuable responses. Also, I just want to know whether there is any impact or service disruption etc. in doing this, as we have many IPSs deployed and all are currently on the live network.
It should not be service impacting, as only the SSH daemon needs to be restarted. However, if you are performing the change via an SSH session, it will kill the session when the restart is performed.
Message was edited by: Jennifer Halim
Some of the comments regarding this change, such as this one, indicate that only the SSH daemon needs to be restarted, using this command:
This would include Jennifer's comment above.
Other comments, such as this one, indicate restarting the "cids" process. You will probably need to try the configuration to see which method works for you, either on a test machine, or one that will not impact network traffic.
It will survive an IPS reboot; however, as the changes were done via the service account, it will not survive an IPS upgrade.
Here is an enhancement request that you can track to only allow SSHv2 via normal IPS command line: CSCsk84977
Can you provide us a time frame on this enhancement? Seems to me if you can easily disable SSHv1 on an ASA you should be able to on an IPS. Please have your development team prioritize this.
Unfortunately I don't have a time frame for this enhancement. You would want to get in touch with your Cisco account rep for this, or alternatively open a TAC case so it can be linked, as the more people who request it, the more priority it will get.