Limit max number of SSH sessions to FTD?

CiscoBrownBelt
Level 6

Is there a way to limit the amount of SSH sessions to the FTD CLI?

13 Replies

balaji.bandi
Hall of Fame

Not that I have seen any limit (we configured a session timeout of 60 seconds idle). Even when we had 15 users we did not see any limitation on access at all.

But in most FTD cases it is managed by FMC; you do not need many SSH connections, and it is not suggested to change any config when the device is managed by FMC.


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks! So I basically do not want the ability to have many SSH sessions opened up on the terminal (DDoS attack, etc.). You are saying there is no way to limit that on the FTD?

Try using a control-plane ACL and allow only specific hosts to SSH to your FTD.
This can limit SSH to only specific users.

An FTD device does not typically have management enabled on its Internet-facing interfaces. In that case, there is no listener for tcp port 22 (ssh).

If you do have the Internet-facing outside interface enabled for management (or your management interface is directly Internet-connected), you can use "configure ssh access-list" (which is one of the few things configured from the cli) to restrict acceptance of incoming ssh sessions to authorized addresses.

https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/c_3.html#wp4200953591

@Marvin Rhoads' suggestion is better than what I suggested.
The SSH ACL overrides the control-plane ACL, so from my side I prefer to use the SSH ACL as @Marvin Rhoads suggests.
Thanks.

Great thanks. I actually mean remote access for internal connections. 

"I actually mean remote access for internal connections." <--- Do you mean remote access VPN?

BB

No, I just mean accessing it not via console. Accessing via an internal IP/subnet.

You cannot limit the number of ssh sessions but you can limit the addresses that are allowed to initiate with the "configure ssh access-list" command I mentioned earlier. That applies to any interface for which management access via ssh is permitted.
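As an added illustration of the setting discussed in this answer (not from any poster in the thread): the permissive form that accepts SSH from any source beside a restricted list. The any-source default, the `show ssh-access-list` verification command and the immediate effect of the change are assumptions from memory rather than from the thread; the address ranges are constructed.

```text
> configure ssh access-list 0.0.0.0/0,::/0
    # assumed default: any IPv4 or IPv6 source may open an SSH session
> configure ssh access-list 10.10.20.0/24,10.10.30.5/32
    # restricted: only the constructed admin subnet and one jump host may connect
> show ssh-access-list
    # assumed verification command: confirm the active list before closing your session
```

Apply the restricted list from a session whose own source address is inside the permitted ranges; a list that excludes the address you are connected from cuts off your own management access.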

Right, looks like the best option. If SSH is only established to the Mgmt interface, then that is the only interface where the ACL would need to be applied, correct?

This configuration command is not like a traditional ACL on an ASA where it is applied to an interface. Rather it applies to all management plane ssh connections to the device. Those include the management interface only by default (and any others explicitly configured for management access).

Yes, correct.

BB


(DDoS attack, etc.) - Generally we allow only Manager access to log in (based on the IP); it is not suggested to open SSH to any IP to try, to avoid a DoS attack.

You need to look more at hardening steps:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

BB
