11-11-2013 06:58 AM - edited 03-10-2019 12:08 AM
Hi everybody,
I should provide the highest level of security on a C2821-VSEC-CCME/K9. Is it enough to log in through SSH-2 RSA only, 1024, password strength: 8 symbols, no CAPS letters, numbers, special symbols, password example [sdf^&*89]?

line vty 0 4
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 transport input ssh

Should I create a MAC-based access list on the Cisco router?
Should I use login with the highest security level options: SSH-2 RSA only, 2048, password strength: XX symbols, CAPS and small letters, numbers, special symbols, password example [sdf^&*89Ad@#34s_Ds!@27&#]?
Is it paranoia that has nothing to do with real life, or is it recommended practice?
Please advise. Thank you very much.
11-11-2013 09:39 PM
Do you want to connect from the LAN or from the Internet?
11-12-2013 12:48 AM
I want to connect from the Internet in 95% of cases. Thank you.
11-12-2013 03:11 AM
For additional protection, I do this:

access-list 23 permit any log
line vty 0 4
 access-class 23 in
line vty 5 15
 access-class 23 in
login on-failure log
login on-success log

This will syslog all connection attempts.

archive
 log config
  logging enable
  hidekeys

This will syslog all commands.
SSH itself can be easily decoded in a man-in-the-middle attack.
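An added example, not part of the original post and not Cisco code: once the login and ACL logging configured above reaches a syslog server, a short script can tally attempts per source address. The sample lines are constructed, the message layouts are assumed to match what the device emits (check them against real output), and the max_failures threshold is a hypothetical value.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (documentation addresses), shaped like the
# messages IOS emits for "login on-failure log", "login on-success log" and a
# standard ACL entry with "log". Check the exact text against your own device.
SAMPLE = """\
Nov 12 03:10:58: %SEC-6-IPACCESSLOGS: list 23 permitted 203.0.113.7 1 packet
Nov 12 03:11:02: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:11:02 UTC Tue Nov 12 2013
Nov 12 03:11:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:11:09 UTC Tue Nov 12 2013
Nov 12 03:11:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 03:11:15 UTC Tue Nov 12 2013
Nov 12 03:12:40: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netadmin] [Source: 198.51.100.20] [localport: 22] [Reason: Login Authentication Failed] at 03:12:40 UTC Tue Nov 12 2013
Nov 12 03:12:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 198.51.100.20] [localport: 22] at 03:12:51 UTC Tue Nov 12 2013
""".splitlines()

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\S+) (?P<count>\d+) packet")

def summarize(lines):
    """Per-source counters: ACL hits, failed logins, successes, users tried."""
    stats = defaultdict(
        lambda: {"acl_hits": 0, "failed": 0, "success": 0, "users": set()})
    for line in lines:
        if m := LOGIN_RE.search(line):
            s = stats[m["src"]]
            s["failed" if m["kind"] == "FAILED" else "success"] += 1
            s["users"].add(m["user"])
        elif m := ACL_RE.search(line):
            stats[m["src"]]["acl_hits"] += int(m["count"])
    return dict(stats)

def suspicious_sources(lines, max_failures=3):
    """Sources whose failed-login count reaches max_failures (hypothetical)."""
    return sorted(src for src, s in summarize(lines).items()
                  if s["failed"] >= max_failures)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, s)
    print("review:", suspicious_sources(SAMPLE))
```
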
11-12-2013 05:01 AM
ttemirgaliyev,
Thank you very much.
These options are really essential:
syslog all connection attempts
syslog all commands
What do you think about the MAC-based access list for SSH login on a Cisco router?
Is it important too, or should I skip this option?
Thank you very much again.