07-07-2009 12:18 AM - edited 03-09-2019 10:25 PM
Hi All,
We've just had a security survey carried out, and one of the issues raised is that my routers and PIXes both reveal the SSH version number if you telnet to them on port 22. Apparently this could aid an attacker by providing information on the server version and vendor.
e.g.
telnet router.com 22
SSH-1.99-Cisco-1.25
Any ideas as to how to prevent this?
Thanks in advance,
Chris
07-07-2009 01:07 AM
Remote administration of network devices should only permit the IP addresses of authorized personnel and use an encrypted connection across untrusted networks (e.g. the internet). An ACL should be in place to permit only the IP addresses of authorized personnel. Knowing the version is irrelevant, as they are the administrators of the device.
If you don't put an ACL in place to permit only the IP addresses of authorized personnel, then even if the version is NOT shown, it doesn't matter to hackers.
07-07-2009 04:45 AM
That's a very good point.
Now all I have to do is find out what idiot put this line in my config:
ssh 0.0.0.0 0.0.0.0 outside
which certainly should not have been there. Now I've taken that out, all is fine.
Thanks very much for your help.
07-07-2009 05:29 AM
"SSH-1.99-Cisco-1.25": if that output is really from your equipment, then it currently supports both SSH v1 and v2. You should at least hard-code it to only respond via v2.
"ip ssh version 2" for IOS.
"ssh version 2" for ASA.
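Putting the two recommendations from this thread together (restrict SSH to the management hosts with an ACL, and force protocol version 2), here is an added configuration example that is not from any poster in the thread. It assumes a management subnet of 192.0.2.0/24 reached via the "inside" interface, an IOS device that already has an RSA key pair generated (required before "ip ssh version 2" takes effect), and a PIX running 7.x or later (or an ASA) for the "ssh version 2" command; the 0.0.0.0 0.0.0.0 line is the one quoted above that should not be in the config.

```cisco
! ===== ASA / PIX 7.x+ =====
! Remove the catch-all that let any host on the outside reach SSH
no ssh 0.0.0.0 0.0.0.0 outside
! Only the (assumed) management subnet, and only from the inside interface
ssh 192.0.2.0 255.255.255.0 inside
! Refuse SSHv1 negotiation; the banner protoversion changes from 1.99 to 2.0
ssh version 2
! Drop idle sessions after 10 minutes
ssh timeout 10

! ===== IOS =====
! Standard ACL naming the (assumed) management subnet; log anything else
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
! Force SSHv2 only (needs an RSA key pair already present)
ip ssh version 2
! Apply the ACL to the VTY lines and allow SSH only (no telnet)
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
```

To verify after the change, "show ssh" on the ASA/PIX lists the permitted hosts and the version setting, and "show ip ssh" on IOS should report "SSH Enabled - version 2.0"; repeating the telnet-to-port-22 check from the original post should then show a banner beginning "SSH-2.0-" rather than "SSH-1.99-", and from any host outside the ACL the connection should be refused before a banner is sent at all.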
07-07-2009 05:56 AM
Another good point. Thank you, I have now done that.