cEdge Control plane security

Axel Robbe
Level 1

Hi all,

 

Another question regarding SD-WAN as I'm finding it hard to find relevant documentation. Put simply, I want to implement an ACL limiting access to SSH functionality of our devices. We're currently in a PoC and working on getting the overlay and routing up. However, I can barely do any work on these devices, because the Viptela 100 routers cannot seem to handle the amount of login attempts and kick me out every once in a while. This often happens before I can even get to a commit and then all work is lost. The ISRs seem to handle this better, but it floods the logging and makes it next to impossible to find anything useful in there.

 

I have been able to compose an ACL of sorts through the CLI in the policy config, but I think it will apply to all protocols. I'm hesitant to apply it and lose control of the router.

  1. Are there any resources out there that would allow us to secure our gear and work in peace (regarding ssh sessions)?

 

  2. Also, linked to this: how do I turn off the banner after entering a username? We're advertising our gear + version out there to anyone trying to access the IP. This stuff is not in the config file. Also, try some usernames and you'll get a confirmation that the account exists.

Example:

Logging in with root (as many try and apparently this account exists):

login as: root
Pre-authentication banner message from server:
| viptela 18.3.0
|
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Account locked due to 65534 failed logins
| Password:

 

 

With an account that does not exist (and I entered 20 random strings as password to get it to "lock"):

login as: try
Pre-authentication banner message from server:
| viptela 18.3.0
|
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:

 

This shows that there is a root account and it's worth trying. The "try" account doesn't show this message, even though the router disconnected me a few times after entering multiple random strings as password. I can replicate this with other existing (local) accounts. I think this is a giveaway in terms of info.

How can we secure this?

 

Kr
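The two transcripts above are a good basis for an audit check of your own devices. The following is an added example, not part of the original post or of any Cisco/Viptela tooling: it parses PuTTY-style keyboard-interactive transcripts like the ones quoted and reports the two pre-authentication disclosures the post describes (a product/version string in the banner, and a lockout notice shown before any password is typed, which confirms the username exists). The sample transcripts are constructed to match the shape shown above, not captured from a real device.

```python
import re

# Constructed samples in the shape of the transcripts quoted above (not from a real device).
EXISTING_ACCOUNT = """login as: root
Pre-authentication banner message from server:
| viptela 18.3.0
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Account locked due to 65534 failed logins
| Password:
"""

UNKNOWN_ACCOUNT = """login as: try
Pre-authentication banner message from server:
| viptela 18.3.0
End of banner message from server
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
"""


def parse_transcript(text):
    """Return (banner lines, prompts of the FIRST keyboard-interactive block)."""
    banner, prompts, section = [], [], None
    for line in text.splitlines():
        if line.startswith("Pre-authentication banner"):
            section = "banner"
        elif line.startswith("Keyboard-interactive authentication prompts"):
            # Only the first prompt block matters: nothing has been typed yet.
            section = "prompt" if not prompts else None
        elif line.startswith("End of "):
            section = None
        elif section and line.startswith("|") and line[1:].strip():
            (banner if section == "banner" else prompts).append(line[1:].strip())
    return banner, prompts


def audit_transcript(text):
    """List the pre-authentication disclosures visible in one login transcript."""
    banner, prompts = parse_transcript(text)
    findings = []
    for b in banner:
        if re.search(r"\d+\.\d+", b):
            findings.append("banner discloses product/version before auth: " + b)
    # A lockout notice before any password is typed tells the client the username
    # is real: the server only tracks failures for accounts that actually exist.
    if any("locked" in p.lower() for p in prompts):
        findings.append("pre-password lockout message confirms the account exists")
    return findings
```

Feed it the saved session output of a login attempt against each device in the PoC; a device is clean when it returns an empty list for both an existing and a non-existing username.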
