07-22-2017 11:48 PM
Hello,
I'm trying to restrict SSH access to one source IP, as I noticed my switch is starting to get some load due to brute-force attempts. Unfortunately, I don't have the luxury of changing the port due to my switch's latest IOS.
ip access-list extended ssh
permit tcp host xxx.xxx.xxx.1 eq 22 any
line vty 5 15
access-class ssh in
exec-timeout 15 0
login local
transport input ssh
transport output all
!
I have 0-4 without the access-class so I don't lose access for now. So what I've done is connect to the same switch multiple times so that the next vty would be above 4, and when I try to connect from the IP in the access list it says refused.
Any ideas?
This is a 4948 on 15.2.SG11
Thanks in advance!
07-23-2017 05:07 AM
Your ACL is wrong. It has to be:
permit tcp host xxx.xxx.xxx.1 any eq 22
07-24-2017 10:01 AM
Generally you can use a standard access list and limit the vty access protocol to SSH.
access-list 70 permit xxx.xxx.xxx.1
!
line vty 0 4
! 'in' filters sessions coming into the vty lines; 'out' filters sessions started from them
access-class 70 in
transport input ssh
transport output ssh
07-24-2017 10:01 AM
Also, to change the access port for SSH you can try:
ip ssh port 2022 rotary 1
!
ip access-list extended VTY
deny tcp host xxx.xxx.xxx.1 any eq 22
permit tcp host xxx.xxx.xxx.1 any eq 2022
deny ip any any log
!
line vty 0 15
access-class VTY in
rotary 1
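The two answers above hinge on one detail: an access-class ACL is matched against the TCP session arriving at the vty, so the admin's SSH client connects from an ephemeral source port and only the destination port is 22 (or 2022 once the rotary is in place). The following is an added example, not code from the thread or from Cisco: a small first-match evaluator for the subset of IOS access-list syntax used in this thread (extended entries with host/any/wildcard addresses and `eq` ports, standard entries, numbered `access-list` form, the implicit trailing deny). It runs the original ACL, the corrected one, the standard ACL 70, and the rotary ACL against constructed sessions. The addresses are stand-ins chosen for the example: 203.0.113.1 plays the admin host written as xxx.xxx.xxx.1 in the thread, 203.0.113.50 the switch, and 198.51.100.7 a brute-forcer. Only contiguous wildcard masks are handled.

```python
"""Added example (not from the thread): first-match evaluator for the IOS
access-list syntax used above. Addresses below are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"ssh": 22, "telnet": 23}   # named ports IOS accepts after 'eq'


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches any IP protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]             # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None = any destination port
    text: str                        # the config line, for reporting


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D WILDCARD', or a bare address."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if not tokens or tokens[0] in ("eq", "log"):
        return ipaddress.ip_network(tok + "/32")   # standard-ACL shorthand for one host
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    prefix_len = 32 - bin(wildcard).count("1")     # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{tok}/{prefix_len}", strict=False)


def _parse_port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq <port>' qualifier following an address."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
        return PORT_NAMES.get(port) or int(port)
    return None


def parse_acl(config: str) -> list:
    """Parse extended and standard entries; skip 'ip access-list ...', '!' and 'log'."""
    entries = []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if tokens[:1] == ["access-list"]:          # numbered form: access-list 70 permit ...
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action = tokens.pop(0)
        if tokens[0] in ("ip", "tcp", "udp"):      # extended entry: proto src [eq] dst [eq]
            proto = tokens.pop(0)
            src = _parse_addr(tokens)
            sport = _parse_port(tokens)
            dst = _parse_addr(tokens)
            dport = _parse_port(tokens)
        else:                                      # standard entry: source address only
            proto, sport, dport = "ip", None, None
            src = _parse_addr(tokens)
            dst = ipaddress.ip_network("0.0.0.0/0")
        entries.append(Entry(action, proto, src, sport, dst, dport, raw.strip()))
    return entries


def evaluate(entries: list, proto: str, src: str, sport: int, dst: str, dport: int) -> tuple:
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.text
    return "deny", "implicit deny ip any any"


# Constructed stand-ins for the thread's xxx.xxx.xxx.1, the switch, and a brute-forcer.
ADMIN, SWITCH, ATTACKER = "203.0.113.1", "203.0.113.50", "198.51.100.7"

ORIGINAL = f"permit tcp host {ADMIN} eq 22 any"      # as posted: 'eq 22' is the SOURCE port
CORRECTED = f"permit tcp host {ADMIN} any eq 22"     # the reply: 'eq 22' is the DESTINATION port
STANDARD = f"access-list 70 permit {ADMIN}"
ROTARY = f"deny tcp host {ADMIN} any eq 22\npermit tcp host {ADMIN} any eq 2022\ndeny ip any any log"


def admin_ssh(acl: str, dport: int = 22) -> str:
    """Admin's SSH client (ephemeral source port) connecting to the switch's vty."""
    return evaluate(parse_acl(acl), "tcp", ADMIN, 51234, SWITCH, dport)[0]


def attacker_ssh(acl: str, dport: int = 22) -> str:
    """Brute-forcer connecting to the switch's vty."""
    return evaluate(parse_acl(acl), "tcp", ATTACKER, 40000, SWITCH, dport)[0]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED), ("standard", STANDARD)):
        print(f"{name:9s} admin -> {admin_ssh(acl)}, attacker -> {attacker_ssh(acl)}")
    print("rotary    admin:22 ->", admin_ssh(ROTARY), "| admin:2022 ->", admin_ssh(ROTARY, 2022),
          "| attacker:2022 ->", attacker_ssh(ROTARY, 2022))
```

Running it shows the original entry falling through to the implicit deny for the admin (source port 51234 is not 22), the corrected entry and the standard ACL 70 permitting the admin and denying the attacker, and the rotary ACL denying the admin on 22 while permitting 2022. The same evaluator can be pointed at your own ACL text before you apply it to `line vty 0 15`, which is cheaper than locking yourself out.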