
SSH Restricted Source IP

tdale1987
Level 1

Hello,

I'm trying to restrict SSH access to one source IP, as I noticed my switch is starting to get some load due to brute-force attempts. Unfortunately, I don't have the luxury of changing the port due to my switch's latest IOS.

ip access-list extended ssh
 permit tcp host xxx.xxx.xxx.1 eq 22 any

line vty 5 15
 access-class ssh in
 exec-timeout 15 0
 login local
 transport input ssh
 transport output all
!

I have 0-4 without the access-class so I don't lose access for now. So what I've done is connected to my same switch multiple times so the next vty would be above 4, and when I try to use the IP in the access list to connect it says refused.

Any ideas?

This is a 4948 on 15.2.SG11

Thanks in advance!

3 Replies

Your ACL is wrong. It has to be:

permit tcp host xxx.xxx.xxx.1 any eq 22
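
Why the posted entry refuses the connection and the corrected one admits it comes down to which side of the entry the "eq 22" binds to. The following is an added example (not from the thread): a small simulator of IOS extended-ACL matching, limited to the keywords used in this thread, run against an inbound SSH SYN from the allowed host. The addresses are constructed placeholders for xxx.xxx.xxx.1 and the switch.

```python
"""Simulate first-match Cisco IOS extended ACL evaluation (added example).

Parser covers only what the thread uses: permit/deny, tcp/ip,
'host A.B.C.D' or 'any', an optional 'eq PORT' after each address,
and a trailing 'log' keyword, which is ignored for matching.
"""

def _take_addr(tokens):
    """Consume one address spec ('any' or 'host X') plus an optional 'eq N'."""
    if tokens[0] == "any":
        addr, tokens = None, tokens[1:]
    elif tokens[0] == "host":
        addr, tokens = tokens[1], tokens[2:]
    else:
        raise ValueError(f"unsupported address spec: {tokens}")
    port = None
    if tokens and tokens[0] == "eq":
        port, tokens = int(tokens[1]), tokens[2:]
    return addr, port, tokens

def parse_ace(line):
    """Parse one access control entry into its match fields."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, sport, rest = _take_addr(tokens[2:])
    dst, dport, _ = _take_addr(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def acl_decision(acl_lines, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    packet = {"proto": proto, "src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport}
    for ace in map(parse_ace, acl_lines):
        proto_ok = ace["proto"] in ("ip", packet["proto"])
        fields_ok = all(ace[f] in (None, packet[f]) for f in ("src", "sport", "dst", "dport"))
        if proto_ok and fields_ok:
            return ace["action"]
    return "deny"

MGMT_HOST = "192.0.2.1"   # constructed stand-in for xxx.xxx.xxx.1
SWITCH = "192.0.2.254"    # constructed switch management address

# As posted: 'eq 22' binds to the SOURCE, but an SSH client's source port is ephemeral.
ACL_AS_POSTED = ["permit tcp host 192.0.2.1 eq 22 any"]
# As corrected in the reply: 'eq 22' binds to the DESTINATION, the switch's SSH port.
ACL_CORRECTED = ["permit tcp host 192.0.2.1 any eq 22"]

def ssh_from_mgmt_host(acl):
    """Decision for an inbound SSH SYN from the allowed host (ephemeral source port)."""
    return acl_decision(acl, "tcp", MGMT_HOST, 51234, SWITCH, 22)

if __name__ == "__main__":
    print("as posted :", ssh_from_mgmt_host(ACL_AS_POSTED))   # deny   -> "refused"
    print("corrected :", ssh_from_mgmt_host(ACL_CORRECTED))   # permit
```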

Predrag Jovic
Level 3

Generally you can use a standard access list and limit the vty access protocol to SSH.

access-list 70 permit xxx.xxx.xxx.1
!
line vty 0 4
 access-class 70 [in|out]
 transport input ssh
 transport output ssh

Also, to change the access port for SSH you can try:

ip ssh port 2022 rotary 1
!
ip access-list extended VTY
  deny tcp host xxx.xxx.xxx.1 any eq 22
  permit tcp host xxx.xxx.xxx.1 any eq 2022
  deny ip any any log
!
line vty 0 15
  access-class VTY in
  rotary 1