If you administer your routers over the internet you probably know you should be using SSH. Telnet is sent in clear text, so it is easily sniffed and your passwords captured.
However, Cisco routers use the standard TCP port 22 for their SSH service. As soon as you open this up to the world and turn on SSH access logging you will start to see hundreds of IPs connecting to your device and running dictionary attacks against it with standard username and password combinations.
The majority of these IPs seem to originate from China or Russia, and they find your open port extremely quickly. This is very annoying: it fills up your log files with these attacks and uses up system resources dealing with them. I believe they are simply running scans for any open TCP port 22.
For this reason I decided I could cut down the number of attacks by moving the SSH port to a different number.
One thing you should know before we start is that there is no way to actually change the SSH port number on the Cisco. What we can do is make it listen for SSH on another port as well.
The command you need to input is...
ip ssh port 1234 rotary 1
This makes the SSH server listen on TCP port 1234 as well and ties that listener to rotary group 1. Any vty line that is a member of rotary group 1 will accept sessions arriving on that port.
You then apply the rotary group to the vty lines like so...
line vty 0 4
rotary 1
Now if you SSH to this port on your router's IP you should find you can connect on TCP 1234. You will also find, however, that you can still reach it on TCP port 22.
All you need to do now is change your external ACL to allow 1234 and let 22 be caught by the deny ip any any at the end of the list:
ip access-list extended INTERNET_IN
permit tcp any host x.x.x.x eq 1234 log
deny ip any any
Now, this isn't making SSH any more secure than it was before. A service scan (for example nmap -sV against the port) will still find it and fingerprint it correctly as Cisco SSH. All this does is make it less obvious: people scanning only for an open TCP 22 will pass it by, and only someone who targeted you with a full port scan (less likely, as it would slow their mass port scans down) would notice it.
It's a simple trick, but you would be amazed how much it cuts down on the number of rogue connection attempts to your router.
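The snippets above are the pieces of one configuration. Here they are put together as a complete IOS fragment, with the parts a working setup also needs (SSH only on the vty lines, the ACL actually applied to the outside interface, and login throttling for the attempts that still reach the new port). This is an added example, not the original post's config: the interface name, the router address 203.0.113.1, the admin source range 198.51.100.0/24 and the choice of port 1234 are assumptions for illustration. Before committing, check `ip ssh port ?` on your platform, as some IOS releases constrain the port numbers this command accepts.

```cisco
! Added example, not the original post's config. Interface name, 203.0.113.1
! (router), 198.51.100.0/24 (admin source) and port 1234 are assumptions.
!
ip ssh version 2
! Extra SSH listener on TCP 1234 tied to rotary group 1.
! Port 22 keeps listening; only the ACL below hides it from the outside.
ip ssh port 1234 rotary 1
!
line vty 0 4
 ! SSH only, no telnet, and make these lines members of rotary group 1
 transport input ssh
 rotary 1
 ! belt and braces: restrict who may open a vty session at all
 access-class VTY_IN in
!
ip access-list standard VTY_IN
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! Edge ACL. Limiting the source to the admin range goes beyond the post's
! "any"; widen it if you really must administer from anywhere. Any other
! traffic this interface must pass needs its own permit before the final deny.
ip access-list extended INTERNET_IN
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.1 eq 1234 log
 ! port 22 falls to an explicit deny, deliberately without "log":
 ! the scanner noise is what we want out of the logs
 deny   tcp any host 203.0.113.1 eq 22
 deny   ip any any
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group INTERNET_IN in
!
! Slow down dictionary attacks that do reach the rotary port:
! 3 failed logins within 60 s block further logins for 120 s
login block-for 120 attempts 3 within 60
login on-failure log
```

Verify from outside with a connection to 203.0.113.1 on 1234 (should succeed) and on 22 (should time out rather than refuse, since the deny drops the SYN). Since the ACL sits on the outside interface only, SSH on port 22 remains reachable from the inside; the access-class on the vty lines is what limits that.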