It is 2019 and plenty of network devices still rely on old crypto algorithms and functions. Therefore, I decided to write down some best practices for hardening SSH on Cisco routers and switches. I tested these settings on IOS-XE 16.x releases.

This article is a write-up of selected security practices. You can find deeper technical explanations of the commands through your own internet research. In fact, when it comes to security, you should do your own research all the time.

SSH server and RSA keys

Use SSH version 2 only, with stronger RSA keys – at least 2048. Logging of SSH-related events might be useful too.

crypto key generate rsa label KEY-SSH modulus 4096
ip ssh rsa keypair-name KEY-SSH

ip ssh version 2

ip ssh logging events

Password encryption

Stop protecting your passwords with the old Cisco type 4 – 8 functions and use type 9 (scrypt) instead. Scrypt is a password-based key derivation function designed to be strongly resistant to cracking attacks. It is an IETF standard that is getting more and more attention (also among some cryptocurrencies).

enable algorithm-type scrypt secret s3cr3t
username admin algorithm-type scrypt secret s3cr3t

Stronger SSH encryption and integrity

You can choose which ciphers may be used when connecting to the network device (SSH server) or when making an SSH connection from the device (SSH client). Unwanted algorithms will stay disabled. This is just an example – you can pick stronger ciphers, if available.

ip ssh server algorithm mac hmac-sha1
ip ssh server algorithm encryption aes256-cbc aes256-ctr
ip ssh server algorithm kex diffie-hellman-group14-sha1

ip ssh client algorithm mac hmac-sha1
ip ssh client algorithm encryption aes256-cbc aes256-ctr
ip ssh client algorithm kex diffie-hellman-group14-sha1

Stronger session keys

SSH session keys are agreed using the Diffie-Hellman key exchange protocol. Use a higher bit length.

ip ssh dh min size 4096

Custom TCP port

You can change the port on which the SSH server listens, if desired. TCP 22 is the default. Let's change it to 2222.

ip ssh port 2222 rotary 1

line vty 0 4
  rotary 1

VTY lines count and protocols

This should be a basic one. Choose how many VTY lines are available for SSH, and disable other protocols such as telnet. An access list limiting SSH clients is also crucial and should be defined for every line.

ip access-list extended ACL-SSH-PERMIT
 permit ip 10.10.10.0 0.0.0.255 any
 deny  ip any any

line vty 0 4
 ! vrf-also is optional: it lets the ACL accept connections arriving on VRF interfaces too
 access-class ACL-SSH-PERMIT in vrf-also
 session-timeout 10 
 exec-timeout 15 0
 transport input ssh
 transport output ssh

Speaking of lines: do not forget to apply the access list to the aux line as well. By default, Cisco routers also listen on TCP ports 2001, 4001, 6001 and 9001. These are Cisco management ports. You may be familiar with the first one, which is used for reverse telnet.

line aux 0
 access-class ACL-SSH-PERMIT in vrf-also

Limit failed login attempts

Block or limit password-guessing attacks. If someone makes 10 unsuccessful login attempts within 60 seconds, their access is blocked for 150 seconds. Authentication retries within a session are limited to two, and the SSH timeout is lowered to 60 seconds. Failed attempts are also logged.

login block-for 150 attempts 10 within 60
ip ssh authentication-retries 2

ip ssh time-out 60
login on-failure log
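
To check a device against the settings above, here is an added example (not part of the original article): a small Python audit of a saved running-config. The names audit, REQUIRED_GLOBAL and SAMPLE_CONFIG are hypothetical, the sample config is constructed, and the script assumes the commands appear in the config exactly as written in this article.

```python
import re

# Constructed sample running-config (not from a real device); several
# settings deliberately deviate from the recommendations in this article.
SAMPLE_CONFIG = """\
enable secret 5 $1$constructed$hash
username admin secret 9 $9$constructed$hash
ip ssh version 2
ip ssh dh min size 2048
line vty 0 4
 access-class ACL-SSH-PERMIT in vrf-also
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Global commands recommended above; each regex is matched against whole lines.
REQUIRED_GLOBAL = {
    "SSH version 2": r"^ip ssh version 2$",
    "DH min size 4096": r"^ip ssh dh min size 4096$",
    "login block-for": r"^login block-for \d+ attempts \d+ within \d+$",
    "login on-failure log": r"^login on-failure log",
}

def audit(config):
    """Return a list of findings for an IOS-style config given as text."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = [f"missing: {name}" for name, rx in REQUIRED_GLOBAL.items()
                if not any(re.match(rx, ln) for ln in lines)]
    # Secrets stored with anything other than type 9 (scrypt).
    for ln in lines:
        m = re.match(r"^(enable|username \S+) .*?secret (\d) ", ln)
        if m and m.group(2) != "9":
            findings.append(f"{m.group(1)}: secret is type {m.group(2)}, not type 9 (scrypt)")
    # Walk each VTY block: indented lines belong to the preceding 'line vty' header.
    block, body = None, []
    for ln in lines + ["end"]:  # sentinel flushes the last block
        if ln.startswith(" ") and block:
            body.append(ln.strip())
            continue
        if block:
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{block}: no access-class")
            if "transport input ssh" not in body:
                findings.append(f"{block}: transport input is not ssh-only")
        block, body = (ln if ln.startswith("line vty") else None), []
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

VTY lines 5 15 are flagged in the sample because the article configures only lines 0 4; any additional VTY range on the device needs the same access-class and transport settings.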

Useful links

There is much more of interest when it comes to security hardening. I recommend going through the following articles.

                 
