It is 2019 and plenty of network devices still rely on old crypto algorithms and functions. Therefore, I decided to write down some best practices for hardening SSH on Cisco routers / switches. I tested these setting on IOS-XE 16.x releases.
This article is meant as a write-down of picked security practices. You can find more technical deep-dive meaning of the commands by internet research. In fact, when it comes to security, you should do your own research all the time.
SSH server and RSA keys
Use SSH version 2 only with stronger RSA keys – at lease 2048. Logging of ssh related events might be useful too.
crypto key generate rsa label KEY-SSH modulus 4096 ip ssh rsa keypair-name KEY-SSH ip ssh version 2 ip ssh logging events
You should stop encrypting your passwords with old Cisco type 4 – 8 functions. Use type 9 = SCRYPT. It is password-based key derivation function which is designed to be strongly resistant to cracking attacks. It is IETF standard getting more and more attention (also among some cryptocurrencies).
enable algorithm-type scrypt secret s3cr3t username admin algorithm-type scrypt secret s3cr3t
Stronger SSH encryption and integrity
You can choose which ciphers can be used when connecting to network device (ssh server) or making another ssh connection from the device (ssh client). Unwanted algorithms will stay disabled. This is just an example – you can pick stronger ciphers – if available.
ip ssh server algorithm mac hmac-sha1 ip ssh server algorithm encryption aes256-cbc aes256-ctr ip ssh server algorithm kex diffie-hellman-group14-sha1 ip ssh client algorithm mac hmac-sha1 ip ssh client algorithm encryption aes256-cbc aes256-ctr ip ssh client algorithm kex diffie-hellman-group14-sha1
Stronger session keys
SSH session keys are agreed with Diffie-hellman key exchange protocol. Use higher bit length.
ip ssh dh min size 4096
Custom TCP port
You can change SSH on which is server listening if this is desirable. TCP:22 is default one. Lets change it to 2222.
ip ssh port 2222 rotary 1 line vty 0 4 rotary 1
VTY lines count and protocols
This should be basic one. Choose how many VTY lines are available for SSH, and disable other protocols as telnet. Also access list limiting SSH clients is crucial and should be defined for every line.
ip access-list extended ACL-SSH-PERMIT permit ip 10.10.10.0 0.0.0.255 any deny ip any any line vty 0 4 access-class ACL-SSH-PERMIT [in vrf-also] session-timeout 10 exec-timeout 15 0 transport input ssh transport output ssh
Speaking about the lines… Do not forget to apply access-list also for the aux line. By default – Cisco routers are listening also on ports TCP 2001, 4001, 6001 and 9001. These are Cisco management ports. You may be familiar with the first one used for reverse telnet.
line aux 0 access-class ACL-SSH-PERMIT [in vrf-also]
Limit failed login attempts
Block/limit password-guessing attacks. If someone make 10 unsuccessful attempts to login within 60 seconds, we will block his access for 150 seconds. Authentication retries within session is limited to two. SSH timeout lowered to 60 seconds. Also failed attempts will be logged.
login block-for 150 attempts 10 within 60 ip ssh authentication-retries 2 ip ssh time-out 60 login on-failure log
There are much more interesting when it comes to security hardening. I recommend you to go through following articles.
- Why you should be using scrypt for Cisco Router Password Storage
- Guide to better SSH-Security
- Cisco Guide to Harden Cisco IOS Devices