Another useful feature in newer IOSs is 'Cisco IOS login enhancements'. We find it pretty useful. Upon so many failed logins in a certain timeframe, it can fall back to a more restrictive ACL, then go back to the original after so many minutes.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_login_enhance.html
Chuck

-----Original Message-----
From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin Shore
Sent: Sunday, March 22, 2009 11:26 PM
To: Charles Wyble
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Changing SSH Port on IOS

Agreed. Never ever put an IOS box up on the Internet with a public IP without at least restricting VTY access. We were directly targeted about 3 years ago right after I came back to the SP. My predecessor hadn't implemented any VTY ACLs. One day, while going through my rediscovery of the network, I started noticing that I couldn't get into several devices. The list of devices I couldn't access grew rapidly and within an hour I couldn't log into anything. The attacker pounded every piece of network gear we had from hundreds of remote IPs trying to guess a working userid/password combo. They consumed all VTYs on every device at once. The gear was in 2 states and spread out over many hours of driving so I couldn't visit much of it in person. I spent well over a day getting everything tied down. Fortunately syslog confirmed that we hadn't been compromised.

Forgetting the VTY ACL is like forgetting to check your fly before picking up your hot date for the big night or forgetting to turn off your cell phone ringer before showing up at the interview for the perfect job.

>> #sh ip ssh
>> SSH Enabled - version 1.99

Also, disable SSH version 1 support. Only use SSHv2.

ip ssh version 2

Justin

Charles Wyble wrote:
> Um..... why don't you set up some ACL to limit access? It's generally ill
> advised to run daemons with shell access directly connected to the
> internet. :)
>
> I use OpenVPN for all my access, and only run SSH on the private
> interface. I realize this isn't always possible, but is a good solution.
>
> Andy BIERLAIR wrote:
>> I'm running s72033-ipservicesk9-mz.122-18.SXF15a with SSH on Port 22.
>>
>> Due to too many bots hammering that well-known port, I wanted to change
>> it to something else, but somehow I can't:

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
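The thread gives three separate pieces of advice (a VTY access-class so unknown sources never reach the login prompt, SSHv2 only, and Chuck's pointer to the login-enhancements feature that swaps in a tighter ACL after a burst of failures). The following configuration puts them together in one place. It is an added example written for this page, not configuration posted by any of the list participants. The 192.0.2.0/24 management range, the emergency host 192.0.2.10, the ACL names, the username, the thresholds and the `log` keyword on the deny entries are all assumptions for illustration; adjust them to your own environment.

```cisco
! Constructed example: 192.0.2.0/24 is assumed to be the management network
! (documentation range, not a real address block).
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
! ACL used while the router is in "quiet mode" after too many failures.
! It REPLACES the VTY access-class for the block period, so the host you
! would use to recover the box must be listed here. 192.0.2.10 is assumed.
ip access-list standard QUIET-MODE-HOSTS
 permit 192.0.2.10
 deny   any log
!
! Local account used for VTY authentication. Secret is a placeholder.
aaa new-model
aaa authentication login default local
username netadmin privilege 15 secret ChangeMe-Before-Deploying
!
! SSHv2 only (closes the "version 1.99" compatibility mode shown in the thread).
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Cisco IOS login enhancements. "login block-for" must be entered before the
! other "login ..." commands. Here: 5 failed attempts within 60 seconds puts
! the device into quiet mode for 300 seconds, during which only
! QUIET-MODE-HOSTS may reach the VTYs. Thresholds are assumptions.
login block-for 300 attempts 5 within 60
login quiet-mode access-class QUIET-MODE-HOSTS
login delay 2
login on-failure log
login on-success log
!
! Management lines: SSH only, sourced from MGMT-HOSTS, idle sessions dropped.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
!
```

A few practical notes on this layout. The access-class on the VTYs drops unwanted sources before any authentication takes place, which is what prevents the "all VTYs consumed" condition Justin describes; the login-block feature only helps once a permitted source (or a source you forgot to filter) starts failing logins. Verify the result with `show ip ssh` (expect "version 2.0", not "1.99"), `show login` (shows whether quiet mode is active and which ACL applies) and `show login failures`. The login enhancements are only available on IOS trains that include the feature; check that your image supports `login block-for` before relying on the quiet-mode fallback, and test the QUIET-MODE-HOSTS ACL from the emergency host before you need it, since a mistake there locks you out for the whole block period.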