Enhance Remote Management Security of Cisco routers through SSH (1)

Source: Internet
Author: User

Telnet to the Cisco router for remote management is the choice of many network administrators, but the data transmitted through Telnet is in plain text, so this login method carries a great security risk. A malicious user may use a sniffing tool such as Sniffer to monitor the administrator's host or an appropriate network interface and capture the administrator's password for logging on to the Cisco router.

1. Security Testing

I installed Sniffer locally and used Telnet to log on to the Cisco router, then stopped the capture and decoded it. Figure 1 shows the user logging on to the router in user mode and then in global mode; the passwords entered are displayed in plain text. Although the password is split into two parts, an experienced attacker can combine them to obtain the logon password of the Cisco router. In fact, more than that: every command the administrator enters on the router is captured by the sniffer tool, so even if the administrator changes the router password and encrypts it, the new password can be sniffed as well. (Figure 1)


2. SSH Security

SSH stands for Secure Shell, and its default connection port is 22. With SSH, all transmitted data is encrypted, so the "man-in-the-middle" sniffing attack shown above is no longer possible, and DNS and IP spoofing can also be prevented. A further advantage is that the transmitted data is compressed, which can speed up transmission.

3. SSH deployment

Based on the test above and the security features of SSH, SSH should be used instead of Telnet for the secure management of Cisco routers. Of course, to manage a Cisco router over SSH, the router itself must be configured accordingly. The following describes how to deploy and connect to SSH in a virtual (lab) environment.

(1). Cisco Configuration

The following are commands and instructions for configuring SSH on Cisco:

Ra# configure terminal
Ra(config)# ip domain-name ctocio.com.cn                         // configure a domain name (required before the RSA host key can be generated)
Ra(config)# crypto key generate rsa general-keys modulus 1024    // generate an RSA key pair with a 1024-bit modulus

(Note: on Cisco, the RSA modulus can be 360 to 2048 bits. The principle of this algorithm is that the host distributes its own public key to the relevant clients; when a client connects to the host, it uses the host's public key to encrypt the data, and the host decrypts it with its own private key, which implements host key authentication and determines the reliable identity of the client.)

Ra(config)# ip ssh time-out 120                 // set the SSH negotiation timeout to 120 seconds
Ra(config)# ip ssh authentication-retries 4     // set the number of SSH authentication retries to 4 (a value between 0 and 5 can be chosen)
Ra(config)# line vty 0 4                        // enter line configuration mode for the vty lines
Ra(config-line)# transport input ssh            // allow only SSH logins on the vty lines; by default all protocols (Telnet included) are allowed
Ra(config-line)# login

After this configuration is complete, you can no longer telnet to the Cisco router. (Figure 3)

Ra(config-line)# exit
Ra(config)# aaa new-model                                 // enable the AAA model; the next command is only accepted once this is set
Ra(config)# aaa authentication login default local        // use the router's local user database for login authentication
Ra(config)# username ctocio password ctocio               // create user ctocio with password ctocio for SSH client logins

With this, the Cisco-side configuration for SSH is complete.
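To verify that a router really ended up in the state described above, a small configuration audit is useful. The following Python script is an added example, not part of the original article: it parses the constructed before/after running-config excerpts embedded in it and flags vty lines that still permit cleartext Telnet, missing SSH prerequisites, and credentials stored with `password` rather than `secret`.

```python
import re

# Constructed sample: remote-access part of a running-config BEFORE the
# hardening described in the article (every vty protocol, telnet included, allowed).
BEFORE_CFG = """\
hostname Ra
username ctocio password ctocio
line vty 0 4
 transport input all
 login
"""

# Constructed sample AFTER the article's SSH-only configuration is applied.
AFTER_CFG = """\
hostname Ra
ip domain-name ctocio.com.cn
ip ssh time-out 120
ip ssh authentication-retries 4
aaa new-model
aaa authentication login default local
username ctocio password ctocio
line vty 0 4
 transport input ssh
 login
"""

def parse_vty_blocks(cfg):
    """Return {'vty 0 4': [sub-commands]} for each 'line vty' section of an IOS config."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # a top-level command ends the line section
    return blocks

def audit_remote_access(cfg):
    """Return findings for the weaknesses the article addresses: cleartext telnet
    on the vty lines, missing SSH prerequisites, and reversible credential storage."""
    findings = []
    top = [ln.strip() for ln in cfg.splitlines() if ln and not ln.startswith(" ")]
    for vty, cmds in parse_vty_blocks(cfg).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        # Without 'transport input ssh' IOS accepts every protocol on the vty, telnet included.
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"line {vty}: telnet (cleartext) login permitted: {transport or 'transport input not set'}")
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("no ip domain-name: RSA host key for SSH cannot be generated")
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: 'aaa authentication login default local' is not in effect")
    for c in top:
        if re.match(r"username \S+ password ", c):
            findings.append(f"{c.split()[1]}: stored with 'password' (type 0/7, reversible); use 'username ... secret'")
    return findings

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CFG), ("after", AFTER_CFG)):
        print(name, audit_remote_access(cfg) or ["no findings"])
```

Running it shows four findings for the "before" excerpt and one remaining finding for the "after" excerpt (the user created with `password` instead of `secret`).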

