When maintaining a device remotely, use SSH rather than Telnet: Telnet sends passwords and every command in plain text, where a sniffer can read them easily. The SSH (Secure Shell) service uses TCP port 22. After the client software initiates a connection request, it accepts the server's public key and negotiates the encryption method; from then on all traffic is encrypted. Currently, Cisco devices only support SSH V1, not V2.
Cisco implements SSH to provide secure device-management connections; it is not meant for encrypting host-to-host communication. Cisco recommends IPsec as the end-to-end communication encryption solution.

1. Configuration of IOS devices (such as the 6500 MSFC, 8500 and 7500)

A) Software requirements
IOS 12.0(10)S and later releases contain the IPSec 56 feature set. We recommend IOS 12.2 IP Plus IPSec 56C or a later release. Basically all Cisco routers are supported, but you may need to upgrade the hardware to run the required software release.

B) Define a user
  username Mize password nnwh@163.net

D) Define a domain name
  ip domain-name mize.myrice.com      // required before SSH can be configured

E) Generate a key
  crypto key generate rsa modulus 2048
Execution result:
  The name for the keys will be: 6509-mize.myrice.com
  % The Key modulus size is 2048 bits
  Generating RSA keys...
  [OK]

F) Specify the source addresses of the hosts allowed to log on with SSH
  access-list 90 remark hosts allowed to SSH in   // earlier releases may not support the remark keyword
  access-list 90 permit 10.10.1.100
  access-list 90 permit 10.10.1.101

G) Restrict logon
  line con 0
   login local
  line vty 0 4
   login local            // log on with the user name and password defined locally
   transport input ssh    // only SSH logon is allowed (note: Telnet, and the session command from the switch engine, are refused!)
   access-class 90 in     // only the specified source hosts may log on

2. Configuration of CatOS (such as the 6500/4000 switch engine)

A) Software requirements
The 6500/4000 switch engine running CatOS provides the SSH service in "K9" software releases 6.1 and later, such as cat6000-sup2cvk9.7-4-3.bin and cat4000-k9.6-3-3a.bin. The 8540/8510 switches require 12.1(12c)EY or later software to support SSH. The 3550 switch requires software later than 12.1(11)EA1 for SSH support. Other switches may not support SSH.
B) Generate a key
  set crypto key rsa 2048
Generating the key takes 1-2 minutes. After the command completes, run show crypto key to view the generated key.

C) Restrict the management workstation addresses
  set ip permit 10.10.1.100 ssh     // workstation allowed to log on with SSH only
  set ip permit 10.10.1.101 ssh
  set ip permit enable ssh          // check the source address of SSH connections
  set ip permit enable telnet       // check the source address of Telnet connections
  set ip permit enable snmp         // check the source address of SNMP requests
If ip permit is disabled for a service, all connections to that service are allowed (services such as Telnet may of course still have their own user authentication). If ip permit is enabled for a service, the management workstation addresses must be defined in advance with set ip permit <management workstation IP address> [optional subnet mask] [allowed service types (ssh/telnet/snmp)]. Run show ip permit to check the ip permit configuration.

Some services have known security weaknesses (such as HTTP) or use a protocol that was designed without security (such as SNMP and Telnet). If a service is not needed, disable it; if it is needed, take measures so that it is offered only to legitimate users:

6500/4000 switch engine:
  set ip http server disable        // disable the HTTP service
  set ip permit enable snmp         // restrict the SNMP source addresses
  set snmp community read-only      // clear the default SNMP community strings
  set snmp community read-write
  set snmp community read-write-all

IOS devices such as the 8500, 7500 and MSFC:
  no ip http server                 // disable the HTTP service
  no snmp-server                    // disable the SNMP service
  no service dhcp                   // disable the DHCP service
  no ip finger                      // disable the finger service
  no service tcp-small-servers      // disable the basic TCP services
  no service udp-small-servers      // disable the basic UDP services
  service password-encryption       // encrypt the plaintext passwords stored in the configuration
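The set ip permit rules in section 2 C) above have one failure mode worth checking before enabling them: a service whose checking is enabled but which no entry names will refuse every source, including the administrator. The following Python model is an added example, not part of the original article or of any Cisco software; the IpPermitTable class, its method names and the sample entries are constructed for this example, using the article's workstation addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# The three services whose source checking 'set ip permit enable <service>' controls.
SERVICES = ("ssh", "telnet", "snmp")


@dataclass
class IpPermitTable:
    """Hypothetical model of the CatOS ip permit rules as the article states them.

    enabled: service -> True once 'set ip permit enable <service>' was issued.
    entries: (network, services) pairs from 'set ip permit <ip> [mask] [services]'.
    """
    enabled: dict = field(default_factory=lambda: {s: False for s in SERVICES})
    entries: list = field(default_factory=list)

    def set_ip_permit(self, address, services=(), mask="255.255.255.255"):
        """'set ip permit <ip> [mask] [service ...]'; no service means all three."""
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        svcs = frozenset(services) if services else frozenset(SERVICES)
        if not svcs <= set(SERVICES):
            raise ValueError(f"unknown service in {services}")
        self.entries.append((net, svcs))

    def enable(self, service):
        """'set ip permit enable <service>'."""
        self.enabled[service] = True

    def is_allowed(self, source, service):
        """Decide whether a connection from 'source' reaches 'service'.

        Disabled checking lets everything through to the service's own login;
        enabled checking admits only sources matching an entry that names the service.
        """
        if not self.enabled[service]:
            return True
        src = ipaddress.ip_address(source)
        return any(src in net and service in svcs for net, svcs in self.entries)

    def lockout_risks(self):
        """Services whose checking is enabled but which no entry permits: every source is refused."""
        return [s for s in SERVICES
                if self.enabled[s] and not any(s in svcs for _, svcs in self.entries)]


def article_table():
    """The ip permit configuration from section 2 C), entered into the model."""
    t = IpPermitTable()
    t.set_ip_permit("10.10.1.100", ("ssh",))   # set ip permit 10.10.1.100 ssh
    t.set_ip_permit("10.10.1.101", ("ssh",))   # set ip permit 10.10.1.101 ssh
    for s in SERVICES:                         # set ip permit enable ssh / telnet / snmp
        t.enable(s)
    return t


if __name__ == "__main__":
    t = article_table()
    for src, svc in (("10.10.1.100", "ssh"), ("10.10.2.5", "ssh"), ("10.10.1.100", "telnet")):
        print(f"{src:>12} -> {svc:<6} {'allowed' if t.is_allowed(src, svc) else 'refused'}")
    print("enabled but reachable by nobody:", t.lockout_risks())
```

With the article's entries, which name only ssh, the model reports telnet and snmp as enabled-but-unreachable; that is the intended outcome when only SSH management is wanted, but it is the state to verify before the console session is closed.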
3. SSH client

A) Logging on from the management workstation
Only terminal emulation programs that support the SSH V1 protocol can manage these devices over SSH. We recommend SecureCRT 3.3 or the free PuTTY. The following describes how to log on to an SSH device with SecureCRT: run SecureCRT, select File - Quick Connect... and set the following parameters:
  Protocol: SSH1
  Hostname: 10.10.1.1
  Port: 22
  Username: Mize
  Cipher: 3DES
  Authentication: Password
Click Connect. You may be prompted to accept the public key from the device: select Accept Once (accept for this session only) or Accept & Save (save the key for the next connection). Because of protocol implementation problems, an SSH buffer overflow may occur; if you receive a message saying that the key is larger than 16 KB, simply try again. Once the connection is established, enter the password to log on. For later logins, click File - Connect and connect to 10.10.1.1.

B) Logging on to other devices over SSH from an IOS device
An IOS device can also act as an SSH client and initiate an SSH connection. To log on to an IOS device that supports 3DES, run the following command (-l specifies the user name):
  ssh -l Mize 10.10.3.3
To log on to an IOS device that supports only DES (56-bit), run the following command (-c des selects single-DES encryption):
  ssh -c des -l Mize 10.10.5.5
To log on from an IOS device to a CatOS switch engine that supports 3DES, such as the 6509/4006, run the following command (no user name is required):
  ssh 10.10.6.6

4. Restrict the Telnet source address
For devices that do not support SSH, you can restrict the Telnet source addresses to improve security. The drawback is that adding an administrator address requires changing the configuration of every device.
With the relay device method, the controlled devices accept Telnet only from the relay device, and the relay device lets multiple administrators log on in a safer way (for example with SSH).

Relay device:
  interface loopback0
   ip address 10.10.1.100 255.255.255.255
  ip telnet source-interface loopback0   // the source address used for outgoing Telnet

Controlled devices:
  access-list 91 remark hosts allowed to telnet in
  access-list 91 permit 10.10.1.100
  access-list 91 permit 10.10.1.101
  line con 0
   password XXXXXXXX
  line vty 0 4
   password XXXXXXXX
   access-class 91 in
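Both vty configurations above (access-list 90 in section 1 G) and access-list 91 in section 4) are easy to get subtly wrong, for instance by leaving Telnet in transport input, omitting the access-class, or permitting a whole subnet instead of the two workstations. The following Python script, an added example that is not part of the original article or of any Cisco software, parses the text of a running-config and checks the vty lines against the section 1 checklist. The sample configuration (including its made-up type 7 password string), the MGMT_HOSTS tuple and all function names are constructed for this example. The same parse_standard_acl check applies to access-list 91 on section 4's controlled devices, although those devices by design fail the SSH transport check.

```python
import ipaddress
import re

# Constructed sample: a partial 'show running-config' in the shape section 1 above builds.
# The password string is a made-up type 7 value, not a real credential.
SAMPLE_CONFIG = """\
hostname 6509
ip domain-name mize.myrice.com
username Mize password 7 0822455D0A16
access-list 90 remark hosts allowed to SSH in
access-list 90 permit 10.10.1.100
access-list 90 permit 10.10.1.101
line con 0
 login local
line vty 0 4
 access-class 90 in
 login local
 transport input ssh
"""

MGMT_HOSTS = ("10.10.1.100", "10.10.1.101")  # the workstations that should reach the vty lines


def parse_sections(config):
    """Split a running-config into top-level commands and indented 'line ...' blocks."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):          # sub-command of the current block
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            top.append(raw.strip())
    return top, blocks


def wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask (0.0.0.255 -> 24); non-contiguous masks are rejected."""
    bits = int(ipaddress.ip_address(wildcard))
    ones = bin(bits).count("1")
    if bits != (1 << ones) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - ones


def parse_standard_acl(top, number):
    """Return the networks permitted by numbered standard ACL 'number' (remarks ignored)."""
    nets = []
    pat = re.compile(rf"^access-list {re.escape(str(number))} permit (.+)$")
    for cmd in top:
        m = pat.match(cmd)
        if not m:
            continue
        parts = m.group(1).split()
        if parts[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif parts[0] == "host":
            nets.append(ipaddress.ip_network(f"{parts[1]}/32"))
        elif len(parts) == 2:           # 'permit A.B.C.D WILDCARD'
            plen = wildcard_to_prefixlen(parts[1])
            nets.append(ipaddress.ip_network(f"{parts[0]}/{plen}", strict=False))
        else:                           # 'permit A.B.C.D' alone is a single host
            nets.append(ipaddress.ip_network(f"{parts[0]}/32"))
    return nets


def audit_vty(config, mgmt_hosts=MGMT_HOSTS):
    """Return findings for the vty lines; an empty list means the checklist is satisfied."""
    top, blocks = parse_sections(config)
    findings = []
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("no 'ip domain-name' (needed before 'crypto key generate rsa')")
    expected = {ipaddress.ip_network(f"{h}/32") for h in mgmt_hosts}
    vty = {name: cmds for name, cmds in blocks.items() if name.startswith("line vty")}
    if not vty:
        findings.append("no 'line vty' block found")
    for name, cmds in vty.items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not restricted to ssh")
        if "login local" not in cmds:
            findings.append(f"{name}: missing 'login local'")
        acl = next((c.split()[1] for c in cmds
                    if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            findings.append(f"{name}: no inbound access-class")
            continue
        permitted = set(parse_standard_acl(top, acl))
        if permitted != expected:
            extra = sorted(str(n) for n in permitted - expected)
            missing = sorted(str(n) for n in expected - permitted)
            findings.append(f"{name}: access-list {acl} permits extra {extra}, lacks {missing}")
    return findings


if __name__ == "__main__":
    for line in audit_vty(SAMPLE_CONFIG) or ["vty hardening matches the checklist"]:
        print(line)
```

Feed it the saved output of show running-config from each device; every finding names the vty block and the deviation, so a widened ACL (a subnet wildcard where two hosts were intended) shows up as an extra network rather than silently passing.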