Set an instance for SSH on a Cisco device

Source: Internet
Author: User
Tags: modulus, snmp

Original source: http://www.pcdog.com (author unknown)

When Telnet is used for remote device maintenance, passwords and all traffic are sent in plain text and can easily be captured by a sniffer, so SSH should be used instead. The SSH (Secure Shell) service uses TCP port 22. After the client software initiates a connection request, it accepts the public key from the server and negotiates the encryption method; once the negotiation succeeds, all communication is encrypted. Currently, Cisco devices only support SSH V1, not V2.

Cisco implements SSH to provide secure device management connections; it is not intended for encrypting host-to-host traffic. Cisco recommends IPsec as the end-to-end communication encryption solution.
1. Configuration of IOS devices (such as the 6500 MSFC, 8500, and 7500):
A) Software requirements
IOS 12.0(10)S and later versions contain the IPSec 56 feature set.
We recommend IOS 12.2 IP Plus IPSec 56C or a later version.
Basically all Cisco routers are supported, but you may need to upgrade the hardware to run the specified software version.
B) Define a user
username Mize password nnwh@163.net
D) Define a domain name
ip domain-name mize.myrice.com // required before SSH can be configured; the RSA key is named after the host name and domain
E) Generate a key
crypto key generate rsa modulus 2048
Execution result:
The name for the keys will be: 6509-mize.myrice.com
% The Key modulus size is 2048 bits
Generating RSA keys...
[OK]
F) Specify the source IP addresses of the hosts allowed to log on with SSH.
access-list 90 remark hosts allowed to SSH in // earlier versions may not support the remark keyword
access-list 90 permit 10.10.1.100
access-list 90 permit 10.10.1.101
G) Restrict logon
line con 0
login local
line vty 0 4
login local // log on with the user name and password defined locally
transport input ssh // only SSH logon is allowed (note: Telnet, and session from the switching engine, are also blocked!)
access-class 90 in // only allow the specified source hosts to log on
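As an added check that is not part of the original article, the following Python script audits an IOS running-config text for the section 1 settings (ip domain-name, service password-encryption, login local, transport input ssh, and an access-class backed by a populated access-list). The sample config is constructed to follow the recipe above, and the parser is a simplified line-based approximation of IOS config structure, not a full IOS grammar.

```python
# Added example (not from the article): audit an IOS running-config for the
# SSH-only management settings described above, with a simple line-based parser.
import re

# Constructed sample config following the article's IOS recipe (not a device dump).
SAMPLE_CONFIG = """\
ip domain-name mize.myrice.com
service password-encryption
no ip http server
access-list 90 permit 10.10.1.100
access-list 90 permit 10.10.1.101
line vty 0 4
 login local
 transport input ssh
 access-class 90 in
"""

def parse_config(text):
    """Split an IOS config into top-level lines and 'line vty' sub-blocks."""
    top, vty, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            vty[current].append(raw.strip())      # indented line belongs to the block
        elif raw.startswith("line vty"):
            current = raw.strip()
            vty[current] = []
        elif raw.strip() and not raw.startswith("!"):
            current = None
            top.append(raw.strip())
    return top, vty

def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    top, vty = parse_config(text)
    findings = []
    if not any(t.startswith("ip domain-name ") for t in top):
        findings.append("no ip domain-name (RSA key generation requires it)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption missing")
    # ACL numbers that have at least one permit entry
    acls = {t.split()[1] for t in top if re.match(r"access-list \d+ permit ", t)}
    for name, sub in vty.items():
        missing = [c for c in ("login local", "transport input ssh") if c not in sub]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
        applied = [m for m in (re.match(r"access-class (\d+) in$", s) for s in sub) if m]
        if not applied:
            findings.append(f"{name}: no access-class restricting source hosts")
        elif applied[0].group(1) not in acls:
            findings.append(f"{name}: access-class {applied[0].group(1)} has no permit entries")
    return findings
```

Run audit() over the output of show running-config; a config that still accepts Telnet or lacks the access-class produces one finding per missing control.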
2. Configuration of CatOS (such as the 6500/4000 switching engine):
A) Software requirements
The 6500/4000 switching engine running CatOS provides SSH in 6.1 or later "K9" software versions, for example cat6000-sup2cvk9.7-4-3.bin and cat4000-k9.6-3-3a.bin.
The 8540/8510 switches require 12.1(12c)EY or later software to support SSH.
The 3550 switches require software later than 12.1(11)EA1 for SSH support.
Other switches may not support SSH.
B) Generate a key
set crypto key rsa 2048
It takes 1-2 minutes to generate the key. After the command completes, run show crypto key to view the generated key.
C) Restrict the management workstation address
set ip permit 10.10.1.100 ssh // workstation that is allowed to log on with SSH
set ip permit 10.10.1.101 ssh
set ip permit enable ssh // check the source address of SSH connections
set ip permit enable telnet // check the source address of Telnet connections
set ip permit enable snmp // check the source address of SNMP requests
If ip permit is disabled for a service, all connections to it are allowed (services such as Telnet may of course still apply their own user authentication). If ip permit is enabled for a service, the management workstation addresses must first be defined with set ip permit <management workstation IP address> [optional subnet mask] [allowed service types (ssh/telnet/snmp)].
Run show ip permit to check the IP permit configuration.
Some services have security vulnerabilities (such as HTTP) or use a protocol that is insecure by design (such as SNMP and Telnet). If a service is not necessary, shut it down; if it is necessary, take measures to ensure that it is only offered to legitimate users:

6500/4000 switching engine:
set ip http server disable // disable the HTTP service
set ip permit enable snmp // restrict the SNMP source address
set snmp community read-only // clear the default SNMP community strings
set snmp community read-write
set snmp community read-write-all

IOS devices such as the 8500, 7500, and MSFC:
no ip http server // disable the HTTP service
no snmp-server // disable the SNMP service
no service dhcp // disable the DHCP service
no ip finger // disable the Finger service
no service tcp-small-servers // disable the basic TCP services (echo, discard, chargen, daytime)
no service udp-small-servers // disable the basic UDP services
service password-encryption // obscure plaintext passwords in the configuration (type 7 encoding is reversible, so it only hides passwords from casual viewing)

3. SSH client
A) Log on from the management workstation
Only terminal emulation programs that support the SSH V1 protocol can manage devices over SSH. We recommend SecureCRT 3.3 or the free PuTTY. The following describes how to use SecureCRT to log on to an SSH device:
Run SecureCRT and select File - Quick Connect..., then set the following parameters:
Protocol: SSH1
Hostname: 10.10.1.1
Port: 22
Username: Mize
Cipher (encryption method): 3DES
Authentication: Password
Click Connect. You may be prompted to accept the public key from the device; select Accept Once (accept only this time) or Accept & Save (save the key for the next connection). Because of a protocol implementation problem, an SSH buffer overflow message may appear; if you receive a message saying the key is larger than 16 KB, simply try again and the connection will proceed normally. Enter the password to log on to the system.
For later logons, click File - Connect and connect to 10.10.1.1.
B) Log on to other devices over SSH from an IOS device
An IOS device can also initiate an SSH connection request (acting as the SSH client). To log on to an IOS device that supports 3DES, run the following command (-l specifies the user name):
ssh -l Mize 10.10.3.3
To log on to an IOS device that supports only DES (56-bit), run the following command (-c des specifies single DES encryption):
ssh -c des -l Mize 10.10.5.5
To log on from an IOS device to a CatOS switching engine that supports 3DES, such as the 6509/4006, run the following command (no user name is required):
ssh 10.10.6.6
4. Restrict the Telnet source address
For devices that do not support SSH, you can restrict the Telnet source address to improve security. To avoid having to modify the configuration of every device whenever an administrator address is added, use a relay device: the controlled devices allow Telnet only from the relay device, and the relay device allows multiple administrators to log on in a safer way (such as SSH).

Set up the relay device:
interface loopback 0
ip address 10.10.1.100 255.255.255.255
ip telnet source-interface loopback0 // the source address used when initiating Telnet
Set up the controlled devices:
access-list 91 remark hosts allowed to telnet in
access-list 91 permit 10.10.1.100
access-list 91 permit 10.10.1.101
line con 0
password XXXXXXXX
line vty 0 4
password XXXXXXXX
access-class 91 in
