A Brief Look at Replacing Telnet with SSH: Cisco Router Configuration Guide

Source: Internet
Author: User
Tags: modulus, telnet, program

Cisco routers can be configured in several ways. This guide, which replaces Telnet with SSH for Cisco router management, helps you understand Cisco router configuration and the related topics.

Replacing Telnet with SSH for Cisco router configuration

The Telnet protocol is a member of the TCP/IP protocol family and is the standard protocol and main method of the Internet's remote login service. It lets a user work on a remote host from a local computer: the telnet program on the user's machine connects to the server, the user types commands into it, and those commands run on the server exactly as if they had been entered at the server's console.
Using Telnet to manage Cisco routers remotely is the choice of many network administrators, but the data transmitted through Telnet is in plain text, so this login method carries a serious security risk. A malicious user can run a sniffing tool such as Sniffer on the administrator's host, or on a suitable interface along the path, to capture the password the administrator uses to log on to the Cisco router.

1. Security Testing

I installed Sniffer locally and used Telnet to log on to the Cisco router, then stopped the capture and decoded it. Figure 1 shows the user logging on to the router in user mode and then in global mode; the passwords entered are displayed in plain text. Although the password is split into two parts, an experienced attacker can combine them to recover the logon password of the Cisco router. It does not stop there: every command the administrator enters on the router is captured by the sniffer as well, so even if the administrator changes the router password and stores it encrypted, the new password can still be obtained by sniffing.

In the last line of the decoded data above, the C that follows marks the first password we entered, so the password can be read directly from the Telnet data packets. This is extremely insecure for our network.

2. ssh Security

The full name of ssh is Secure Shell; it was developed by a Finnish company. Ssh consists of client software and server software, and it exists in two incompatible versions, 1.x and 2.x. Ssh is powerful: it can replace Telnet and also provide a secure "channel" for FTP, POP3, and PPP. Ssh encrypts all transmitted data, so even if someone intercepts it they cannot obtain useful information, and the data is compressed as well, which greatly speeds up transmission. Its default port is 22. Because everything it transmits is encrypted, the "man-in-the-middle" sniffing shown above is no longer possible, and ssh also helps prevent DNS and IP spoofing.

3. ssh deployment

Based on the test above and on the security features of ssh, it is necessary to use ssh instead of Telnet for secure management of Cisco routers. Of course, to manage a Cisco router securely over ssh, the router itself must be configured for it. The following describes how to deploy and connect to ssh in a virtual environment.

(1). Cisco Configuration

The following are the commands, with explanations, for configuring ssh on a Cisco router:

R2(config)# ip domain-name Cisco.com   // configure a domain name

R2(config)# crypto key generate rsa general-keys modulus 1024   // generate an RSA key pair with a 1024-bit modulus

(Note: On Cisco, RSA supports key sizes of 360 to 2048 bits. The principle of the algorithm is that the host distributes its own public key to the relevant clients; when a client accesses the host, it encrypts data with the host's public key, and the host decrypts it with its own private key. This implements host-key authentication and establishes a trustworthy identity for the session.)

The name for the keys will be: R2.Cisco.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R2(config)#
*Mar  1 00:09:46.607: %SSH-5-ENABLED: SSH 1.99 has been enabled

R2(config)# ip ssh time-out 120   // set the ssh negotiation timeout to 120 seconds

R2(config)# ip ssh authentication-retries 4   // set the number of ssh authentication retries to 4; values from 0 to 5 are allowed

R2(config)# line vty 0 4

R2(config-line)# transport input ssh   // restrict vty logon to ssh; by default all logon transports are allowed

R2(config-line)# login

R2(config-line)#

After this configuration is complete, you can no longer telnet to the Cisco router.

In the ssh client, set the logon mode (ssh) and click "Open".

Here is the host key ("certificate") the router presents to us.

R2(config)# aaa new-model   // enable AAA

R2(config)# aaa authentication login default local   // enable AAA login authentication against the local user database

R2(config)# username Cisco password Cisco   // create a user Cisco with password Cisco for ssh client login (the "secret" keyword would store a hashed password instead)

R2(config)# line vty 0 4

R2(config-line)# login authentication default   // use AAA's default method list for vty authentication

R2(config-line)# exit

R2(config)#

Now you can use ssh to log on.
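As an added example (not part of the original article and not a Cisco tool), here is a Python audit of a running-config excerpt for the steps configured above: the domain name, the ssh timers, AAA login, and SSH-only vty transport. The RSA key pair itself never appears in the running-config, so it is not checked. The sample configuration is constructed from the commands on this page plus a second, deliberately weaker vty range; the check that users are created with `secret` rather than `password` is an extra hardening point the article does not cover.

```python
import re

# Constructed running-config excerpt: assembled from the commands shown on this page
# plus a second vty range that still allows Telnet. Not output from a real device.
SAMPLE_CONFIG = """\
hostname R2
aaa new-model
aaa authentication login default local
username Cisco password Cisco
ip domain-name Cisco.com
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 transport input ssh
 login authentication default
line vty 5 15
 transport input telnet ssh
 login authentication default
"""


def split_config(config):
    """Split IOS config text into top-level commands and the indented 'line vty' stanzas."""
    top_level, vty_blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            vty_blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        top_level.append(cmd)
        if cmd.startswith("line vty"):
            current = cmd
            vty_blocks[current] = []
        else:
            current = None
    return top_level, vty_blocks


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    top_level, vty_blocks = split_config(config)
    findings = []

    # Key generation needs a host domain; the generated key is not visible in running-config.
    if not any(c.startswith("ip domain-name ") for c in top_level):
        findings.append("missing 'ip domain-name': RSA key generation needs a host domain")

    if not any(c.startswith("ip ssh time-out ") for c in top_level):
        findings.append("missing 'ip ssh time-out': negotiation timer left at default")

    retries = next((c for c in top_level if c.startswith("ip ssh authentication-retries ")), None)
    if retries is None:
        findings.append("missing 'ip ssh authentication-retries'")
    elif not 0 <= int(retries.split()[-1]) <= 5:
        findings.append("'ip ssh authentication-retries' outside the 0-5 range")

    if "aaa new-model" not in top_level:
        findings.append("AAA not enabled ('aaa new-model')")
    if not any(c.startswith("aaa authentication login default ") for c in top_level):
        findings.append("no default AAA login method list")

    # 'username X password Y' is stored plain or reversibly; 'secret' stores a hash.
    for cmd in top_level:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"user {m.group(1)} uses 'password' (reversible/plain) instead of 'secret'")

    if not vty_blocks:
        findings.append("no 'line vty' stanza: vty transport defaults allow Telnet")
    for name, cmds in vty_blocks.items():
        transport = next((c for c in cmds if c.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{name}: no 'transport input' (default allows Telnet)")
        elif set(transport.split()[2:]) != {"ssh"}:
            findings.append(f"{name}: transport input is not SSH-only ({transport})")
        if not any(c.startswith("login authentication ") or c == "login local" for c in cmds):
            findings.append(f"{name}: login not bound to AAA or the local user database")

    return findings


if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

Run against the sample, the audit reports the `password`-style user and the second vty range that still accepts Telnet; switching that range to `transport input ssh` and the user to `secret` clears both findings.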

(2). ssh Login

After the preceding settings are complete, you can no longer Telnet to the Cisco router; you must use a dedicated ssh client for remote logon. To verify the security of ssh logon, we run network packet capture software during the logon.

The ssh client I used is PuTTY. Start the software and enter the IP address of the router, 172.16.1.1. A dialog box then pops up asking whether to trust the ssh key we just generated on the router; click "Yes" to reach the logon command line. Enter the ssh login user and the password Cisco set on the router in turn, and the logon to the router succeeds.

Then we checked the packet capture result of the sniffer tool: all the data was encrypted, so we could not see sensitive information such as the user name and password. This shows that using ssh secures remote logon to the Cisco router.
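The capture check above confirms the session is encrypted, but the router's earlier log line ("SSH 1.99 has been enabled") also matters: per RFC 4253, an identification string of 1.99 means the server still accepts protocol 1.x clients. As an added example, not part of the original article, the following Python checks constructed connection records for two things a defender wants to catch after the migration: management sessions still using Telnet (TCP/23) and ssh servers whose banner advertises protocol 1 compatibility. The log format, the hosts other than 172.16.1.1 (the router address used above) and the banner strings are all assumptions constructed for the example; on IOS the fix for the second finding is the command `ip ssh version 2`.

```python
import re

# Constructed connection records in a simple key=value style (not real capture output).
# 172.16.1.1 is the router address from this page; every other value is made up.
SAMPLE_RECORDS = [
    "ts=2024-01-01T09:00:01 src=192.168.10.20 dst=172.16.1.1 proto=tcp dport=23 banner=",
    "ts=2024-01-01T09:05:12 src=192.168.10.20 dst=172.16.1.1 proto=tcp dport=22 banner=SSH-1.99-Cisco-1.25",
    "ts=2024-01-01T09:07:40 src=192.168.10.31 dst=172.16.1.1 proto=tcp dport=22 banner=SSH-2.0-Cisco-1.25",
    "ts=2024-01-01T09:09:03 src=192.168.10.31 dst=172.16.1.1 proto=tcp dport=80 banner=",
]
MANAGED_DEVICES = {"172.16.1.1"}  # assumed inventory of network devices to watch

# SSH-1 protocol versions, plus 1.99, which a 2.0 server advertises when it still accepts 1.x
V1_CAPABLE = {"1.3", "1.5", "1.99"}


def parse_record(line):
    """Turn 'k=v k=v ...' into a dict; an empty value (banner=) is kept as ''."""
    return dict(kv.split("=", 1) for kv in line.split())


def ssh_protocol_from_banner(banner):
    """Return the protocol version from an SSH identification string, or None if absent."""
    m = re.match(r"SSH-(\d+\.\d+)-", banner)
    return m.group(1) if m else None


def audit_mgmt_sessions(lines, devices=MANAGED_DEVICES):
    """Flag cleartext Telnet sessions and SSH-1-capable servers among managed devices."""
    alerts = []
    for line in lines:
        r = parse_record(line)
        if r["dst"] not in devices or r["proto"] != "tcp":
            continue
        if r["dport"] == "23":
            alerts.append(f"{r['ts']} {r['src']}->{r['dst']}: Telnet (cleartext) management session")
        elif r["dport"] == "22":
            version = ssh_protocol_from_banner(r["banner"])
            if version in V1_CAPABLE:
                alerts.append(
                    f"{r['ts']} {r['src']}->{r['dst']}: SSH server still accepts protocol 1 "
                    f"(banner {r['banner']}); restrict with 'ip ssh version 2'"
                )
    return alerts


if __name__ == "__main__":
    for alert in audit_mgmt_sessions(SAMPLE_RECORDS) or ["no findings"]:
        print(alert)
```

The SSH-2.0 session and the non-management HTTP record produce no alert; only the Telnet session and the 1.99 banner are reported.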

Conclusion: ssh is useful for far more than secure router management. We can deploy ssh-based remote management in practical settings such as remote system administration and remote server maintenance. In addition, today's ssh tools include not only command-line tools but also GUI tools. In network management, security comes first, and ssh goes a long way toward preventing "man-in-the-middle" attacks. I hope this article helps you improve the security of your network management.
