When using the Telnet service, we will find many security risks. To make our network more secure, we will consider using other protocols to replace the use of the Telnet service. Here we will introduce the replacement of the SSH protocol. SSH is an industry standard that replaces the Telnet service and other remote console management applications. SSH commands are encrypted and kept confidential in several ways.
When using SSH, a digital certificate will authenticate the connection between your workstation on the client and your network device on the server, and encrypt the protected password. SSH1 uses the RSA encryption key, and SSH2 uses the digital signature algorithm DSA) to protect the connection and authentication.
Encryption algorithms include Blowfish, Data Encryption Standard DES), and triple DES3DES). SSH protects and helps prevent spoofing, mitm attacks, and packet monitoring.
The first step to implement SSH is to verify that your device supports SSH. log on to your vro or vswitch and check whether you have loaded an IPSec IOS image that supports SSH.
In our example, we will use the Cisco IOS command. Run the following command:
- Router> Show flash
This command displays the name of the loaded IOS image. You can use the result to compare the list of supported features of your vendor.
After you verify that your device supports SSH, make sure that the device has a host name and a correctly configured host domain, as shown below:
- Router> config terminal
- Router (config)# hostname hostname
- Router (config)# ip domain-name domainname
At this time, you can enable the SSH server on the router. To enable the SSH server, you must first use the following command to generate a pair of RSA keys:
- Router (config)# crypto key generate rsa
SSH is automatically enabled when an RSA key is generated on the vro. If you delete the RSA key, the SSH server is automatically disabled.
The last step to implement SSH is to enable authentication, authorization, and audit AAA ). when configuring AAA, specify the user name and password, Session Timeout, and the number of attempts allowed for a connection. run the following command:
- Router (config)# aaa new-model
- Router (config)# username password
- Router (config)# ip ssh time-out
- Router (config)# ip ssh authentication-retries
To verify that you have configured SSH and it is running on your vro, run the following command:
- Router# show ip ssh
After verifying the configuration, you can force the users you add during the AAA configuration process to use SSH instead of the Telnet service. you can also use SSH in the virtual terminal vty connection to achieve the same purpose. here is an example:
- Router (config)# line vty 0 4
- Router (config-line)# transport input SSH
Before closing the existing Telnet Service session, you need an SSH client program to test your configuration. I strongly recommend PuTTY; it is free, and it is an excellent terminal software.
Last thought
After you enable SSH on your vro and vswitch, make sure that you have modified all existing access control lists to allow connections to these devices. you can report to your superiors that you have blocked a huge security vulnerability: all network management sessions are encrypted and protected.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
