closing ssh port

espmolina · ‎09-18-2007

I need to close down SSH access to pass a pre-deployment security scan to our 3845 running c3845-spservicesk9-mz.124-9.T4.bin.

I have defined an ACL and applied on the inbound interface;

access-list 105 deny tcp any any eq 22

access-list 105 deny udp any any eq 22

I have also removed ssh and left only telnet for the transport on the virtual terminals.

line vty 0 4

privilege level 15

transport input telnet

line vty 5 15

privilege level 15

transport input telnet

!

Any idea would be appreciated.

John

Richard Burts · ‎09-19-2007

John

Specifying transport input telnet (and leaving out ssh) should be effective in eliminating SSH access to the router.

As far as the access list is concerned I have these comments:

- while I think the access list is not necessary because of the transport input specification it may be desirable to also configure the access list to make management feel better about the restriction.

- denying UDP is not necessary. SSH uses TCP.

- when the access list specifies deny tcp any any eq 22, it not only denies SSH to the router but it denies any SSH passing through the router. That may or may not be an issue depending on your particular situation. To prevent SSH to the router but allow SSH to go through you would want the access list to deny tcp any host eq 22.

HTH

Rick

HTH

Rick

mfreijser · ‎09-21-2007

Hello John,

It seems kind of strange to me that you have to turn off SSH instead of turning off Telnet.

You can use SSH to do anything you might typically do with telnet and with the assurance that your password and other sensitive information are secure. Prefect for a security scan!

Regarding your question: Entering the command 'transport input telnet' on the vty lines is enough to disable telnet. If you want to be sure you can also remove the general-purpose-key that you need for using SSH.

Regards,

Michael