IOS SSH server hardening

Mar 18th, 2009

What more can be done to protect the router from brute-force attacks trying to guess the username/password combination? In the last two days I noticed in the log files several consecutive login attempts on port 22 within 15 seconds from various IP addresses. After some research on the Internet I realized that the IP addresses belong to well-known botnets. I am using a Cisco 1812 router with IOS 12.4(6)T.

Here is some of the router configuration relevant to my question:

aaa new-model
! method list "lineauth": check logins against the local user database
! (it only takes effect once applied under the VTY lines with "login authentication lineauth")
aaa authentication login lineauth local
username ***** password *****
! after 4 failed logins within 15 seconds, refuse further logins for 60 seconds (quiet mode)
login block-for 60 attempts 4 within 15
! the documented form that writes a syslog message per failure is "login on-failure log [every n]"
login on-failure
ip ssh version 2

Jesse Wiener Wed, 03/18/2009 - 08:34

You can also put a delay into the login sequence, "login delay 5"; this will slow the login attempts as well (might not be applicable to you if they are every 15 sec). You can put an access-list on your VTY lines only allowing certain hosts to SSH in. http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html#wp1049991

You can use a rotary to change the SSH port on the VTY lines to something less common.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftrevssh.html#wp1017378

You can add an ACL to the outside of your router blocking that address after you see it.

You can be proactive and block some bad addresses ahead of time.

A few lists are:

http://www.spamhaus.org/drop/

http://feeds.dshield.org/block.txt

Hope some of this helps.
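The measures in the reply above, pulled together into one IOS configuration as an added example (this is not the poster's configuration and not Cisco's text). The management addresses 203.0.113.10 and 198.51.100.0/24, the blocked range 192.0.2.0/24, the ACL names MGMT-HOSTS and OUTSIDE-IN, the alternate port 2222, rotary group 1 and the interface name FastEthernet0 are all assumptions for illustration; the thresholds are tighter than the poster's "60 attempts 4 within 15" only to show the knobs.

```cisco
! Added example, not the original poster's config. All addresses, ACL
! names, the port number and the interface name are assumptions.
!
aaa new-model
aaa authentication login lineauth local
! "secret" stores an MD5 hash instead of the reversible type-7 "password"
username ***** secret *****
!
! 1. Hosts allowed to reach the VTY lines at all (used twice below)
ip access-list standard MGMT-HOSTS
 permit 203.0.113.10
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! 2. Outside-interface ACL: reactive blocks for sources seen brute-forcing
!    and proactive blocks from the cited lists go first; SSH on the
!    rotary port is allowed only from management hosts, and the default
!    port 22 is dropped outright.
ip access-list extended OUTSIDE-IN
 remark known-bad sources (seen in the log, or from the block lists)
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark SSH only from management hosts, only on the rotary port
 permit tcp host 203.0.113.10 any eq 2222
 permit tcp 198.51.100.0 0.0.0.255 any eq 2222
 deny   tcp any any eq 22 log
 deny   tcp any any eq 2222 log
 remark the rules for your normal transit/return traffic belong here
 permit ip any any
!
interface FastEthernet0
 ip access-group OUTSIDE-IN in
!
! 3. SSH server tuning: v2 only, short negotiation timeout, few retries,
!    and an additional listener on 2222 bound to rotary group 1
ip ssh version 2
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh port 2222 rotary 1
!
! 4. Login attack mitigation: 3 failures within 30 s -> 120 s quiet mode,
!    during which only MGMT-HOSTS may still log in; every failure and
!    success is logged; at least 2 s between login attempts
login block-for 120 attempts 3 within 30
login quiet-mode access-class MGMT-HOSTS
login on-failure log
login on-success log
login delay 2
!
! 5. The VTY lines: access-class filters before authentication, the
!    method list from above is applied, only SSH is accepted, and the
!    lines answer on the rotary port
line vty 0 4
 access-class MGMT-HOSTS in
 login authentication lineauth
 transport input ssh
 rotary 1
 exec-timeout 5 0
```

Two caveats when applying this: moving SSH to 2222 only reduces scanner noise, the actual protection is "access-class" on the VTY lines plus the interface ACL, so do not treat the port change as a control on its own; and "login quiet-mode access-class" must name an ACL that includes the host you manage from, otherwise a botnet that trips "login block-for" locks you out too, which is exactly the denial of service the quiet-mode exception exists to avoid.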

