Block SSH and allow SFTP

harish.ab
Level 1

Hello Guys,

Is there any way to block SSH and allow only SFTP?

Thanks in advance

6 Replies

andrew.prince
Level 10

No - SSH and SFTP use the same default TCP port of 22.

Now what you can do is change the server to use a different SFTP port instead of TCP/22 - to something else.

HTH

How do you block ssh version 1 and allow only ssh version 2 across the ASA?

AFAIK - the ASA will not inspect the version of SSH as it passes through it. If you only want to allow version 2 of SSH - then configure the server to only accept version 2.

That is NOT an acceptable solution. Let's say that your SSH server is located in the DMZ network and that you want to make it accessible to both Intranet and Internet users. With Intranet users, you want to give them the option to use either ssh version 1 or version 2; however, for Internet users, they are forced to use ssh version 2 for enhanced security. Most people want to do it on the firewall, which makes sense.

So how do you configure the firewall to filter on the version then, as the version is session based information?

I have not used ASA in a while so I could be wrong here but it can not be done on ASA appliance.

Other vendors such as Juniper and Checkpoint let you define a service "ssh" and "ssh_version_2". That way, the firewall can look at the initial handshake of the ssh connection and determine whether it is an ssh version 1 or ssh version 2 connection. If you specify ssh, it will assume both version 1 and version 2. If you specify ssh_version_2, it will accept only version 2 through the firewall.

For intranet users, you use ssh. For Internet users that require enhanced security, only ssh version 2 is allowed.
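Both questions in this thread come down to the same point: the firewall sees one TCP/22 session, so the SSH-vs-SFTP split and the SSHv1-vs-SSHv2 split both have to be enforced on the server. The fragment below is an added example of how that looks in an OpenSSH sshd_config; it is not from the thread or from any Cisco documentation. The group name sftponly and the chroot path /srv/sftp are assumptions; adjust them to the host.

```sshd_config
# OpenSSH sshd_config fragment (added example; "sftponly" and /srv/sftp are assumed names)

# Use the in-process SFTP server so the chroot below needs no binaries inside it
Subsystem sftp internal-sftp

# Only meaningful on OpenSSH older than 7.4: current releases dropped SSHv1
# entirely and log that this option is deprecated.
Protocol 2

# Members of the sftponly group get SFTP and nothing else:
# ForceCommand replaces whatever the client asked for (a shell, scp, a remote
# command) with the SFTP subsystem, and the forwarding/tunnel knobs close the
# side channels an SSH session would otherwise still offer.
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

ChrootDirectory requires every component of the path to be owned by root and not writable by group or others, so give each user a writable subdirectory (for example /srv/sftp/%u/upload) rather than the chroot root itself. A client that attempts `ssh user@host` still authenticates, but is handed the SFTP subsystem instead of a shell and disconnects; that is the "block SSH, allow SFTP" behaviour the original question asked for, enforced where the distinction actually exists.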
