ssh banner available

CHRIS PAGE
Level 1

Hi All

We've just had a security survey carried out, and one of the issues raised is that my routers and PIXes both reveal the SSH version number if you telnet to them on port 22. Apparently this could aid an attacker by providing information on server version and vendor.

e.g.

telnet router.com 22

SSH-1.99-Cisco-1.25

Any ideas as to how to prevent this?

Thanks in advance

Chris

1 Accepted Solution

Accepted Solutions

Danilo Dy
VIP Alumni

Remote administration of network devices should only permit the IP addresses of authorized personnel and use an encrypted connection across untrusted networks (e.g. the internet). An ACL should be in place to permit only the IP addresses of authorized personnel. Knowing the version is irrelevant, as they are the administrators of the device.

If you don't put an ACL in place to permit only the IP addresses of authorized personnel, then even if the version is NOT shown, it doesn't matter to hackers.


4 Replies


That's a very good point.

Now all I have to do is find out what idiot put this line in my config:

ssh 0.0.0.0 0.0.0.0 outside

Which certainly should not have been there. Now I've taken that out, all is fine.

Thanks very much for your help.

If "SSH-1.99-Cisco-1.25" is really the output from your equipment, then it is currently supporting both SSH v1 and v2. You should at least hard-code it to only respond via v2.

"ip ssh version 2" for IOS.

"ssh version 2" for ASA.

Another good point. Thank you, I have now done that.
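As an added illustration (not code from the thread or from Cisco), a small Python audit that reads the identification string the way the reply above describes (protocol version 1.99 means SSHv1 is still accepted alongside v2) and flags over-broad ASA/PIX `ssh <source-ip> <mask> <interface>` lines like the one Chris found. The /24 reporting threshold and the sample config lines are assumptions made for the example.

```python
import ipaddress
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# ASA/PIX management-access line: ssh <source-ip> <mask> <interface>
SSH_LINE_RE = re.compile(r"^\s*ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def parse_banner(banner):
    """Parse an identification string such as 'SSH-1.99-Cisco-1.25'."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto = m.group("proto")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        # '1.99' is the RFC 4253 convention for a v2 server that also accepts SSHv1
        "accepts_v1": proto.startswith("1."),
        "accepts_v2": proto in ("1.99", "2.0"),
    }


def audit(banner, config_lines, max_source_prefix=24):
    """Return findings. max_source_prefix is an assumed policy: any 'ssh'
    source range wider than a /24 is reported as too permissive."""
    findings = []
    info = parse_banner(banner)
    if info["accepts_v1"]:
        findings.append("banner %s: SSHv1 still accepted, configure 'ssh version 2'" % banner.strip())
    for line in config_lines:
        m = SSH_LINE_RE.match(line)
        if not m:
            continue
        # Build the permitted source network from <ip> <mask>; 0.0.0.0 0.0.0.0 becomes 0.0.0.0/0
        net = ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False)
        if net.prefixlen < max_source_prefix:
            findings.append("%s: permits SSH from %s on interface %s" % (line.strip(), net, m.group(3)))
    return findings


# Constructed sample: the banner and the offending line from the thread, plus an acceptable line
SAMPLE_CONFIG = [
    "ssh 0.0.0.0 0.0.0.0 outside",
    "ssh 192.0.2.0 255.255.255.0 inside",
]

if __name__ == "__main__":
    for finding in audit("SSH-1.99-Cisco-1.25", SAMPLE_CONFIG):
        print(finding)
```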
