Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
383
Views
0
Helpful
5
Replies

Controlling Where SSH enters

LADONNA EVANS-DUHART
Level 1
Level 1

‎12-16-2013 06:59 AM - edited ‎03-04-2019 09:52 PM

I am interested and only allow SSH traffic from entering from a lan interface and not my outside public facing interface.  I am noticiing random user accounts with the show users account.  I see the ip address that it comes from.  they only show being in for 2 and 3 seconds.  I use the clear line vty command to kill the session but they come right back within seconds.  When I look at the config there are two username/password commands that I've created.  How is this occuring?

Labels:
0 Helpful
5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

‎12-16-2013 07:48 AM

We do not have enough information to understand or to explain to you how this is happening. If you want to give us enough information to work with then we can try to provide explanation to you.

In the meantime I will give you 2 suggestions about things you can do to help control this (assuming that you have not already done them):

1) you can configure an access list (usually a standard access list is better for this than an extended access list) to control what addresses can establish remote access to the router. You assign the access list to the vty lines using the command access-class in

2) you can use an access list applied inbound on the public facing interface to deny tcp any any eq 22.

HTH

Rick

HTH

Rick
0 Helpful

John Blakley
VIP Alumni
VIP Alumni
In response to Richard Burts

‎12-16-2013 07:59 AM

Rick,

Would this/could this be one of those situations where you could use the control plane to block it as well? Setting the control plane to only allow management on the internal interface?

control-plane host

management-interface allow ssh

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to John Blakley

‎12-17-2013 11:25 AM

John

This is an interesting idea. I believe that access-class or access list on an interface address the issue more directly. But using control plane processes is quite interesting.

HTH

Rick

HTH

Rick
0 Helpful

Collin Clark
VIP Alumni
VIP Alumni
In response to Richard Burts

‎12-17-2013 07:51 PM

Control Plane Protection (CPPr) restricts what interface(s) SSH sessions can be established on. Either of the solutions  from you guys would work, but both of them together....now we're talking.

0 Helpful

SOcchiogrosso
Level 4
Level 4

‎12-17-2013 07:59 PM

As mention, I'd create an ACL to limit what addresses can access the VTY lines. Include CoPP just because to not exclude important protocols from the policy.

I would also tweak your SSH config make sure you utilize version 2 specify a source interface. Configure the login block feature as well and definitely specify a quiet mode ACL so you lose management of your own device.

All that should get you in a good position.

Maybe place a deny any any log entry at the of the your ACLs if you still notice the connections attempts.

Sent from Cisco Technical Support iPhone App

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card