Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IOS SSH server hardening

What aditional can be done to protect the router from bruteforce attacks, trying to guess the username/password combination.Last two days in the log files, I noticed several consecutive login attempts on port 22 in 15 seconds from various IP addresses.After some research on the Internet I realized that the Ip addresses belong to well know botnets.Using Cisco 1812 router with IOS 12.4(6)T.

Here is some of the router configuration relevant to my question:

aaa new-model

aaa authentication login lineauth local

username ***** password *****

login block-for 60 attempts 4 within 15

login on-failure

ip ssh version 2

1 REPLY
Community Member

Re: IOS SSH server hardening

you can also put a delay into the login sequence "login delay 5" this will slow the login attempts as well (might not be applicable to you if they are every 15 sec). You can put an access-list on your VTY lines only allowing certain hosts to ssh in. http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cntrl_acc_vtl.html#wp1049991

You can use a rotary to change the ssh port on the vty lines to something less common.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/ftrevssh.html#wp1017378

You can add an acl to the outside of your router blocking that address after you see it.

you can be proactive and block some bad addresses ahead of time.

A few lists are:

http://www.spamhaus.org/drop/

http://feeds.dshield.org/block.txt

Hope some of this helps.

668
Views
0
Helpful
1
Replies
CreatePlease to create content