
New Member

ssh banner available

Hi All

We've just had a security survey carried out, and one of the issues raised is that my routers and PIXes both reveal the SSH version number if you telnet to them on port 22. Apparently this could aid an attacker by providing information on server version and vendor.

e.g.

telnet router.com 22

SSH-1.99-Cisco-1.25

Any ideas as to how to prevent this?

Thanks in advance

Chris

1 ACCEPTED SOLUTION

Re: ssh banner available

Remote administration of network devices should only permit the IP addresses of authorized personnel and use an encrypted connection across untrusted networks (e.g. the internet). An ACL should be in place to permit only the IP addresses of authorized personnel. Knowing the version is irrelevant, as they are the administrators of the device.

If you don't put an ACL in place to permit only the IP addresses of authorized personnel, then even if the version is NOT shown, it doesn't matter to hackers.

4 REPLIES

New Member

Re: ssh banner available

That's a very good point.

Now all I have to do is find out what idiot put this line in my config:

ssh 0.0.0.0 0.0.0.0 outside

Which certainly should not have been there. Now I've taken that out, all is fine.

Thanks very much for your help.

Gold

Re: ssh banner available

"SSH-1.99-Cisco-1.25": if that output is really from your equipment, then it is currently supporting both SSH v1 and v2. You should at least hard-code it to only respond via v2.

"ip ssh version 2" for IOS.

"ssh version 2" for ASA.
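The two recommendations in this thread, restrict management access to authorized source addresses (accepted solution) and force SSH version 2 (the reply above), can both be checked mechanically. The script below is an added example and is not from the thread or from Cisco. It parses an SSH identification string the way the survey tool would have seen it (RFC 4253 format, where protocol version "1.99" means the server speaks v2 but still accepts v1 clients), and lints constructed sample configs: the PIX/ASA `ssh <addr> <mask> <interface>` form the poster found in his config beside a corrected version, and an IOS `line vty` block with and without an inbound `access-class`. The hostnames, the 192.0.2.0/24 management range and the sample configs are constructed; `access-class`, `access-list` and `transport input` are standard IOS commands that the thread itself does not mention.

```python
"""Audit helpers for the two fixes discussed in the thread:
restrict SSH management sources and force SSH protocol version 2.
All sample banners and configs below are constructed for the example."""
import re

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Constructed PIX/ASA configs. The weak one carries the exact line the poster found.
WEAK_ASA_CONFIG = """\
hostname pix-edge
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""
HARDENED_ASA_CONFIG = """\
hostname pix-edge
ssh 192.0.2.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
"""

# Constructed IOS configs: vty lines with and without an inbound access-class.
WEAK_IOS_CONFIG = """\
hostname rtr-edge
line vty 0 4
 transport input telnet ssh
"""
HARDENED_IOS_CONFIG = """\
hostname rtr-edge
ip ssh version 2
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_ssh_banner(banner: str) -> dict:
    """Split an SSH identification string into its fields.
    protoversion 1.99 is how a server announces v2 while still accepting v1,
    so it is reported as v1-capable (the survey finding in the thread)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {banner!r}")
    proto = m.group("proto")
    return {
        "protoversion": proto,
        "software": m.group("software"),
        "supports_v1": proto.startswith("1."),   # 1.5 (v1 only) or 1.99 (v1 and v2)
        "supports_v2": proto in ("1.99", "2.0"),
    }


def audit_asa_ssh(config: str) -> list:
    """Findings for a PIX/ASA config: any-source ssh rules and missing 'ssh version 2'."""
    findings = []
    version2 = False
    for raw in config.splitlines():
        line = raw.strip()
        # "ssh <addr> <mask> <interface>": a 0.0.0.0 mask matches every source address
        m = re.match(r"ssh (\S+) (\S+) (\S+)$", line)
        if m and m.group(2) == "0.0.0.0":
            findings.append(f"ssh management open to any source on {m.group(3)}: '{line}'")
        if line == "ssh version 2":
            version2 = True
    if not version2:
        findings.append("'ssh version 2' not set: device still accepts SSH v1")
    return findings


def audit_ios_ssh(config: str) -> list:
    """Findings for an IOS config: missing 'ip ssh version 2', vty lines without an
    inbound access-class, and vty lines that still accept cleartext telnet."""
    lines = config.splitlines()
    findings = []
    if "ip ssh version 2" not in (l.strip() for l in lines):
        findings.append("'ip ssh version 2' not set: IOS negotiates SSH v1 as well")
    # Collect the indented commands under each "line vty ..." block
    blocks, current = {}, None
    for raw in lines:
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None
    for vty, cmds in blocks.items():
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{vty}: no inbound access-class, any source reaches the login prompt")
        if any(c.startswith("transport input") and ("telnet" in c or c.endswith(" all")) for c in cmds):
            findings.append(f"{vty}: transport input still allows cleartext telnet")
    return findings


if __name__ == "__main__":
    print(parse_ssh_banner("SSH-1.99-Cisco-1.25"))
    for name, cfg, audit in [("weak PIX/ASA", WEAK_ASA_CONFIG, audit_asa_ssh),
                             ("hardened PIX/ASA", HARDENED_ASA_CONFIG, audit_asa_ssh),
                             ("weak IOS", WEAK_IOS_CONFIG, audit_ios_ssh),
                             ("hardened IOS", HARDENED_IOS_CONFIG, audit_ios_ssh)]:
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Running the script reports two findings against the weak PIX/ASA config (any-source ssh rule, no `ssh version 2`), three against the weak IOS config, and none against either hardened sample; the banner for "SSH-1.99-Cisco-1.25" is reported as both v1- and v2-capable, which is the point the reply above makes.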

New Member

Re: ssh banner available

Another good point. Thank you, I have now done that.
