Cisco Tip of the day

How to set up SSH access on a non-standard (alternate) port.

There are two steps to set up SSH on a non-standard port.

1. Declare which port SSH will listen on and which rotary group that listener belongs to.

2. Configure the vty lines to accept SSH and to use the rotary group created in step one.

Step one – This command tells the router which port to listen on for incoming SSH sessions and places that listener in a rotary group. The rotary group is what ties the port to a vty line: until a vty is configured to refer to rotary group 1, this command has no effect. This assumes SSH already works on the router, i.e. hostname and ip domain-name are set and an RSA key pair has been generated with crypto key generate rsa.
ip ssh port 2222 rotary 1

Step Two – These commands enable the line password check, set the password, bind the vty lines to rotary group 1, and allow SSH only as the incoming transport. No telnet here. Without the rotary command the vty lines only answer SSH on port 22; if the router is also doing NAT at home, the router's own listener owns port 22 on the outside address, so an attempt to port-forward 22 to one of your *nix boxes behind it is intercepted by the router instead. Once you add the rotary command, the vty lines take on the properties of that rotary group, in this case the port defined in step one. Two caveats: password 0 stores the password in the clear, so prefer login local with a username and an encrypted secret, and moving the port only hides the service from casual scans. It is not an access control, so still put an access-class on the vty lines and verify from outside which ports actually answer SSH after the change.
line vty 0 4
login
password 0 blah
rotary 1
transport input ssh
transport output all
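Whether port 22 still answers after the change is something to verify rather than assume. The following Python script is an added example, not code from the original post: it connects to each port you name and reports whether an SSH identification string comes back. With no arguments it demonstrates against a throwaway local listener that sends a constructed Cisco-style banner; the host 192.0.2.1 in the usage comment is a placeholder.

```python
"""Probe which TCP ports on a device answer with an SSH banner.

After moving SSH to a rotary port, probe both the new port and port 22
from a host that should (and one that should not) have access: the
rotary command adds a listener, it does not by itself prove port 22 is
closed. Added example, not the page's own code."""
import socket
import threading


def parse_ssh_banner(raw: bytes):
    """Parse the SSH identification string (RFC 4253 section 4.2) out of
    the bytes a server sent. Servers may send banner text before the
    'SSH-' line, so only complete lines are examined. Returns
    (protoversion, softwareversion) or None if no SSH line was seen."""
    for line in raw.split(b"\n")[:-1]:        # last element is incomplete
        if line.startswith(b"SSH-"):
            ident = line.rstrip(b"\r").decode("ascii", "replace")
            proto, _, software = ident[4:].partition("-")
            if not software:
                return None
            return proto, software.split(" ", 1)[0]  # drop trailing comment
    return None


def probe_ssh(host: str, port: int, timeout: float = 3.0):
    """Connect to host:port and return the parsed banner, or None when the
    port is closed, filtered, or not speaking SSH."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while len(data) < 4096 and parse_ssh_banner(data) is None:
                chunk = s.recv(512)
                if not chunk:                 # peer closed without an SSH line
                    break
                data += chunk
    except OSError:                           # refused, unreachable, timed out
        return None
    return parse_ssh_banner(data)


def serve_banner_once(banner: bytes) -> int:
    """Throwaway local listener that sends `banner` to one client and
    closes; returns the bound port. Lets the probe be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def check_ports(host: str, ports):
    """Map each port to its (proto, software) tuple, or None."""
    return {p: probe_ssh(host, p) for p in ports}


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:    # e.g.  python ssh_port_check.py 192.0.2.1 22 2222
        target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    else:                      # no target given: demo against a fake IOS-style listener
        target = "127.0.0.1"
        ports = [serve_banner_once(b"SSH-2.0-Cisco-1.25\r\n")]  # constructed banner
    for port, result in check_ports(target, ports).items():
        print(f"{target}:{port} -> {result or 'no SSH banner'}")
```

Run it from a host that should have access and from one that should not, against both 22 and the rotary port; a banner returned to a host the access-list is supposed to block is the finding.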

Cisco Tip of the day

Did you know you can also remotely control your router to some degree via SNMP? Here is how to restrict who can read from and write to your device via SNMP.

When you define an SNMP community, you can restrict which source addresses may use it by appending the number (or name) of a standard access-list.

RouterA(config)#snmp-server community Rand0mstr1ng 23

Anyone who tries to use the community "Rand0mstr1ng" will have to come from a source address permitted by access-list 23. With no ro or rw keyword the community is read-only, which is the default; add rw only if you really need writes, and never without an access-list. Make sure access-list 23 actually exists and has at least one entry: if the router cannot find the list, the restriction is silently ignored and anyone who knows the string gets in. Remember too that the community string crosses the wire in cleartext with SNMPv1 and v2c, so treat it like a password and prefer SNMPv3 with authentication where the management station supports it. Pretty easy way to keep people out of your router's SNMP.

Cisco Tip of the day

Limiting telnet and shell access is a good first security measure. By specifying an access-class on your vty lines, the router compares the source address of every attempted connection (telnet or SSH) against the contents of your access-list before it ever reaches the login prompt.

In this example, whenever anyone attempts to connect to the vty lines, the connection's source address is checked against access-list 20; the in keyword means the check applies to incoming sessions.

line vty 0 4
access-class 20 in
password 0 blarg

Just make sure you keep your access-list up to snuff to control which IPs will be able to connect. The list must actually exist: an access-class that points at an undefined or empty access-list lets everyone through, which is the opposite of what you wanted. Finish the list with deny any log so failed attempts show up in the router's log, and since telnet sends passwords in the clear, pair the access-class with transport input ssh.
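The SNMP tip and the vty access-class tip both hinge on the same thing: the access-list that the community or line refers to must exist and actually restrict sources. This Python script is an added example, not code from the original post. It parses a config in show running-config format and reports communities without an access-list or with read-write access, vty lines without an access-class or that still accept telnet, and any access-list that is referenced but undefined or empty. The embedded sample config is constructed for illustration; its access-list 23 is deliberately missing.

```python
"""Audit an IOS-style running-config for the controls in the SNMP and vty
tips above: an access-list on every SNMP community, an access-class on
every vty line, and no access-list that is referenced but never defined
(IOS treats an undefined or empty list as permit any). Added example,
not the page's own code; the sample config below is constructed."""

SAMPLE_CONFIG = """\
hostname RouterA
!
access-list 20 permit 192.0.2.10
access-list 20 deny   any log
!
snmp-server community Rand0mstr1ng 23
snmp-server community public RW
!
line vty 0 4
 access-class 20 in
 password 0 blarg
 transport input ssh
line vty 5 15
 password 0 blarg
 transport input all
"""


def parse_community(tok):
    """tok: everything after 'snmp-server community', i.e.
    <string> [view NAME] [ro|rw] [access-list]. Mode defaults to ro."""
    name, rest = tok[0], list(tok[1:])
    if rest and rest[0].lower() == "view":
        rest = rest[2:]
    mode = "ro"
    if rest and rest[0].lower() in ("ro", "rw"):
        mode, rest = rest[0].lower(), rest[1:]
    return name, mode, (rest[0] if rest else None)


def parse_config(text):
    """Return (acls, communities, vtys).
    acls: {number_or_name: [entries]}   communities: [(name, mode, acl)]
    vtys: {"0 4": {"access_class": ..., "transport_input": [...]}}"""
    acls, communities, vtys = {}, [], {}
    vty = named_acl = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        if not line.startswith(" "):           # top-level command ends any block
            vty = named_acl = None
            if tok[0] == "access-list" and len(tok) > 2:
                acls.setdefault(tok[1], []).append(line)
            elif tok[:2] == ["ip", "access-list"] and len(tok) >= 4:
                named_acl = tok[3]
                acls.setdefault(named_acl, [])
            elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 3:
                communities.append(parse_community(tok[2:]))
            elif tok[:2] == ["line", "vty"] and len(tok) >= 4:
                vty = f"{tok[2]} {tok[3]}"
                vtys[vty] = {"access_class": None, "transport_input": None}
        elif named_acl is not None:            # entry of a named ACL
            acls[named_acl].append(line.strip())
        elif vty is not None:                  # sub-command of a vty block
            if tok[0] == "access-class" and len(tok) >= 2:
                vtys[vty]["access_class"] = tok[1]
            elif tok[:2] == ["transport", "input"]:
                vtys[vty]["transport_input"] = [t.lower() for t in tok[2:]]
    return acls, communities, vtys


def audit(text):
    """Return a list of human-readable findings for the config text."""
    acls, communities, vtys = parse_config(text)
    findings = []

    def acl_problem(scope, ref, what):
        if ref is None:
            findings.append(f"{scope}: no {what}, reachable from any source")
        elif not acls.get(ref):               # referenced but undefined/empty
            findings.append(f"{scope}: {what} {ref} is undefined or empty, "
                            "IOS treats it as permit any")

    for name, mode, acl in communities:
        if mode == "rw":
            findings.append(f"snmp community {name}: read-write access")
        acl_problem(f"snmp community {name}", acl, "access-list")
    for rng, cfg in vtys.items():
        acl_problem(f"line vty {rng}", cfg["access_class"], "access-class")
        ti = cfg["transport_input"]
        if ti is None:
            findings.append(f"line vty {rng}: transport input not set, platform "
                            "default applies; set 'transport input ssh'")
        elif "telnet" in ti or "all" in ti:
            findings.append(f"line vty {rng}: cleartext telnet accepted "
                            f"(transport input {' '.join(ti)})")
    return findings


if __name__ == "__main__":
    import sys   # usage: python ios_acl_audit.py running-config.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text):
        print(finding)
```

Feed it the output of show running-config saved to a file; on the sample it flags the dangling access-list 23 on the Rand0mstr1ng community, the unrestricted read-write public community, and the second block of vty lines that has no access-class and still accepts telnet.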