
Why and how to configure Secure Shell (SSH) on a Cisco router

This was taken from one of my posts I did for TrainSignal. From time to time you’ll see me post articles here that I wrote for TrainSignal.

Security continues to dominate the IT industry and is one of the most important factors to consider when designing and deploying networks. It is, therefore, imperative that we are able to identify and prevent most, if not all, vulnerabilities that may exist. One such weakness is Telnet, to which SSH is the alternative. We will be taking a deeper look at how you would enable and configure your Cisco router to use SSH, and why we should always use SSH where possible as opposed to Telnet.

We all know that when it comes to security within the networking universe, Cisco is one of the biggest players. However, just having a Cisco device doesn’t mean that you are secured. The onus is on you to ensure that you’ve configured that device properly to prevent most, if not all, loopholes.

Secure Shell (SSH)

Secure Shell (SSH) improves network security by providing a means of establishing secure connections to networking devices for management, thereby preventing hackers from gaining access. Using digital certificates with public/private key cryptography, SSH is able to authenticate clients or servers, thereby ensuring that the device or server you are about to connect to is exactly who it claims to be.

OK, so now that we have a very brief idea of how SSH secures network traffic, the next step is figuring out where to get this thing we call a digital certificate. Do we have to go into a store to purchase it? Digital certificates can generally be acquired in three different ways. The most secure (and most expensive) is requesting one from a trusted company called a Certificate Authority (CA). An example of one such company is VeriSign, which is highly popular within the CA industry for its role in providing worldwide trusted certificates; these certificates can cost quite a bit. The other two ways are using an internally trusted CA (trusted within a company), also called an enterprise CA, or generating a self-signed certificate on the device itself. The last one is the least secure form but provides more than enough security to lock down your average network device. This self-signed certificate can be generated using the built-in commands on your Cisco router.

Like SSH, Telnet can also be used to connect to your router, but the main disadvantage of Telnet is that it does not encrypt its connections. This means that if a hacker is able to capture packets from a Telnet session, he or she would be able to read the information contained within those packets, such as a client’s username and password, and could therefore gain access to your router. The diagram below will give you an idea of how this works.

Router Configuration

Now that we’ve gotten an understanding of how SSH works and why we should use SSH as opposed to using Telnet, the next step is actually getting down to configuring the device, which is always my favorite part.

For this exercise I will be using a Cisco 871 series SOHO router with IOS version 12.4 software. Depending on whether your router is brand new or currently in a production environment, you’re going to have to connect either via a Console session or through a Telnet session. Have a look at my article “Configuring a Cisco router to use RADIUS for authentication” (http://www.trainsignaltraining.com/using-radius-for-authentication/2009-08-20) for the steps needed to connect via a Console session, or check this article on Cisco’s website: http://www-tss.cisco.com/eservice/compass/common/tasks/task_console_port_connect.htm

  1. Configure a hostname for the router using these commands.

    yourname#configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    yourname(config)#hostname LabRouter
    LabRouter(config)#

  2. Configure a domain name with the ip domain-name command followed by whatever you would like your domain name to be. I used CiscoLab.com.

    LabRouter(config)#ip domain-name CiscoLab.com

  3. Generate the RSA keys that will be used to secure the SSH session with the crypto key generate rsa command. Take note of the message that is displayed right after we enter this command: “The name for the keys will be: LabRouter.CiscoLab.com”. It combines the hostname of the router with the domain name we configured to name the key being generated; this is why it was important to configure a hostname and then a domain name before generating the keys. Notice also that it asks us to choose a modulus size for the key we’re about to generate. The larger the modulus, the stronger the key. For our example, we’ll use a modulus of 1024.

    LabRouter(config)#crypto key generate rsa
    The name for the keys will be: LabRouter.CiscoLab.com
    How many bits in the modulus [512]: 1024

  4. Now that we’ve generated the key, our next step is to configure our vty lines for SSH access and specify which database we are going to use to authenticate to the device. The local database on the router will do just fine for this example.

    LabRouter(config)#line vty 0 4
    LabRouter(config-line)#login local
    LabRouter(config-line)#transport input ssh

  5. You will need to create an account in the router’s local database to be used for authenticating to the device. This can be accomplished with these commands (the username, privilege level and secret are all one command).

    LabRouter(config-line)#exit
    LabRouter(config)#username XXXX privilege 15 secret XXXX


Fine-Tuning Your Configuration

We’ve pretty much completed all the steps needed to configure and use SSH on your router; however, there are some other settings that can be made to further secure your device. For one, I would highly recommend enabling an exec timeout on your router to prevent anyone from gaining access to the device in cases where you forgot to log out or got distracted because of an emergency. This way, the router will automatically log you out after the session has been idle for a set time. You must configure this command on the line, as depicted below.

LabRouter(config)#line vty 0 4
LabRouter(config-line)#exec-timeout 5


This means that if the session has been idle for 5 minutes, the router will automatically disconnect the session.

 

Use Access Control Lists (ACLs) as an added layer of security; this will ensure that only devices with certain IP addresses are able to connect to the router. Let’s say the IP subnet for your LAN is 192.168.100.0/24; you would create an ACL to permit only traffic from that subnet and apply this ACL to the vty lines.

LabRouter(config)#access-list 1 permit 192.168.100.0 0.0.0.255
LabRouter(config)#line vty 0 4
LabRouter(config-line)#access-class 1 in


Another crucial point is to use SSH version 2 rather than SSH version 1. SSH2 fixes a lot of the weaknesses that existed in SSH1, and for this reason I recommend always using SSH2 where possible. Enable SSH version 2 with this command; it is a global configuration command, not a line command, so it is entered at the (config)# prompt:

LabRouter(config)#ip ssh version 2

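The steps above and the fine-tuning settings are easy to apply to vty 0 4 and forget on the remaining vty lines, or to lose during a later change. The script below is an added example, not code from the original article and not a Cisco tool: it parses a text copy of show running-config and reports which of the settings covered here are missing: a hostname and ip domain-name (so the RSA key can be named), ip ssh version 2, local users defined with a hashed secret, and on every vty line transport input ssh, login local (or an AAA login method), an exec-timeout and an inbound access-class. The embedded SAMPLE_CONFIG is constructed for the example, not captured from a device, and the function names parse_config and audit_ssh are my own.

```python
"""Audit a saved Cisco IOS configuration for the SSH hardening points above.

Added example: not part of the original article and not Cisco tooling.
Feed it the text of `show running-config`; it reports what is missing.
"""
from dataclasses import dataclass, field

# Constructed sample (not captured from a real router): the result of the
# article's steps on vty 0-4, plus a second vty range that was never hardened.
SAMPLE_CONFIG = """\
hostname LabRouter
ip domain-name CiscoLab.com
ip ssh version 2
username admin privilege 15 secret 5 $1$PLACEHOLDER-HASH
access-list 1 permit 192.168.100.0 0.0.0.255
line vty 0 4
 access-class 1 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
"""


@dataclass
class LineBlock:
    """One 'line ...' section (e.g. 'vty 0 4') and its indented commands."""
    name: str
    commands: list = field(default_factory=list)


def parse_config(text):
    """Split an IOS config into global commands and 'line' blocks.

    IOS indents sub-mode commands under their parent with one space; only
    'line' parents are tracked because that is all this audit needs.
    """
    global_cmds, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-mode command under current parent
            if current is not None:
                current.commands.append(raw.strip())
            continue
        current = None                      # back at global configuration level
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = LineBlock(cmd[len("line "):])
            blocks.append(current)
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit_ssh(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_config(text)
    findings = []
    if not any(c.startswith("hostname ") for c in global_cmds):
        findings.append("no hostname set (needed to name the RSA key)")
    if not any(c.startswith("ip domain-name ") for c in global_cmds):
        findings.append("no ip domain-name set (needed to name the RSA key)")
    if "ip ssh version 2" not in global_cmds:
        findings.append("ip ssh version 2 not set; SSHv1 may still be accepted")
    users = [c for c in global_cmds if c.startswith("username ")]
    if not users:
        findings.append("no local username defined for 'login local'")
    for user in users:
        if " secret " not in user:          # 'password' stores a reversible form
            findings.append(f"user {user.split()[1]}: 'password' used instead of hashed 'secret'")
    for blk in blocks:
        if not blk.name.startswith("vty"):
            continue                        # console/aux lines are out of scope here
        tag = f"line {blk.name}"
        cmds = blk.commands
        transport = next((c for c in cmds if c.startswith("transport input ")), None)
        if transport is None:
            findings.append(f"{tag}: no explicit 'transport input ssh' (default depends on IOS release)")
        elif transport != "transport input ssh":
            findings.append(f"{tag}: '{transport}' allows protocols other than SSH")
        if not any(c == "login local" or c.startswith("login authentication ") for c in cmds):
            findings.append(f"{tag}: no 'login local' or AAA login method")
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{tag}: no exec-timeout (IOS default is 10 minutes)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{tag}: exec-timeout 0 disables the idle timeout")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{tag}: no inbound access-class limiting source addresses")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the three gaps on vty 5 15 (Telnet still allowed, no exec-timeout, no access-class), which is exactly the kind of leftover the steps above do not catch on their own. The checks are deliberately literal string matches on the stored form of each command (IOS writes exec-timeout 5 as exec-timeout 5 0, for instance), so extend the comparisons if your platform stores a setting differently.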

Detailed reading on SSH can be found in RFC 4251: http://www.ietf.org/rfc/rfc4251.txt
