1. Remote access should be via SSH, and telnet should be disabled
IOS-XR:
no telnet ipv4 server
Nexus OS:
no feature telnet
feature ssh
feature tacacs+
2. SSH should be version 2 or higher. Do not run v1.
IOS-XR:
ssh server v2
ssh server vrf management
Nexus OS:
ssh server v2
ssh server vrf management
ssh timeout 60
3. Configure SSH logging
IOS-XR:
ssh server logging
4. Configure Login Banner
IOS-XR:
banner login ^C
^C
Nexus OS:
banner motd ^
^
5. Configure timestamps, login authentication, exec and session timeouts, SSH as the only transport input, an ACL that allows only authorized source IPs, and a local secret password as a fallback in case the TACACS/RADIUS servers are unreachable
IOS-XR:
line default
 secret 5 $1$dAr.$win1P9yOuG1CSvO6v8tAL4
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 session-timeout 5
 transport input ssh
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log
Nexus OS:
interface mgmt0
 ip access-group SSH-ACCESS in
 vrf member management
 ip address 192.168.10.100/24
ip access-list SSH-ACCESS
 10 permit tcp 192.168.1.100/32 any eq 22
 20 permit tcp 192.168.1.101/32 any eq 22
 30 deny ip any any log
line vty
 exec-timeout 5
 access-class SSH-ACCESS in
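The two SSH-ACCESS lists above decide which source hosts ever reach the SSH daemon, so it is worth being able to review them offline before pushing them. The following script is an added example, not part of the original post or of any Cisco tool: it parses both the IOS-XR form (host keyword, service name) and the Nexus OS form (prefix notation, numeric port) of the list, evaluates a connection attempt against it with first-match semantics, and reports whether the matching entry is logged. The two ACL texts are constructed from the checklist; the destination addresses used in the usage section are placeholders.

```python
import ipaddress
import re

# Constructed sample input: the SSH-ACCESS list from the checklist, IOS-XR syntax.
IOSXR_ACL = """\
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
 30 deny ipv4 any any log
"""

# The same policy in Nexus OS syntax (prefix notation, numeric port).
NEXUS_ACL = """\
ip access-list SSH-ACCESS
 10 permit tcp 192.168.1.100/32 any eq 22
 20 permit tcp 192.168.1.101/32 any eq 22
 30 deny ip any any log
"""

SERVICE_PORTS = {"ssh": 22, "telnet": 23}   # service names accepted after "eq"
ANY_PROTO = {"ip", "ipv4"}                  # protocol keywords that match any protocol

# One access-control entry: sequence, action, protocol, source, destination, optional port, optional log.
ENTRY_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host\s+\S+|\S+/\d+|any)\s+(?P<dst>host\s+\S+|\S+/\d+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<log>\s+log)?\s*$"
)


def _network(token):
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D/len' into an ip_network."""
    token = token.strip()
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host"):
        return ipaddress.ip_network(token.split()[1] + "/32")
    return ipaddress.ip_network(token, strict=False)


def _port(token):
    """Resolve a service name or numeric port; None means 'no port restriction'."""
    if token is None:
        return None
    return SERVICE_PORTS.get(token.lower()) or int(token)


def parse_acl(text):
    """Return the entries of an IOS-XR or NX-OS style ACL, sorted by sequence number."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # the 'access-list NAME' header and anything unparsed are skipped
        entries.append({
            "seq": int(m["seq"]),
            "action": m["action"],
            "proto": m["proto"].lower(),
            "src": _network(m["src"]),
            "dst": _network(m["dst"]),
            "port": _port(m["port"]),
            "log": m["log"] is not None,
        })
    return sorted(entries, key=lambda e: e["seq"])


def evaluate(entries, src_ip, dst_ip, proto="tcp", dport=22):
    """First-match evaluation. Returns (action, sequence, logged).
    A packet matching no entry hits the implicit deny, which is not logged."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        proto_ok = e["proto"] in ANY_PROTO or e["proto"] == proto
        port_ok = e["port"] is None or e["port"] == dport
        if proto_ok and port_ok and src in e["src"] and dst in e["dst"]:
            return e["action"], e["seq"], e["log"]
    return "deny", None, False


def allowed_sources(entries):
    """Hosts explicitly permitted by /32 entries, for comparison with the approved jump-host list."""
    return sorted(str(e["src"].network_address) for e in entries
                  if e["action"] == "permit" and e["src"].prefixlen == 32)


if __name__ == "__main__":
    acl = parse_acl(IOSXR_ACL)
    for source in ("192.168.1.100", "192.168.1.200"):
        print(source, "->", evaluate(acl, source, "192.168.10.100"))
    print("permitted hosts:", allowed_sources(parse_acl(NEXUS_ACL)))
```

The last function is the review step: diffing its output against the list of approved management hosts catches a stray permit, and the `logged` flag of a deny result confirms that rejected attempts will show up in syslog rather than disappear into the implicit deny.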
6. SSH inactivity timeout should be configured
IOS-XR:
ssh timeout 60
7. Enforce 2FA (two-factor authentication) and configure centralized AAA. Complex passwords/passphrases should be enforced on the TACACS/RADIUS servers.
IOS-XR:
aaa authorization exec default group TACACS group tacacs+ none
aaa authorization commands default group TACACS group tacacs+ none
aaa authorization eventmanager default group tacacs+
aaa authentication login default group TACACS group tacacs+ local
aaa group server tacacs+ TACACS
 vrf management
 server-private 192.168.1.111 port 49
  key 7 143413081E1E0B203F3F213A
Nexus OS:
aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 192.168.1.111 key 7 "enc_ryptedkey"
tacacs+ commit
8. Configure control-plane management for SSH if possible
IOS-XR:
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.168.1.100
     address ipv4 192.168.1.101
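Once the eight items are in place, the question becomes whether they stay in place across upgrades and hands-on changes. The script below is an added example, not part of the original post and not a Cisco utility: it takes the text of an IOS-XR running configuration and checks it against the IOS-XR side of the checklist, treating item 1 as an absence check (a compliant device shows no telnet server line) and item 5 as a set of checks on the child lines of `line default` plus a requirement that the referenced ACL end in a logged deny. The sample configuration is constructed for a hypothetical device and deliberately fails several items; the hostname is a placeholder.

```python
import re

# Constructed sample: an excerpt of an IOS-XR running configuration for a hypothetical
# device, using the addresses from the checklist. It deliberately leaves telnet enabled,
# omits SSH logging and session-timeout, and has no logged deny at the end of the ACL.
SAMPLE_IOSXR = """\
hostname example-rtr
ssh server v2
ssh server vrf management
ssh timeout 60
telnet vrf default ipv4 server max-servers 5
banner login ^C
Authorized access only
^C
line default
 login authentication default
 timestamp
 exec-timeout 5 0
 access-class ingress SSH-ACCESS
 transport input ssh
!
ipv4 access-list SSH-ACCESS
 10 permit tcp host 192.168.1.100 any eq ssh
 20 permit tcp host 192.168.1.101 any eq ssh
!
aaa authentication login default group TACACS group tacacs+ local
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.168.1.100
"""

# Top-level checks: (regex matched against each line, whether a match is wanted).
GLOBAL_CHECKS = {
    "1 telnet disabled":              (r"^telnet .*server", False),
    "2 ssh version 2":                (r"^ssh server v2$", True),
    "3 ssh logging":                  (r"^ssh server logging$", True),
    "4 login banner":                 (r"^banner login ", True),
    "6 ssh inactivity timeout":       (r"^ssh timeout \d+$", True),
    "7 tacacs+ login authentication": (r"^aaa authentication login default group .*tacacs", True),
    "8 management-plane allows ssh":  (r"^\s*allow SSH peer$", True),
}

# Checks applied only to the child lines of 'line default' (item 5).
LINE_DEFAULT_CHECKS = {
    "5 transport input ssh":  r"^transport input ssh$",
    "5 exec-timeout":         r"^exec-timeout \d+",
    "5 session-timeout":      r"^session-timeout \d+",
    "5 access-class ingress": r"^access-class ingress \S+$",
    "5 login authentication": r"^login authentication ",
    "5 timestamp":            r"^timestamp$",
}


def section(lines, header):
    """Stripped child lines under the first line matching header. IOS-style
    configs nest by indentation, so the block ends at the next unindented line."""
    body, inside = [], False
    for line in lines:
        if inside:
            if line.startswith(" "):
                body.append(line.strip())
                continue
            break
        if re.match(header, line):
            inside = True
    return body


def acl_ends_with_logged_deny(lines, name):
    """Item 5: the SSH ACL should finish with an explicit, logged deny so that
    rejected connection attempts are visible in syslog."""
    entries = section(lines, rf"^ipv4 access-list {re.escape(name)}$")
    return bool(entries) and re.match(r"^\d+ deny .* log$", entries[-1]) is not None


def audit_iosxr(config):
    """Return {check name: passed} for the IOS-XR items of the checklist."""
    lines = config.splitlines()
    results = {}
    for name, (pattern, wanted) in GLOBAL_CHECKS.items():
        present = any(re.match(pattern, line) for line in lines)
        results[name] = present == wanted
    line_default = section(lines, r"^line default$")
    for name, pattern in LINE_DEFAULT_CHECKS.items():
        results[name] = any(re.match(pattern, line) for line in line_default)
    acl_name = None
    for line in line_default:
        m = re.match(r"^access-class ingress (\S+)$", line)
        if m:
            acl_name = m.group(1)
    results["5 ACL ends with logged deny"] = (
        acl_name is not None and acl_ends_with_logged_deny(lines, acl_name))
    return results


def failures(results):
    """Names of the checks that did not pass, sorted so they follow the checklist numbering."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for name in failures(audit_iosxr(SAMPLE_IOSXR)):
        print("FAIL:", name)
```

Feed it the output of `show running-config` collected over your normal automation path and run it after every change window; the Nexus OS side of the checklist can be covered the same way by swapping in the `feature`, `line vty` and `ip access-list` patterns from the sections above.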
[…] Related link –> Best Security Practices for SSH (Secure Shell) Remote Access in Cisco […]