Tuesday, 21 February 2012

Configuring SSH Security

To enable SSH on the router, the following parameters must be configured:

    Hostname

    Domain name

    Asymmetrical keys

    Local authentication

Optional configuration parameters include:

    Timeouts

    Retries


The following steps configure SSH on a router.

Step 1: Set router parameters

Configure the router hostname with the hostname hostname command from configuration mode.

Step 2: Set the domain name
A domain name must exist to enable SSH. In this example, enter the ip domain-name cisco.com command from global configuration mode.

Step 3: Generate asymmetric keys
You need to create a key that the router uses to encrypt its SSH management traffic with the crypto key generate rsa command from configuration mode. The router responds with a message showing the naming convention for the keys. Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. As a best practice, Cisco recommends using a minimum modulus length of 1024. Be aware that a longer modulus takes longer to generate and to use, but it offers stronger security.
You can learn more about the crypto key command in the Network Security course.

Step 4: Configure local authentication and vty
You must define a local user and assign SSH communication to the vty lines.

Step 5: Configure SSH timeouts (optional)
Timeouts provide additional security for the connection by terminating lingering, inactive connections. Use the ip ssh time-out seconds and ip ssh authentication-retries integer commands to enable timeouts and limit authentication retries. Set the SSH timeout to 15 seconds and the number of retries to 2.
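The five steps above end up as a handful of lines in the running configuration, and the easiest way to confirm that a router actually got all of them is to audit the text of show running-config and show ip ssh. The script below is an added example, not part of the original post or of Cisco's own tooling: it embeds a constructed running-config that follows steps 1 to 5 (the username, login local and transport input ssh lines are standard IOS syntax but are not spelled out on the page, and the password value is a placeholder), a constructed show ip ssh output, and a deliberately weak configuration for comparison. It also checks for ip ssh version 2, which the page does not mention; the check names and thresholds (15 seconds, 2 retries) are my own choices.

```python
"""Audit Cisco IOS text output for the SSH settings described in steps 1-5.

All device output in this file is constructed for the example; nothing here
was captured from a real router.
"""
import re

# Constructed running-config that follows the five steps: hostname, domain name,
# local user, vty lines restricted to SSH, and the optional timeout/retry limits.
# The RSA key pair from step 3 is kept in NVRAM and does not appear as a line
# here; "show ip ssh" is what confirms that SSH is enabled.
HARDENED_CONFIG = """\
hostname R2
ip domain-name cisco.com
username admin secret EXAMPLE_PLACEHOLDER
ip ssh time-out 15
ip ssh authentication-retries 2
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

# Constructed "show ip ssh" output in the layout IOS prints for an enabled server.
HARDENED_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication timeout: 15 secs; Authentication retries: 2
"""

# Constructed weak configuration: default hostname, no domain name, a clear-text
# "password" instead of "secret", Telnet still allowed on the vty lines, and the
# default 120 s timeout and 3 retries.
WEAK_CONFIG = """\
hostname Router
username admin password EXAMPLE_PLACEHOLDER
line vty 0 4
 login local
 transport input telnet ssh
"""

WEAK_SHOW_IP_SSH = """\
SSH Disabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"""


def vty_blocks(config):
    """Return a list of (header, [indented sub-commands]) for each 'line vty' section."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = (raw.strip(), [])
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # any other top-level command ends the vty section
    return blocks


def audit_ssh(config, show_ip_ssh, max_timeout=15, max_retries=2):
    """Return a dict of check name -> True (pass) / False (fail)."""
    lines = config.splitlines()

    def has(pattern):
        return any(re.match(pattern, line) for line in lines)

    m = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)",
                  show_ip_ssh)
    timeout, retries = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    vtys = vty_blocks(config)

    return {
        # Step 1: hostname changed from the factory default "Router"
        "hostname_set": has(r"hostname (?!Router$)\S+"),
        # Step 2: domain name present (older IOS writes "ip domain-name", newer "ip domain name")
        "domain_name_set": has(r"ip domain[- ]name \S+"),
        # Step 4: local user stored with a hashed "secret", not a clear-text "password"
        "local_user_with_secret": has(r"username \S+ secret "),
        # Step 3 result: the server reports itself enabled, i.e. an RSA key exists
        "ssh_enabled": show_ip_ssh.startswith("SSH Enabled"),
        "ssh_version_2": has(r"ip ssh version 2") and "version 2.0" in show_ip_ssh,
        # Step 4: every vty block authenticates locally and accepts SSH only
        "vty_login_local": bool(vtys) and all("login local" in sub for _, sub in vtys),
        "vty_ssh_only": bool(vtys) and all("transport input ssh" in sub for _, sub in vtys),
        # Step 5: timeout and retry limits at or below the chosen thresholds
        "timeout_ok": timeout is not None and timeout <= max_timeout,
        "retries_ok": retries is not None and retries <= max_retries,
    }


def failed_checks(results):
    """Names of the checks that did not pass, in audit order."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for label, cfg, ssh in (("hardened", HARDENED_CONFIG, HARDENED_SHOW_IP_SSH),
                            ("weak", WEAK_CONFIG, WEAK_SHOW_IP_SSH)):
        print(f"{label}: failed checks = {failed_checks(audit_ssh(cfg, ssh))}")
```

Feed the script the saved output of show running-config and show ip ssh from each router to get a quick pass/fail list; the weak sample fails every check except vty_login_local, which is exactly the situation the steps above are meant to prevent.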

To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm. Make sure the SSH option is selected and that the client connects to TCP port 22.

When TeraTerm is used to connect securely to router R2 with SSH, R2 displays a username prompt once the connection is initiated, followed by a password prompt. If the correct credentials are provided, TeraTerm displays the router R2 user EXEC prompt.
