Cisco - Setting up access using telnet or ssh? - is it safe to use transport input all?

Hi,

A bit confused on this. I have set up SSH using generate crypto key rsa, and I have created an admin account for use with SSH. However, is it safe to use the "transport input all" command to allow telnet, SSH etc.? Or would you stick to using SSH only and disable telnet?

so....

line vty 0 4
transport input all



or would you just use

line vty 0 4
transport input ssh
 
Personally I don't see much reason to use telnet. SSH clients are free and easily available; telnet is legacy and only useful under certain circumstances.

Other way of looking at it is why bother having SSH enabled if you're just letting people use Telnet anyway, plus it's just another open port to abuse. Is this a lab or live?

- Pea0n
 
Well its the first piece of Cisco kit I have owned and its being used to do internal routing at the moment on my home network.

I have disabled telnet, and am just using SSH with a 1024-bit crypto key and a local login:

username: admin (with a password) and privilege 15

This works fine I think.
 
Cool :)

Just a quick question as well. I was playing around last night trying to forward SSH ports on my Netgear router so I can access this Cisco from the outside world: SSH to my ISP WAN IP, it hits my Netgear, sees it's SSH traffic and forwards it to my Cisco, allowing me to log in from the outside world.

However I couldn't get it working. Are there any access control list objects I need to set up to allow this?
 
What happens if you do connect at the moment? Does it fail instantly or take about 20 - 30 seconds to fail? Are there any settings on the router that prevent management from the WAN port? Definitely forwarding port 22 TCP through to the Cisco?

- Pea0n
 
If I try to connect to it, it just fails after about 10 seconds I think. I do forward port 22 to the Cisco, yes, but it doesn't connect. I have used these online port testers and it still states that port 22 is closed or there is no service at the other end of the forward.

I have tested my netgear firewall which is deffo working, I opened RDP ports and forwarded it to a machine on my LAN, this works fine.

The port forward on my Netgear is set up.

Going to give it another bash tonight.
 
Very possible that the Netgear just won't forward certain ports; chances are you'll find the same thing with telnet. Are there any logs available on the Netgear? I doubt it but worth asking. Also turn on debugging for SSH and terminal monitor temporarily on the Cisco to see if it actually picks anything up when you try and connect.

- Pea0n
 
Yeah, will have a go later. SSH port forwarding on Netgear has never been a problem before; I used to SSH in to my Linux box fine from work when I was running Ubuntu at home.

There are logs available on the Netgear, but I don't think I've seen anything useful.
 
You also might want to check that a default route is configured on the Cisco box for the internet.

Security wise

If you are coming from the same IP every time you might want to create an ACL and apply your source IPs as being allowed to SSH to the box. And maybe change the default user from admin to something else - every bit of security helps, esp. if connected to the internet.
 
I will double check the default route.

With regards to the IP, no, my source IP won't be the same all the time; however the majority of the time I will be connecting from work, I'd say 80% of the time.

I could change the priv 15 user I created from admin to my first initial and last name.
 
That would be good - the users admin and cisco are prime for a brute force password attack if found by a scanner on the net (along with some other vendor standard usernames).

Also for added security do you need to go straight to priv 15 - I know it means another password but it all helps in the long run
 
I could set it to 0 I guess, then login with read only, then enter priv mode from there. How would I go about doing this? I've never done this before.
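Pulling together the suggestions made in the thread so far (only accept SSH, restrict which source addresses may reach the vty lines, drop the well-known admin account name, and log in at a lower privilege level then step up with enable), here is an added IOS configuration example. It is not from any post in this thread. The user name jbloggs, the ACL name MGMT-SSH, the two source ranges (RFC 5737 documentation addresses) and the password placeholders are all assumptions; substitute real values. On the privilege question: the default level for a username is 1, which is the normal user EXEC (show commands and so on), whereas level 0 leaves only disable, enable, exit, help and logout, so level 1 is the usual "read-only" starting point.

```cisco
! Added example, not from the thread. Placeholders: jbloggs, MGMT-SSH,
! the two source networks (RFC 5737 documentation ranges) and the passwords.
!
! Regenerating the key at 2048 bits replaces the existing 1024-bit host key;
! SSH clients that cached the old fingerprint will warn on the next connect.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only these sources may open a vty session at all; everything else is
! dropped before any authentication happens, and logged.
ip access-list standard MGMT-SSH
 permit host 203.0.113.10
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! Throttle guessing: 3 failures inside 60 s blocks all logins for 120 s.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Day-to-day account at the default privilege level (1): user EXEC only.
! Configuration access needs the separate enable secret ("enable" at the prompt).
username jbloggs secret <USER-PASSWORD>
enable secret <ENABLE-PASSWORD>
! Remove the well-known account name once the new one has been tested.
no username admin
! Obscure any remaining plaintext passwords in "show running-config".
service password-encryption
!
line vty 0 4
 access-class MGMT-SSH in
 login local
 transport input ssh
```

Two practical points: apply the access-class and remove the old account from a second session, keeping the first one open until the new account has logged in successfully, otherwise a typo in the ACL locks you out of the only remote path. And if the work address is not fixed, as the poster says, the ACL can permit the whole range the work connections come from rather than a single host; the login block-for throttle then covers the remaining exposure.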
 
OK, to clarify, here is my config. I am going to make a few changes tonight; my primary goal tonight is to get it accessible from the outside, I can VPN in to a box in work and try getting in from there.

Can someone check my config to see if it looks ok so far? It's a very very basic config, nothing jazzy done with it yet, need to get this remote SSH working.

login as: admin
Using keyboard-interactive authentication.
Password:

Morandarouter1#show running-config
Building configuration...

Current configuration : 834 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Morandarouter1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1hahsiohsidhidhwdosdijf'ajif;rqwef;qerwogferw
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip domain name moranda.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
username admin privilege 15 secret 5 $BLa ha hah ha a
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.0.2 255.255.255.0
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Morandarouter1#
Morandarouter1#
 
OK well:

Bring up a second interface
Sort out some routing (even a default route)
Have a Google about disabling un needed services

Give that a go first :)

- Pea0n
 
I will give that a go now, however I have a slight issue. I can SSH in to the box over the LAN no problems, login, priv mode fine, but if I exit or end the session and try to log in again, it times out.

I am going to buy a serial/USB console cable tomorrow I think! Can't be bothered to keep taking it in to work when no machines at home have a serial port.
 
Chances are you're not disconnecting properly. "Exit" back to the priv exec mode then type "quit". Try logging in straight after that and see what happens.

- Pea0n
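An added IOS example, not from any post in this thread, for the remaining items raised: the default route, disabling unneeded services, and sessions that are not closed cleanly. The default route matters for the port-forward problem because a SYN forwarded from the Netgear reaches the Cisco fine, but without a route the Cisco has no path back to the Internet source address, so the handshake never completes and the outside tester reports the port closed. The next hop 192.168.0.1 is an assumption about the Netgear's LAN address; the posted config only shows the Cisco at 192.168.0.2/24.

```cisco
! Added example, not from the thread. 192.168.0.1 as the Netgear's LAN side
! is an assumption; the posted config only shows the Cisco at 192.168.0.2/24.
!
! Without this, forwarded connections arrive but the router cannot reply
! to a non-local source, so the TCP handshake never completes.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! Services with no role on a home router; each is a listener or an
! information leak, so turn them off rather than rely on defaults.
no service pad
no ip bootp server
no ip finger
no ip source-route
no cdp run
no service tcp-small-servers
no service udp-small-servers
! Already off in the posted config; keep it that way.
no ip http server
no ip http secure-server
!
! Detect dead client connections so half-closed sessions do not hold a vty.
service tcp-keepalives-in
!
! A session left without "exit"/"logout" keeps its vty line; with only
! vty 0-4 available, a few of those and further connections fail until a
! line is freed. Idle sessions are released after 10 minutes.
line vty 0 4
 exec-timeout 10 0
!
! Operator checks when a login fails right after a previous session:
!   show users        - which vty lines are still held, and by whom
!   clear line vty 0  - drop the stale session on vty 0
!   show ip ssh       - SSH version and key state
```

The "show users" and "clear line" commands are EXEC commands, not configuration, and are listed as comments so the block can be pasted into config mode as one unit; run them from a working session (or the console cable mentioned above) when the vty pool appears exhausted.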
 