Cisco - Setting up access using telnet or ssh? - is it safe to use transport input all?

DJMK4 · 17 Feb 2011 at 10:03

Hi,

Abit confused on this, I have set up ssh using generate crypto key rsa, I have created an admin account for use with SSH. However is it safe to use the "transport input all" command to allow telnet, ssh etc etc? or would you stick to using ssh only and disabling telnet?

so....

line vty 0 4
transport input all

or would you just use

line vty 0 4
transport input ssh

DJMK4 · 17 Feb 2011 at 10:29

Pea0n said:
Personally I dont see much reason to use telnet. SSH clients are free and easily available; telnet is legacy and only useful under certain circumstances.

Other way of looking at is why bother having SSH enabled if you're just letting peole use Telnet anyway, plus its just another open port to abuse. Is this a lab or live?

- Pea0n

Well its the first piece of Cisco kit I have owned and its being used to do internal routing at the moment on my home network.

I have disabled telnet, and just using SSH with a 1024bit crypto key, and an local login:

username: admin (with a password) and privilege 15

This works fine I think.

DJMK4 · 17 Feb 2011 at 10:49

Cool

Just a quick question aswel, as I was playing around last night trying to forward SSH ports on my netgear router so I can access this Cisco from the outside world, SSH to my ISP WAN IP, it hits my netgear, see its SSH traffic and forwards it to my Cisco allowing me to login from the outside world.

However I couldn't get it working, is there any access control list objects I need to set-up to allow this?

DJMK4 · 17 Feb 2011 at 11:13

If I try to connect to it, it just fails after about 10 seconds I think. I do forward port 22 to the Cisco yes, but it doesnt connect, I have used these online port testers and it still states that port 22 is closed or there is no service at the other end of the forward.

I have tested my netgear firewall which is deffo working, I opened RDP ports and forwarded it to a machine on my LAN, this works fine.

The port forward on my netgear is set-up.

Going to give it another bash tonight.

DJMK4 · 17 Feb 2011 at 11:30

Pea0n said:
Very possible that the netgear just won't forward certain ports, chances are you'll find the same thing with telnet. Are there any logs available on the netgear? I doubt it but worth asking. Also turn on debugging for SSH and terminal monitor temporarily on the Cisco to see if it actually picks anything up when you try and connect

- Pea0n

Yeah will have a go later, SSH port forwarding on netgear has never been a problem before, I used to SSH in to my Linux box fine from work when I was running Ubuntu at home.

There are logs available on the Netgear, but I dont think I seen anything useful.

DJMK4 · 17 Feb 2011 at 14:28

jimjamuk said:
you also might want to check that a default route is configured on the cisco box for the internet.

Security wise

If you are coming from the same IP everytime you might want to create an ACL and apply your source IP's as being allowed to ssh to the box. And maybe change the default user from admin to something else - every bit of security helps esp if connected to the internet

I will double check the default route.

With regards to the IP, no my source IP wont be the same all the time, however the majority of the time I will be connecting from work, id say 80% of the time.

I could change the priv 15 user I created from admin to my first initial and last name.

DJMK4 · 17 Feb 2011 at 14:40

jimjamuk said:
that would be good - the users admin and cisco are prime for a brute force password attack if found by a scanner on the net (along with some other vendor standard usernames).

Also for added security do you need to go straight to priv 15 - I know it means another password but it all helps in the long run

I could set it to 0 I guess, then login with read only, then enter priv mode from there, how would I go about doing this? never done this before.

DJMK4 · 17 Feb 2011 at 18:59

OK, to clarify, here is my config, I am going to make a few changes tonight, my primary goal tonight is get it accessable from the outside, I can VPN in to a box in work and try getting in from there.

Can someone check my config to see if it looks ok so far? Its a very very basic config, nothing jazzy done with it yet, need to get this remote SSH working.

login as: admin
Using keyboard-interactive authentication.
Password:

Morandarouter1#show running-config
Building configuration...

Current configuration : 834 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Morandarouter1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1hahsiohsidhidhwdosdijf'ajif;rqwef;qerwogferw
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip domain name moranda.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
username admin privilege 15 secret 5 $BLa ha hah ha a
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
half-duplex
!
interface FastEthernet0
ip address 192.168.0.2 255.255.255.0
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Morandarouter1#
Morandarouter1#

DJMK4 · 17 Feb 2011 at 19:25

I will give that a go now, however I have a slight issue, I can SSH in to the box over the LAN no problems, login, priv mode fine, if I exit or end the session, try to log in it times out

I am going to buy a serial/USB console cable tomorrow I think! Cant be bothered to keep taking it in to work when no machine at home have a serial port.

DJMK4 · 17 Feb 2011 at 19:30

DJMK4 · 17 Feb 2011 at 21:34

Sorted out the user name issue, deleted admin and set my own one, put a little cheeky route in there and I can ping out on to the t'web from the router.

I have also woken Ethernet0

Morandarouter1#show running-config
Building configuration...

Current configuration : 887 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Morandarouter1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uhuiasufasdfsudfdsfsdiuhfiasgdflasgdu
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip domain name moranda.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
username dm0rand4 privilege 15 secret 5 $uhiufhiufhisuf;laudialuh
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.2 255.255.255.0
half-duplex
!
interface FastEthernet0
ip address 192.168.0.2 255.255.255.0
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Morandarouter1#

DJMK4 · 21 Feb 2011 at 18:56

jimjamuk said:
you could add an exec-timeout parameter on the vty line to time your session out if you disconnect or idle too long.

I would agree that priv 15 should be removed - go in a 0 and the enable up to 15.

if you still have an issue with the timeout - create a second username to test and try to connect with that - you shoul have multiple vty lines that you should be able to connect to if one is being held open. To confirm do a shop ip ssh to check open sessions

Whats the best way to set this up?, I dont want to go creating multiple accounts as its just me, so what I want to do is for this to happen

usera goes to log in with credentials

username: usera
password: passworda

login successful, "usera" now has privilege 0

I then type "enable" and I am asked to enter a password which jumps me up to privilege 15

How would I do this?

DJMK4 · 22 Feb 2011 at 12:45

Ahh of course!! Can't believe I forgot that

enable secret password is usually the first or second thing I do when I am starting a config. I am pretty sure I done it with this one too :\ I last noticed it working though when I was consoled in to it before I got the interfaces up and SSH working, I haven't noticed it working since.

DJMK4 · 22 Feb 2011 at 20:19

Done

my own user account has 0, login with that, enable (enter different password) and bam your in

DJMK4 · 22 Feb 2011 at 21:57

Pea0n said:
Awesome, you can try replacing it with

usename <username> secret <password>

That provides proper encryption on your account password (MD5 rather than the Cisco proprietary encryption )

Wha'ts your next objective?

- Pea0n

Cool will do

We'll I still need to get access from the WAN in via SSH, then I am going to start disabling services I dont need, add a dhcp server to interfaces, what else would you recommend at this stage?

DJMK4 · 22 Feb 2011 at 23:18

Pinging the web is fine, I added the route a while ago. I'm going to write up a few ideas.

DJMK4 · 26 Feb 2011 at 10:36

It's a 1721

I have had a bit of a break with this at the moment, I did start disabling un-needed services but I gave a break for abit as work was getting a bit mad, we are just starting a huge migration of our customers over to a new service. So I needed some down time before the fun begins