SSH server (terminal emulation)

Started by LynK, March 15, 2016, 10:26:50 AM


LynK

Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use
So if someone takes over a box they can just spam it with SSH requests filling up all the VTY lines

I want to make a SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.

huh?  :doh: :doh: :doh:
Sys Admin: "You have a stuck route"
Me: "You have an incorrect Default Gateway"

icecream-guy

Quote from: LynK on March 23, 2016, 01:07:22 PM
Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use
So if someone takes over a box they can just spam it with SSH requests filling up all the VTY lines

I want to make a SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.

huh?  :doh: :doh: :doh:

He wants to connect a modem to the AUX port.
:professorcat:

My Moral Fibers have been cut.

SimonV

Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use
So if someone takes over a box they can just spam it with SSH requests filling up all the VTY lines

You can limit that with the login feature

https://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_login_enhance.html

It automatically goes into silent mode and no longer accepts SSH connections from anywhere except what you define in an ACL. We were testing that today and it works great! Plus you get a nice little syslog with all the details.
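The login enhancements SimonV links to are configured in a few lines. The following is an added example, not configuration from SimonV's post or from the Cisco document; the ACL name and the host addresses (RFC 5737 documentation range) are placeholders chosen here.

```cisco
! Placeholder management hosts; replace with the real addresses
ip access-list standard MGMT-HOSTS
 permit 192.0.2.10
 permit 192.0.2.11
 deny   any
!
! After 3 failed logins within 60 seconds, refuse new VTY logins for 120 seconds
login block-for 120 attempts 3 within 60
! During that quiet period only MGMT-HOSTS may still connect
! (without this line the quiet period blocks every source, including you)
login quiet-mode access-class MGMT-HOSTS
! Syslog every failed and successful login so the event is visible
login on-failure log
login on-success log
! Add a pause between login attempts outside the quiet period as well
login delay 2
!
line vty 0 15
 transport input ssh
 exec-timeout 5 0
```

Two things to check after applying it: `show login` reports whether the router is in quiet mode and which ACL is active, and the failure counter only advances on failed authentication attempts, so sessions that are opened and simply held idle are released by `exec-timeout`, not by the quiet period. The feature therefore complements a per-line `access-class` rather than replacing it.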

dlots

kinda
you know you can have an ACL on your line vty 0 15
well you can have 1 ACL for
line vty 0 14
 access-class acl-permit-most-everything in
! and another ACL for
line vty 15
 access-class acl-permit-1-server in

This way when lines 0-14 are hammered by an attacker, you just get into the server and SSH in, hit line 15 and get into that one that isn't busy.

Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad, very interesting, thanks

SimonV

Quote from: dlots on March 23, 2016, 02:20:51 PM
Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad, very interesting, thanks

My pleasure! By the way, the quiet period is actually the ACL temporarily applied to your VTY lines. So the net result is the same.

wintermute000

#20
Quote from: LynK on March 23, 2016, 07:44:40 AM
@georges
@wintermute

what GUI tools do you use, and which flavor of Linux? We are probably going to use CentOS
All the Cisco security Java nonsense, VMware fat client, web client needs Flash (for now) + PowerCLI on top of PowerShell.
Most other vendors have seen the light and are pretty much HTML5, so Linux friendly.
Also, the ability to map RDP drives or user profile drives is a killer feature for moving files around; most places don't have the Linux fu to do AD Samba/Kerberos integration on their jump hosts.

icecream-guy

Quote from: dlots on March 23, 2016, 02:20:51 PM
kinda
you know you can have an ACL on your line vty 0 15
well you can have 1 ACL for
line vty 0 14
 access-class acl-permit-most-everything in
! and another ACL for
line vty 15
 access-class acl-permit-1-server in

This way when lines 0-14 are hammered by an attacker, you just get into the server and SSH in, hit line 15 and get into that one that isn't busy.

Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad, very interesting, thanks

I would suggest VTY 1-15 would get hammered, and with the ACL applied to VTY 15, the CPU on the device would go up due to all that extra work of dropping all those packets, and access would still be denied.

Take 10,000 packets during a DoS.

The first 14 packets would clog up VTY lines 1-14; VTY 15 would get packet 15, drop it, packet 16, drop it, and so on, until the VTY 1-14 connections start timing out, then those would get used until full, then packets start hitting VTY 15 again and would get dropped, etc. VTY 15 would never get used until VTY 1-14 are used. I think some CoPP would take care of the issue; it would be a better tool than an ACL.
:professorcat:

My Moral Fibers have been cut.

dlots

You should still use CoPP, and lines 0-14 should also get an ACL. This is more of an "Oh crap" moment kinda thing: normally you would let a fairly narrow range of stuff into your VTY lines, and this would be in case someone managed to get through that ACL and was spamming the crap out of it, so instead of making a long trip to the affected site you can still get in remotely to take a look at it.
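Putting dlots's two points together (an ACL on lines 0-14 as well as the reserved line 15, plus CoPP for the CPU concern icecream-guy raised), the following is an added example and not configuration from any post in the thread. The ACL, class-map and policy-map names are chosen here, the addresses are RFC 5737 placeholders for a management subnet and a single emergency jump server, and the policer rates are illustrative; CoPP syntax and supported rates vary by platform, so they are assumptions to adjust.

```cisco
! Placeholder addresses; replace with the real management subnet and jump server
ip access-list standard VTY-MGMT-NET
 permit 192.0.2.0 0.0.0.255
 deny   any log
ip access-list standard VTY-EMERGENCY-SERVER
 permit 192.0.2.250
 deny   any log
!
! Lines 0-14: day-to-day management, restricted to the management subnet
line vty 0 14
 access-class VTY-MGMT-NET in
 transport input ssh
 exec-timeout 5 0
! Line 15: only the emergency jump server may land here, so it stays free
! even when an attacker inside the management subnet has filled 0-14
line vty 15
 access-class VTY-EMERGENCY-SERVER in
 transport input ssh
 exec-timeout 5 0
!
! CoPP: cap the rate at which SSH can reach the control plane, so the
! packets the line-15 ACL rejects never become a CPU problem. The jump
! server gets its own class (listed first, so it matches before the catch-all).
ip access-list extended COPP-SSH-EMERGENCY
 permit tcp host 192.0.2.250 any eq 22
ip access-list extended COPP-SSH-OTHER
 permit tcp any any eq 22
class-map match-all CM-SSH-EMERGENCY
 match access-group name COPP-SSH-EMERGENCY
class-map match-all CM-SSH-OTHER
 match access-group name COPP-SSH-OTHER
policy-map COPP
 class CM-SSH-EMERGENCY
  police 128000 8000 conform-action transmit exceed-action drop
 class CM-SSH-OTHER
  police 64000 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
```

Verify the two halves separately: `show line` shows which VTYs are in use during a flood (line 15 should stay idle unless the jump server is connected), and `show policy-map control-plane` shows conform and exceed counters per class, which is also the quickest way to see that the drops are happening in the policer rather than being counted against the CPU by the VTY ACL. The `deny any log` entries give a syslog record of rejected sources, which is the detail you want when deciding whether the event was an attack or a misconfigured monitoring host.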