Configure SSH Access to Cisco Switch and Routers

Surprisingly, most of the world's routers and switches are still controlled and configured via the old and insecure Telnet protocol. The problem with Telnet is that everything it sends crosses the network unencrypted. That makes it simple for even an inexperienced hacker to steal passwords and take control of network devices. Once in control, a hacker can redirect traffic to themselves, route it around a firewall, or simply shut it all down. The only tool needed to steal these passwords is a network sniffer or password-mining software, and many such programs are available for free download on the Internet. Rather than using Telnet, network administrators use Secure Shell to manage their equipment, because it provides an encrypted tunnel to the network device that is nearly impossible for an attacker to break into.

What is SSH?

The Secure Shell (SSH) protocol has many useful features, but the most important one here is that it acts as an encrypted replacement for Telnet on routers and switches. Below are some simple steps to configure SSH access on Cisco routers and switches.

Steps to Setting Up a Secure Shell on a Router or Switch

Get the right code or firmware
The default software that Cisco ships on its equipment (the "code", as many network administrators call it) does not support SSH access, so it may need to be upgraded. Historically, Cisco has treated this type of software as a separate product because it has to include its own encryption libraries, but in the last few years a version of Cisco's code that does only SSH encryption has become available for several routers and switches. This version cannot do other IPsec tricks such as building VPN tunnels.

The simplest way to tell whether you have the right code is to run show version and look at the image you are currently running. If the image supports SSH, the string K9 will appear somewhere in its name. Also, the router or switch will not accept the ssh commands at all if its code does not support them. Look at the line that starts with "System image file is":

RouterA>show version

System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA3.bin"
Note the k9 in ipbasek9. That means this image is ready for SSH.

SSH authenticates with a username and password combination rather than just a line password. Without a username/password of some kind configured, you will not be able to connect to the device over SSH. The notes below cover configuring authentication where the device is not already set up for it. If the device supports SSH and already has username-based authentication, completing the SSH configuration is quick.

RouterA#configure terminal
Enter global configuration mode

RouterA(config)#hostname MyRouter
RouterA(config)#ip domain-name thisdomain.com
The RSA key pair is named after the hostname and domain name (its DNS name), so both must be set before the key is generated

RouterA(config)#crypto key generate rsa
How many bits in the modulus [512]: 1024
Choose 1024 because most SSH clients will accept nothing less

RouterA(config)#ip ssh time-out 120
This command limits the authentication time to 120 seconds: you must enter your username and password within two minutes

RouterA(config)#ip ssh authentication-retries 3
This is the number of failed login attempts allowed before the connection is dropped

RouterA(config)#service tcp-keepalives-in
RouterA(config)#service tcp-keepalives-out
This keeps dead SSH sessions from hanging on the device

RouterA(config)#line vty 0 4
RouterA(config-line)#transport input ssh
This limits incoming management access to SSH only. Telnet connections to these lines will no longer be accepted from this point on, so you probably want to test your SSH access before issuing this command.
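As an added example, not from the original article, here is a small Python check that a defender can run against saved show version output and a running-config to confirm the image carries the K9 feature set and that the SSH hardening steps above are all present. The sample outputs are constructed for the example, and the Telnet-allowed vty range is included on purpose to show a finding.

```python
import re

# Constructed show version line (not captured from a real device).
SHOW_VERSION = 'System image file is "bootflash:cat4500-ipbasek9-mz.122-31.SGA3.bin"'

# Constructed running-config excerpt; vty 5 15 deliberately still allows telnet.
RUNNING_CONFIG = """
hostname MyRouter
ip domain-name thisdomain.com
ip ssh time-out 120
ip ssh authentication-retries 3
service tcp-keepalives-in
service tcp-keepalives-out
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def image_supports_ssh(show_version):
    """True if the running image name contains 'k9' (crypto feature set)."""
    m = re.search(r'System image file is "([^"]+)"', show_version)
    return bool(m) and "k9" in m.group(1).lower()

def check_ssh_hardening(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    required = {
        "ip domain-name": r"^ip domain-name \S+",
        "ip ssh time-out": r"^ip ssh time-out \d+",
        "ip ssh authentication-retries": r"^ip ssh authentication-retries \d+",
        "service tcp-keepalives-in": r"^service tcp-keepalives-in$",
        "service tcp-keepalives-out": r"^service tcp-keepalives-out$",
    }
    for name, pattern in required.items():
        if not re.search(pattern, config, re.M):
            findings.append("missing: " + name)
    # Walk each 'line vty' block and record its 'transport input' setting.
    transports, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            transports[current] = None
        elif current and line.startswith(" transport input"):
            transports[current] = line.split()[2:]
        elif line and not line.startswith(" "):
            current = None  # left the vty block
    for vty, allowed in transports.items():
        if allowed is None:
            findings.append(vty + ": no 'transport input', device default applies")
        elif allowed != ["ssh"]:
            findings.append(vty + ": transport input allows " + " ".join(allowed))
    return findings
```

A vty block with no transport input line is reported as well, because the platform default may still permit Telnet.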

Now that SSH is configured, the network passwords are protected from hackers.
