I’m not studying for the security track, but quite a few security features are in the CCIE R&S exam. Today, I will be demonstrating how to harden a WAN edge router by combining a non-standard SSH port (using a rotary group), login brute-force throttling and dynamic ACLs (lock-and-key). Moving the SSH port is security through obscurity; the login throttling and the lock-and-key ACL are what actually limit an attacker.
This is the topology for this example:
Let’s first start by configuring basic SSH on the router.
Alright, let’s test this:
All is good, basic SSH works.
Now let’s add an additional layer and move SSH to port 2222. First, we need the rotary command on the VTY lines plus `ip ssh port 2222 rotary 1`, which makes the SSH server listen on 2222 (as well as 22) for that rotary group. Then we add an ACL on the inbound WAN interface to block port 22. If we don’t block port 22, we will still be able to SSH through both 22 and 2222. Let’s also log any connection through port 2222:
Now we should only be able to SSH through port 2222. Let’s test.
As expected, we cannot SSH through port 22, and can only SSH through port 2222.
At this point, this is reasonably locked down, but a port scan will still find 2222 open, and an attacker can then brute-force SSH passwords. Let’s add some more security with `login block-for`: if there are 3 failed attempts within 20 seconds, the router blocks further login attempts for 300 seconds (5 minutes).
Awesome, this is looking good, but we can obscure and restrict the access even more with a dynamic ACL (lock-and-key). This feature inserts a temporary permit entry into an extended ACL after a user successfully authenticates to the router (typically via telnet) and runs `access-enable`. In this example, we will use a telnet login to open the SSH port.
First let’s remove old ACL and change it to new one:
Let’s add the username and password for the dynamic ACL and enable telnet:
We should not be able to SSH to either 22 or 2222 until we telnet into the router and authenticate with username `knock`, password `knock`. Once we have authenticated that way, we should be able to SSH through 2222 only, and only for 60 seconds (after that the dynamic entry expires and the port is blocked again). Let’s test:
Excellent, everything seems to be working. There’s one more thing we can do to obscure access even more: change the port we telnet to. We actually did this already by adding `rotary 1`, which makes telnet listen on port 3001 in addition to 23. With a deny statement we can block port 23 and only allow 3001.
Change the ACL:
Now let’s test the whole thing:
Success! With this method, you need to authenticate through telnet on port 3001 with username `knock` and password `knock`; that opens SSH port 2222 for a short window. You then need to authenticate through SSH on 2222 with the real admin credentials. If a hacker can figure all of this out, well, I guess he deserves to get into that router!
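Since the individual configuration snippets above are not shown, here is the whole thing put together as one IOS configuration. This is an added example, not the configuration from the original post; it assumes a router named R1, a WAN interface GigabitEthernet0/0 with address 203.0.113.1, an admin account `admin`, a management host 198.51.100.10 that should never be locked out, and the `knock` account from the write-up. Verify each layer on your own router before relying on it.

```cisco
! Added example (assumed hostname, addresses and account names; not from the original post).
hostname R1
ip domain-name lab.example
!
! Real admin account for SSH, and the knock account whose only purpose is to
! run access-enable and then disconnect (autocommand on the username, not on
! the VTY line, so it does not fire for the admin's SSH session).
username admin privilege 15 secret StrongAdminPass!
username knock secret knock
username knock autocommand access-enable host timeout 1
!
crypto key generate rsa modulus 2048
ip ssh version 2
! Rotary group 1: SSH also listens on 2222, telnet also listens on 3001.
ip ssh port 2222 rotary 1
!
! Brute-force throttling: 3 failures within 20 s blocks logins for 300 s.
! The quiet-mode ACL lets the management host in even during the block.
login block-for 300 attempts 3 within 20
login quiet-mode access-class MGMT-ALWAYS
login on-failure log
login on-success log
!
ip access-list standard MGMT-ALWAYS
 permit 198.51.100.10
!
! Inbound WAN ACL. Only traffic to the router itself (203.0.113.1) is
! filtered here; transit traffic is left alone by the final permit.
! The temporary entry created by access-enable is inserted at the position
! of the "dynamic" line, so order matters.
ip access-list extended WAN-IN
 deny   tcp any host 203.0.113.1 eq 22 log
 deny   tcp any host 203.0.113.1 eq telnet log
 permit tcp any host 203.0.113.1 eq 3001 log
 dynamic KNOCK timeout 1 permit tcp any host 203.0.113.1 eq 2222 log
 deny   tcp any host 203.0.113.1 eq 2222 log
 permit ip any any
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group WAN-IN in
!
line vty 0 4
 login local
 rotary 1
 transport input telnet ssh
```

Both timeouts are in minutes: `dynamic KNOCK timeout 1` is the absolute lifetime of the opened entry and `access-enable host timeout 1` is its idle timeout, which together give the 60-second window described above. The `host` keyword is important: it narrows the temporary entry to the source address that authenticated, so a third party cannot ride on someone else’s knock. Two caveats a practitioner should keep in mind: the knock credentials travel over telnet in the clear, so treat them as a port-opening token rather than a secret (the real authentication is the SSH login), and `login block-for` counts failures on every line, so an attacker who can reach 3001 can keep the router in quiet mode; that is why the quiet-mode ACL for a trusted management host is included. To check the result, `show access-lists WAN-IN` shows the dynamic entry after a successful knock, `show ip ssh` confirms the rotary port, and `show login` shows whether the router is currently in quiet mode.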
I hope this was informative.