Articles Tagged ‘ssh’

Enabling & Configuring SSH on Cisco Routers. Restrict SSH for Management & Enable AAA Authentication for SSH Sessions

This article shows how to configure and set up SSH for remote management of Cisco IOS routers. We’ll show you how to check whether SSH is supported by your IOS version, how to enable it, how to generate an RSA key for your router and, finally, how to configure SSH as the preferred management protocol under the VTY lines.

Secure Shell (SSH) provides a secure and reliable means of connecting to remote devices. It’s an encrypted network protocol that allows users to safely access equipment via command-line sessions. SSH uses TCP port 22, which is assigned to secure logins, file transfer and port forwarding.

SSH uses public-key cryptography to authenticate the remote device and encrypts all data between that device and the workstation, which makes it the best choice for public networks. Telnet, by contrast, transmits everything in plain text and is therefore exposed to eavesdropping; for that reason Telnet is recommended for private networks only, where the data is not at risk of being intercepted.


Verifying SSH Support on your Router

The first step involves examining whether your Cisco router’s IOS supports SSH or not. Most modern Cisco routers support SSH, so this shouldn’t be a problem.

IOS images with K9 in the image name, e.g. c2900-universalk9-mz.SPA.154-3.M2.bin, support strong encryption with 3DES/AES, while K8 IOS bundles support only weak encryption with the outdated DES.

To check, simply enter privilege mode and use the show ip ssh command:

R1# show ip ssh
SSH Disabled - version 1.99
%Please create RSA keys to enable SSH (and of atleast 768 bits for SSH v2).
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): NONE

In the above output the router reports SSH support, but SSH is currently disabled because no RSA key has been generated. It is also worth noting that a key of at least 768 bits must be generated to enable SSHv2.


Securing Access to Router

It’s always a good idea to restrict access to the Cisco router before enabling SSH. This is especially important when the device has an interface facing a public network, e.g. the Internet or a public hotspot.

We first create user credentials on the device and then enable Authentication, Authorization & Accounting services (AAA). Finally, ensure an enable secret is set to protect access to privilege mode, along with the service password-encryption command to ensure all clear-text passwords in the configuration are encrypted:

Router (config)# username admin privilege 15 secret Firewall.cx
Router (config)# aaa new-model
Router (config)# aaa authentication login default local
Router (config)# enable secret $FirewAll.cx!
Router (config)# service password-encryption

Next, it is highly recommended to restrict remote access via the SSH protocol only. This will ensure that insecure services such as Telnet cannot be used to access the router. Telnet sends all information unencrypted, including username/password, and is therefore considered a security risk.

We’ll use the transport input ssh command under the VTY lines to restrict remote access to SSH only. Note that we can also use access lists to restrict which hosts may open SSH connections to our router:

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login authentication default
R1(config-line)# password $Cisco!

Note: the password command under the line vty 0 4 section is completely optional and is not used in our case, because the login authentication default command forces the router to use the AAA mechanism (and therefore the local username database) for all user authentication.
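As an added audit example (not part of the article, which configures the router by hand), the following Python script checks a saved running-config for the commands shown above and parses the status line of show ip ssh. The sample configuration is constructed for the example; its second VTY range is deliberately left open to Telnet so the audit has something to report.

```python
import re
# Constructed sample running-config (not from a real router): the first VTY
# range follows the article, the second is deliberately left open to Telnet.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
enable secret 5 $1$PLACEHOLDER
service password-encryption
line vty 0 4
 transport input ssh
 login authentication default
line vty 5 15
 transport input telnet ssh
 login
"""
SSH_STATUS_RE = re.compile(r"^SSH (Enabled|Disabled) - version ([\d.]+)", re.M)

def parse_ssh_status(show_ip_ssh):
    """Return (enabled, version) from 'show ip ssh' output, or (None, None)."""
    m = SSH_STATUS_RE.search(show_ip_ssh)
    return (m.group(1) == "Enabled", m.group(2)) if m else (None, None)

def vty_blocks(config):
    """Return [(label, [body lines])] for each 'line vty' section."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = (line.strip(), [])
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None  # a non-indented line ends the section
    return blocks

def audit(config):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for cmd in ("aaa new-model", "aaa authentication login default local", "service password-encryption"):
        if cmd not in top:
            findings.append(f"missing global command: {cmd}")
    if not any(l.startswith("enable secret") for l in top):
        findings.append("enable secret not set")
    for label, body in vty_blocks(config):
        transport = [l for l in body if l.startswith("transport input")]
        if transport != ["transport input ssh"]:
            findings.append(f"{label}: expected 'transport input ssh', found {', '.join(transport) or 'unset'}")
        if "login authentication default" not in body:
            findings.append(f"{label}: not using AAA (login authentication default)")
    return findings
```

Run audit() over the output of show running-config collected from each router; every finding points at a VTY range or global command that still deviates from the baseline above.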


Generating Our Router’s RSA Key – Digital Certificate

OpenMosix- Linux Supercomputer

Most of us dream of using a Linux Supercomputer, something with so much raw processing power and memory that operations get completed in nanoseconds rather than minutes. With hardware becoming cheaper, most of us are accustomed to working on machines with 4-8 GB of RAM, and occasionally even using dual or quad core processors.

However, what if we told you that there's a simple way to build your own supercomputer, using nothing more than GNU/Linux and any old hardware you happen to have lying around? The basic idea is to cluster multiple systems together and use their combined CPU power and combined RAM as if they were one system.

This concept of multiple physical machines contributing their processing power and behaving like a single system is known as 'Single System Image' clustering. In other words, the cluster behaves like a normal single system to the end-user.

The key to doing this is to use a system known as 'openMosix' in conjunction with Linux. OpenMosix is an extension to the Linux kernel that allows for seamless clustering and load balancing of processing power over systems on a network. This means that you can take, say, 5 low-end machines with 256 MB RAM each, install an openMosix-enhanced Linux kernel on them, and effectively have a system with 5 CPUs and 1,280 MB RAM! This idea scales very nicely: imagine a setup with 10 systems, each with 512 MB RAM... you can cluster them and get an extremely powerful 10 CPU, 5 GB RAM monster to play with!

Anyway, now that we've got you drooling, we'll show you the simplest way to set up your own GNU/Linux cluster, explain the technology behind it, show you how to optimize it, and finally give you a couple of interesting ideas on what to do with your behemoth cluster.

Before we start, let's take a quick look at what we've got covered in the following pages for you:

  • Section 1: Understanding OpenMosix.
  • Section 2: Building An OpenMosix Cluster.
    • 2.1: Getting & Installing OpenMosix.
    • 2.2: Installing from Source.
    • 2.3: Installing from RPM.
    • 2.4: Installing in Debian.
  • Section 3: Using Cluster Knoppix.
  • Section 4: Starting Up Your Cluster.
  • Section 5: Testing Your Cluster.
  • Section 6: Controlling Your Cluster.
  • Section 7: Openmosix File System.
  • Section 8: Using SSH Keys Instead of Passwords.
  • Section 9: Interesting Ideas.
    • 9.1: Distributed Password Cracking
    • 9.2: Clustered Audio Encoding

This is a great project to take up as there are lots of practical uses for clusters, especially in scenarios where you suddenly require a large amount of processing power (sudden mail server load? ;) ).

Having a basic knowledge of Linux will make things easier for you to understand, since we'll be patching and compiling the kernel, but we've written this tutorial so that it will be accessible to newbies as well.

So, without any more delay, let's start going through this tutorial!

