Showing posts with label SSH. Show all posts

Saturday, December 5, 2020

SSH in RHEL 8

Configuring SSH
- Hardening the SSH server
- Using other useful sshd options
- Configuring Key-Based authentication with passphrases

Hardening the SSH Server
Dictionary attacks are common against an SSH server. 
The default SSH settings on a Linux server use port 22, and the Linux box has a root account.

Fortunately, you can take some measures to protect SSH servers against these kinds of attacks:
- Disable root login
- Disable password login
- Configure a nondefault port for SSH to listen on
- Allow specific users only to log in on SSH

Limiting Root Access
Linux servers have root login enabled by default.
Disabling root login is easy:
- Modify the PermitRootLogin parameter in /etc/ssh/sshd_config
- Reload or restart the service by running the systemctl reload servicename command
- Some services pick up changes only after a systemctl restart servicename command

To log in to a remote server using ssh, use one of these commands:
ssh user@servername
ssh -l user servername

Configuring Alternative Ports
An attacker can port-scan all 65,535 ports of a Linux server, but most port scans focus on well-known ports only, and SSH port 22 is always among them.
To protect against such port scans, you can configure the SSH server to listen on another port.
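The four measures above can be checked against a configuration file before reloading sshd. The following Python script is an added example written for this page, not code from the original post or from OpenSSH; it parses sshd_config text (three constructed samples are embedded) and reports which measures are actually in effect, including two cases where a file looks hardened but is not: sshd keeps the first value it reads for a keyword, and anything after a Match line is conditional rather than global.

```python
"""Audit an sshd_config for the four hardening measures listed above.

Added example, not part of the original post. Two sshd rules matter for a
correct check and are easy to overlook:
  - for each keyword sshd uses the FIRST value it reads, so a later
    "PermitRootLogin no" does not override an earlier "PermitRootLogin yes";
  - keywords after a "Match" line apply only to that block, so they are
    not global settings.
"""
import re

# Compiled-in OpenSSH defaults used when a keyword is absent or commented out
# (a stock RHEL 8 file sets PermitRootLogin yes explicitly, overriding the
# OpenSSH default of prohibit-password).
DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "allowusers": "",
}


def parse_global_settings(config_text):
    """Return {keyword (lowercased): first value} for the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break                            # rest of file is conditional
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def audit_hardening(config_text):
    """Map each hardening measure to True (in place) or False (missing)."""
    cfg = parse_global_settings(config_text)

    def get(keyword):
        return cfg.get(keyword, DEFAULTS[keyword]).lower()

    return {
        "root_login_disabled": get("permitrootlogin") == "no",
        "password_login_disabled": get("passwordauthentication") == "no",
        "nondefault_port": get("port") != "22",
        "login_limited_to_users": get("allowusers") != "",
    }


# Constructed samples (not real files taken from any system).
STOCK_LIKE = """\
# resembles a stock RHEL 8 /etc/ssh/sshd_config
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""

LOOKS_HARDENED = """\
PermitRootLogin yes
# the next line is ignored by sshd: the first value above wins
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK_LIKE), ("hardened", HARDENED),
                       ("looks hardened", LOOKS_HARDENED)):
        missing = [k for k, ok in audit_hardening(text).items() if not ok]
        print(f"{name:15s} missing: {missing or 'nothing'}")
```

To audit a live host, read /etc/ssh/sshd_config into audit_hardening(). On RHEL 8 the service name is sshd, so after editing the file run sshd -t to check the syntax and then systemctl reload sshd.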

Saturday, May 21, 2011

Basic ASA Configuration



Configure ASA hostname
   ASA# config t
   ASA(config)# hostname TestASA

Configure enable password
   TestASA(config)# enable password THISISPASSWORDTEXT

Configure DNS on ASA
   TestASA(config)# domain-name MyTest.com

Configure the ASDM image on the ASA and enable access to ASDM
   TestASA(config)# asdm image disk0:/asdm-524.bin
   TestASA(config)# http server enable

Configure the interfaces
   TestASA# config t
   TestASA(config)# interface Vlan1
   TestASA(config-if)# nameif inside
   TestASA(config-if)# security-level 100
   TestASA(config-if)# ip address 192.168.2.1 255.255.255.0
   TestASA(config-if)# no shutdown
   TestASA(config-if)# exit
   TestASA(config)# interface Vlan2
   TestASA(config-if)# nameif outside
   TestASA(config-if)# security-level 0
   TestASA(config-if)# ip address 192.168.1.254 255.255.255.0
   TestASA(config-if)# no shutdown
   TestASA(config-if)# exit

Assign physical interface Ethernet 0/0 to VLAN 2 (the outside interface)
   TestASA(config)# interface ethernet 0/0
   TestASA(config-if)# switchport access vlan 2

The rest of the physical interfaces are assigned to VLAN 1 by default.

Configure access to the ASA device (for SSH, please read this link).
   TestASA(config)# username USER_1 password PASSWORD_1 privilege 15
   TestASA(config)# username USER_2 password PASSWORD_2 privilege 5
   TestASA(config)# aaa authentication ssh console LOCAL
   TestASA(config)# aaa authentication telnet console LOCAL
   TestASA(config)# aaa authentication http console LOCAL
   TestASA(config)# crypto key generate rsa modulus 1024
   !- generates an RSA key pair, which is required for SSH
   TestASA(config)# ssh 192.168.2.0 255.255.255.0 inside
   TestASA(config)# ssh timeout 30
   !- allow PuTTY to connect using SSH
   TestASA(config)# telnet 192.168.2.0 255.255.255.0 inside
   TestASA(config)# telnet timeout 30
   !- allow PuTTY to connect using Telnet
   TestASA(config)# http 192.168.2.0 255.255.255.0 inside
   !- allow the user to connect using ASDM

Configure clock
   TestASA(config)# clock set hh:mm:ss {month day} year

Good CLI to use:
   # show curpriv


Tuesday, April 26, 2011

SSH configuration on ASA 5500

Here is the configuration showing how to enable SSH on an ASA device.

ASA# config t
ASA(config)# enable password EPICPASSWORD
!--The enable password is necessary to enable SSH access

ASA(config)# username box password boxpasswordonly
!--Username and password for connecting using SSH

ASA(config)# aaa authentication ssh console LOCAL
!--We specified LOCAL authentication with the username & password above

ASA(config)# ssh 192.168.x.x 255.255.255.0 inside
!--This line allows a user with the right username and password
!--from this specific subnet (residing locally) to access the ASA
!--ssh (Outside IP) (Outside Subnet) outside
!--This would allow a user from the outside IP to access the ASA

ASA(config)# domain-name WOW.LOCAL
!--Domain name of your company. The RSA key is generated using the DOMAIN NAME
!--plus FIREWALL name combination

ASA(config)# crypto key generate rsa modulus 1024
!--The ASA generates the RSA key pair

The firewall is now ready for SSH connections.
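The ssh, telnet and http lines in this post and in the Basic ASA Configuration post above are what decide which addresses can reach the ASA management plane. The following Python helper is an added example written for this page, not Cisco code: it reads those lines from a constructed running-config excerpt in the same shape as the configuration above, answers whether a given source address on a given interface is permitted, and flags any line that admits every address. The function names and the sample excerpt are my own.

```python
"""Check which source addresses the ASA management lines admit.

Added helper, not Cisco code. It parses "ssh / telnet / http <network>
<netmask> <interface>" lines from a running-config excerpt. The mask on
these lines is a normal subnet mask, so 255.255.255.0 means one /24 and
0.0.0.0 0.0.0.0 means any address; a source that matches no line is denied.
"""
import ipaddress
import re

MGMT_LINE = re.compile(
    r"^\s*(?P<svc>ssh|telnet|http)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<iface>\S+)\s*$"
)


def parse_mgmt_access(config_text):
    """Return a list of (service, ip_network, interface) tuples."""
    rules = []
    for line in config_text.splitlines():
        m = MGMT_LINE.match(line)
        if not m:
            continue  # "ssh timeout 30", "http server enable", comments, ...
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        rules.append((m["svc"], net, m["iface"]))
    return rules


def is_allowed(rules, service, source_ip, interface):
    """True if some line for this service and interface covers source_ip."""
    src = ipaddress.ip_address(source_ip)
    return any(svc == service and iface == interface and src in net
               for svc, net, iface in rules)


def broad_rules(rules):
    """Lines that admit any source (0.0.0.0 0.0.0.0), which defeat the
    purpose of restricting management access to a subnet."""
    return [r for r in rules if r[1].prefixlen == 0]


# Constructed excerpt in the shape of the configuration above (not a real device).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 30
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 30
http 192.168.2.0 255.255.255.0 inside
http server enable
"""

if __name__ == "__main__":
    rules = parse_mgmt_access(SAMPLE_CONFIG)
    for svc, net, iface in rules:
        print(f"{svc:6s} from {net} on {iface}")
    for probe in (("ssh", "192.168.2.25", "inside"),
                  ("ssh", "192.168.1.25", "inside"),
                  ("ssh", "192.168.2.25", "outside")):
        print(probe, "->", "allowed" if is_allowed(rules, *probe) else "denied")
    print("lines admitting any address:", broad_rules(rules))
```

Paste the output of show running-config into SAMPLE_CONFIG, or read it from a file, to audit a real device; a non-empty result from broad_rules() or an entry on the outside interface is worth a second look before it goes live.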

Additional reading on ASA 8.3 configuration from the Cisco site.