RE: configuring ssh

From: Victor Cappuccio (victor@ccbootcamp.com)
Date: Fri Feb 16 2007 - 12:24:50 ART


Hi Joe,

Any VTY must be configured to accept connections only with the protocols
actually needed. This is performed with the transport input command. For
example, a VTY that is expected to receive only Telnet sessions is configured
with the transport input telnet command, while a VTY that permits both Telnet
and SSH sessions has the transport input telnet ssh command. If your software
supports an encrypted access protocol such as SSH, then enable only that
protocol, and disable cleartext Telnet. Also, issue the ip access-class
command in order to restrict the IP addresses from which the VTY accepts
connections.

A Cisco IOS device has a limited number, usually five, of VTY lines. When all
of the VTYs are in use, no more remote interactive connections can be
established. This creates the opportunity for a denial-of-service attack. If
an attacker can open remote sessions to all the VTYs on the system, the
legitimate administrator might not be able to log in. The attacker does not
have to log in to do this. The sessions can simply be left at the login
prompt.

There is a nice FAQ about SSH available at this link:
http://www.cisco.com/en/US/tech/tk583/tk617/technologies_q_and_a_item09186a0080267e0f.shtml

For an SSH v1 and v2 comparison, please refer to this link:
http://www.cisco.com/warp/public/707/ssh.shtml#sshvvs

HTH
thanks,
Victor Cappuccio.
Network Learning Inc - A Cisco Sponsored Organization (SO) YES! We take
Cisco Learning credits!
victor@ccbootcamp.com
http://www.ccbootcamp.com (Cisco Training and Rental Racks)
http://www.ccbootcamp.com/groupstudy.html (groupstudy member discounts!)
Voice: 702-968-5100
FAX: 702-446-8012
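
The transport input, access-class and login points above, turned into an audit that runs over a text running-config. This is an added example, not part of Victor's or Jo's post and not Cisco code. Both configurations inside it are constructed: the weak one follows the question quoted below, the hardened one applies the recommendations with assumed values (the 0.0.0.255 wildcard mask, privilege 15, a 5-minute exec-timeout). The checks are regex heuristics for the commands discussed, not a full IOS parser, and the exec-timeout check only covers idle logged-in sessions holding a VTY, not sessions parked at the login prompt.

```python
"""Audit VTY hardening points against an IOS running-config given as text:
SSH-only transport input, an inbound access-class, a username-based login
that SSH can use, SSHv2 only, 'secret' instead of 'password' for local users,
and an explicit exec-timeout. Added example; regex heuristics, not a parser."""
import re

# Constructed sample, modelled on the configuration in the original question,
# with SSHv1 and Telnet left enabled for illustration.
WEAK_CONFIG = """\
hostname R1
ip domain-name cisco.com
ip ssh version 1
username ccie password cisco
access-list 2 permit 130.10.22.0
line vty 0 4
 access-class 2 in
 no login
 transport input telnet ssh
line vty 5 15
 no login
 transport input ssh
"""

# Constructed sample: the same device with the recommendations applied. The
# wildcard mask, privilege level and 5-minute timeout are assumed values.
HARDENED_CONFIG = """\
hostname R1
ip domain-name cisco.com
ip ssh version 2
username ccie privilege 15 secret cisco
access-list 2 permit 130.10.22.0 0.0.0.255
line vty 0 4
 access-class 2 in
 exec-timeout 5 0
 login local
 transport input ssh
line vty 5 15
 access-class 2 in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_vty_lines(config):
    """Map each 'line vty A B' stanza name to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Global: only SSHv2 should be accepted.
    m = re.search(r"^ip ssh version (\d)$", config, re.M)
    if not m or m.group(1) != "2":
        findings.append("global: ip ssh version 2 not set")
    # Global: 'username ... password' is stored reversibly; 'secret' is hashed.
    for m in re.finditer(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"global: username {m.group(1)} uses 'password' (use 'secret')")
    # A standard ACL entry with no wildcard mask matches exactly one host,
    # which is rarely what an access-class for a management subnet intends.
    for m in re.finditer(r"^access-list (\d+) permit (\S+)$", config, re.M):
        if m.group(2) != "any":
            findings.append(f"acl {m.group(1)}: permit {m.group(2)} has no wildcard "
                            "(matches that single host only)")
    for name, cmds in parse_vty_lines(config).items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            findings.append(f"{name}: transport input not set (platform default applies)")
        elif transport.split()[2:] not in (["ssh"], ["none"]):
            findings.append(f"{name}: {transport} (should be 'transport input ssh')")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class")
        # SSH authenticates with a username, so 'no login' and a bare line
        # password ('login') both leave SSH unusable or unauthenticated.
        if not any(c == "login local" or c.startswith("login authentication ")
                   for c in cmds):
            findings.append(f"{name}: no username-based login "
                            "(SSH needs 'login local' or AAA)")
        # Idle logged-in sessions hold a VTY until exec-timeout expires.
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(f"{name}: exec-timeout not set explicitly")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run as a script it reports nine findings for the weak configuration (Telnet still accepted on vty 0 4, no access-class on vty 5 15, no usable login and no exec-timeout on both, SSHv1, a reversible username password, and a host-only ACL entry) and none for the hardened one. Feeding it a real device's `show running-config` output is the intended use; the heuristics will miss commands written with abbreviations or placed under `line vty` ranges it does not see as separate stanzas.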

-----Original Message-----
From: nobody@groupstudy.com on behalf of Jo Johnson
Sent: Fri 16/02/2007 7:13
To: Cisco certification
Subject: configuring ssh

Hi all,

Can someone give me some feedback on my configuration below? I am trying to
configure SSH and am having some trouble understanding the Doc CD's
explanation.

If I want to configure SSH on a device and restrict Telnet access, I think
I would use the configuration below. Also, what if I wanted to restrict
other access, such as global config mode, enable mode, etc.?

hostname R1
ip domain-name cisco.com
ip ssh version 2
username ccie password cisco
access-list 2 permit 130.10.22.0
line vty 0 4
 access-class 2 in
 no login
 transport input ssh
line vty 5 15
 access-class 2 in
 no login
 transport input ssh

To configure both versions 1 and 2, use the no ip ssh version command, and for
version 1 only, the ip ssh version 1 command.

Thanks,

Jo



This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:46 ART