How to configure  ssh  for maximum security with in  IOS. Cisco has started to include the  ability not only to select ssh version ( version #2 is the default btw for most items ) but the ability to  set the RSA key size and the DHGRP.


Here's the bare minimum that you should do when security ssh on a cisco router and for a interface that must face the  untrusted internet

1: Set the version to sshv2

ip ssh version 2

2: specify the  dhgrp size to a minimum of 2K or 4K bits

ip ssh dh min size 2048

3: define a RSA key size of at least 2K bits

router#crypto key generate  rsa

% You already have RSA keys defined named  router.mydomain.com

% Do you really want to replace them? [yes/no]: yes

Choose the size of the key modulus in the range of 360 to 4096 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

How many bits in the modulus [512]: 2048

% Generating 2048 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 1 seconds)

Once you have this all done, you should set trusthost ACL for inbound ssh access and  only from networks you deem trust worthly.

config t

access-list 10 permit 192.0.2.0 0.0.0.255

access-list 10 permit  host 1.1.1.1

access-list 10 permit  host 1.1.1.2

!

!

!

line vty 0 15

 access-class 10 in

 transport input ssh

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \