Security Basics mailing list archives

Re: Cisco PIX with SSH enabled on external port for maintenance


From: Chris Largret <largret () gmail com>
Date: Thu, 10 Nov 2005 14:02:39 -0800

On Wed, 2005-11-09 at 19:01 -0700, Cam Fischer wrote:
I am looking for some reasons why I should not be allowing SSH on the
external side of my Cisco PIX firewall. It would be great for
management, but what are the risks associated with this?

SSH brute force attacks (and guessing schemes) have been ongoing for a
while. Take a look at http://www.agleia.de/luser2 for a list of
usernames that were used in one attack.

If you DO allow access to SSH to the outside world, there are a few
things you can do to make it more secure:

1. Use a non-standard port
2. Use only the strongest algorithms that SSH supports
3. Change the passwords regularly
4. Allow only strong passwords
5. Limit which IP addresses can connect

It is possible to keep an SSH server secure, but it does take work. If
someone gains access through SSH, it is generally only a matter of time
until they have full control over the system. If they can get inside the
firewall, the other computers on the network could be equally
compromised if your security model doesn't protect computers from others
on the same network.

--
Chris Largret <http://daga.dyndns.org>
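The hardening list above, applied to the PIX itself. This is an added configuration example, not part of the original thread, and it assumes PIX 7.x command syntax (6.x generates the RSA key with a different command); the hostname, domain, username, and the two management addresses (203.0.113.10 and 198.51.100.0/24) are made up for illustration. Item 1 of the list is the one that does not map: the PIX's SSH listener stays on TCP/22 and is not configurable, so the restriction has to come from the other items.

```cisco
! Hostname and domain are required before an RSA key can be generated.
hostname pix
domain-name example.com
! Generate a host key for SSH. 2048 bits is the largest modulus the PIX accepts.
crypto key generate rsa modulus 2048

! Item 2: refuse SSH version 1 (PIX 7.x). Without this line both versions
! are accepted, and v1 has known weaknesses and no strong MAC options.
ssh version 2

! Items 3 and 4: authenticate against a named local account with its own
! strong password instead of the default SSH login (username "pix" with the
! Telnet password). Rotate this password on a schedule.
username admin password ChangeMe-Long-And-Random privilege 15
aaa authentication ssh console LOCAL

! Item 5: the only SSH sources permitted on the outside interface. Any
! other address is dropped before it reaches the login prompt, which is
! what stops the bulk of the password guessing.
ssh 203.0.113.10 255.255.255.255 outside
ssh 198.51.100.0 255.255.255.0 outside

! Idle sessions are closed after 5 minutes (range is 1-60).
ssh timeout 5
```

Verify the result with `show ssh` (lists the permitted source networks and timeout) and `show ssh sessions` while a test login is open. If `aaa authentication ssh console` is left out, the firewall falls back to the shared `pix` account, which is exactly the kind of fixed username the brute-force lists in the thread are built around.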

