Security Basics mailing list archives
Re: Cisco PIX with SSH enabled on external port for maintenance
From: Chris Largret <largret () gmail com>
Date: Thu, 10 Nov 2005 14:02:39 -0800
On Wed, 2005-11-09 at 19:01 -0700, Cam Fischer wrote:
I am looking for some reasons why I should not be allowing SSH on the external side of my Cisco PIX firewall. It would be great for management, but what are the risks associated with this?
SSH brute force attacks (and guessing schemes) have been on-going for a while. Take a look at http://www.agleia.de/luser2 for a list of usernames that were used in one attack. If you DO allow access to SSH to the outside world, there are a few things you can do to make it more secure: 1. Use a non-standard port 2. Use only the strongest algorithms that SSH supports 3. Change the passwords regularly 4. Allow only strong passwords 5. Limit which IP addresses can connect It is possible to keep an SSH server secure, but it does take work. If someone gains access through SSH, it is generally only a matter of time until they have full control over the system. If they can get inside the firewall, the other computers on the network could be equally compromised if your security model doesn't protect computers from others on the same network. -- Chris Largret <http://daga.dyndns.org>
Current thread:
- Cisco PIX with SSH enabled on external port for maintenance Cam Fischer (Nov 10)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 15)
- Re: Cisco PIX with SSH enabled on external port for maintenance Chris Largret (Nov 15)
- Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 16)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 17)
- Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 21)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 21)
- Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 16)
- <Possible follow-ups>
- Re: Cisco PIX with SSH enabled on external port for maintenance Steve.Cummings (Nov 15)
- ActivX execution with PowerUser Privilege Marco Spennato (Nov 16)
- Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 16)