Cisco SSH Deep Dive: How to Secure, Configure, and Harden Remote Access

Securing network devices is fundamental to maintaining a robust infrastructure. SSH (Secure Shell) provides encrypted remote access to Cisco devices, replacing the insecure Telnet protocol. In this guide, we'll explore comprehensive SSH configuration and hardening techniques.

Before configuring SSH on your Cisco device, ensure you have:

• A Cisco router or switch with an IOS image that supports SSH
• Console or existing administrative access to the device
• Basic understanding of Cisco IOS command-line interface
• A hostname configured on the device

Let's start with the fundamental steps to enable SSH on a Cisco device:

Step 1: Set the hostname and domain name

Router(config)# hostname R1
R1(config)# ip domain-name example.com

Step 2: Generate RSA keys

R1(config)# crypto key generate rsa modulus 2048

The name for the keys will be: R1.example.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

Step 3: Create a local user account

R1(config)# username admin privilege 15 secret YourStrongPassword123!

Step 4: Configure VTY lines for SSH

R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local
R1(config-line)# exit

Basic configuration is just the start. Let's implement security best practices:

Enable SSH version 2 only

R1(config)# ip ssh version 2

Set SSH timeout and authentication retries

R1(config)# ip ssh time-out 60
R1(config)# ip ssh authentication-retries 3

Implement access control with ACLs

R1(config)# access-list 10 permit 192.168.1.0 0.0.0.255
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in

This configuration restricts SSH access to devices on the 192.168.1.0/24 network and logs any denied attempts for security monitoring.

Configure source interface for SSH

R1(config)# ip ssh source-interface Loopback0

Using a loopback interface ensures SSH connections remain reachable even if physical interfaces go down, improving management reliability.

Enable logging for security auditing

R1(config)# login on-failure log
R1(config)# login on-success log

After configuration, verify your SSH setup with these commands:

R1# show ip ssh
R1# show ssh
R1# show crypto key mypubkey rsa
R1# show line vty 0 4

These commands display SSH version, active sessions, RSA keys, and VTY line configuration respectively.

1. Always use strong, unique passwords for each device
2. Regularly rotate passwords and SSH keys
3. Implement AAA (Authentication, Authorization, and Accounting) for centralized user management
4. Use ACLs to restrict SSH access to known management networks
5. Enable logging and regularly review authentication logs
6. Keep IOS firmware updated to patch security vulnerabilities
7. Consider implementing port security and DHCP snooping for additional layer 2 protection

Common SSH issues and solutions:

Connection refused: Verify that SSH is enabled with show ip sshand check if the VTY lines are configured correctly.

Authentication failed: Ensure local user accounts are properly configured and login local is set on VTY lines.

RSA key generation fails: Verify that both hostname and domain name are configured before generating keys.

Proper SSH configuration is essential for secure network device management. By following these guidelines, you've implemented a robust SSH setup that protects your infrastructure while maintaining administrative access. Remember to regularly review and update your security configurations as threats evolve.