Security Basics mailing list archives
Re: Cisco PIX with SSH enabled on external port for maintenance
From: <Steve.Cummings () barclayscapital com>
Date: Tue, 15 Nov 2005 17:56:51 -0000
It's a firewall, do you really want anyone attaching to it?

-----Original Message-----
From: Chris Largret <largret () gmail com>
To: Cam Fischer <camfischer () gmail com>
CC: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Thu Nov 10 22:02:39 2005
Subject: Re: Cisco PIX with SSH enabled on external port for maintenance

On Wed, 2005-11-09 at 19:01 -0700, Cam Fischer wrote:
I am looking for some reasons why I should not be allowing SSH on the external side of my Cisco PIX firewall. It would be great for management, but what are the risks associated with this?
SSH brute force attacks (and guessing schemes) have been ongoing for a while. Take a look at http://www.agleia.de/luser2 for a list of usernames that were used in one attack.

If you DO allow access to SSH to the outside world, there are a few things you can do to make it more secure:

1. Use a non-standard port
2. Use only the strongest algorithms that SSH supports
3. Change the passwords regularly
4. Allow only strong passwords
5. Limit which IP addresses can connect

It is possible to keep an SSH server secure, but it does take work. If someone gains access through SSH, it is generally only a matter of time until they have full control over the system. If they can get inside the firewall, the other computers on the network could be equally compromised if your security model doesn't protect computers from others on the same network.

-- 
Chris Largret <http://daga.dyndns.org>

------------------------------------------------------------------------
For more information about Barclays Capital, please visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays Group does not accept legal responsibility for the contents of this message. Although the Barclays Group operates anti-virus programmes, it does not accept responsibility for any damage whatsoever that is caused by viruses being passed. Any views or opinions presented are solely those of the author and do not necessarily represent those of the Barclays Group. Replies to this email may be monitored by the Barclays Group for operational or business reasons.
------------------------------------------------------------------------
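The two points in Chris Largret's list that a PIX administrator can actually check in the device configuration are restricting which source addresses may open SSH to the outside interface (point 5) and forcing SSH version 2 so the weak SSHv1 algorithms are never negotiated (point 2); the password-guessing risk he opens with shows up in the firewall's syslog as repeated login denials from one source. The script below is an added example written for this thread, not code from any of the posters or from Cisco. It assumes the PIX command forms `ssh <ip> <mask> <interface>`, `ssh version 2` and `ssh timeout <minutes>`, the two configurations and the log lines are constructed (the `%PIX-6-605004` "Login denied" line only approximates the real message format), and the 256-host and 5-minute limits are policy choices, not Cisco defaults.

```python
"""Audit PIX-style SSH management settings and spot password-guessing sources.

Added example for the security-basics thread, not the posters' own code.
Assumed command syntax: "ssh <ip> <mask> <interface>", "ssh version 2",
"ssh timeout <minutes>". All sample data below is constructed.
"""
import ipaddress
import re
from collections import Counter

SSH_ACL_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
SSH_VERSION_RE = re.compile(r"^ssh\s+version\s+(\d)\s*$")
SSH_TIMEOUT_RE = re.compile(r"^ssh\s+timeout\s+(\d+)\s*$")
# Constructed approximation of the PIX "Login denied" syslog message.
LOGIN_DENIED_RE = re.compile(r"Login denied from (\d+\.\d+\.\d+\.\d+)/\d+ to (\w+):")


def audit_ssh_access(config_text, max_source_hosts=256, max_timeout_min=5):
    """Return findings for SSH management access exposed on the outside interface.

    max_source_hosts and max_timeout_min are assumed policy limits, not PIX defaults.
    """
    findings = []
    version = None
    timeout = None
    outside_sources = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SSH_ACL_RE.match(line)
        if m:
            ip, mask, iface = m.groups()
            # Dotted masks are accepted by ip_network; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if iface == "outside":
                outside_sources.append(net)
            continue
        m = SSH_VERSION_RE.match(line)
        if m:
            version = int(m.group(1))
            continue
        m = SSH_TIMEOUT_RE.match(line)
        if m:
            timeout = int(m.group(1))
    # Point 5: the allowed source range on the untrusted side should be small.
    for net in outside_sources:
        if net.num_addresses > max_source_hosts:
            findings.append(f"outside SSH source {net} is too broad")
    # Point 2: with SSH reachable from outside, only version 2 should be negotiable.
    if outside_sources and version != 2:
        findings.append("SSH version 2 is not enforced")
    # Idle sessions left open on the external side widen the window for misuse.
    if outside_sources and (timeout is None or timeout > max_timeout_min):
        findings.append(f"SSH idle timeout is unset or longer than {max_timeout_min} minutes")
    return findings


def failed_login_sources(log_lines, threshold=5):
    """Return {source_ip: denied_count} for sources hitting the outside interface
    at least `threshold` times, i.e. the guessing activity the thread warns about."""
    counts = Counter()
    for line in log_lines:
        m = LOGIN_DENIED_RE.search(line)
        if m and m.group(2) == "outside":
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed configurations: the first exposes SSH to the whole Internet with
# no version pin and a long idle timeout; the second limits it to one host.
WEAK_CONFIG = """\
hostname pix-edge
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 30
"""

HARDENED_CONFIG = """\
hostname pix-edge
ssh 203.0.113.10 255.255.255.255 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
"""

# Constructed syslog sample: six denials from one outside source, one from the
# legitimate management host, one from an inside host.
SAMPLE_LOG = [
    f'%PIX-6-605004: Login denied from 198.51.100.7/4000{i} to outside:192.0.2.1/ssh for user "{u}"'
    for i, u in enumerate(["root", "admin", "test", "guest", "oracle", "user"])
] + [
    '%PIX-6-605004: Login denied from 203.0.113.10/51234 to outside:192.0.2.1/ssh for user "pix"',
    '%PIX-6-605004: Login denied from 10.1.1.5/51235 to inside:10.1.1.1/ssh for user "pix"',
]

if __name__ == "__main__":
    print("weak config:", audit_ssh_access(WEAK_CONFIG))
    print("hardened config:", audit_ssh_access(HARDENED_CONFIG))
    print("guessing sources:", failed_login_sources(SAMPLE_LOG))
```

Running it against the weak configuration reports the open source range, the missing version pin and the long timeout; the hardened configuration reports nothing; and the log scan names only the outside source whose denials reach the threshold, which is the kind of signal you would feed to a block list or an alert rather than treating the firewall's own auth log as write-only.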
Current thread:
- Cisco PIX with SSH enabled on external port for maintenance Cam Fischer (Nov 10)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 15)
- Re: Cisco PIX with SSH enabled on external port for maintenance Chris Largret (Nov 15)
- Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 16)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 17)
- Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 21)
- Re: Cisco PIX with SSH enabled on external port for maintenance Alloishus BeauMains (Nov 21)
- Re: Cisco PIX with SSH enabled on external port for maintenance John Maher (Nov 16)
- <Possible follow-ups>
- Re: Cisco PIX with SSH enabled on external port for maintenance Steve.Cummings (Nov 15)
- ActivX execution with PowerUser Privilege Marco Spennato (Nov 16)
- Re: Cisco PIX with SSH enabled on external port for maintenance Cory Stoker (Nov 16)
