Configuring SSH
Secure Shell (SSH) is a protocol that provides a secure and
encrypted connection between a client and a host. It uses TCP port 22 for all
communication. SSH provides a method of providing secure and encrypted
communications for such diverse protocols as X-Windows, Telnet, rlogin, and
others. For the purposes of configuring the Cisco IDS sensors in this
discussion, it will be used as a replacement for Telnet.
There are two different versions of SSH at this time, version 1
(SSH-1) and version 2 (SSH-2) and they are not compatible. The differences in
the protocol are significant. The SSH-1 protocol is monolithic and encompasses a
variety of functions within this single protocol. SSH-2 consists of three
protocols that work together in a modular form. These protocols are:
- SSH Transport Layer Protocol (SSH-TRANS)
- SSH Connection Protocol (SSH-CONN)
- SSH Authentication Protocol (SSH-AUTH)
Each of these protocols is specified in a separate Internet draft, available from the Secure Shell (secsh) working group's section of the IETF Web site (www.ietf.org). A fourth Internet draft describes the overall architecture of the SSH-2 protocol (SSH Protocol Architecture). Most Cisco products only support SSH-1. While there are known vulnerabilities in the SSH-1 protocol, it still provides a significantly more secure communication channel than plaintext Telnet. Even with these known vulnerabilities, SSH-1 presents a substantial hurdle for an attacker who wants access to the communication data stream.
Whether the IDS sensor is a new purchase or an upgrade to a currently deployed and supported IDS appliance, the first step is an initial configuration of the device. This is done either by connecting a keyboard, mouse, and monitor directly to the device or by connecting to the device through its serial console. The initial configuration of the IDS was covered in a previous chapter. For the purposes of this discussion, it is assumed that the IDS sensor has been configured with a hostname of sensor, an IP address of 192.168.50.51, and a subnet mask of 255.255.255.0 (/24).
This section focuses on connecting into the IDS sensor and
performing the initial configuration through the serial console. The back panel
configurations for the IDS-4215 and the IDS-4235/4250 appliances are shown in Figures
5.1 and 5.2, respectively. Both the 4215 and the 4235/4250
models have serial console ports located on the back panel. The command and
control interface for every IDS sensor appliance is the int1 interface.
The procedure to connect to the serial connector on the back of
the IDS sensor appliance is as follows:
For the IDS-4215:
- Connect a nine-pin serial RJ-45 adapter (also known as the M.A.S.H.) to the back of a computer.
- Using the rolled cable supplied with the IDS sensor, connect one end of the cable to the RJ-45 console port on the IDS and the other end to the M.A.S.H. adapter. If a terminal server is being used for serial port access, connect the other end of the rolled cable to one of the ports on the terminal server instead.
The serial port on the computer should be configured as shown in Table 5.1.
Table 5.1: Serial Port Settings for an IDS Console
Parameter    | Setting
Baud Rate    | 9600
Data         | 8 bit
Parity       | None
Stop         | 1 bit
Flow Control | Hardware or RTS/CTS
For the IDS-4210/4235/4250:
- Connect the M.A.S.H. to the COM1 port on the back of the IDS sensor.
- Connect one end of the 180/rolled cable supplied with the IDS sensor to the RJ-45 port of the M.A.S.H. Connect the other end either to a port on a terminal server (as discussed earlier) or to the RJ-45 port of a M.A.S.H. attached to a computer. If a computer is being used to provide the serial connection to the IDS sensor, its serial port settings should be set to the values shown in Table 5.1.
Once the serial connection to the IDS has been established, access
to the IDS "console" is now possible. For the purposes of this discussion, it
will be assumed that the IDS serial port is connected to a terminal server.
To connect to the serial port of the IDS sensor, simply Telnet to
the proper port on the terminal server, as shown in Figure 5.3.
Cisco IDS Software v3
To configure Secure Shell under IDS software version 3.0 and
3.1, log in to the sensor appliance as root. Once logged into
the sensor, the sysconfig-sensor utility can be used to
configure and start up Secure Shell.
- Log in to the sensor as root.
- Start the sysconfig-sensor utility. A text-based menu is displayed with the options shown next:
Cisco IDS Sensor Initial Configuration Utility
Select options 1 through 10 to initially configure the sensor.
1 - IP Address
2 - IP Netmask
3 - IP Host Name
4 - Default Route
5 - Network Access Control
6 - Communications Infrastructure
7 - Date/Time and Time Zone
8 - Passwords
9 - Secure Communications
10 - Display
x - Exit
Selection:
- Select option 9 on the menu. This opens the Secure Communications sub-menu, shown next.
Secure Communications
1 - IPSec Communications
2 - Secure Shell Communications
x - Exit
Selection:
- Select option 2 in the Secure Communications sub-menu to configure Secure Shell.
Secure Shell Communications
1 - Security Level (currently LOW)
2 - Manage Secure Shell Known Hosts
3 - Host Key Operations
x - Exit
Selection:
- Select option 1 to change the security level of the sensor. By default, the security level is set to 3 (Low), which allows Secure Shell, Telnet, and FTP access to the sensor.
Security Level
## The Sensor always provides Secure Shell services (including
## scp). Increase the security of the Sensor by disabling two
## services that allow clear text password authentication:
## Telnet and FTP. For maximum security disable both.
The current setting is LOW.
Select the new security level:
1 - High (Telnet and FTP disabled)
2 - Medium (Telnet disabled)
3 - Low (insecure services available)
x - Exit
Selection:
- Select option 1, 2, or 3. It is highly recommended that the sensor's security level be set to 1 because of the role of the IDS sensor in the overall network security architecture. Once the security level has been set, select x to exit the Security Level sub-menu.
- Select option 3 in the Secure Shell Communications menu. This displays the Host Key Operations sub-menu.
Host Key Operations
The system has a host key with fingerprint: 1024
6c:00:fa:53:5b:16:83:24:6e:f0:f4:68:21:22:bd:7c root@CISCO_IDS
Select an option:
1 - Delete host key and generate a new one
2 - Delete host key
3 - Exit
Selection:
- Select either 1 to delete the current host key and generate a new one, or 2 to simply delete the current host key. Changing the host key may make it harder to connect to the SSH server on the IDS sensor. SSH clients cache the host key of every server they connect to, and on each connection they compare the key the server presents with the cached copy. A change in a server's host key may indicate a problem: either the host key was changed by an administrator, or the client is connecting to a host that is impersonating the server (a man-in-the-middle attack). When the server host key was re-created by an administrator, the old host key should be cleared out of the client's cache so that the new key is written in its place.
- Once the host key has been generated, exit the Secure Communications sub-menus by selecting x until the main menu of the configuration utility is reached.
Cisco IDS Software v4.0
IDS software v4.0 and later changed the way the administrator manages the IDS sensor. With that release, Cisco switched the underlying operating system from Solaris 8 to Red Hat Linux 8. Additionally, IDS 4.0 provides an "IOS-like" command line interface for configuring the IDS sensor appliance. Like IOS, the IDS 4.0 command line interface is broken down into sub-menus that the administrator uses to configure the various features of the IDS sensor.
The default administrative account username/password combination for Cisco's IDS software 4.0 and later is Cisco/Cisco. Cisco Systems developers recognized the weakness of this username/password combination and require that the default password for the Cisco account be changed upon first login. Once the default password for the Cisco account has been changed, the user is logged in and the command line shell is started.
In order to have the proper time and date stamp placed on your log
files, and for various security certifications to work properly if they are
time-based, we need to configure the sensor to have the correct time and
maintain that time. The following steps, shown in Figure 5.4, easily
accomplish this:
The next step is to configure the Secure Shell server on the IDS
sensor. Figure 5.5 shows how this is done. We will use the
ssh generate-key command from the top-level prompt. Once
the key has been generated, the sensor must be rebooted. After the sensor
reboots, it can be accessed directly through SSH.
Once the sensor has finished rebooting, the next step is to
configure the allowed hosts which can connect to the SSH server on the sensor.
This can be accomplished as follows:
- Log in to the sensor using the cisco account.
- Enter configuration mode using the configure terminal command at the CLI prompt.
- Enter the host service sub-menu using the service host command.
- Select the network parameters sub-menu using the networkParams command.
- Using the accessList command, enter the IP address and netmask of the hosts or subnets that will be allowed access to the IDS sensor through the network interface. The format of this command is: accessList ipAddress <A.B.C.D> [netmask <A.B.C.D>].
- Once all of the IP addresses or IP address ranges have been entered into the access-list, use the show settings command to verify them. This is shown in Figure 5.6.
Figure 5.6: Access-List Configuration on IDS Sensor
- Exit the networkParams sub-menu and return to the host service menu. Upon exiting the host service sub-menu, the IDS will request confirmation that the changes be applied to the sensor. Press Enter to select the default response of Yes. Otherwise, type No and press Enter.
- Exit the host service sub-menu and the configuration menu.
Once the access-lists have been configured, the IDS sensor can be
accessed using Secure Shell over the network.
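To make the semantics of the accessList entries concrete, the following added example (not Cisco's code, and not from this chapter) models the check the sensor performs: an entry without a netmask matches exactly one host, an entry with a netmask matches the whole subnet, and anything else is rejected rather than silently widened. It also flags entries whose mask is shorter than an assumed /16 threshold, since the sensor's SSH server should only be reachable from management hosts. The sample entries are constructed for the example.

```python
"""Model of the IDS sensor's accessList check for the SSH server on the
command and control interface.  Added example; it follows the
'accessList ipAddress <A.B.C.D> [netmask <A.B.C.D>]' semantics described in
the chapter and is not Cisco's code."""
import ipaddress


def parse_access_list(lines):
    """Turn accessList command lines into a list of IPv4 networks.

    A line without a netmask is a single host (/32); a line with a netmask
    covers the whole subnet.  Anything else raises ValueError so that a typo
    cannot silently widen access.
    """
    networks = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) == 3 and tokens[:2] == ["accessList", "ipAddress"]:
            networks.append(ipaddress.ip_network(f"{tokens[2]}/32"))
        elif (len(tokens) == 5 and tokens[:2] == ["accessList", "ipAddress"]
              and tokens[3] == "netmask"):
            # strict=False tolerates host bits in the address (192.168.50.51/24)
            networks.append(ipaddress.ip_network(f"{tokens[2]}/{tokens[4]}",
                                                 strict=False))
        else:
            raise ValueError(f"unrecognised accessList entry: {raw!r}")
    return networks


def is_allowed(networks, client_ip):
    """True when client_ip falls inside at least one configured entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def overly_broad_entries(networks, max_prefix=16):
    """Entries with a mask shorter than /max_prefix (an assumed threshold)
    deserve review: they expose the sensor's SSH server far beyond the
    management hosts that need it."""
    return [str(net) for net in networks if net.prefixlen < max_prefix]


# Constructed sample configuration, not taken from a real sensor.
SAMPLE_ACCESS_LIST = [
    "accessList ipAddress 192.168.50.10",
    "accessList ipAddress 10.10.1.0 netmask 255.255.255.0",
]
WIDE_OPEN_ENTRY = ["accessList ipAddress 0.0.0.0 netmask 0.0.0.0"]

if __name__ == "__main__":
    nets = parse_access_list(SAMPLE_ACCESS_LIST)
    for ip in ("192.168.50.10", "192.168.50.11", "10.10.1.77", "10.10.2.1"):
        print(ip, "allowed" if is_allowed(nets, ip) else "denied")
    print("review these entries:",
          overly_broad_entries(parse_access_list(WIDE_OPEN_ENTRY)))
```

Running the module prints one allowed/denied line per sample client and lists the wide-open entry for review; the host-only entry admits 192.168.50.10 but not its neighbour 192.168.50.11.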
The sensor needs to connect to hosts that act as SSH servers for software upgrades, signature updates, and file copying, as well as to other hosts such as Cisco routers, PIX Firewalls, and Catalyst switches. To make that communication possible, the SSH host keys of the hosts the sensor will communicate with must be added to its known_hosts list. The following steps add hosts to this list:
- Log in to the sensor using the cisco account.
- Enter configuration mode using the configure terminal command from the CLI prompt.
- Use the ssh host-key command to enter the IP address of the host whose SSH host key will be added to the known_hosts list. This is shown in Figure 5.7.
Figure 5.7: Adding the SSH Host Key to the Known Hosts List
- When asked if the key of the host should be added to the known hosts table, press Enter to select the default response of Yes. Otherwise, type No and press Enter.
- To verify the SSH keys in the known hosts list on the sensor, use the service sshKnownHosts command at the top-level configure prompt.
- Use the show settings command to list the hosts in the known hosts list, as shown in Figure 5.8.
Figure 5.8: Displaying the SSH Known Hosts List
- Exit the service sshKnownHosts sub-menu and return to the top-level configure menu.
- Exit configure mode.
When we need to remove an entry, we use the following command:
sensor(config-SshKnownHosts)# no rsa1Keys id <ip_address>
The <ip_address> parameter identifies the known host that we want removed from the rsa1Keys list. The following sample shows how this command works:
sensor(config-SshKnownHosts)# no rsa1Keys id 192.168.0.20
The host 192.168.0.20 is removed from the SSH known hosts list. To verify the removal, we can use the show settings command:
sensor(config-SshKnownHosts)# show settings
rsa1Keys (min: 0, max: 500, current: 0)
-----------------------------------------------
-----------------------------------------------
-----------------------------------------------
sensor(config-SshKnownHosts)#
Configuring SSH Using IDM
The IDS sensor's SSH server can also be configured through the Web interface of the sensor. The SSH configuration is accessible under the Device | Sensor Setup menu, shown in Figure 5.9.
To generate a new SSH host key for the IDS sensor, select the Generate Key link in the table of contents (TOC) menu at the left
of the browser window. This will bring up the Generate Key page, as shown in Figure
5.10. To generate a new host key, select the Apply to
Sensor link at the bottom right of the Generate Host Key menu in the middle
of the page.
To add host keys to the sensor for use in updating the IDS
software or signature packs, select the Known Host Keys link
in the TOC menu at the left of the browser window. If a host key is already in
the known hosts list, it will be displayed in the table in the middle of the
window, as shown in Figure 5.11. To add a host key to the table, select
the Add link at the bottom right of the table.
Selecting this link brings up the next page, which asks you to add
the host key of the host that the IDS will communicate with. Fill in the IP
address as well as the key modulus length, public exponent, and public modulus
of the host key. The values for the key modulus length, public exponent, and
public modulus can be obtained from the ssh_host_key.pub file. An example of
such a host key is shown in Figure 5.12. Here the public exponent is 35, the key
modulus length is 1024, and the public modulus is the long number between the
public exponent value and the name identifier at the end of the host key.
The first number, 1024, is the Key Modulus Length. The second number, 35, is the Public Exponent. The final, long number is the Public Modulus. All of this can be found in the /etc/ssh/ssh_host_key.pub file. This example was taken from Red Hat 7.2, but most flavors of Unix/Linux follow the same format. For a Windows SSH client such as Tera Term, this information is found in the C:\program files\teraterm\ssh_known_hosts file.
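The following added example (written for this discussion, not code from the chapter or from Cisco) ties together two points made above: the "bits exponent modulus comment" layout of an SSH-1 host key line, from which the three IDM fields are read, and the client-side host key cache whose mismatch warning was described under Host Key Operations. It parses key lines, rejects a line whose declared bit length does not match the modulus (a truncated paste), returns the three IDM fields, prints a colon-separated MD5 fingerprint following the OpenSSH RSA1 convention (MD5 over the modulus bytes followed by the exponent bytes), and classifies a presented key against a known-hosts cache as unknown, matching or changed. The key material and the 192.168.50.51 known-hosts entry are constructed for the example; the moduli are not real RSA keys.

```python
"""Parse SSH-1 (RSA1) public key lines of the form 'bits exponent modulus
[comment]' and check a presented host key against a known-hosts cache.
Added example, not code from the chapter or from Cisco.  The fingerprint
follows the OpenSSH RSA1 convention (MD5 over modulus bytes then exponent
bytes); the sample keys below are constructed, not real RSA keys."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Rsa1PublicKey:
    bits: int       # Key Modulus Length field in IDM, e.g. 1024
    exponent: int   # Public Exponent field in IDM, e.g. 35
    modulus: int    # Public Modulus field in IDM: the long decimal number
    comment: str    # trailing name identifier such as root@host


def parse_rsa1_key(line):
    """Parse one ssh_host_key.pub line.  The declared bit length must equal
    the real size of the modulus, which catches a truncated paste."""
    parts = line.split(None, 3)
    if len(parts) < 3:
        raise ValueError("expected 'bits exponent modulus [comment]'")
    bits, exponent, modulus = int(parts[0]), int(parts[1]), int(parts[2])
    if modulus.bit_length() != bits:
        raise ValueError(f"declared {bits} bits but modulus has "
                         f"{modulus.bit_length()} bits")
    comment = parts[3].strip() if len(parts) == 4 else ""
    return Rsa1PublicKey(bits, exponent, modulus, comment)


def idm_fields(key):
    """The three values the IDM Known Host Keys page asks for."""
    return {"Key Modulus Length": key.bits,
            "Public Exponent": key.exponent,
            "Public Modulus": key.modulus}


def fingerprint(key):
    """Colon-separated MD5 fingerprint in the style sysconfig-sensor prints."""
    n = key.modulus.to_bytes((key.modulus.bit_length() + 7) // 8, "big")
    e = key.exponent.to_bytes((key.exponent.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(n + e).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_known_hosts(text):
    """Map 'host bits exponent modulus [comment]' lines to parsed keys."""
    cache = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, rest = line.split(None, 1)
        cache[host] = parse_rsa1_key(rest)
    return cache


def check_host_key(cache, host, presented):
    """The client-side decision described in the chapter: 'unknown' on first
    contact, 'match' when the cached key agrees, 'changed' when it differs
    (an administrator regenerated the key, or another host is answering)."""
    cached = cache.get(host)
    if cached is None:
        return "unknown"
    if (cached.exponent, cached.modulus) == (presented.exponent, presented.modulus):
        return "match"
    return "changed"


# Constructed sample keys: 1024-bit numbers chosen for the example only.
OLD_MODULUS = (1 << 1023) | 0x1234567
NEW_MODULUS = (1 << 1023) | 0x7654321
SENSOR_KEY_LINE = f"1024 35 {OLD_MODULUS} root@sensor"
REGENERATED_KEY_LINE = f"1024 35 {NEW_MODULUS} root@sensor"
KNOWN_HOSTS = f"# constructed client cache\n192.168.50.51 {SENSOR_KEY_LINE}\n"

if __name__ == "__main__":
    cache = parse_known_hosts(KNOWN_HOSTS)
    for line in (SENSOR_KEY_LINE, REGENERATED_KEY_LINE):
        key = parse_rsa1_key(line)
        print(fingerprint(key), check_host_key(cache, "192.168.50.51", key))
    print(idm_fields(parse_rsa1_key(SENSOR_KEY_LINE)))
```

After the sensor's host key is regenerated, the cached entry still holds the old key, so the second line printed reads "changed"; clearing that entry and reconnecting puts the new key in its place, which is exactly the administrative step the Host Key Operations discussion calls for.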
Using the values in the SSH host key, fill in the required fields
in the Adding Known Host Keys page, as shown in Figure
5.13. Select Apply to Sensor. The host key is added to the
known_hosts list.
The final option in configuring SSH through IDM is entering
the individual user SSH keys. This allows for public key authentication rather
than using passwords as a means of accessing the IDS sensors. To enter the
necessary information, use a key generation tool such as ssh-keygen on
Unix/Linux systems to generate a public/private key pair for the user on the
client where the private key is going to reside. Then, display the generated
public key as a set of three numbers (Key Modulus Length, Public Exponent,
Public Modulus) and enter those numbers in the proper fields.
Compatible Secure Shell Protocol Clients
There are many SSH clients that can be used
to access the IDS sensors. An SSH client that supports the SSH-1 protocol should
be used in order to access the IDS sensor CLI. The following SSH clients have
been tested by Cisco and verified to work with the SSH server in the IDS sensor
software.
For Windows clients:
For Unix/Linux clients: