Configuring SSH

Secure Shell (SSH) is a protocol that provides a secure, encrypted connection between a client and a host. It uses TCP port 22 for all communication. SSH provides a method of securing and encrypting communications for such varied protocols as X-Windows, Telnet, rlogin, and others. For the purposes of configuring the Cisco IDS sensors in this discussion, it is used as a replacement for Telnet.

There are two different versions of SSH at this time, version 1 (SSH-1) and version 2 (SSH-2), and they are not compatible. The differences between the protocols are significant. The SSH-1 protocol is monolithic and encompasses a variety of functions within a single protocol. SSH-2 consists of three protocols that work together in a modular form. These protocols are:

* SSH Transport Layer Protocol (SSH-TRANS)

* SSH Connection Protocol (SSH-CONN)

* SSH Authentication Protocol (SSH-AUTH)

Each of these protocols is defined in a separate Internet draft, and all are available from the Secure Shell (secsh) working group's area of the IETF Web site (www.ietf.org). A fourth Internet draft discusses the overall architecture of the SSH-2 protocol (SSH Protocol Architecture). Most Cisco products only support SSH-1. While there are known vulnerabilities in the SSH-1 protocol, it still provides a significantly more secure communication channel than plaintext Telnet. Furthermore, even with these known vulnerabilities, the SSH-1 protocol presents a substantial hurdle that an attacker must overcome in order to gain access to the communication data stream.

Whether the IDS sensor is a new purchase or an upgrade to a currently deployed and working IDS appliance, the first step that must be completed is an initial configuration of the device. This is accomplished either by connecting a keyboard, mouse, and monitor to the device or by connecting to the device through a serial console. The initial configuration of the IDS was covered in a previous chapter. For the purposes of this discussion, it is assumed that the IDS sensor has been configured with a hostname of sensor as well as an IP address of 192.168.50.51 and a subnet mask of 255.255.255.0 (/24).

This section focuses on connecting to the IDS sensor and performing the initial configuration through the serial console. The back-panel console connections for the IDS-4215 and the IDS-4235/4250 devices are shown in Figures 5.1 and 5.2, respectively. Both the 4215 and the 4235/4250 models have serial console ports located on the back panel. The command and control interface for every IDS sensor appliance is the int1 interface.

Figure 5.1: IDS-4215 Back Panel

Figure 5.2: IDS-4235/4250 Back Panel

The procedure to connect to the serial adapter on the back of the IDS sensor appliance is as follows:

For the IDS-4215:

1. Connect a nine-pin serial-to-RJ-45 adapter (also known as the M.A.S.H.) to the back of a computer.

2. Using the rolled cable supplied with the IDS sensor, connect one end of the cable to the RJ-45 console port on the IDS and the other end to the M.A.S.H. adapter. If a terminal server is being used for serial port access, connect the other end of the rolled cable to one of the ports on the terminal server.

The serial port on the computer should be configured as shown in Table 5.1.

Table 5.1: Serial Port Settings for an IDS Console

Parameter       Setting
Baud Rate       9600
Data            8 bit
Parity          None
Stop            1 bit
Flow Control    Hardware or RTS/CTS

For the IDS-4210/4235/4250:

1. Connect the M.A.S.H. to the COM1 port on the back of the IDS sensor.

2. Connect one end of the 180/rolled cable supplied with the IDS sensor to the RJ-45 port of the M.A.S.H. Connect the other end either to a port on a terminal server (as discussed earlier) or to the RJ-45 port of a M.A.S.H. attached to a computer. If a computer is being used to provide a serial connection to the IDS sensor, the serial port settings should be set to the values shown in Table 5.1.

Once the serial connection to the IDS has been established, access to the IDS "console" is possible. For the purposes of this discussion, it is assumed that the IDS serial port is connected to a terminal server.

To connect to the serial port of the IDS sensor, simply Telnet to the appropriate port on the terminal server, as shown in Figure 5.3.

    ###########################################################
    This system is for authorized users only
    All users will have their activities monitored and recorded
    by the security personnel.
    ###########################################################

    User Access Verification

    Username: user-1
    Password: ***********

    Ciscoids-1
    Ciscoids-1: login:

Figure 5.3: Terminal Server Access to IDS Sensor Serial Console

Cisco IDS Software v3

To configure Secure Shell under IDS software versions 3.0 and 3.1, log in to the sensor appliance as root. Once logged in to the sensor, the sysconfig-sensor utility can be used to configure and start up Secure Shell.

1. Log in to the sensor as root.

2. Start the sysconfig-sensor utility. A text-based menu is displayed offering the options shown next:

    Cisco IDS Sensor Initial Configuration Utility

    Select options 1 through 10 to initially configure the sensor.

    1 - IP Address
    2 - IP Netmask
    3 - IP Host Name
    4 - Default Route
    5 - Network Access Control
    6 - Communications Infrastructure
    7 - Date/Time and Time Zone
    8 - Passwords
    9 - Secure Communications
    10 - Display
    x - Exit

    Selection:

3. Select option 9 on the menu. This opens the Secure Communications sub-menu, shown next.

    Secure Communications

    1 - IPSec Communications
    2 - Secure Shell Communications
    x - Exit

    Selection:

4. Select option 2 in the Secure Communications sub-menu to configure Secure Shell.

    Secure Shell Communications

    1 - Security Level (currently LOW)
    2 - Manage Secure Shell Known Hosts
    3 - Host Key Operations
    x - Exit

    Selection:

5. Select option 1 to change the security level of the sensor. By default, the security level is set to 3 (Low), which allows Secure Shell, Telnet, and FTP access to the sensor.

    Security Level

    ## The Sensor always provides Secure Shell services (including
    ## scp). Increase the security of the Sensor by disabling two
    ## services that allow clear text password authentication:
    ## Telnet and FTP. For maximum security disable both.

    The current setting is LOW.

    Select the new security level:

    1 - High (Telnet and FTP disabled)
    2 - Medium (Telnet disabled)
    3 - Low (insecure services available)
    x - Exit

    Selection:

6. Select option 1, 2, or 3. It is highly recommended that the sensor's security level be set to 1 because of the role the IDS sensor plays in the overall network security architecture; with Telnet and FTP disabled, no service on the sensor accepts a password in clear text. Once the security level has been set, select x to exit the Security Level sub-menu.

7. Select option 3 in the Secure Shell Communications menu. This displays the Host Key Operations sub-menu.

    Host Key Operations

    The system has a host key with fingerprint: 1024
    6c:00:fa:53:5b:16:83:24:6e:f0:f4:68:21:22:bd:7c root@CISCO_IDS

    Select an option:

    1 - Delete host key and generate a new one
    2 - Delete host key
    3 - Exit

    Selection:

8. Select either 1 to delete the current host key and generate a new one, or 2 to simply delete the current host key. Changing the host key may result in difficulty connecting to the SSH server on the IDS sensor. SSH clients cache the host keys of the servers they connect to. When the client connects to an SSH server, it compares the host key presented by the server to the one stored in its cache. A change in a server's host key may indicate a problem: either the host key was changed by an administrator, or the client is connecting to a host that is impersonating the server (a man-in-the-middle attack). In the case of a server host key that was deliberately re-created by an administrator, the old host key should be cleared out of the client's cache so that the new key can be written in its place.

9. Once the host key has been generated, exit the Secure Communications sub-menus by selecting x until the main menu of the configuration utility is reached.
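The host-key caching behaviour described in step 8 is easy to misread from the menu alone, so the following added example (not code from the book or from Cisco's sensor software) models it in Python: a client-side known-hosts cache that accepts a first-seen key, proceeds on a match, refuses on a mismatch, and is cleared by the administrator after a deliberate key regeneration. The sensor address comes from the chapter; the host-key byte strings are constructed stand-ins for real key material, and the fingerprint is the colon-separated MD5 digest, the same layout sysconfig-sensor prints.

```python
import hashlib
from typing import Dict, List

# Constructed sample host keys standing in for the raw public-key bytes an
# SSH server sends; they are not real keys from any sensor.
SENSOR = "192.168.50.51"
ORIGINAL_KEY = b"constructed-host-key-of-sensor-v1"
REGENERATED_KEY = b"constructed-host-key-of-sensor-v2"


def fingerprint(host_key: bytes) -> str:
    """MD5 fingerprint of a host key as 16 colon-separated hex pairs,
    the layout shown in the Host Key Operations menu."""
    digest = hashlib.md5(host_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class HostKeyChanged(Exception):
    """Raised when a key is cached for the host but the server sent another."""


class KnownHosts:
    """Minimal model of an SSH client's host-key cache (a known_hosts file)."""

    def __init__(self) -> None:
        self._cache: Dict[str, str] = {}   # host -> cached fingerprint

    def cached(self, host: str) -> str:
        return self._cache.get(host, "")

    def check(self, host: str, host_key: bytes) -> str:
        """Classify the key the server presented: 'new', 'match' or 'changed'."""
        seen = self._cache.get(host)
        if seen is None:
            return "new"
        return "match" if seen == fingerprint(host_key) else "changed"

    def trust(self, host: str, host_key: bytes) -> None:
        self._cache[host] = fingerprint(host_key)

    def forget(self, host: str) -> None:
        """What the administrator does after deliberately regenerating a key."""
        self._cache.pop(host, None)


def connect(cache: KnownHosts, host: str, host_key: bytes) -> str:
    """Client-side policy from the text: cache a first-seen key, proceed on a
    match, refuse on a mismatch because it may be an impersonating host."""
    verdict = cache.check(host, host_key)
    if verdict == "changed":
        raise HostKeyChanged(
            f"{host}: cached {cache.cached(host)} but server sent "
            f"{fingerprint(host_key)}; refusing to connect")
    if verdict == "new":
        cache.trust(host, host_key)
    return verdict


def walkthrough() -> List[str]:
    """Run the step 8 scenario and return the outcome of each attempt."""
    cache = KnownHosts()
    results = [connect(cache, SENSOR, ORIGINAL_KEY),   # first contact: cached
               connect(cache, SENSOR, ORIGINAL_KEY)]   # same key: accepted
    try:                                               # key regenerated on sensor
        connect(cache, SENSOR, REGENERATED_KEY)
    except HostKeyChanged:
        results.append("refused")
    cache.forget(SENSOR)                               # admin clears stale entry
    results.append(connect(cache, SENSOR, REGENERATED_KEY))
    return results


if __name__ == "__main__":
    for key in (ORIGINAL_KEY, REGENERATED_KEY):
        print(fingerprint(key))
    print(walkthrough())  # ['new', 'match', 'refused', 'new']
```

The "refused" outcome is the point of the exercise: a client that silently overwrote its cache on mismatch would give an impersonating host exactly the opening the text warns about, so the stale entry is removed only by an explicit administrator action after the regeneration in step 8.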