Solutions Fast Track

Configuring SSH

  • Use the ssh generate-key command to create the sensor's SSH host key. The sensor must be rebooted before the key takes effect; once it is back up, it can be managed over SSH. Regenerating the host key changes the fingerprint that administrators' SSH clients have cached, so they will have to update their own known_hosts entries for the sensor.

  • The ssh host-key command (or the IDM) adds a remote host's RSA public key to the sensor's SSH known hosts table, so that the sensor trusts that host when it opens SSH sessions to it (to a blocking device, for instance). The known hosts table identifies remote hosts; it is not an access list, and restricting which addresses may reach the sensor's management interface is a separate network access-list setting. The entry needs the remote host's Key Modulus Length, Public Exponent, and Public Modulus.

  • From the sensor(config-SshKnownHosts)# prompt, use the show settings command to verify that the host has been added to the table.

  • On most Unix/Linux hosts the Key Modulus Length, Public Exponent, and Public Modulus are taken from the host's public key file in /etc/ssh: ssh_host_key.pub (SSH-1) is a plain line of the form "bits exponent modulus", while ssh_host_rsa_key.pub (SSH-2) carries the same exponent and modulus base64-encoded after the "ssh-rsa" tag. On Windows SSH servers the key file lives in the server application's directory.
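Extracting the three numbers that ssh host-key needs from a public key file is tedious by hand, particularly for the base64-encoded SSH-2 format. The following Python script is an added example for this section, not Cisco code: it parses both OpenSSH public key line formats, returns the modulus length, exponent and modulus, and formats the corresponding 4.x command, ssh host-key ip-address key-modulus-length public-exponent public-modulus. The host address 10.1.1.5 and the sample key lines are constructed for the example; the modulus is a stand-in integer, not a real RSA key.

```python
"""
Derive the key modulus length, public exponent and public modulus that the
Cisco IDS 4.x 'ssh host-key' command expects from an OpenSSH host public key
line, and emit the command. Added example for this section; not Cisco's code.
The sample keys below are constructed (the modulus is a stand-in integer, not
a real RSA key) so the script runs offline.
"""
import base64
import struct


def _read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading 0x00 if high bit set)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def encode_openssh_rsa(e, n):
    """Build the base64 blob found in an 'ssh-rsa ...' public key line."""
    blob = b""
    for field in (b"ssh-rsa", _mpint(e), _mpint(n)):
        blob += struct.pack(">I", len(field)) + field
    return base64.b64encode(blob).decode("ascii")


def parse_host_key(line):
    """Return (modulus_bits, exponent, modulus) from one public-key line.

    Accepts the SSH-1 format ('<bits> <exponent> <modulus> [comment]', as in
    ssh_host_key.pub) and the SSH-2 format ('ssh-rsa <base64> [comment]', as
    in ssh_host_rsa_key.pub).
    """
    fields = line.split()
    if fields[0] == "ssh-rsa":
        blob = base64.b64decode(fields[1])
        key_type, off = _read_string(blob, 0)
        if key_type != b"ssh-rsa":
            raise ValueError("blob does not contain an ssh-rsa key")
        e_bytes, off = _read_string(blob, off)
        n_bytes, _ = _read_string(blob, off)
        n = int.from_bytes(n_bytes, "big")
        return n.bit_length(), int.from_bytes(e_bytes, "big"), n
    # SSH-1 format: three decimal fields, then an optional comment.
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError("unrecognised public key line")
    bits, e, n = (int(f) for f in fields[:3])
    if bits != n.bit_length():
        raise ValueError("bits field does not match the modulus length")
    return bits, e, n


def host_key_command(remote_ip, line):
    """Format the IDS 4.x CLI command that adds this host to the known hosts table."""
    bits, e, n = parse_host_key(line)
    return f"ssh host-key {remote_ip} {bits} {e} {n}"


# Constructed sample data: a 1024-bit stand-in modulus, not a real key.
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_SSH1_LINE = f"1024 35 {SAMPLE_N} root@router"
SAMPLE_SSH2_LINE = "ssh-rsa " + encode_openssh_rsa(65537, SAMPLE_N) + " root@router"

if __name__ == "__main__":
    # Hypothetical blocking device at 10.1.1.5; paste the output at the sensor CLI.
    print(host_key_command("10.1.1.5", SAMPLE_SSH2_LINE))
```

Feed it the contents of the remote host's /etc/ssh/ssh_host_key.pub or ssh_host_rsa_key.pub. The exponent and modulus are the same RSA numbers in either file; whether the remote sshd speaks the protocol version the sensor's SSH client uses is a separate matter to confirm before relying on the entry. Compare the values against the host's key fingerprint obtained over a trusted path before adding them, because the known hosts entry is what prevents a spoofed host from impersonating the device the sensor connects to.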

Configuring Remote Access

  • To manage an IDS-4210, 4220, or 4230 sensor running version 3.0 or 3.1 over the serial console, the BIOS must first be changed so that the sensor redirects console output to the serial port by default.

  • In version 4.x, Telnet is disabled by default; it can be enabled with the setup command or with the telnet-server command from the command line. Telnet carries credentials and the whole session in cleartext, so prefer SSH and leave Telnet off unless it is needed temporarily.

  • In version 3.x, the default security level is Low, which leaves both Telnet and FTP enabled. Raise it from the sysconfig-sensor utility to Medium (Telnet disabled) or High (Telnet and FTP disabled).

Applying the Sensor Configuration

  • When a sensor is upgraded from 3.x to 4.x code, the roles of its two interfaces change, so the cables on the monitoring interface and the command-and-control interface must be swapped.

  • Make sure the monitoring interfaces are assigned to interface group 0; an interface outside the group does not see network traffic.

Configuring Logging

  • Event logging is available only in 3.x software; the feature was dropped in 4.x. IP logging (capturing the packets to and from a given address) works the same way in both versions.

  • Through the IDM the sensor can be configured to export event log files automatically by FTP: choose Configuration | Logging | Export Event Logs and enter the FTP server's IP address, directory, username, and password. FTP sends those credentials and the log contents in cleartext, so keep that transfer on the management network.

  • To configure IP logging in the IDM, choose Configuration | Logging | IP Logging, click Add, and enter the IP address to be logged.

  • From the command line, use the iplog command, for example iplog 0 192.168.50.14, where 0 is the interface group and 192.168.50.14 is the address whose traffic should be captured. The IP address is required.

Upgrading the Sensor

  • The installation CD of 4.x software from Cisco is needed to upgrade from 3.x to 4.x software.

  • The upgrade does not carry the existing configuration forward, so record it first: in the IDM choose Administration | Diagnostics, select Run Diagnostics, and then choose Menu | Save As to save the report for re-entering settings afterwards.

  • The upgrade CD starts automatically when the sensor boots and offers a choice of running the upgrade through the serial port or through the local keyboard and monitor. No further user intervention is needed until it completes; remove the CD before rebooting.

  • After the upgrade the default username and password are cisco/cisco; the user is prompted to change the password at the first login to the upgraded sensor. Do this before the management interface is reachable from anything other than the administrator's station.