OL-11615-01
Console> (enable) set authentication login local disable telnet
local login authentication set to disable for telnet session.
Console> (enable)
Console> (enable) set ip permit 172.16.0.0 255.255.0.0 ssh
172.16.0.0 with mask 255.255.0.0 added to telnet permit list.
Console> (enable)
Console> (enable) set ip permit enable ssh
SSH permit list enabled.
Console> (enable)
Console> (enable) set logout 3
Sessions will be automatically logged out after 3 minutes of idle time.
Console> (enable)
Interactive Access in Cisco IOS
In Cisco IOS software, all interactive access mechanisms involve sessions or lines. The local console
uses a standard line, known as CTY, while remote network connections use virtual TTYs, called VTYs.
Regardless of their type, both CTYs and VTYs need to be configured according to security best
practices.
The first best practice consists of restricting the type of protocols accepted on each line. Prior to Cisco
IOS software Release 11.1, all VTY lines were configured using the transport input all command by
default, allowing all types of connections to the VTY lines. Starting in Cisco IOS software Release 11.1,
no connections are permitted to VTY lines unless an incoming protocol, or all the protocols, are specified
using the transport input command.
Every VTY must be configured to accept connections only from the expected protocols, which can be
done by using the transport input command. For example, a VTY that is expected to receive only Telnet
sessions must be configured with transport input telnet, while a VTY permitting both Telnet and SSH
sessions should have transport input telnet ssh.
Another good practice is the use of the access-class command to restrict the IP addresses from which
the VTY will accept connections. By default, after an access protocol is enabled for a VTY line any host
can initiate a connection using that protocol. The access-class command defines a list of hosts or
networks from which access will be allowed, which prevents unauthorized access from untrusted
sources. This practice also helps mitigate a denial-of-service attack on the VTY lines.
Cisco IOS software devices have only a limited number of VTY lines, usually five. When all of the VTYs
are in use, no more remote interactive connections can be established, and this creates an opportunity for
a denial-of-service attack. If an attacker can open remote sessions to all the VTYs on the system, the
legitimate administrator might not be able to log in. The attacker does not have to log in to do this; the
sessions can simply be left at the login prompt.
One way to protect against this attack is to configure a restrictive access-class configuration on the last
VTY in the system. The last VTY, usually VTY 4, can be restricted to accept connections only from a
single, specific administrative workstation, whereas the other VTYs might accept connections from any
address in a corporate network.
Another useful tactic is to decrease the VTY timeouts using the exec-timeout command. This prevents
an idle session from consuming a VTY indefinitely. By default, a VTY session has a 10-minute timeout.
Although the effectiveness of this technique against deliberate attacks is relatively limited, it also
provides some protection against sessions accidentally left idle. Similarly, enabling TCP keepalives on
incoming connections (using the service tcp-keepalives-in command) can help to guard against
malicious attacks and orphan sessions caused by remote system crashes. By default, keepalives are not
enabled for incoming connections.
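The controls described above (explicit transport input, an inbound access-class on every VTY, a tighter access-class on the last VTY, a reduced exec-timeout, and service tcp-keepalives-in) can be checked mechanically against a running configuration. The following audit script is an added example, not Cisco's code or part of the original document. The two embedded configurations are constructed for illustration: the access-list numbers, the 10.1.0.0/16 corporate network and the 10.1.2.50 administrative workstation are assumptions, and the weak configuration is deliberately left with gaps so the audit has something to report.

```python
"""Audit a Cisco IOS configuration for the CTY/VTY hardening practices above.

Added example; the sample configurations are constructed, not from a real device.
"""
import re
from collections import defaultdict

DEFAULT_EXEC_TIMEOUT = 600  # IOS default idle timeout for a session: 10 minutes

# Constructed: pre-11.1 style configuration with every gap the text warns about.
WEAK_CONFIG = """\
line con 0
line vty 0 4
 transport input all
"""

# Constructed: VTY 0-3 open to the corporate network (assumed 10.1.0.0/16),
# VTY 4 reserved for a single administrative workstation (assumed 10.1.2.50).
HARDENED_CONFIG = """\
service tcp-keepalives-in
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 11 permit host 10.1.2.50
line con 0
 exec-timeout 5 0
line vty 0 3
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
line vty 4
 access-class 11 in
 exec-timeout 5 0
 transport input ssh
"""


def parse_config(text):
    """Split an IOS config into global commands and per-'line' sub-command blocks."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented: sub-command of the current line block
            if current is not None:
                line_blocks[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw[5:].strip()  # e.g. "vty 0 3", "con 0"
            line_blocks.setdefault(current, [])
        else:
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def parse_acls(global_cmds):
    """Collect numbered access-list entries as acl -> [(action, source), ...]."""
    acls = defaultdict(list)
    for cmd in global_cmds:
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", cmd)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3)))
    return acls


def vty_range(name):
    """Return (first, last) for a 'vty N [M]' line name, else None."""
    m = re.match(r"vty (\d+)(?: (\d+))?$", name)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or m.group(1))


def timeout_seconds(subcmds):
    """exec-timeout MINUTES [SECONDS]; None when left at the default."""
    for c in subcmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return None


def audit(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    global_cmds, line_blocks = parse_config(text)
    acls = parse_acls(global_cmds)
    findings = []
    if "service tcp-keepalives-in" not in global_cmds:
        findings.append("global: service tcp-keepalives-in not enabled")
    vtys = {}
    for name in line_blocks:
        rng = vty_range(name)
        if rng:
            vtys[name] = rng
    last_vty = max((hi for _, hi in vtys.values()), default=None)
    for name, sub in line_blocks.items():
        if name in vtys:
            transport = next((c for c in sub if c.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{name}: no explicit transport input")
            elif "all" in transport.split()[2:]:
                findings.append(f"{name}: transport input all permits every protocol")
            acl = next((c.split()[1] for c in sub if re.match(r"access-class \S+ in$", c)), None)
            if acl is None:
                findings.append(f"{name}: no inbound access-class")
            elif acl not in acls:
                findings.append(f"{name}: access-class {acl} references an undefined ACL")
            elif vtys[name][1] == last_vty:
                permits = [src for action, src in acls[acl] if action == "permit"]
                if len(permits) != 1 or not permits[0].startswith("host "):
                    findings.append(f"{name}: last VTY should be limited to a single admin host")
        t = timeout_seconds(sub)
        if t is None:
            findings.append(f"{name}: exec-timeout left at the 10-minute default")
        elif t == 0:
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
        elif t >= DEFAULT_EXEC_TIMEOUT:
            findings.append(f"{name}: exec-timeout is not below the default")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]", audit(cfg) or "no findings")
```

The last-VTY check treats the highest-numbered VTY in the configuration as the reserved line and requires its access-class to permit exactly one host entry, which is the arrangement the text recommends; a device with a different number of VTYs is handled by the same rule.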