
Login Through SSH

Attack Behavior

  • Password crack

    An attacker who discovers the Secure Shell (SSH) port of a switch connects to it and is prompted for authentication. The attacker then attempts to guess or crack the password, for example by brute force or a dictionary attack, to pass authentication and obtain access rights on the switch.

  • Denial of Service (DoS)

    The SSH server supports a limited number of concurrent users. Once the number of logged-in users reaches this upper limit, no further users can log in to the SSH server. This can happen under legitimate load, or an attacker can deliberately open sessions until the limit is reached, locking administrators out.

Security Policy

To defend against the preceding attacks, configure the following security policies on a switch:

  • Enforcing password authentication or public key authentication

    The SSH server supports password authentication and public key authentication. Only authenticated users can log in to the switch and enter command line views. Public key authentication is not exposed to password guessing; where password authentication is used, the local user must have a strong password.

  • Disabling the SSH server

    When the SSH server is enabled, the switch listens on a TCP socket for it, which makes the switch discoverable by port scans. Disable the SSH server whenever it is not needed.

  • Changing the port number

    By default, the SSH server listens on port 22, a well-known port that scanners probe first. Configure the SSH server to use a non-standard port to reduce the likelihood of opportunistic scanning and attacks. This only lowers exposure to automated scans; a full port scan still finds the service, so it complements, and does not replace, authentication and ACLs.

  • Configuring an Access Control List (ACL)

    In the user interface view, apply an ACL to the Virtual Type Terminal (VTY) user interfaces to restrict the client IP addresses from which users may log in.

  • Specifying a source interface for the SSH server

    By default, the SSH server accepts login requests arriving on all interfaces, which widens the attack surface. To harden the switch, specify a source interface for the SSH server so that only requests arriving at that interface (for example, a loopback interface reachable only from the management network) are accepted.

    After the source interface is specified, users can log in to the SSH server only through that interface. The setting applies to subsequent logins; users who are already logged in are not affected.

Configuration Method

  • Configure password or Rivest-Shamir-Adleman (RSA) authentication.

    • Password authentication: Set the authentication mode of user testuser to password authentication.

      <HUAWEI> system-view
      [HUAWEI] ssh user testuser
      [HUAWEI] ssh user testuser authentication-type password
    • RSA authentication: Set the authentication mode of user testuser to RSA authentication (the client's RSA key pair should have a modulus of 2048 bits or more).

      <HUAWEI> system-view
      [HUAWEI] ssh user testuser
      [HUAWEI] ssh user testuser authentication-type rsa
  • Disable the SSH server.

    <HUAWEI> system-view
    [HUAWEI] undo stelnet server enable
  • Change the port number of the SSH server to 55535.

    <HUAWEI> system-view
    [HUAWEI] ssh server port 55535
  • Configure ACL 2000 to permit logins only from source IP address 10.1.1.1 and apply it to VTY 14. An ACL applied in the user interface view governs only the user interfaces it is applied to, so apply it to every VTY that accepts SSH logins (for example, user-interface vty 0 4); otherwise an attacker can still log in through an unprotected VTY.

    <HUAWEI> system-view
    [HUAWEI] acl 2000
    [HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
    [HUAWEI-acl-basic-2000] quit
    [HUAWEI] user-interface vty 14
    [HUAWEI-ui-vty14] acl 2000 inbound  //inbound restricts which client IP addresses or address segments may log in to this switch; outbound restricts users already logged in to this switch from initiating connections to other devices.
    [HUAWEI-ui-vty14] quit
  • Specify Loopback0 as the source interface of the SSH server.

    <HUAWEI> system-view
    [HUAWEI] ssh server-source -i loopback 0  //The loopback interface must already exist and have an IP address before this command is run.
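As an added example that is not part of this page or of Huawei's own tooling, the following Python script audits a saved `display current-configuration` excerpt for the policies configured above: SSH server disabled or moved off port 22, a source interface bound, an inbound ACL on every VTY with no permit-any rule, and an explicit authentication type for every SSH user. Both sample configurations are constructed for this example; the `protocol inbound ssh` and `authentication-mode aaa` lines are assumed prerequisites that the snippets on this page do not show and may differ by VRP version.

```python
"""Offline audit of a Huawei VRP configuration against the SSH hardening
policies on this page: SSH server disabled or moved off port 22, a source
interface bound, an inbound ACL on every VTY, and an explicit
authentication type for every SSH user."""
import re

# Constructed sample input in 'display current-configuration' layout (not
# captured from a real switch). The 'protocol inbound ssh' and
# 'authentication-mode aaa' lines are assumed prerequisites not shown on the page.
HARDENED_CONFIG = """\
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
ssh server port 55535
ssh server-source -i LoopBack0
ssh user testuser
ssh user testuser authentication-type rsa
stelnet server enable
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 protocol inbound ssh
#
"""

# Same switch with the defaults left in place: port 22, all interfaces, no ACL.
WEAK_CONFIG = """\
#
ssh user testuser
ssh user testuser authentication-type password
stelnet server enable
#
user-interface vty 0 4
 authentication-mode aaa
#
"""


def parse_blocks(text):
    """Split VRP config into (header, indented_lines) pairs; a '#' line ends a block."""
    blocks, current = [], None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit_ssh(text):
    """Return a list of findings; an empty list means every policy is in place."""
    blocks = parse_blocks(text)
    headers = [h for h, _ in blocks]
    findings = []

    if "stelnet server enable" not in headers:
        return []  # SSH server disabled: nothing listens, so nothing to harden

    port = next((h.split()[-1] for h in headers if h.startswith("ssh server port ")), "22")
    if port == "22":
        findings.append("SSH server listens on the well-known port 22")

    if not any(h.startswith("ssh server-source -i ") for h in headers):
        findings.append("no source interface bound; SSH requests are accepted on all interfaces")

    # Basic ACLs keyed by number. A permit rule with no source, or source 'any',
    # lets every client reach the login prompt. Rules with extra keywords are skipped.
    acls = {h.split()[-1]: lines for h, lines in blocks if h.startswith("acl ")}
    for header, lines in blocks:
        if not header.startswith("user-interface vty"):
            continue
        acl_ids = [m.group(1) for l in lines if (m := re.fullmatch(r"acl (\d+) inbound", l))]
        if not acl_ids:
            findings.append(f"{header}: no inbound ACL, any client IP may attempt login")
        elif acl_ids[0] not in acls:
            findings.append(f"{header}: references undefined ACL {acl_ids[0]}")
        else:
            for rule in acls[acl_ids[0]]:
                m = re.fullmatch(r"rule \d+ permit(?: source (\S+)(?: \S+)?)?", rule)
                if m and m.group(1) in (None, "any"):
                    findings.append(f"{header}: ACL {acl_ids[0]} permits any source ({rule})")

    # Each SSH user should carry an explicit authentication-type rather than a default.
    users = {h.split()[2] for h in headers if re.fullmatch(r"ssh user \S+", h)}
    typed = {h.split()[2] for h in headers if re.fullmatch(r"ssh user \S+ authentication-type \S+", h)}
    for user in sorted(users - typed):
        findings.append(f"ssh user {user}: no explicit authentication-type")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ssh(cfg) or ["compliant"])
```

Run it against a configuration exported from the switch to get a finding per missing policy; the hardened sample returns no findings, while the weak sample reports the default port, the unbound source interface and the VTY without an inbound ACL. The parser relies only on the `#`-separated, single-space-indented layout of VRP configuration output.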
Copyright © Huawei Technologies Co., Ltd.