Configuring STelnet Server Parameters

You can configure STelnet server parameters to ensure server reliability and security. STelnet server parameters include the interval at which key pairs are updated, the timeout period for SSH authentication, the number of SSH authentication retries, compatibility with earlier SSH versions, and the listening port number of the SSH server, among others listed in Table 1.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Perform one or more operations described in Table 1.

    Table 1 Operations (columns: Item, Operation, Description)

    Item: (Optional) Configure the interval at which key pairs are updated.
    Operation: Run the ssh server rekey-interval interval command.
    Description: When the configured interval elapses, the key pair is automatically updated, improving security.

    Item: (Optional) Configure the timeout period for SSH authentication.
    Operation: Run the ssh server timeout seconds command.
    Description: If a user has not logged in when the SSH authentication timeout period expires, the system disconnects the current connection to ensure system security.

    Item: (Optional) Configure the number of SSH authentication retries.
    Operation: Run the ssh server authentication-retries times command.
    Description: To prevent unauthorized users from logging in, limit the number of SSH authentication retries.

    Item: (Optional) Enable an SSH server to lock client IP addresses.
    Operation: Run the undo ssh server ip-block disable command.
    Description: If the SSH server is enabled to lock client IP addresses, locked client IP addresses fail authentication and are displayed in the display ssh server ip-block list command output. If the SSH server is disabled from locking client IP addresses, the display ssh server ip-block list command does not display any client IP address that is locked because of an authentication failure.

    Item: (Optional) Enable compatibility with earlier SSH versions.
    Operation: Run the ssh server compatible-ssh1x enable command.
    Description: To allow clients running SSH1.5 to log in, run the ssh server compatible-ssh1x enable command to enable compatibility with earlier SSH versions.
    NOTE:
    If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.
    SSH versions are classified as SSH1.X (earlier than SSH2.0) or SSH2.0. SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X.

    Item: (Optional) Configure a listening port number for the SSH server.
    Operation: Run the ssh server port port-number command.
    Description: If a new listening port number is set, the SSH server ends all established STelnet and SFTP connections and listens for connection requests on the new port. Attackers may access the default listening port, consuming bandwidth, degrading server performance, and preventing authorized users from logging in to the server. After the listening port number of the SSH server is changed, attackers do not know the new port number, which prevents them from accessing the listening port and improves security.

    Item: (Optional) Configure an ACL for the SSH server.
    Operation: Run the ssh [ ipv6 ] server acl { acl-number | acl-name } command.
    Description: This command controls which clients can access the SSH server; with the ipv6 keyword, the ACL applies to clients connecting over IPv6. This configuration prevents unauthorized users from accessing the SSH server, ensuring security.

    Item: (Optional) Enable the keepalive feature on the SSH server.
    Operation: Run the ssh server keepalive enable command.
    Description: After this feature is enabled, the SSH server returns keepalive responses to an SSH client to check whether the connection between them is normal, facilitating fast fault detection.

    Item: Specify the source interface or source address for the SSH server.
    Operation: Specify a source interface or source address (IPv4 or IPv6) for the SSH server, optionally with the interface isolation attribute.
    Description:
    • If a source interface is specified, the server allows SSH users to log in through that source interface only and denies SSH users who attempt to log in through other interfaces.
    • Any interface on the SSH server can be used as its source interface. After the command is run, SSH users can log in to the server through any physical interface configured with an IPv4 address or any created logical interface configured with an IPv4 address.
      NOTE:
      If the ssh server-source all-interface command is run, users can log in to the SSH server through all valid interfaces, which increases system security risks. Therefore, running the command is not recommended.
    • If a source IPv6 address is specified, the server allows SSH users to log in through the specified source IPv6 address only and denies SSH users who attempt to log in through other IPv6 addresses.
    • Any IPv6 interface on the SSH server can be used as its source interface. After the command is run, SSH users can log in to the server through any physical interface configured with an IPv6 address or any created logical interface configured with an IPv6 address.
      NOTE:
      If the ssh ipv6 server-source all-interface command is run, users can log in to the SSH server through any valid IPv6 interface, which increases system security risks. Therefore, running the command is not recommended.
    • A source IPv4 interface is specified for the SSH server, and the interface isolation attribute is set for the SSH server.
    • A source IPv6 interface is specified for the SSH server, and the interface isolation attribute is set for the SSH server.
      NOTE:
      After the interface isolation attribute is set successfully, packets can be sent to the server only through the specified physical interface; packets sent through other interfaces are discarded.

    Item: (Optional) Configure the bogus-list mode of SSH server authentication.
    Operation: Run the ssh server authentication-method bogus-list disable command.
    Description: Disabling the bogus-list mode of SSH server authentication reduces the authentication duration for some clients that log in to the server in password authentication mode.

  3. Run commit

    The configuration is committed.
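The following session is an added worked example, not part of the original page, that applies the procedure above as a hardened baseline in one pass. The ACL number 2000, the management subnet 192.168.10.0/24, port 2222 and the other parameter values are assumed; the acl and rule commands used to build the ACL are standard VRP commands that this page does not describe, and the unit and range of the rekey-interval value should be taken from the command reference. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the original page). Assumed values: ACL 2000,
# management subnet 192.168.10.0/24, listening port 2222.
<HUAWEI> system-view
# Basic ACL that permits only the management subnet (acl/rule are standard
# VRP commands; the number and subnet are assumed).
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule 5 permit source 192.168.10.0 0.0.0.255
[*HUAWEI-acl4-basic-2000] rule 10 deny
[*HUAWEI-acl4-basic-2000] quit
# Restrict which clients may reach the SSH server at all.
[*HUAWEI] ssh server acl 2000
# Rotate the server key pair periodically (value assumed; unit per platform).
[*HUAWEI] ssh server rekey-interval 1
# Disconnect sessions that have not authenticated within 30 seconds.
[*HUAWEI] ssh server timeout 30
# Allow at most 2 authentication attempts per connection.
[*HUAWEI] ssh server authentication-retries 2
# Make sure locking of client IP addresses that fail authentication is on
# (the undo form re-enables it if it had been disabled).
[*HUAWEI] undo ssh server ip-block disable
# Move the listener off the default port. This ends every established
# STelnet/SFTP session, so run it from the console or in a change window.
[*HUAWEI] ssh server port 2222
# Keepalive so dead client connections are detected quickly.
[*HUAWEI] ssh server keepalive enable
# SSH1.x compatibility is deliberately left disabled: do not run
# ssh server compatible-ssh1x enable, which the page flags as a security risk.
[*HUAWEI] commit
# Verify that locked client addresses are being recorded.
[~HUAWEI] display ssh server ip-block list
```

After the commit, reconnect to the new port from the permitted subnet before closing the console session, so that a mistake in the ACL or port does not lock you out.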

Copyright © Huawei Technologies Co., Ltd.