
Login Through SSH

Overview

Attack Methods

  • Brute force cracking

    After discovering the SSH port number, an attacker attempts to connect to the device on that port. When the device requests authentication, the attacker may guess or crack the password through repeated login attempts, pass authentication, and obtain access to the device.

  • DoS attack

    An SSH server supports only a limited number of concurrent users. If the number of logged-in users reaches the configured upper limit, subsequent users cannot access the server. An attacker can deliberately exhaust these sessions so that legitimate administrators are locked out.

Security Hardening Policy

  • Authentication

    The SSH server supports password authentication and public-key authentication. Only authenticated users can log in to a device and enter the CLI.

  • Disabling services

    When the SSH service is enabled, the socket service is also automatically enabled. This means that the device is prone to scanning by attackers. To prevent such a risk, disable the SSH service and its port when the SSH service is not required.

  • Changing the port number

    By default, the SSH server uses port 22, which is a well-known port number and is therefore routinely scanned and attacked. You can change the SSH server port to a less well-known number, reducing the chance that routine scans find the service.

  • ACL

    ACLs can be configured for VTY user interfaces to control the login of clients with a specified IP address or in a specified IP address segment.

Impact on the System

None

Procedure

  1. Configure password or Rivest-Shamir-Adleman (RSA) authentication.
    • Password authentication: Set the authentication mode of a user named testuser to password authentication.

      • Enter the system view.
        system-view
      • Create an SSH user.
        ssh user testuser
      • Configure an authentication mode for the SSH user.
        ssh user testuser authentication-type password
    • RSA authentication: Set the authentication mode of a user named testuser to RSA authentication (use keys of 2048 bits or more).

      • Enter the system view.
        system-view
      • Create an SSH user.
        ssh user testuser
      • Configure an authentication mode for the SSH user.
        ssh user testuser authentication-type rsa
  2. Configure a user service mode.
    ssh user testuser service-type stelnet
  3. Enable the stelnet service. The stelnet service is disabled by default.
    stelnet server enable
  4. Change the SSH server port to 53555.
    ssh server port 53555
  5. Configure ACL-based access control.
    1. Create a numbered basic ACL and enter the basic ACL view.
      acl [ number ] acl-number
    2. Configure an ACL rule.
      rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | time-range time-name ] * [ description description ]
    3. Exit the ACL view.
      quit
    4. Enter the VTY user interface view.
      user-interface vty first-ui-number [ last-ui-number ]

      All VTY user interfaces involved in SSH login must be covered in the user-interface vty first-ui-number [ last-ui-number ] command.

    5. Apply the ACL to the VTY user interfaces.
      acl acl-number { inbound | outbound }

      To control the permission to log in to the device from a specified IP address or from a specified IP address segment, specify inbound in the command.

      To prevent users who have already logged in to a device from logging in to other devices, specify outbound in the command.
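The hardening policy and the five procedure steps above describe what a correctly configured device should look like: stelnet enabled, a non-default server port, an authentication type set for each SSH user, and a basic ACL bound inbound on every VTY user interface. The following script, an added example rather than Huawei's own tooling, audits a saved configuration dump for those settings and evaluates which client addresses the basic ACL would admit. The configuration text is constructed to mirror the command syntax on this page; the parsing assumptions (indented rule lines under an acl number block, one user-interface vty block per range) are the example's own and should be checked against a real display current-configuration output.

```python
"""Offline audit of a Huawei VRP configuration dump against the SSH hardening
steps on this page, plus a first-match evaluator for basic ACL rules.

Added example, not Huawei's tooling. SAMPLE_CONFIG and WEAK_CONFIG are
constructed; the layout assumptions are noted in the function docstrings.
"""
import ipaddress
import re

DEFAULT_SSH_PORT = 22

# Constructed sample: roughly what the page's procedure leaves behind.
SAMPLE_CONFIG = """\
#
acl number 2001
 rule 5 permit source 10.1.1.0 0.0.0.255
 rule 10 permit source 192.0.2.10 0
 rule 15 deny source any
#
ssh user testuser
ssh user testuser authentication-type rsa
ssh user testuser service-type stelnet
#
stelnet server enable
ssh server port 53555
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
#
"""

# Constructed sample with none of the hardening applied.
WEAK_CONFIG = """\
#
ssh user testuser
ssh user testuser authentication-type password
ssh user testuser service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
#
"""


def parse_acl_rules(config):
    """Return {acl_number: [(action, source_int, wildcard_int), ...]} in rule
    order. A Huawei wildcard is an inverse mask (1 bits are "don't care") and
    need not be contiguous, so rules are kept as integers rather than
    converted to CIDR. 'source any' becomes an all-ones wildcard; a bare
    address with wildcard 0 is a single host (assumed layout: rule lines are
    indented under their 'acl number' line)."""
    rules, current = {}, None
    for line in config.splitlines():
        head = re.match(r"acl(?: number)? (\d+)", line)
        if head:
            current = int(head.group(1))
            rules[current] = []
            continue
        rule = re.match(r"\s+rule \d+ (permit|deny) source (\S+)(?: (\S+))?", line)
        if rule and current is not None:
            action, src, wild = rule.groups()
            if src == "any":
                src_int, wild_int = 0, 0xFFFFFFFF
            else:
                src_int = int(ipaddress.IPv4Address(src))
                wild_int = int(ipaddress.IPv4Address(wild)) if wild and wild != "0" else 0
            rules[current].append((action, src_int, wild_int))
    return rules


def acl_decision(rules, client_ip):
    """First matching rule wins. Returns 'permit', 'deny', or None when no rule
    matches; the platform's default for an unmatched login is left to the
    caller rather than assumed here."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, src, wild in rules:
        care = ~wild & 0xFFFFFFFF  # bits that must match exactly
        if (ip & care) == (src & care):
            return action
    return None


def audit(config):
    """Return a list of findings; an empty list means steps 1-5 are in place."""
    findings = []
    if not re.search(r"^stelnet server enable$", config, re.M):
        findings.append("stelnet service is disabled (step 3 not applied)")
    port = re.search(r"^ssh server port (\d+)$", config, re.M)
    if not port or int(port.group(1)) == DEFAULT_SSH_PORT:
        findings.append("SSH server listens on well-known port 22 (step 4 not applied)")
    for user, auth in re.findall(r"^ssh user (\S+) authentication-type (\S+)$", config, re.M):
        if auth == "password":
            findings.append(f"SSH user {user} uses password authentication; brute-force exposure, prefer RSA keys of 2048 bits or more")
    acls = parse_acl_rules(config)
    # Assumed layout: a 'user-interface vty' header followed by indented lines.
    for first, last, body in re.findall(r"^user-interface vty (\d+)(?: (\d+))?\n((?:[ \t].*\n)*)", config, re.M):
        label = f"vty {first}" + (f" {last}" if last else "")
        bound = re.search(r"^\s+acl (\d+) inbound$", body, re.M)
        if not bound:
            findings.append(f"{label}: no inbound ACL bound (step 5 not applied)")
        elif int(bound.group(1)) not in acls:
            findings.append(f"{label}: references ACL {bound.group(1)}, which is not defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
    rules = parse_acl_rules(SAMPLE_CONFIG)[2001]
    for ip in ("10.1.1.77", "192.0.2.10", "192.0.2.11", "203.0.113.5"):
        print(ip, acl_decision(rules, ip))
```

The wildcard is evaluated bit-for-bit rather than converted to a prefix length, because a Huawei wildcard such as 0.0.255.0 is legal and has no CIDR equivalent. The audit only reports what the page's steps cover; it does not confirm that every VTY interface the device actually exposes has a block in the dump, which is the coverage requirement stated under step 4.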

Copyright © Huawei Technologies Co., Ltd.