Networking-Forums.com

General Category => Forum Lobby => Topic started by: LynK on March 15, 2016, 10:26:50 AM

Title: SSH server (terminal emulation)
Post by: LynK on March 15, 2016, 10:26:50 AM
Are any of you guys running a centralized SSH server? Curious what products you like/use... I know a lot of it is preference and features. So what are you using, and why?
Title: Re: SSH server (terminal emulation)
Post by: deanwebb on March 15, 2016, 10:48:53 AM
Does Putty Commander count?
Title: Re: SSH server (terminal emulation)
Post by: LynK on March 15, 2016, 10:57:03 AM
Never used it. I'm looking for software that manages all connections in one spot. The clients then pull the config down from the server, so everyone has up-to-date settings and new locations.
Title: Re: SSH server (terminal emulation)
Post by: deanwebb on March 15, 2016, 10:59:10 AM
Well, we kinda almost have that. We use Putty Commander and have a settings file that we share. If the settings update, we have to update manually.
Title: Re: SSH server (terminal emulation)
Post by: LynK on March 15, 2016, 10:59:51 AM
I'm just surprised there isn't software for this kind of thing.
Title: Re: SSH server (terminal emulation)
Post by: icecream-guy on March 15, 2016, 11:14:39 AM
We have a "some flavor of" Linux server running as a jump box, does that count? Runs well.
Title: Re: SSH server (terminal emulation)
Post by: Otanx on March 15, 2016, 12:13:05 PM
Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx
Title: Re: SSH server (terminal emulation)
Post by: icecream-guy on March 15, 2016, 01:19:57 PM
Quote from: Otanx on March 15, 2016, 12:13:05 PM
Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx

That's bad juju; if your DNS box gets hacked you are SoL.
Title: Re: SSH server (terminal emulation)
Post by: Reggle on March 15, 2016, 02:41:57 PM
I had a network once with a Linux jumphost. All device names were in the hosts file, separate from the DNS servers. Also, we could only do SSH and Telnet, nothing more. If we added a device in the network, it was sent to another team or guy that managed the hosts file.
I recommend a central SSH jumphost (and TFTP, and FTP, and SCP, ...) but I don't recommend a hosts file, although 'grep <part-of-name> /etc/hosts' did wonders.
Title: Re: SSH server (terminal emulation)
Post by: Otanx on March 15, 2016, 04:48:42 PM
Quote from: ristau5741 on March 15, 2016, 01:19:57 PM
Quote from: Otanx on March 15, 2016, 12:13:05 PM
Does DNS count? All our stuff is in DNS so we just "ssh hostname".

-Otanx

That's bad juju; if your DNS box gets hacked you are SoL.

I don't know if that is worth not doing it. The benefits I get outweigh any risks. Traceroute shows hostnames for the NOC, SOC gets correct reverse lookups when investigating an IP, I get easy ssh. If my internal DNS gets hacked then we are probably going to be working with laptops and console cables anyway, because who knows what else is compromised. Compared to maintaining host files, or sharing a config file this is easy, works no matter where I log in from, and helps other groups when they are troubleshooting. For that less than 1% of the time DNS isn't working I can guess some IPs, and find what I need with CDP, and route tables.

-Otanx
Title: Re: SSH server (terminal emulation)
Post by: wintermute000 on March 15, 2016, 11:10:50 PM
A Linux box is the best and easiest way if you want to force everyone to only go through a central mgt point:
- leverage built-in multi-user and access permissions,
- can jail users to their /home or shared directories, prevent app installs, restrict commands to telnet/ssh/ping/trace/ftp/tftp/snmp only, etc.
- can log everything on top of config logging from devices themselves
- can tie back into central SSO whether via LDAP or AD or whatever
- downsides: no Windows tools and, if no desktop environment, no GUI

Though 90% of places I've seen just use an RDP box. The proliferation of Windows tools / web GUIs / Java plugins (HAHAHAHA SECURITY PRODUCTS HAHAHAHHA) makes this the path of least resistance.
Title: Re: SSH server (terminal emulation)
Post by: GeorgeS on March 16, 2016, 03:30:58 AM
Personally I like a Linux server more; the only disadvantage here is that you will need a second server for GUI tools, so this is the reason that an RDP server is the most common one.
Now where I work we have a Citrix server from which we open all our tools, IE/FF/PuTTY/SecureCRT/ASDM.... Also SecureCRT uses a shared profile where we have all our devices. It's pretty handy but a bit chaotic, as all the network devices are there, from FW/R/SW to voice gateway and who knows what else :D
Title: Re: SSH server (terminal emulation)
Post by: LynK on March 16, 2016, 01:38:46 PM
I am honestly pretty sad that in this day and age there is not a product for this.
Title: Re: SSH server (terminal emulation)
Post by: LynK on March 23, 2016, 07:44:40 AM
@georges
@wintermute

What GUI tools do you use, and which flavor of Linux? We are probably going to use CentOS.
Title: Re: SSH server (terminal emulation)
Post by: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use.
So if someone takes over a box they can just spam it with SSH requests, filling up all the VTY lines.

I want to make an SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.
Title: Re: SSH server (terminal emulation)
Post by: LynK on March 23, 2016, 01:07:22 PM
Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use.
So if someone takes over a box they can just spam it with SSH requests, filling up all the VTY lines.

I want to make an SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.

huh?  :doh: :doh: :doh:
Title: Re: SSH server (terminal emulation)
Post by: icecream-guy on March 23, 2016, 01:48:19 PM
Quote from: LynK on March 23, 2016, 01:07:22 PM
Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use.
So if someone takes over a box they can just spam it with SSH requests, filling up all the VTY lines.

I want to make an SSH server that is the only thing that can access vty line 15 to get around that, so even if someone is spamming the box we can still get in without driving over.

huh?  :doh: :doh: :doh:

He wants to connect a modem to the AUX port.
Title: Re: SSH server (terminal emulation)
Post by: SimonV on March 23, 2016, 02:18:19 PM
Quote from: dlots on March 23, 2016, 10:53:53 AM
I am kinda pushing for one for emergency use.
So if someone takes over a box they can just spam it with SSH requests, filling up all the VTY lines.

You can limit that with the login feature:

https://www.cisco.com/c/en/us/td/docs/ios/sec_user_services/configuration/guide/15_0s/sec_securing_user_services_15_0S_book/sec_login_enhance.html

It automatically goes into silent mode and no longer accepts SSH connections from anywhere except what you define in an ACL. We were testing that today and it works great! Plus you get a nice little syslog with all the details.
Title: Re: SSH server (terminal emulation)
Post by: dlots on March 23, 2016, 02:20:51 PM
Kinda.
You know you can have an ACL on your line vty 0 15; well, you can have one ACL for lines 0-14 and another ACL for line 15:

line vty 0 14
 access-class acl-permit-most-everything in
! and another ACL for line 15
line vty 15
 access-class acl-permit-1-server in

This way when lines 0-14 are hammered by an attacker, you just get into the server and SSH in, hit line 15 and get into that one that isn't busy.

Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad. Very interesting, thanks.
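Putting SimonV's login feature and dlots's split VTY ACLs together in one working IOS configuration, as an added example that is not from the thread; the jump host 10.0.0.10, the management subnet 10.0.0.0/24 and the timers are placeholder values I chose, while the ACL names are the ones dlots used.

```cisco
! Constructed example, not from the thread. 10.0.0.10 (jump host) and
! 10.0.0.0/24 (management subnet) are placeholder values.
!
! ACL for the normal VTY lines: the whole management subnet
ip access-list standard acl-permit-most-everything
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! ACL for the reserved line: only the jump host
ip access-list standard acl-permit-1-server
 permit host 10.0.0.10
 deny   any log
!
! Login enhancements from SimonV's link: after 3 failed logins within
! 60 s, refuse new logins for 120 s except from sources matched by the
! quiet-mode ACL. The quiet period is just this ACL applied to the VTYs.
login block-for 120 attempts 3 within 60
login quiet-mode access-class acl-permit-1-server
login on-failure log
login on-success log
!
! access-class needs the "in" keyword to filter incoming sessions
line vty 0 14
 access-class acl-permit-most-everything in
 exec-timeout 10 0
 transport input ssh
line vty 15
 access-class acl-permit-1-server in
 exec-timeout 10 0
 transport input ssh
```

IOS hands a new session to the lowest free VTY, so line 15 is only reached once lines 0-14 are all occupied; the reserved line helps when the attacker holds the others open, not while the box is still being flooded with fresh connection attempts.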
Title: Re: SSH server (terminal emulation)
Post by: SimonV on March 23, 2016, 02:23:33 PM
Quote from: dlots on March 23, 2016, 02:20:51 PM
Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad. Very interesting, thanks.

My pleasure! By the way, the quiet period is actually the ACL temporarily applied to your VTY lines, so the net result is the same.
Title: Re: SSH server (terminal emulation)
Post by: wintermute000 on March 23, 2016, 04:48:34 PM
Quote from: LynK on March 23, 2016, 07:44:40 AM
@georges
@wintermute

What GUI tools do you use, and which flavor of Linux? We are probably going to use CentOS.
All the Cisco security Java nonsense, VMware fat client, web client needs Flash (for now) + PowerCLI on top of PowerShell.
Most other vendors have seen the light and are pretty much HTML5, so Linux friendly.
Also, the ability to map RDP drives or user profile drives is a killer feature for moving files around; most places don't have the Linux fu to do A.D. Samba/Kerberos integration on their jumphosts.
Title: Re: SSH server (terminal emulation)
Post by: icecream-guy on March 24, 2016, 11:13:22 AM
Quote from: dlots on March 23, 2016, 02:20:51 PM
Kinda.
You know you can have an ACL on your line vty 0 15; well, you can have one ACL for lines 0-14 and another ACL for line 15:

line vty 0 14
 access-class acl-permit-most-everything in
! and another ACL for line 15
line vty 15
 access-class acl-permit-1-server in

This way when lines 0-14 are hammered by an attacker, you just get into the server and SSH in, hit line 15 and get into that one that isn't busy.

Didn't know about the ACL thing, thought it just wouldn't accept new SSH sessions, which would be just as bad. Very interesting, thanks.

I would suggest VTY 1-15 would get hammered, and with the ACL applied to vty 15, the CPU on the device would go up due to all that extra work of dropping all those packets, and access would still be denied.

Take 10,000 packets during a DoS.

The first 14 packets would clog up VTY lines 1-14; vty 15 would get packet 15, drop it, packet 16, drop it, and so on... until the VTY 1-14 connections start timing out, then those would get used until full, then packets start hitting VTY 15 again and would get dropped, etc., etc. VTY 15 would never get used until VTY 1-14 are used. I think some CoPP would take care of the issue; it would be a better tool than an ACL.
Title: Re: SSH server (terminal emulation)
Post by: dlots on March 24, 2016, 11:22:33 AM
You should still use CoPP, and lines 0-14 should also get an ACL. This is more of an "Oh crap" moment kinda thing; normally you would let a fairly narrow range of stuff into your VTY lines. This would be in case someone managed to get through that ACL and was spamming the crap out of it, so instead of making a long trip to the affected site you can still get in remotely to take a look at it.
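The CoPP policy icecream-guy and dlots point to, as an added example that is not from the thread: it rate-limits SSH aimed at the device's control plane so a flood through the VTY ACL no longer burns CPU, while SSH from the management subnet keeps its own, generous class. The subnet 10.0.0.0/24, the ACL and class names and the police rates are placeholder values I chose.

```cisco
! Constructed example, not from the thread. 10.0.0.0/24 is a placeholder
! management subnet; the police rates are illustrative and should be
! tuned per platform and per observed management traffic.
!
! SSH to the device from trusted management addresses
ip access-list extended ACL-COPP-SSH-TRUSTED
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
! SSH to the device from anywhere else (only punted traffic reaches CoPP)
ip access-list extended ACL-COPP-SSH-OTHER
 permit tcp any any eq 22
!
class-map match-all CM-COPP-SSH-TRUSTED
 match access-group name ACL-COPP-SSH-TRUSTED
class-map match-all CM-COPP-SSH-OTHER
 match access-group name ACL-COPP-SSH-OTHER
!
! Classes are evaluated in order: trusted SSH matches first and never
! falls into the tightly policed "other" class. Other control-plane
! traffic (routing protocols etc.) is deliberately left unpoliced here.
policy-map PM-COPP
 class CM-COPP-SSH-TRUSTED
  police 256000 8000 conform-action transmit exceed-action transmit
 class CM-COPP-SSH-OTHER
  police 32000 1500 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

Watch the conform/exceed counters with "show policy-map control-plane" during a test flood; the exceed counter on CM-COPP-SSH-OTHER climbing while the trusted class stays at zero drops is the behaviour you want.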