Protecting the serial and vty connections

  • 2 October 2017
  • 2 replies

Userlevel 1
Is there a way with Cumulus Linux to protect the serial and vty connections as is possible with Cisco IOS? Example from a Catalyst switch:
line con 0
 exec-timeout 30 0
 password 7 XXXXX
line vty 0 4
 access-class in
 exec-timeout 30 0
 password 7 XXXXX
 logging synchronous
 length 0
 transport input ssh
 transport output none

2 replies

Userlevel 5
"exec-timeout 30 0" is equivalent to setting the following two lines in the sshd_config file:
# /etc/ssh/sshd_config
# Sets the SSH Timeout to 30 mins
# (60 sec * 30 mins = 1800 sec)
ClientAliveInterval 1800
ClientAliveCountMax 0

Some other sshd_config options that might be of interest:
# Amount of time we'll wait for a user to complete the login
LoginGraceTime 120
# Max Concurrent SSH Sessions
MaxSessions 2
# Max Number of Unauthenticated SSH Sessions
MaxStartups 10:30:60
# 10: Number of unauthenticated connections before we start dropping
# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
# 60: Maximum number of connections at which we start dropping everything

To apply the settings, modify the /etc/ssh/sshd_config file with the options above as you like, then restart ssh to affect all future SSH sessions.
sudo systemctl restart sshd

In Linux, once a user account is created, it is available for all login methods by default. So the "password xxxxxx" line is unneeded.

ACL Docs are here
ACLs can be set to protect SSH using the "input chain" like this.

# /etc/cumulus/acl/policy.d/90new.rules
# -s needs a source address or prefix argument (e.g. a host or CIDR block)
-t filter -A INPUT -s -p tcp --dport 22 -j DROP

sudo cl-acltool -i

"Term length 0" is the default in Linux.
There is no equivalent to the logging synchronous flag that I'm aware of.
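An added example (not code from the thread, from Cumulus Linux or from OpenSSH) that checks whether the sshd_config lines in the reply above would actually take effect. sshd resolves keywords case-insensitively, accepts both "Keyword value" and "Keyword=value", uses the first value it finds for each keyword, and treats every line after the first Match block as conditional rather than global. Appending hardening lines to the end of a file that already sets the same keyword therefore changes nothing, and the restart succeeds silently. The two sample config files are constructed here for illustration; the expected values are the ones from the reply.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread or from Cumulus Linux.
# Resolves the global value sshd would use for a keyword, then checks a file
# against the settings recommended above.

# sshd_effective FILE KEYWORD
#   prints the global value of KEYWORD, or nothing if it is unset (sshd default applies)
sshd_effective() {
    local file=$1
    local want
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }                 # comments and blank lines
        {
            # split "Keyword value" or "Keyword=value" into key and value
            if (match(line, /[ \t=]+/)) {
                key = tolower(substr(line, 1, RSTART - 1))
                val = substr(line, RSTART + RLENGTH)
            } else { key = tolower(line); val = "" }
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit                       # everything below is conditional
            if (key == want) { print val; exit }           # first obtained value wins
        }' "$file"
}

# sshd_check FILE
#   prints one line per expected keyword and returns 1 if any effective value differs
sshd_check() {
    local file=$1 rc=0 kv key expect actual
    # expected values from the reply above (1800 s = exec-timeout 30 0)
    local expected="ClientAliveInterval=1800 ClientAliveCountMax=0 LoginGraceTime=120 MaxSessions=2 MaxStartups=10:30:60"
    for kv in $expected; do
        key=${kv%%=*}; expect=${kv#*=}
        actual=$(sshd_effective "$file" "$key")
        if [ "$actual" = "$expect" ]; then
            printf 'OK        %-20s %s\n' "$key" "$actual"
        else
            printf 'MISMATCH  %-20s effective=%s expected=%s\n' "$key" "${actual:-<unset>}" "$expect"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: hardening appended below an existing ClientAliveInterval,
# and MaxSessions set only inside a Match block. Neither takes effect globally.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# distribution default, easy to overlook
Port 22
clientaliveinterval 0
LoginGraceTime=120
MaxStartups 10:30:60

# --- hardening appended later ---
ClientAliveInterval 1800
ClientAliveCountMax 0

Match User nagios
    MaxSessions 2
EOF

# Constructed sample 2: the same settings placed before any conflicting line
# and before any Match block, so they are the first value obtained.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
ClientAliveInterval 1800
ClientAliveCountMax 0
LoginGraceTime 120
MaxSessions 2
MaxStartups 10:30:60
# ignored by sshd: an earlier line already set this keyword
ClientAliveInterval 0
EOF
trap 'rm -f "$SAMPLE_CFG" "$HARDENED_CFG"' EXIT

echo "== appended hardening =="
sshd_check "$SAMPLE_CFG" || echo "-> restarting sshd would not change the idle behaviour"
echo "== hardening placed first =="
sshd_check "$HARDENED_CFG"
```

On the switch itself, `sudo sshd -T` prints the effective configuration and is the authoritative check; this script only reproduces the first-match rule for a single file and does not follow the Include directive of newer OpenSSH releases. Two version-dependent caveats when reusing the values above: from OpenSSH 8.2 onward, ClientAliveCountMax 0 disables connection termination entirely, so ClientAliveCountMax 1 is needed for the "drop after one missed probe" behaviour the 2017 reply relies on; and the ClientAlive keywords probe whether the client is still responding, so a session whose client answers the probes stays open even if nobody types, unlike Cisco's exec-timeout (bash's TMOUT variable is the shell-level idle timeout).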
Userlevel 1
Thank you Eric for the quick reply