Protecting the serial and vty connections


Userlevel 1
Is there a way with Cumulus Linux to protect the serial and vty connections as is possible with Cisco IOS? Example from a Catalyst switch:
line con 0
 exec-timeout 30 0
 password 7 XXXXX
line vty 0 4
 access-class in
 exec-timeout 30 0
 password 7 XXXXX
 logging synchronous
 length 0
 transport input ssh
 transport output none

2 replies

Userlevel 5
"exec-timeout 30 0" is equivalent to setting the following two lines in the sshd_config file:
# /etc/ssh/sshd_config
# Sets the SSH Timeout to 30 mins
# (60 sec * 30 mins = 1800 sec)
ClientAliveInterval 1800
ClientAliveCountMax 0

Some other sshd_config options that might be of interest:
# Amount of time we'll wait for a user to complete the login
LoginGraceTime 120
# Max open sessions (shell/exec/subsystem) per network connection
MaxSessions 2
# Max Number of Unauthenticated SSH Sessions
MaxStartups 10:30:60
# 10: Number of unauthenticated connections before we start dropping
# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
# 60: Maximum number of connections at which we start dropping everything

To apply the settings, modify the /etc/ssh/sshd_config file with the options you like from above, then restart sshd to affect all future SSH sessions:
sudo systemctl restart sshd

In Linux, once a user account is created, it is available for all login methods by default, so the "password xxxxxx" line is not needed.

ACL docs are here: https://docs.cumulusnetworks.com/display/DOCS/Netfilter+-+ACLs#Netfilter-ACLs-PolicingControlPlanean...
ACLs can be set to protect SSH using the INPUT chain, like this:

# /etc/cumulus/acl/policy.d/90new.rules
[iptables]
# Drop SSH (tcp/22) arriving from 1.1.1.1
-t filter -A INPUT -s 1.1.1.1 -p tcp --dport 22 -j DROP

sudo cl-acltool -i

"Term length 0" is the default in Linux.
There is no equivalent to the logging synchronous flag that I'm aware of.
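
The two pieces of the answer above (the sshd_config options and the policy.d ACL) as one added example script; this is not code from the thread or from Cumulus Networks. It assumes nothing beyond bash, awk and mktemp, and takes file paths as parameters so it can be tried on scratch copies before touching /etc/ssh/sshd_config or /etc/cumulus/acl/policy.d/. The sample sshd_config contents and the management subnets 10.0.0.0/24 and 2001:db8:1::/64 are constructed for the demo. Two caveats a practitioner wants here: ClientAliveInterval/ClientAliveCountMax only disconnect a client that stops answering probes, so an idle user whose ssh client is still running stays logged in, and on OpenSSH 8.2 and later a ClientAliveCountMax of 0 disables termination altogether; the closer analogue of exec-timeout is bash's TMOUT, which the script also writes. The ACL also gets an [ip6tables] section, because IPv4-only rules leave SSH over IPv6 reachable.

```bash
#!/bin/bash
# Added example, not code from the original thread or from Cumulus Networks.
#   set_sshd_option   - edit one sshd_config keyword in place (idempotent)
#   harden_sshd       - the thread's settings, with a positive ClientAliveCountMax
#   write_idle_timeout - bash TMOUT file, the real "exec-timeout" analogue
#   write_ssh_acl     - policy.d file allow-listing SSH for IPv4 and IPv6
set -euo pipefail

# set_sshd_option FILE KEYWORD VALUE
# Replaces the first top-level "Keyword ..." line (commented-out copies from the
# stock file included), drops later duplicates, and otherwise inserts the line
# before the first "Match" block so that it applies globally.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        {
            commented = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # strip indent and "#"
            split(line, f, "[ \t=]+")               # f[1] is the keyword
            kw = tolower(f[1])
            if (!in_match && !commented && kw == "match") {
                if (!done) { print key " " value; done = 1 }
                in_match = 1                        # leave Match blocks untouched
            }
            if (!in_match && kw == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                # drop old/duplicate copies
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"                            # keeps owner/mode of FILE
    rm -f "$tmp"
}

# harden_sshd FILE
# ClientAlive* only detects clients that stop answering probes; an idle but
# connected client keeps its session. ClientAliveCountMax 0 disables
# termination entirely on OpenSSH 8.2+, so a positive count is used here.
harden_sshd() {
    local file="$1"
    set_sshd_option "$file" ClientAliveInterval 1800
    set_sshd_option "$file" ClientAliveCountMax 1
    set_sshd_option "$file" LoginGraceTime 120
    set_sshd_option "$file" MaxSessions 2           # per connection, not per user
    set_sshd_option "$file" MaxStartups 10:30:60
}

# write_idle_timeout FILE SECONDS
# bash logs out an interactive shell that gets no input for TMOUT seconds.
# Intended for a file under /etc/profile.d/ (assumed path, not from the thread).
write_idle_timeout() {
    local file="$1" secs="$2"
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$secs" > "$file"
}

# write_ssh_acl FILE MGMT_V4_CIDR [MGMT_V6_CIDR]
# cl-acltool policy.d file: accept SSH from the management network, drop the
# rest. Without the [ip6tables] section SSH over IPv6 would stay open.
write_ssh_acl() {
    local file="$1" v4="$2" v6="${3:-}"
    {
        echo '[iptables]'
        echo "-t filter -A INPUT -s ${v4} -p tcp --dport 22 -j ACCEPT"
        echo '-t filter -A INPUT -p tcp --dport 22 -j DROP'
        echo '[ip6tables]'
        if [ -n "$v6" ]; then
            echo "-t filter -A INPUT -s ${v6} -p tcp --dport 22 -j ACCEPT"
        fi
        echo '-t filter -A INPUT -p tcp --dport 22 -j DROP'
    } > "$file"
}

# Demo on scratch files; the sshd_config content is a constructed stand-in.
main() {
    local cfg acl
    cfg="$(mktemp)"; acl="$(mktemp)"
    printf '#ClientAliveInterval 0\nMaxSessions 10\nMatch User backup\n    PasswordAuthentication no\n' > "$cfg"
    harden_sshd "$cfg"
    write_ssh_acl "$acl" 10.0.0.0/24 2001:db8:1::/64
    cat "$cfg" "$acl"
    rm -f "$cfg" "$acl"
}
main
```

On a real switch, run set_sshd_option against /etc/ssh/sshd_config as root, check the result with `sudo sshd -t` before `sudo systemctl restart sshd`, and after writing the policy.d file apply it with `sudo cl-acltool -i`; keep an out-of-band console session open while the ACL is installed, since a mistake in the source CIDR locks you out of SSH.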

Userlevel 1
Thank you, Eric, for the quick reply.
