How to secure switch management by disabling Telnet and HTTP and enabling SSH and SSL

These are some of the options that are available for securing switch and router management:

  1. Using SSH for accessing the switch management
  2. Accessing through VPN
  3. Limiting the IPs that can access the switch management using access lists
  4. Forcing Telnet/SSH to authenticate by username/password instead of password only

It is possible to use two or more of the above methods together.

How to enable SSH and SSL on Brocade switches (Core switches)

# crypto key generate rsa

# user "username" privilege 0 password "thepassword"
# aaa authentication login default local

# no telnet server
# ip ssh port xxxx
# ip ssh scp enable
# no web-management http
# web-management https
# crypto-ssl certificate generate
# aaa authentication web-server default local

In order to log directly into Privileged Exec mode without having to enter the "enable" password, we use the following command:

# aaa authentication login privilege-mode

The SSH keys and the SSL certificate are stored as separate files in flash. To view a list of these files we use the following command:

SSH@core1#show dir
808 [9122] $$ssh8rsahost.key
1740 [05a3] $$sshdsaclient.key
643 [3702] $$sshdsapub.key
1564 [3888] $$sshrsaclient.key
435 [aa0e] $$sshrsapub.key
2672 [c4ed] $$ssl.cert
9630282 [0000] primary
7254436 [0000] secondary
7383 [dd2a] startup-config
7269 [b9c3] startup-config.backup
16907232 bytes 10 File(s)
47579136 bytes free

To view the contents of a key or certificate, we use the following command:

SSH@core1#copy flash console $$sshdsapub.key

In order to delete a key, we use the following command (the file listing after each zeroize shows the key files that were removed):

SSH@core1#crypto key client zeroize rsa
SSH@core1#show dir
808 [9122] $$ssh8rsahost.key
1740 [05a3] $$sshdsaclient.key
643 [3702] $$sshdsapub.key
2672 [c4ed] $$ssl.cert
9630282 [0000] primary
7254436 [0000] secondary
7383 [dd2a] startup-config
7269 [b9c3] startup-config.backup
16905233 bytes 8 File(s)
47841280 bytes free

SSH@core1(config)#crypto key client zeroize dsa
SSH@core1(config)#show dir
808 [9122] $$ssh8rsahost.key
2672 [c4ed] $$ssl.cert
9630282 [0000] primary
7254436 [0000] secondary
7383 [dd2a] startup-config
7269 [b9c3] startup-config.backup
16902850 bytes 6 File(s)
48103424 bytes free

The command "crypto key generate rsa" generates the file $$ssh8rsahost.key; to delete it we use the command "crypto key zeroize rsa".

The command "crypto-ssl certificate generate" creates the file $$ssl.cert; to delete it we use the command "crypto-ssl certificate zeroize".

The command "crypto key client generate rsa" creates the files $$sshrsaclient.key and $$sshrsapub.key, which are the private and public key pair for the SSH client.

In order to import a public SSH key for public-key authentication, the command is:

# ip ssh pub-key-file tftp <tftp server IP address> <public key file name>

———————————————————————————————————–

How to enable SSH on HP switches

(It is easier to create the self-signed SSL certificate from the web interface before shutting down the HTTP server: click on the Security tab and then SSL. If we do this, the SSL certificate commands listed further below are not necessary.)

# crypto key generate ssh

# ip ssh

# ip ssh port xxxx

# ip ssh version 2

After making sure that the SSH connection works, we can disable Telnet and HTTP.

# no telnet-server

# no web-management plaintext

We can also enable SCP/SFTP and public-key authentication:

# ip ssh filetransfer

# aaa authentication ssh login public-key none

Although the secondary SSH login method is "none", it is still possible to use SSH with a password.

The commands for the SSL certificate and keys:

# crypto key zeroize cert
# crypto key generate cert 1024
# crypto host-cert generate self-signed
# web-management ssl
# show crypto host-cert
# show crypto host-public-key

Commands to show or kill an SSH session:

# show ip ssh
# show telnet
# kill <1-4> (SSH session number)

Dell PowerConnect 6224/6248  Switches

For SSH to work, both RSA and DSA keys have to be created.

# crypto key generate rsa

# crypto key generate dsa

# ip ssh server

# ip ssh port xxxx

# ip telnet server disable

# username Dell password Dell1234 level 15

# ip https authentication local

# crypto certificate 1 generate

(config-crypto-cert)#key-generate

(config-crypto-cert)#exit

# ip https server

# ip https certificate

# no ip http server

# show crypto certificate ?

# show crypto key ?

# show authentication methods

Login Authentication Method Lists
---------------------------------
defaultList         : none
networkList         : local

Enable Authentication Method Lists
----------------------------------
enableList          : none

Line     Login Method List    Enable Method List
-------  -----------------    ------------------
Console  defaultList          enableList
Telnet   networkList          enableList
SSH      networkList          enableList

HTTPS       :local
HTTP        :local
Dot1X       :

# aaa authentication ?

dot1x     Create or delete authentication list.
enable    Define authentication method lists for accessing higher privilege levels.
login     Create or delete authentication list.

Dell N4032

SSH commands are similar to Dell PowerConnect 6224, but HTTPS commands are different.

# crypto key generate rsa

# crypto key generate dsa

# ip ssh server

# ip ssh port xxxx

# ip ssh protocol 2

# ip telnet server disable

# crypto certificate 1 generate
# ip http secure-certificate ?
# ip http secure-server
# ip http secure-session soft-timeout 30
# no ip http server


Dell PowerConnect 3348 Switch

Enabling SSH

# crypto key generate rsa

# ip ssh server

# ip ssh port xxxx

Disabling Telnet and Http

# management access-list no-telnet-http

# permit service ssh

# permit service https

# deny service telnet

# deny service http

# management access-class no-telnet-http
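Once the Brocade, HP and Dell commands above have been applied, it is worth checking saved running-configs for drift (a Telnet server that was never turned off, a switch that never got "ip ssh version 2"). The following audit script is an added example and not part of the original post: the per-vendor rule tables and the sample HP config are my own assumptions built from the commands in this post (the port 2222 is a constructed value), and real firmware may print some lines differently, so adjust the patterns to what "show running-config" actually shows on your devices.

```python
import re

# Lines expected in a hardened running-config per vendor, taken from the commands
# in this post. Assumption: the config echoes the commands as entered; adjust the
# patterns if your firmware prints them differently.
EXPECTED = {
    "brocade": {
        "telnet server disabled": r"^no telnet server$",
        "plain http disabled": r"^no web-management http$",
        "https enabled": r"^web-management https$",
        "local login auth": r"^aaa authentication login default local$",
    },
    "hp": {
        "ssh enabled": r"^ip ssh$",
        "ssh version 2": r"^ip ssh version 2$",
        "telnet server disabled": r"^no telnet-server$",
        "plaintext web disabled": r"^no web-management plaintext$",
        "ssl web enabled": r"^web-management ssl$",
    },
    "dell": {
        "ssh server enabled": r"^ip ssh server$",
        "telnet server disabled": r"^ip telnet server disable$",
        "http server disabled": r"^no ip http server$",
        "https server enabled": r"^ip https server$",
    },
}

def audit(vendor: str, config_text: str) -> dict:
    """Return {check name: passed} for one device's running-config text."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    return {name: any(re.match(pat, ln) for ln in lines)
            for name, pat in EXPECTED[vendor].items()}

def failures(vendor: str, config_text: str) -> list:
    """Names of the checks that did not pass, in rule order."""
    return [name for name, ok in audit(vendor, config_text).items() if not ok]

def ssh_port(config_text: str) -> int:
    """SSH listening port from an 'ip ssh port N' line; 22 when not set."""
    m = re.search(r"^\s*ip ssh port (\d+)\s*$", config_text, re.MULTILINE)
    return int(m.group(1)) if m else 22

# Constructed sample: an HP switch where SSH is on but Telnet was never disabled.
SAMPLE_HP = "\n".join([
    'hostname "edge1"', "ip ssh", "ip ssh port 2222", "ip ssh version 2",
    "no web-management plaintext", "web-management ssl",
])

if __name__ == "__main__":
    print(failures("hp", SAMPLE_HP), ssh_port(SAMPLE_HP))
```

Run it against the exported configs of every switch in the fleet and treat any non-empty failures list as a ticket to reopen; a custom SSH port reported by ssh_port is also the value your firewall rules and SSH client configs must agree on.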