- Is it a security hole?
- Posted by AM on January 5th, 2005
Hi all,
I have an 837 configured with IPsec tunnel.
I would enable ssh server on the public IP of my 837 to access it if something goes with the tunnel.
Is it possible to enable access only from one IP? And how?
Is it a security hole?
Thanks,
Alex.
- Posted by Walter Roberson on January 5th, 2005
In article <9mNCd.15260$_E5.408692@twister2.libero.it>, AM <am@am.am> wrote:
:I have an 837 configured with IPsec tunnel.
:I would enable ssh server on the public IP of my 837 to access it if something goes with the tunnel.
:Is it possible to enable access only from one IP? And how?
You can always set an ACL on the outside interface that permits
ssh only to the outside IP.
:Is it a security hole?
Cisco updates their ssh whenever a security problem is found with it.
On the other hand, the supported SSH might only be version 1.5
(i.e., version 1 modified to not have the big security problem that
affected version 1), and so might only support DES encryption.
How determined are your enemies to break into your 837?
Determined enough to spend tens of thousands of dollars on
building a DES cracker that will run in a reasonable amount
of time?
--
Rump-Titty-Titty-Tum-TAH-Tee -- Fritz Lieber
- Posted by AM on January 5th, 2005
Walter Roberson wrote:
Obviously I meant if something goes wrong...
I meant in general.
I was sure Cisco takes care of its products.
I looked for ssh's options but I haven't found a key "match" to apply my ssh's access-list.
How can I apply the ACL to achieve my purpose?
Thanks,
Alex
- Posted by PES on January 5th, 2005
AM wrote:
I would say in general, no. However that is relative. Any additional
services that you permit have *SOME* associated risk. I would equate
this to less risk than inbound www, or telnet (far less risk than
telnet). Be sure that you use passwords that have never traversed an
untrusted network as clear text.
That depends on how you are currently blocking it (if you are). You can
apply it to the router's outside interface as an inbound acl, or you can
apply it to the line vty as an access-class * in.
--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
- Posted by AM on January 5th, 2005
PES wrote:
Thank you PES.
I apologize for my banal questions, but where do I have to apply it? On the interface sub-menu? On the vty menu?
Alex.
- Posted by rave on January 5th, 2005
type in the following:
line vty 0 4
transport input ssh
access-class <access-list-no> in
the second line is only for ssh enabled on the outside interface.
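To show what the replies above add up to, here is an added example (not code from the thread or from Cisco) that parses the "line vty" stanzas of an IOS running-config and flags any that accept SSH without an inbound access-class pinned to a single host. The config text, ACL number 10 and the address 203.0.113.10 are constructed samples.

```python
# Added example: audit IOS vty stanzas for source-restricted SSH access.
# SAMPLE_CONFIG, ACL 10 and 203.0.113.10 are constructed, not a real router.
import re

SAMPLE_CONFIG = """\
access-list 10 permit host 203.0.113.10
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
"""


def config_blocks(config):
    """Split an IOS config into (header, body) pairs, one per top-level stanza."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def acl_host_only(config, acl_no):
    """True if every permit entry of standard ACL acl_no names a single host."""
    permits = re.findall(r"^access-list %s permit (\S+)" % acl_no, config, re.M)
    return bool(permits) and all(p == "host" for p in permits)


def audit_vty(config):
    """Return findings (strings) for vty stanzas that expose SSH too broadly."""
    findings = []
    for header, body in config_blocks(config):
        if not header.startswith("line vty"):
            continue
        transport = [ln.split()[2:] for ln in body if ln.startswith("transport input")]
        classes = [ln.split()[1] for ln in body if re.match(r"access-class \S+ in$", ln)]
        if not classes:
            findings.append("%s: no inbound access-class" % header)
        elif not acl_host_only(config, classes[0]):
            findings.append("%s: access-class %s is not host-only" % (header, classes[0]))
        if not transport or transport[0] != ["ssh"]:
            findings.append("%s: transport input is not ssh only" % header)
    return findings
```

Run it against `show running-config` output saved to a file; an empty result means every vty line only accepts SSH and only from the host(s) listed in its ACL.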