[Ach] bettercrypto.org document

Aaron Zauner azet at azet.org
Thu Jan 2 19:31:49 CET 2014


On 02 Jan 2014, at 09:11, mario.zabrocki at evonik.com wrote:
> I read the document "Applied-Crypto-Hardening.pdf" at bettercrypto.org and found that the provided configuration for CISCO ASA SSH hardening (2.2.2. page 18) is not correct: 
> 
> line vty 0 4 
> transport input ssh 
> 
> ...is only applicable on IOS devices but not on ASA firewalls. On ASA firewalls SSH access must be explicitly granted per IP or IP range via "ssh 1.1.1.1 255.255.255.255 <interface-name>" command. Please move the mentioned line-commands to section "2.2.3. Cisco IOS".

Removed accordingly. Thanks.

https://git.bettercrypto.org/ach-master.git/commitdiff/0ef5e8b9dd68e0821ebd34417623d3de16fe9d38

BTW: what I usually do is to regard SSH like telnet on firewalls and for that reason just connect management ports to unrouted VLANs. Should we write something in there explicitly? There have been quite a few issues with remote management of Cisco devices over the years and some exploits.

Aaron