Apr 21

Separate the configuration of the virtual terminals: reserve two virtual terminals for access from external networks and three for access from the internal network.

line vty 0 1
line vty 2 4

Keep the external ones reachable only via SSH, and the internal ones via telnet or SSH.

I will not go into the technical details of the SSH protocol; the web is full of good explanations. For now, just know that SSH (Secure Shell) is a protocol for establishing an encrypted remote session: all data from the client to the terminal is encrypted, rather than travelling in clear text as with telnet.

line vty 0 1
transport input ssh
line vty 2 4
transport input telnet ssh

Now set up access via SSH.

First make sure that the hostname and the domain name are configured; they serve as the basis for generating the cryptographic key. If your router has no hostname set, or still has the default one, you should change it.

hostname MyRouter

Then set the domain name with the following command.

ip domain-name example.com

Now we generate the key with which the data will be encrypted.

crypto key generate rsa

Once this command is given, we are asked to choose the "size" of the key. It is good practice to leave the default value (512), which is more than enough in 99% of cases.

After the key is generated, we receive confirmation that SSH is enabled and that the version is 1.5.

To clarify, there is no SSH version 1.5; it is Cisco's way of indicating that SSH1 is enabled on the router. The same information is available with the command:

show ip ssh

If it shows SSH 1.99, both SSH1 and SSH2 are enabled on your router; if it shows SSH 2.0, the router accepts only SSH2 connections.

Let us now restrict access to the vtys that can be reached via telnet.
Create an access list to apply to those vtys:

access-list 15 permit 10.10.10.0 0.0.0.255 log

Suppose the internal network is 10.10.10.10/24, and apply the access list to the internal vtys.

line vty 2 4
access-class 15 in

If we now try to reach the router remotely via telnet, our request will time out.

If we try to reach the router via SSH, it responds and we can establish our connection.

The next step is to limit connections to version 2 of the protocol and to show a few small details.

ip ssh time-out 60
ip ssh authentication-retries 5
ip ssh source-interface ATM0.1
ip ssh version 2

The first command sets the SSH negotiation time-out, here to 60 seconds. The second sets the maximum number of authentication attempts; the third chooses the interface from which the SSH server sources its responses, and we pass the external interface; the last command sets the version of the SSH protocol to use.

The following two commands are very important:

login on-failure log
login on-success log

The first command enables logging of login attempts to the router that failed, while the second logs the ones that succeeded.

Let the router block IP addresses that violate a particular rule. Here it is:

login block-for 300 attempts 3 within 30

Basically this tells the router to block an IP address for 5 minutes if it makes more than three authentication attempts within 30 seconds.

With this, access to the router is taken care of.
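As an added example (not from the original post), here is a small Python audit that parses an IOS running-config excerpt into global commands and "line vty" blocks and reports where the hardening described above is missing: no "ip ssh version 2", no login logging or login block-for, or a vty that still accepts telnet without an access-class. Both sample configs are constructed for the example; the block-for line uses the IOS keyword form login block-for 300 attempts 3 within 30.

```python
# Constructed sample: the hardened running-config this post builds up, as one excerpt.
HARDENED_CONFIG = """\
hostname MyRouter
ip domain-name example.com
ip ssh version 2
login on-failure log
login on-success log
login block-for 300 attempts 3 within 30
access-list 15 permit 10.10.10.0 0.0.0.255 log
line vty 0 1
 transport input ssh
line vty 2 4
 access-class 15 in
 transport input telnet ssh
"""
# Constructed sample: a default-like config with none of the hardening applied.
WEAK_CONFIG = """\
hostname Router
line vty 0 4
 transport input telnet
"""
REQUIRED_GLOBAL = ["ip ssh version 2", "login on-failure log", "login on-success log"]

def parse_ios(text):
    """Split an IOS config into global commands and per-'line vty' sub-command blocks."""
    global_cmds, vty_blocks, current = [], {}, None
    for raw in filter(str.strip, text.splitlines()):      # skip blank lines
        if raw.startswith(" ") and current is not None:
            vty_blocks[current].append(raw.strip())      # sub-command of the open vty block
        elif raw.startswith("line vty"):
            current = raw.strip()
            vty_blocks[current] = []
        else:
            current = None                               # any other line closes the block
            global_cmds.append(raw.strip())
    return global_cmds, vty_blocks

def audit_vty(text):
    """Return findings as strings; an empty list means the post's hardening is in place."""
    global_cmds, vty_blocks = parse_ios(text)
    findings = [f"missing global: {c}" for c in REQUIRED_GLOBAL if c not in global_cmds]
    if not any(c.startswith("login block-for") for c in global_cmds):
        findings.append("missing global: login block-for")
    for name, cmds in vty_blocks.items():
        transports = [c for c in cmds if c.startswith("transport input")]
        # telnet stays reachable with no 'transport input' or one listing telnet; tolerable only with an access-class
        if (not transports or any("telnet" in t for t in transports)) \
                and not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{name}: telnet reachable without access-class")
    return findings
```

Feed it the output of "show running-config" to get the same findings for a real device.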
