Category: network

Enabling SSH on Cisco Catalyst Switches

There are several ways to configure or monitor a Cisco device: the console line (which requires a local cable, hence physical access), the vty lines (via telnet or ssh), SNMP, and http/https access.

Since traffic through Telnet protocol travels in clear (non-encrypted) text, it’s best to configure remote access through a secure (encrypted) channel.

Before you proceed, verify that your Cisco device supports encryption. To check whether your device allows encryption, issue the following command:

show version

Look for the line System image file and verify whether your IOS image name contains the substring “k9”. This indicates the version supports encryption.

Configuration Steps

  • Set a hostname and a domain name
  • Enable password encryption and create required usernames and passwords
  • Generate an encryption key
  • Restrict vty lines to use ssh
  • Restrict vty lines to allow incoming ssh traffic only from certain IP addresses (optional)
  • Block IP addresses after a certain number of failed attempts (optional)

Set a hostname and a domain name

A hostname is already set but you should change it to something more descriptive for your environment. A domain is not set by default and you must set this value to match your business infrastructure.

Change to enable mode, if you’re not already in it.

switch>enable
Password: < type your password >

Set your hostname and domain-name according to your own network.

switch#configure terminal
switch(config)#
switch(config)# hostname myswitch01
switch(config)# ip domain-name mydomain.com
switch(config)#exit

Enable password encryption and create usernames and passwords

The service password-encryption command allows for, ahem, the encryption of every password (enable and username passwords) on the device. Issue it if you haven’t before (you probably have, though). Also create the users who can access your device and with which privileges. In this example the user database is local.

switch(config)#service password-encryption
switch(config)# username name privilege privilege# secret passwordtype# password
switch(config)#exit

where:

  • name: the user name
  • privilege#: 15 for enable permissions; 1 for normal user permissions
  • passwordtype#: 0 if you’re going to type an unencrypted password; 5 if you’re going to type an already encrypted password
  • password: the actual password

The following example creates the user khaxan with enable permissions:

switch(config)# username khaxan privilege 15 secret 0 G3tDHck0uT0H$re

Generating a crypto key

The Cisco device must create an encryption key before ssh can be enabled.

switch(config)# crypto key generate rsa general-keys modulus modulus_size

You can choose a modulus size up to 2048. The longer the better, so:

switch(config)# crypto key generate rsa general-keys modulus 2048

Wait a bit while the system creates the key.

Restricting vty lines to use only ssh (don’t allow telnet)

In configuration mode, allow only incoming ssh connections with the command transport input ssh (by default the lines don’t allow any connections), and indicate that authentication takes place against the local database (the users you created before).

switch(config)# line vty 0 4
switch(config-line)# transport input ssh
switch(config-line)# login local

Restricting vty lines to only allow ssh from certain subnets (Optional)

If you want to add a bit of extra security, you can create a list of IP addresses which are allowed to connect via ssh to the Cisco device.

The following example creates the standard access list 1 to permit traffic from the subnet 10.10.10.0 (wildcard mask 0.0.0.255) with logging enabled. A deny statement is implicit at the end of every ACL, so technically the second access-list line is not needed unless you want to log unauthorized connection attempts (always check who’s trying to connect to your device!).

Apply that ACL to the vty lines accepting SSH:

switch(config)# access-list 1 permit 10.10.10.0 0.0.0.255 log
switch(config)# access-list 1 deny any log
switch(config)# line vty 0 4
switch(config-line)# access-class 1 in

Block IP addresses after a certain number of failed attempts (optional)

Also, to stop the casual attacker, you can block their IP addresses for a period of time with the command login block-for; this helps prevent brute force attacks against the device.

The example below blocks an IP address for 1 hour (3600 seconds) after 5 failed login attempts within 50 seconds. Important: choose the times carefully for your environment. If you select a very low fail-attempt threshold, such as 2 failed login attempts within 60 seconds, you might block yourself by accidentally typing a wrong password twice in 1 minute.

switch(config)# login block-for 3600 attempts 5 within 50

That’s it. You should be able to connect to your device via your favorite SSH client.
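As an added example (not part of the original post), here is a small Python audit that parses a running-config and checks each step above: domain name, password encryption, a local user with a secret, SSH-only vty transport, login local, and the optional access-class and login block-for. The config text is a constructed sample, not a real device’s; the username hash is a placeholder.

```python
# Constructed sample running-config (not from the page): the second vty range
# still accepts telnet and no access-class restricts source addresses.
SAMPLE_CONFIG = """\
ip domain-name mydomain.com
service password-encryption
username khaxan privilege 15 secret 5 $1$placeholder$hash
login block-for 3600 attempts 5 within 50
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login local
"""
def parse_sections(config):
    """Split an IOS config into global lines and {section header: [child lines]}."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            global_lines.append(current)
    return global_lines, sections
def audit_ssh_config(config):
    """Check each step of the SSH hardening procedure; return a list of findings."""
    glob, sections = parse_sections(config)
    findings = []
    if not any(l.startswith("ip domain-name ") for l in glob):
        findings.append("MISSING: ip domain-name (needed before crypto key generate rsa)")
    if "service password-encryption" not in glob:
        findings.append("MISSING: service password-encryption")
    if not any(l.startswith("username ") and " secret " in l for l in glob):
        findings.append("MISSING: no local username with a secret for 'login local'")
    if not any(l.startswith("login block-for ") for l in glob):
        findings.append("OPTIONAL: login block-for not set (no brute-force throttling)")
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [l for l in body if l.startswith("transport input ")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"WEAK: {header} accepts non-SSH transport ({transport[-1] if transport else 'none set'})")
        if "login local" not in body:
            findings.append(f"MISSING: {header} has no 'login local'")
        if not any(l.startswith("access-class ") for l in body):
            findings.append(f"OPTIONAL: {header} has no access-class (any source IP may connect)")
    return findings
```

Run it against the output of show running-config on a real device; every line marked WEAK or MISSING corresponds to one of the steps above that was skipped.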

Configuring an NTP server in different Linux distributions

To configure a Linux computer as a basic NTP server, we need to go through the following steps:

Installing the NTP package

For CentOS, RedHat and Fedora distributions
yum install ntp

For Ubuntu and Debian distributions
apt-get install ntp
or
sudo apt-get install ntp

Configuring the NTP service

With your favorite text editor open the file /etc/ntp.conf to perform the following:

Specifying our external servers for time synchronization

Our time source (or sources) are specified in the lines starting with server. These are the servers to which our local server synchronizes. Here is an example:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

Default server addresses vary according to the Linux distribution. You can use the default ones or specify the NTP server of your preference. It is recommended to use the pool servers for your country or region, listed at http://support.ntp.org/bin/view/Servers/NTPPoolServers.

It is recommended that more than one NTP server be present, for redundancy in case one of them fails.

You might have noticed the word iburst in every line. The iburst option reduces the time of the initial synchronization, and it is the default option.

The specified servers are used in a round-robin fashion. If you wish to use one server above the others, add the option prefer at the end of its server line, like this:

server 0.centos.pool.ntp.org prefer

Allow clients restricted time synchronization with our time server

If you want to allow any client to synchronize to your NTP server, just add the line

restrict default kod nomodify notrap nopeer noquery

  • default: every client
  • kod: if access is denied, send a “kiss of death” packet. It’s used to prevent abuse of the server.
  • nomodify: client can not modify the server
  • notrap: prevents ntpdc control message protocol traps
  • nopeer: deny packets trying to establish a peer association
  • noquery: clients can not query status information from our server (like our Operating System or NTP server version); however, they can still get time sync from our NTP server. If you want to block time synchronization you should add the option noserve.

Allow localhost IP to perform any function in the NTP server

The localhost IP 127.0.0.1 is often used for administrative functions; hence, to bypass the “default” restrict policy, add:

restrict 127.0.0.1
restrict ::1

The above lines give the localhost IP address unrestricted access to the NTP server operations.

Specifying the Location of the Drift File

The driftfile keeps track of clock deviations.

driftfile /var/lib/ntp/ntp.drift

That’s pretty much it for a basic configuration, but let’s just add some extra features for security. (This post doesn’t cover advanced security options like authentication).

Allow only specific clients to synchronize with our NTP server

If you added the noserve option to the restrict default line, you might want to add specific hosts or networks which will be allowed to synchronize with your server. They are usually hosts or networks in your LAN, or otherwise known devices. For example:

If you want to allow the network 10.10.10.0/24 to query your NTP server add the following line:

restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap nopeer

If you want to allow the specific host 10.10.10.2 to query your NTP server add the following line:

restrict 10.10.10.2 nomodify notrap nopeer    # mask 255.255.255.255 is assumed

That network and that host would be able to query your server for time sync and get status information from your server.

Using Local Clock as Backup

In case your server loses access to the Internet, it’s a good idea to fail over to the server’s internal clock.

server 127.127.1.0    # NTP server’s own pseudo address
fudge 127.127.1.0 stratum 12

Use stratum 10 to 15 so it’s never used unless no external server is reachable.

Configuring Logging Parameters

Specify a file path for the logs; although not mandatory, it is very useful for debugging:

logfile /var/log/ntp.log

A complete basic /etc/ntp.conf should look like this (as you can imagine, the -6 lines are intended for IPv6):

server 127.127.1.0
fudge 127.127.1.0 stratum 12

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

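As an added example (not part of the original post), the following Python check reads an ntp.conf and verifies the three points this configuration relies on: at least two upstream servers for redundancy, a restrict default line that still carries every flag listed above, and a local-clock fudge stratum in the 10 to 15 range so the internal clock is only a fallback. The config text is a constructed sample with two of those points deliberately wrong.

```python
import shlex

# Constructed /etc/ntp.conf sample (not the page's own): the IPv4 default
# restrict line omits noquery, and the local-clock fudge stratum is too low.
SAMPLE_NTP_CONF = """\
# local clock as fallback
server 127.127.1.0
fudge 127.127.1.0 stratum 5
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
driftfile /var/lib/ntp/ntp.drift
"""

# Flags the page's 'restrict default' line carries; a missing one widens exposure.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

def parse_ntp_conf(text):
    """Yield (keyword, [args]) for each non-comment, non-empty line."""
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            yield parts[0], parts[1:]

def audit_ntp_conf(text):
    """Check redundancy, default restrictions and local-clock stratum."""
    findings, upstream, local_clock, fudge_stratum = [], [], False, None
    for kw, args in parse_ntp_conf(text):
        if kw == "server":
            if args[0].startswith("127.127."):   # 127.127.x.y = local pseudo clock
                local_clock = True
            else:
                upstream.append(args[0])
        elif kw == "fudge" and "stratum" in args:
            fudge_stratum = int(args[args.index("stratum") + 1])
        elif kw == "restrict" and "default" in args:
            missing = REQUIRED_DEFAULT_FLAGS - set(args)
            if missing:
                family = "-6 " if "-6" in args else ""
                findings.append(f"WEAK: restrict {family}default lacks {sorted(missing)}")
    if len(upstream) < 2:
        findings.append(f"WEAK: only {len(upstream)} upstream server(s); add more for redundancy")
    if local_clock and not (fudge_stratum is not None and 10 <= fudge_stratum <= 15):
        findings.append(f"WEAK: local clock fudge stratum is {fudge_stratum}; use 10-15 so it is only a fallback")
    return findings
```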
Starting the NTP Service

For CentOS and RHEL/RedHat distributions
/etc/init.d/ntpd start
or
service ntpd start

For Debian and Ubuntu distributions (notice there’s a d missing)
/etc/init.d/ntp start
or
service ntp start

For Fedora and CentOS/RedHat/RHEL 7 distributions
systemctl start ntpd.service

The system will start synchronizing.

Verifying the NTP operation

Enter the command:
# ntpq -p

And you’ll see an output similar to the following:

(screenshot: output of ntpq -p)

Values will be moving through time. The entry marked with the * is the server currently in use. If you see errors or no server association in a few minutes, probably the NTP service has not started. Review the log file to obtain more information.

Sync the local clock with the external NTP server for the first time

Issue the following command:
ntpdate -u 18.26.4.105    # or any server your NTP server is syncing to

Make the NTP service start when the computer boots

To add the ntp service to the list of daemons which start at startup:

For CentOS and RHEL/RedHat distributions
chkconfig ntpd on

For Debian and Ubuntu distributions (notice there’s a d missing)
systemctl enable ntp.service
or, for Debian Jessie (Debian 8)
systemctl enable ntp

For Fedora and CentOS/RedHat/RHEL 7 distributions
systemctl enable ntpd

Configuring Linux NTP client in different distributions

To configure a Linux computer as a basic NTP client, we need to go through the following steps:

Installing the NTP package

For CentOS, RedHat and Fedora distributions
yum install ntp

For Ubuntu and Debian distributions
apt-get install ntp
or
sudo apt-get install ntp

Configuring the NTP service

With your favorite text editor, make sure these lines are present in the file /etc/ntp.conf:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

It is also wise to make sure the log file is established:

logfile /var/log/ntp.log

Server addresses vary according to the Linux distribution. You can use the default ones or specify your own time server or a public NTP server of your preference. You can find a list of public NTP servers at this link: http://support.ntp.org/bin/view/Servers/NTPPoolServers.

It is recommended that more than one NTP server be present, for redundancy in case one of them fails.

You might have noticed the word iburst in every line. The iburst option reduces the time of the initial synchronization, and it is the default option.

The specified servers are used in a round-robin fashion. If you wish to use one server above the others, add the option prefer at the end of its server line, like this:

server 0.centos.pool.ntp.org prefer

Starting the NTP Service

For CentOS and RHEL/RedHat distributions
/etc/init.d/ntpd start
or
service ntpd start

For Debian and Ubuntu distributions (notice there’s a d missing)
/etc/init.d/ntp start
or
service ntp start

For Fedora and CentOS/RedHat/RHEL 7 distributions
systemctl start ntpd.service

The system will start synchronizing.

Verifying the NTP operation

Enter the command:
# ntpq -p

And you’ll see an output similar to the following:

(screenshot: output of ntpq -p)

Values will be moving through time. The entry marked with the * is the server currently in use. If you see errors or no server association in a few minutes, probably the NTP service has not started. Review the log file to obtain more information.

Sync the local clock with the NTP server for the first time

Issue the following command:
ntpdate -u 18.26.4.105    # or any server your computer is syncing to

Make the NTP service start when the computer boots

To add the ntp service to the list of daemons which start at startup:

For CentOS and RHEL/RedHat distributions
chkconfig ntpd on

For Debian and Ubuntu distributions (notice there’s a d missing)
systemctl enable ntp.service
or, for Debian Jessie (Debian 8)
systemctl enable ntp

For Fedora and CentOS/RedHat/RHEL 7 distributions
systemctl enable ntpd

I know, I know, I wish everybody could standardize. Feel free to comment with any possible correction or suggestions to this post.

Configuring NTP client on a Cisco Catalyst Switch

NTP (Network Time Protocol) is a protocol used for clock synchronization among different devices. Enabling NTP on your network devices ensures they all have the same time, so operations flow smoothly and log analysis can actually be useful. I can’t stress enough how important it is.

So, let’s configure NTP on a standard Cisco Catalyst switch so the switch can synchronize to an NTP server. The procedure below is a BASIC NTP configuration for a Cisco Catalyst switch, but it can also be used on older routers (not ASR or Nexus, where the config is slightly different). We’ll discuss advanced NTP topics in further posts.

Before starting the configuration, you need a time server already up and running, which can be your own server or a free public one. You can find a list of public NTP servers in this link:

Configuring the NTP association

switch#config terminal
switch(config)# ntp server ip_address_of_ntp_server

and, optionally, if you want logs about the NTP operation (e.g., failing to reach the time server):

switch(config)# ntp logging
switch(config)#end

Save your changes

switch#copy running-config startup-config

Now, when you see your configuration you will notice something like this

switch#show running-config | incl ntp
ntp logging
ntp server x.x.x.x
ntp clock-period some_numeric_value

The value is automatically calculated by the switch to compensate for the time differences between the NTP client and the NTP server. Do not remove or modify this line.

Note: For redundancy, it’s best to specify more than one NTP server. In the scenario where the first NTP server fails or can’t be reached, your devices would get clock sync from the next server. To accomplish this, simply add another line like this:

switch(config)# ntp server ip_address_of_ntp_server1
switch(config)# ntp server ip_address_of_ntp_server2

And that’s it.

Verifying the NTP association is working

To verify that your device is connected properly to the time server, use the following command:

switch#show ntp status

You should see an output like this:

Clock is synchronized, stratum number, reference is ip_address_of_ntp_server
and more information about the clock offset and the precision of the sync.

You’re all set! Good luck.