Why using SSH won't secure your network

SSH is a wonderful protocol / tool which I use every day. It gives a user secure communication between hosts. Amongst its many features it allows people to securely execute commands, copy files and tunnel network traffic. Using SSH rather than telnet to configure and access devices is a great step up, since unlike telnet, passwords and other sensitive information are encrypted.

But just because you’ve enabled SSH on all your devices doesn’t mean your network is any more secure. SSH is only one of many changes that need to be made in order to have a secure network.

Network Management
Most network management software still accesses your devices using insecure techniques (some of which are listed below). What’s the use of using SSH when your network management polls devices every 5 minutes insecurely?

Keys
A simple thing overlooked in most SSH setups is that host keys are never logged or saved, nor is public/private key authentication set up. So when you have 500 network devices, people get into the habit of just accepting SSH host keys without looking at them whenever they connect to one. A simple ARP man in the middle attack could then allow someone to grab your password without any work.

File Transfer
So you need to upload a config file. Simple, I’ll just TFTP or FTP it. Maybe you might even HTTP it across. Well there you go, all the work of enabling SSH on all your devices has been wasted. This can easily be fixed by using SCP, HTTPS or FTPS instead.

SNMP
The commonly used SNMPv1 and v2 have no encryption support. It is common for devices to be set up with SNMPv1 or v2 rather than SNMPv3, which supports encryption. SNMP can be used to monitor, and to set configuration options on, most devices.

Vulnerabilities in software
Sounds pretty stupid, but why would an attacker bother with SSH when they can just exploit a page? It’s annoying, but IOS and other software need to stay updated.

Routing Protocols
Routing protocols really need to stay on routed links. Having OSPF running on general access VLANs is not a good idea, as it makes a man in the middle attack very easy.

Spanning Tree
Spanning Tree can easily be disturbed and used for malicious activities. BPDU Guard really needs to be enabled on access ports, otherwise you’ll be in trouble.

These simple fixes will in fact make your network more secure than SSH alone would.

HTTPS and SSH on the same port

I like SSH and I like HTTPS, but sometimes I want SSH to run on port 443 (the HTTPS port) so I can use it to get over corporate firewalls and/or school firewalls, depending on the time of year, which used to mean taking HTTPS up a steep hill and sacrificing it to the gods, while SSH was taking a spa in its $1.2 Billion luxury apartment.

Today, though, SSH and HTTPS have become friends with the help of sslh, which allows you to take the best of both worlds and run SSH and HTTPS on the same port with a little bit of haxing.

sslh can be downloaded from http://www.rutschle.net/tech/sslh.shtml, and there is also a Perl one, which isn’t all that good, that can be downloaded from http://search.cpan.org/~book/Net-Proxy-0.07/script/sslh.
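As an added example (not sslh’s own code, nor the author’s), here is the demultiplexing trick sslh relies on: peek at the client’s first bytes and hand the socket to either the SSH or the TLS backend. The backend addresses, the listening port and the two second probe timeout are assumptions for this example.

```python
import socket
import threading

# Constructed backend addresses for this example; real sslh is pointed at the
# services with its --ssh and --tls (older releases: --ssl) options.
SSH_BACKEND = ("127.0.0.1", 22)
TLS_BACKEND = ("127.0.0.1", 8443)
PROBE_TIMEOUT = 2.0  # seconds to wait for the client's first bytes

def classify(first_bytes: bytes) -> str:
    """Pick a backend from the client's opening bytes: SSH clients send an
    identification string "SSH-2.0-...", TLS clients a record of type 0x16
    (handshake) with version major byte 0x03; anything else is rejected."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "unknown"

def pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until either side closes, then tear both down."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    src.close()
    dst.close()

def handle(client: socket.socket) -> None:
    client.settimeout(PROBE_TIMEOUT)
    try:
        # MSG_PEEK leaves the bytes queued, so the backend still receives them.
        kind = classify(client.recv(1024, socket.MSG_PEEK))
    except socket.timeout:
        kind = "ssh"  # silent client: assume SSH, whose clients may wait for the server banner
    client.settimeout(None)
    if kind == "unknown":
        client.close()
        return
    backend = socket.create_connection(SSH_BACKEND if kind == "ssh" else TLS_BACKEND)
    threading.Thread(target=pipe, args=(client, backend), daemon=True).start()
    pipe(backend, client)

if __name__ == "__main__":
    # Binding port 443 needs root or CAP_NET_BIND_SERVICE.
    with socket.create_server(("0.0.0.0", 443)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

The timeout fallback is the heuristic older sslh releases used; an unrelated NAT rule that already rewrites port 443 to 22 (as in the setup described below) will bypass this listener entirely, which is worth checking before blaming the demultiplexer.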

The setup was pretty easy; however, I did have a problem that took me longer than it should have to fix. I had used my modem to change port 443 on the outside world to port 22 on the inside world and forgot to remove that rule, which ended up confusing the shit out of me.

Problems aside, I now have SSH and HTTPS running side by side without a problem, and as a final note, yes, this has been the most exciting thing that has happened to me in the last week, not including the job of installing and configuring 27 Cisco 8 port 3560 switches.