Chapter16 Security Audit
Fix It Page
16-24
Cisco Router and Security Device Manager Version 2.2 Users Guide
OL-4015-08
access-class <std-acl-num>
Enable SSH for Access to the Router
If the Cisco IOS image running on the router is a crypto image (an image that uses
56-bit Data Encryption Standard (DES) encryption and is subject to export
restrictions), then Security Audit will implement the following configurations to
secure Telne t access whenever possible:
Enable Secure Shell (SSH) for Telnet access. SSH makes Telnet access much
more secure.
Set the SSH timeout value to 60 seconds, causing incomplete SSH
connections to shut down after 60 seconds.
Set the maximum number of unsuccessful SSH login attempts to two befo re
locking access to the router.
The configuration that will be delivered to the router to secure access and file
transfer functions is as follows:
ip ssh time-out 60
ip ssh authtication-retries 2
!
line vty 0 4
transport input ssh
!
Note After making the configuration changes above, you must specify the SSH
modulus key size and generate a key. Use the SSH page to do so.
Enable AAA
Cisco IOS Authentication, Authorization, and Accounting (AAA) is an
architectural framework for configuring a set of three independent security
functions in a consistent manner. AAA provides a modular way of perfor ming
authentication, authorization, and accounting services.
SDM will perform the following precautionary tasks while enabling AAA to
prevent loss of access to the router: