There are several ways to manage a Cisco device, but the two main methods used to manage one remotely are Telnet and SSH. So what is the difference between Telnet and SSH?
In this article, we will show you how to secure your Cisco switch or router by disabling the less secure connection method, Telnet, then enabling the more secure method, SSH, and setting the username and password.
So let us start with: what are SSH and Telnet? SSH is known as Secure Shell and Telnet is known as TeleNetwork. Both of these protocols are used to remotely manage servers and network components such as routers and switches. The main difference between SSH and Telnet is security, which SSH provides by default and Telnet does not.
- Telnet Access: Remote management of the device from the network. Gives authenticated command-line access to the device, but none of the communication is encrypted.
- SSH Access: Remote management of the device from the network (just like Telnet), but all of the traffic is encrypted by the SSH protocol.
Disable Telnet on Cisco Routers/Switches
Because of the weaknesses in the security of the Telnet protocol, it is highly recommended that it be disabled. Here’s how to disable Telnet on both Cisco routers and switches.
Each time you access a Cisco switch or router via a method such as Telnet or SSH, you connect through something called a VTY line (Virtual Terminal line). Older Cisco IOS versions (before 12.2) had 5 VTY lines (numbered 0 to 4), whereas newer IOS versions (after 12.2) have 16 VTY lines (numbered 0 to 15).
Therefore, to disable Telnet you need to do this action on all the VTY lines.
The following configuration disables Telnet and every other remote access protocol on the VTY lines, leaving only SSH:
CiscoDevice(config)# line vty 0 15 <-- configure all 16 VTY lines
CiscoDevice(config-line)# transport input ssh <-- disables Telnet and everything else and only enables SSH on all VTY lines
Enable SSH on Cisco Routers/Switches
Enabling SSH and setting it as the only transport protocol on the VTY lines of the IOS device automatically disables Telnet as well.
To configure SSH on a Cisco router, you need to:
- Enable SSH on Cisco router.
- Set Password for SSH.
- Force remote access to use SSH.
- Enable Password Encryption.
- Add domain name Server (DNS).
- Add Username and Password.
R1>
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#ip domain-name Supertechman.com.au
R1(config)#crypto key generate rsa
The name for the keys will be: R1.supertechman.com.au
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus : 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Mar 1 0:5:57.974: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)#
R1(config)#username Admin password SuperTechman
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#transport input ssh
R1(config-line)#exit
R1(config)#ip ssh version 2
R1(config)#ip ssh authentication-retries 3
R1(config)#
R1(config)#ip ssh time-out 120
R1(config)#exit
R1#
That’s all. Let’s check the process one by one.
- I have set the DNS domain name with the “ip domain-name” command.
- Then generated an RSA key pair with a modulus size of 1024 bits for remote service authentication with the “crypto key generate rsa” command.
- Added the username “Admin” with the password “SuperTechman” for SSH authentication.
- Entered VTY line configuration for lines 0 to 4 with the “line vty 0 4” command, which is where SSH access is enabled.
- Configured SSH to use the local username and password with the “login local” command. The local account is the one created with the “username Admin password SuperTechman” command; “login local” tells the VTY lines to authenticate against it.
- Configured the router to accept only SSH connections with the “transport input ssh” command.
- Set SSH to version 2 using “ip ssh version 2” and set the authentication retries to 3 with the “ip ssh authentication-retries 3” command.
- Finally, set the SSH timeout to 120 seconds with the “ip ssh time-out 120” command.
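The session above hardens only VTY lines 0 to 4, while newer IOS versions have 16. The following check is an added example, not part of the original article: it parses saved "show running-config" text and reports VTY lines that are not restricted to SSH. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: what "show running-config" might contain after the R1
# session above on an IOS release with 16 VTY lines (only 0-4 were hardened).
SAMPLE_CONFIG = """\
ip ssh version 2
line con 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
"""

def parse_vty_blocks(config):
    """Map (first, last) VTY numbers to that block's sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if m:
            first = int(m.group(1))
            current = blocks.setdefault((first, int(m.group(2) or first)), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip().lower())
        else:
            current = None  # any other top-level line closes the block
    return blocks

def audit(config, vty_count=16):
    """Return findings for VTY lines that could still accept Telnet."""
    findings, covered = [], set()
    for (first, last), cmds in sorted(parse_vty_blocks(config).items()):
        covered.update(range(first, last + 1))
        transport = [c for c in cmds if c.startswith("transport input")]
        # Assumption: a block without an explicit "transport input ssh" is
        # reported, since the platform default may permit Telnet.
        if transport != ["transport input ssh"]:
            findings.append(f"vty {first} {last}: transport input not limited to ssh")
        if "login local" not in cmds:
            findings.append(f"vty {first} {last}: login local missing")
    missing = sorted(set(range(vty_count)) - covered)
    if missing:
        findings.append(f"vty lines with no config block: {missing}")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("global: ip ssh version 2 missing")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Pass vty_count=5 when auditing a device that has only VTY lines 0 to 4.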