IPv6 – Setting up a connection to a Tunnel Broker (Part 6) SSH

Another thing that should be looked into is securing the Tunnel Broker router itself. In the earlier configuration steps we restricted remote access for IPv4 only; nothing had been done yet for IPv6. This post addresses that. I will assume for this discussion that you don't have TACACS+ available on the network. What is outlined here is a minimum configuration to lock the router down from outside access.

! These four lines are Cisco recommended best practices for SSH
ip ssh time-out 120
ip ssh authentication-retries 3
service tcp-keepalives-out
service tcp-keepalives-in
! Configure the router to accept SSH version 2 traffic only. SSHv1 has
! known protocol weaknesses, so refusing it minimizes possible SSH vulnerabilities.
ip ssh version 2
! An additional step worth considering: the router ignores further login
! attempts for 900 seconds once it sees 5 failed attempts within 120 seconds.
! If you always want access from specific workstations/devices while the
! router is in quiet mode, add "login quiet-mode access-class <name>" with a
! named ACL listing the addresses of those devices; otherwise a flood of bad
! attempts from outside can lock you out as well.
login block-for 900 attempts 5 within 120
login delay 3
! Create a local account with privilege 15 so you do not have to enter an
! enable password after logging in. Note that "secret 5" is an MD5 hash;
! on IOS releases that support it, use a type 8 or type 9 secret instead.
username admin privilege 15 secret 5 $1$0uPG$FJTff5BhDu6je7RSZAUIX1
! IPv6 access requires a separate ACL. Unlike IPv4 ACLs, only named,
! extended-style ACLs are available. I tried setting up a "standard"
! ACL but the command syntax wasn't in the version of IOS for IPv6 that
! I have on the router. In this case, I used the range on the LAN
! segment of my Tunnel Broker router. That means every host on that
! segment can reach the vty lines; list individual hosts (/128) instead
! if you want tighter control.
ipv6 access-list IPv6-Remote-Admin
 remark IPv6 Remote Admin ACL
 permit ipv6 2001:0db8:1F11:102::/64 any
 deny ipv6 any any
! On the vty lines, "ipv6 access-class" restricts IPv6 logins to the
! addresses in the ACL; it is separate from the IPv4 "access-class" applied
! in the earlier steps. "login local" authenticates against the local
! username database. "privilege 15" on the line gives level 15 to any local
! user that has no privilege level of its own, so keep it only if every
! local account is meant to be an admin account.
line vty 0 4
 ipv6 access-class IPv6-Remote-Admin in
 privilege 15
 login local
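As an added example (not from the original post, and not a Cisco tool), here is a small Python audit script that parses a running-config in the form shown above, evaluates IPv6-Remote-Admin against candidate source addresses the way the router's first-match logic does, and reports what the vty lines are still missing. The sample config is constructed to mirror the post; Remote-Admin-v4 is a hypothetical IPv4 ACL name standing in for the one applied in the earlier IPv4 steps.

```python
import ipaddress
import re

# Constructed sample mirroring the post's config. Remote-Admin-v4 is a
# hypothetical IPv4 ACL standing in for the one from the earlier IPv4 post.
SAMPLE_CONFIG = """\
ip ssh version 2
login block-for 900 attempts 5 within 120
username admin privilege 15 secret 5 $1$0uPG$FJTff5BhDu6je7RSZAUIX1
ipv6 access-list IPv6-Remote-Admin
 remark IPv6 Remote Admin ACL
 permit ipv6 2001:0db8:1F11:102::/64 any
 deny ipv6 any any
line vty 0 4
 access-class Remote-Admin-v4 in
 ipv6 access-class IPv6-Remote-Admin in
 privilege 15
 login local
"""


def sections(config):
    """Split IOS config text into (header, [indented sub-commands]) blocks."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def _addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or PREFIX/LEN."""
    if tokens[0] == "any":
        return ipaddress.IPv6Network("::/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv6Network(tokens[1] + "/128"), tokens[2:]
    return ipaddress.IPv6Network(tokens[0], strict=False), tokens[1:]


def parse_ipv6_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for header, children in sections(config):
        m = re.match(r"ipv6 access-list (\S+)$", header)
        if not m:
            continue
        entries = []
        for line in children:
            parts = line.split()
            if parts[0].isdigit():  # optional sequence number
                parts = parts[1:]
            if parts[0] not in ("permit", "deny") or parts[1] != "ipv6":
                continue  # remarks and per-protocol entries are skipped
            src, rest = _addr(parts[2:])
            dst, _ = _addr(rest)
            entries.append((parts[0], src, dst))
        acls[m.group(1)] = entries
    return acls


def acl_permits(entries, src, dst="::1"):
    """First matching entry wins; unmatched traffic hits the implicit deny."""
    # For a vty access-class the destination is the router itself, so the
    # source is what matters; dst is only a placeholder.
    src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def audit_vty(config):
    """Return findings for the vty lockdown; empty means nothing is missing."""
    findings, blocks = [], sections(config)
    headers, acls = [h for h, _ in blocks], parse_ipv6_acls(config)
    if "ip ssh version 2" not in headers:
        findings.append("global: ip ssh version 2 not set")
    if not any(h.startswith("login block-for") for h in headers):
        findings.append("global: login block-for not set (no brute-force throttling)")
    for h in headers:
        if h.startswith("username ") and " secret 5 " in h:
            findings.append(f"{h.split()[1]}: type 5 (MD5) secret; prefer type 8/9")
    for children in [c for h, c in blocks if h.startswith("line vty")]:
        if not any(c.startswith("access-class ") for c in children):
            findings.append("vty: no IPv4 access-class")
        v6 = [c.split()[2] for c in children if c.startswith("ipv6 access-class ")]
        if not v6:
            findings.append("vty: no ipv6 access-class (IPv6 logins unrestricted)")
        elif v6[0] not in acls:
            findings.append(f"vty: ipv6 access-class refers to undefined ACL {v6[0]}")
        if "transport input ssh" not in children:
            findings.append("vty: transport input ssh missing (telnet may still be accepted)")
        if "privilege 15" in children and "login local" in children:
            findings.append("vty: line privilege 15 applies to local users with no level of their own")
    return findings
```

Feed it the text of "show running-config" saved to a file. On the sample above it returns three findings the post's config leaves open: the MD5 (type 5) user secret, the missing "transport input ssh" (without it the vty lines may still accept telnet), and the line-level privilege 15. A host on 2001:db8:1f11:102::/64 is reported as permitted, anything else as denied by the explicit deny.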

I still have several things to post in this series but wanted to get this one addressed while I was thinking about it now that the Tunnel Router is up and running.

This entry was posted in Blog Entries.