Cisco router disable SSH?

Jonjolt ([H]ard|Gawd, joined Jan 6, 2002, 1,514 messages)
Just had a remote network fail a PCI compliance test; the cause: SSH... I happened to misplace the password, so console is a no-go. My only way in is through Cisco CCP, as the password is saved on there. :(

Is there an option to disable it? I can't seem to find it. Running CCP 2.4.
 
You can enter the CLI through CCP.

Go into the CLI. Here are the commands:
enable
conf t
line vty 0 4
no transport input ssh
transport input telnet
Then save your running-config.

While you are in there, change your console password so you can console in.
 
Don't disable SSH; just set up an ACL to only allow access from the internal subnet. That will make SSH inaccessible from the outside, so the PCI scan won't detect it.
 
Disabling ssh and using telnet instead is a really, really bad idea; I would fire you in a heartbeat if you worked for me and did that.
 
Disabling ssh and using telnet instead is a really, really bad idea; I would fire you in a heartbeat if you worked for me and did that.

Agreed.

Disable telnet, leave SSH on but create an ACL so that only the internal network can SSH in.
 
If SSH is causing a PCI scan to fail, how the hell would using clear-text telnet be any better?

What's the failure reason?
I've been dealing with a bunch of this kind of stuff recently.
 
PCI is anal about outside-facing open ports; they usually have requirements on minimum supported encryption ciphers, etc. If you have open ports (i.e. FTP, web server, etc.), they just have to be properly secured, with no weak encryption cipher support, etc.
If he doesn't use SSH to access the router from outside, his best bet is a simple ACL to lock out access from external subnets.
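The vty ACL that several replies above suggest, written out as an added example for readers of this thread (it is not configuration posted by anyone in the thread). The subnet 10.0.0.0/24 and the ACL name MGMT-SSH are constructed placeholders; substitute the real internal management subnet. The existing vty login method and the HTTP/HTTPS server that CCP relies on are deliberately left untouched so the poster does not lock himself out of his only remaining way in.

```cisco
! Added example (not from any poster in this thread). Constructed values:
! 10.0.0.0/24 stands in for the internal management subnet; MGMT-SSH is an arbitrary ACL name.
enable
configure terminal
! Standard named ACL: permit only the internal management subnet, log and drop everything else
ip access-list standard MGMT-SSH
 permit 10.0.0.0 0.0.0.255
 deny   any log
exit
! Apply the ACL inbound on the vty lines and make SSH the only management transport
! (drops telnet rather than SSH). Leave the existing login method as it is.
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 exec-timeout 10 0
exit
! Refuse the legacy SSHv1 protocol so a scanner sees only SSHv2
ip ssh version 2
end
! Persist the change so it survives a reload
write memory
```

After applying it, `show access-lists MGMT-SSH` should show the deny counter climbing as the external scanner is blocked, and `show running-config | section line vty` confirms that `access-class MGMT-SSH in` and `transport input ssh` are both present. Test an SSH login from an internal host before leaving the session, since a mistyped subnet in the ACL locks out every remote login including the one you are using.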
 
PCI DSS also states you shouldn't use insecure stuff like FTP vs. SFTP, telnet vs. SSH. So switching to telnet over SSH wouldn't help you one bit.

I too have to follow PCI DSS, and I think everything it wants is good. Yes, it can be a pain in the ass, but it is forcing you to do things the right way instead of half-assing your security.
 