Vulnerability scanners are reporting that SSH protocol version 1 is enabled by default on Cisco IPS units. It is fairly simple to turn it off on the IPS if you have service-level privilege.
First, get into the service-level account. This is essentially the Linux shell underneath the IPS.
Once you are ssh'd in, open the sshd configuration file in vi and find the line that says:
#Protocol 2,1
Uncomment it and take out the ‘,1’ so it looks like this:
Protocol 2
Save the file and exit out of vi.
Restart the ssh daemon. (Warning: this may trigger a failover if these are IPSMs in a failover pair.)
/etc/init.d/S60ssh restart
Now test it: ssh into the device with protocol version 1 forced, and the server should refuse the connection with an error.
Voila, ssh version 1 is now disabled! Re-run the scan to confirm: with both protocols enabled an OpenSSH server's version banner reads SSH-1.99-..., and with protocol 2 only it reads SSH-2.0-..., which is what the scanner keys on.
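As an added example (not from the post and not Cisco's tooling), here is a small shell script that does the edit above in a repeatable way and adds the two checks you want afterwards: that the config's effective Protocol setting is exactly 2, and that a server's version banner no longer advertises protocol 1. It assumes the caller passes in the sshd_config path (the post does not name it), and the sample config and banners it works on are constructed for the demo, not captured from a device.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the sshd_config path
# is supplied by the caller; the sample config and banners below are constructed.

# Write a constructed sshd_config fragment with the commented-out default
# "#Protocol 2,1" line, mirroring what the post describes finding on the IPS.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real device file)
Port 22
#Protocol 2,1
ListenAddress 0.0.0.0
EOF
}

# Rewrite the Protocol directive in the given sshd_config to "Protocol 2".
# Handles the commented default ("#Protocol 2,1"), an explicit "Protocol 2,1"
# or "Protocol 1", and a config with no Protocol line at all (appends one).
# Only directive-shaped lines are touched, so prose comments mentioning
# "Protocol" are left alone.
harden_protocol() {
    cfg="$1"
    tmp="${cfg}.tmp.$$"
    pat='^[[:space:]]*#?[[:space:]]*Protocol[[:space:]]+[0-9,]+[[:space:]]*$'
    if grep -Eq "$pat" "$cfg"; then
        sed -E "s/$pat/Protocol 2/" "$cfg" > "$tmp"
    else
        cp "$cfg" "$tmp"
        printf 'Protocol 2\n' >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Return 0 if the config's effective Protocol setting is exactly "2".
# sshd honours the first occurrence of a keyword, so only the first active
# (uncommented) Protocol line counts. A missing directive is treated as a
# failure: the scanner found v1 enabled with the stock config, so "no line"
# is not evidence that v1 is off.
protocol_is_v2_only() {
    cfg="$1"
    val=$(grep -E '^[[:space:]]*Protocol[[:space:]]' "$cfg" | head -n 1 | awk '{print $2}')
    [ "$val" = "2" ]
}

# Return 0 if a server version banner advertises protocol 1.
# "SSH-1.99-..." means the server accepts both 1 and 2 (what a scanner flags),
# "SSH-1.5-..." is v1 only, and "SSH-2.0-..." is what a hardened server sends.
banner_allows_v1() {
    case "$1" in
        SSH-1.99-*|SSH-1.5-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed config: show the Protocol line after hardening.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
harden_protocol "$demo_cfg"
grep -n '^Protocol' "$demo_cfg"
rm -f "$demo_cfg"
```

To use it against a real box, copy the sshd_config off the device (or run the script in the service shell), call `harden_protocol /path/to/sshd_config`, confirm with `protocol_is_v2_only`, then restart sshd as above. After the restart, feed the first line the server sends on port 22 to `banner_allows_v1`; it should return non-zero.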