Cisco IOS SSH – changing ports

I’ve happily had IOS devices for many years, coming from a networking background and originally being CCNA trained made the obscure nature of Cisco IOS logical (how on earth did Apple get away with pinching IOS from Cisco as a TLA anyway?)

Devices with external access are limited but sometimes it’s handy to leave SSH around. It’s protected by ACLs and works well enough until now. Attacks on SSH are getting more common and I can see them crossing the various devices I’m responsible for in waves, I was never a big one for changing the port but now it’s necessary I found it’s easy but has a gotcha.

 

It’s a three step process, step 3 being the gotcha:

  1. Tell the SSH to listen on another port (or ports)
  2. Tell the console to use that listener config
  3. Block port 22 in the ACL

The actual commands:

Start in the console and “conf t” then add the new port to listen on (2222 in this case)

ip ssh port 2222 rotary 1

Tell the remote console VTY to use the new config and make sure there’s a suitable ACL

line vty 0 15

 access-class 150 in
 rotary 1

Make sure the ACL blocks port 22

access-list 150 deny tcp any any eq 22

 

My problem was I did all this initial commands from the official guide https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-ssh-term-line.html but didnt’ spot that changing the listener port doesn’t turn off the default port (22) and didn’t stop the attacks on that port. The ACL fixes that.

Obviously it’s not a full config and there are plenty of other tutorials on that if you can’t get SSH on your Cisco.