Prevent ASA 5505 SSH server from revealing version number

Posted on 2012-09-07
Last Modified: 2013-03-01

Can anyone please advise if it is possible to modify/restrict the advertised SSH version information when connecting to an ASA 5505 (with an IPS module). The purpose of this is to prevent a potential attacker taking advantage of identifying the version of SSH and then launching a targeted exploit.
The ASA does restrict the source IP range of where SSH connections can originate from.

The ASA is running version 8.4 code.


Question by: PhilMacavity

    Accepted Solution

    I believe you cannot change the advertised version, but Cisco ASA has increased security on SSH, as stated in the 8.4 release notes:

    "Increased SSH security; the SSH default username is no longer supported—Starting in 8.4(2), you can no longer connect to the ASA using SSH with the pix or asa username and the login password. To use SSH, you must configure AAA authentication using the aaa authentication ssh console LOCAL command (CLI) or Configuration > Device Management > Users/AAA > AAA Access > Authentication (ASDM); then define a local user by entering the username command (CLI) or choosing Configuration > Device Management > Users/AAA > User Accounts (ASDM). If you want to use a AAA server for authentication instead of the local database, we recommend also configuring local authentication as a backup method."

    Basically this means that an attacker won't be able to exploit an attack by trying the password of the previous default user (e.g. "pix"), but has to guess what user account you have configured (try avoiding the usual "Administrator", "admin" and the like).
    Besides, as you have written, you can also limit the range of outside sources allowed to connect by configuring the ssh command (i.e. ssh outside).

    Hope this helps.
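As an added example (not code from the thread, from Cisco, or from the accepted answer's author), the following Python script audits an ASA running-config text for the controls the answer describes: an `aaa authentication ssh console ...` line, at least one local `username` that is not an obvious guess, and `ssh <source> <mask> <interface>` lines that are not open to any source. It also checks for `ssh version 2`, a standard ASA command the thread does not mention. The two sample configs and the user name `netops-mgr` are constructed for illustration; nothing here attempts to alter the SSH banner, which the answer says cannot be changed.

```python
"""
Audit an ASA running-config (plain text) for the SSH access controls
discussed in the thread. Added example; sample configs are constructed.
Real ASA syntax used: 'aaa authentication ssh console LOCAL',
'username <name> password ...', 'ssh <source> <mask> <interface>',
'ssh version 2'.
"""
import re

# Constructed sample: the weak shape the answer warns about
# (no AAA, no local user, SSH reachable from any source on 'outside').
WEAK_CONFIG = """\
hostname asa-weak
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed sample: the hardened shape the answer describes.
HARDENED_CONFIG = """\
hostname asa-hardened
aaa authentication ssh console LOCAL
username netops-mgr password <redacted> privilege 15
ssh 203.0.113.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 5
"""

# Account names the answer says to avoid; these are guessed first.
COMMON_NAMES = {"admin", "administrator", "pix", "asa", "cisco", "root"}

SSH_LINE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
USER_LINE = re.compile(r"^username\s+(\S+)\s")


def audit_ssh_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. SSH logins must go through AAA (8.4(2)+ removed the default users).
    if not any(ln.startswith("aaa authentication ssh console") for ln in lines):
        findings.append("no 'aaa authentication ssh console ...' line: "
                        "SSH logins are not tied to AAA")

    # 2. At least one local user, and none with an easily guessed name.
    users = [m.group(1) for ln in lines if (m := USER_LINE.match(ln))]
    if not users:
        findings.append("no local 'username' defined for LOCAL authentication")
    for user in users:
        if user.lower() in COMMON_NAMES:
            findings.append(f"local user '{user}' has an easily guessed name")

    # 3. Source restriction: flag any 'ssh 0.0.0.0 0.0.0.0 <if>' rule.
    for src, mask, iface in (m.groups() for ln in lines if (m := SSH_LINE.match(ln))):
        if src == "0.0.0.0" and mask == "0.0.0.0":
            findings.append(f"ssh allowed from any source on interface '{iface}'")

    # 4. Protocol version: not in the thread, but a standard ASA setting.
    if "ssh version 2" not in lines:
        findings.append("'ssh version 2' not set: SSHv1 may still be negotiated")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ssh_config(cfg)
        print(f"{name}: {'OK' if not result else 'findings'}")
        for finding in result:
            print("  -", finding)
```

Run it against the output of `show running-config` saved to a file by reading that file into `audit_ssh_config`; the two embedded samples show the weak and hardened shapes side by side. The check only covers the four points above; it does not verify that the permitted source ranges are actually the intended management networks.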
