ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

SSH

  • Authentication

    An SSH server supports AAA authentication and public-key authentication. Only users that are authenticated can access a device and its command line interface.

  • Service disabling

    After the SSH server function is enabled on a device, the device starts listening on a socket, which makes it easy for attackers to find the device by scanning. When the SSH server function is not in use, disable the SSH server function and the related port.

  • Port number changes

    SSH server port 22 is a well-known port number. This port number is easily scanned and attacked. SSH server port 22 can be changed to a private port number to reduce the possibility of being scanned or attacked. A private port number can be 22 or range from 1025 to 65535.

  • ACLs

    ACLs can be configured for VTY channels in the user-interface view. These ACL rules define the IP addresses of clients from which users can log in using STelnet. These ACL rules take effect only for STelnet, not for other login methods.

    An ACL can be configured on a device functioning as an SSH server, not an SSH client. The ACL limits IP addresses of clients that access the device using STelnet, SFTP, SCP or SNETCONF.

  • Source interface allowed to access a device

    Source interfaces allowed to access an SSH server can be specified. Users must use the IP addresses of the specified source interfaces to log in to a device functioning as an SSH server. In this way, the access range is controlled, and device security is enhanced.

  • Source IPv6 address allowed to access a device

    The source IPv6 address allowed to access an SSH server can be specified. Users must use the IPv6 addresses of the specified source interfaces to log in to a device functioning as an SSH server. In this way, the access range is controlled, and device security is enhanced.
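
As an added example (not part of the Huawei guide), the following Python script audits a saved configuration against the hardening items listed above. The command spellings it matches, the constructed sample configurations, and the rule that a missing `server enable` line means the service is off are assumptions to check against the device's command reference.

```python
import re

# Constructed excerpts in the style of a VRP configuration dump. The command
# spellings are assumptions; check them against the device's command reference.
DEFAULT_CONFIG = """\
stelnet server enable
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
"""
HARDENED_CONFIG = """\
stelnet server enable
ssh server port 50022
ssh server acl 2001
ssh server-source -i LoopBack0
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
"""

def audit_ssh(config):
    """Return one finding per SSH hardening item that the config leaves open."""
    top, vty_acl, in_vty = [], False, False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":                      # top-level command starts a new stanza
            top.append(raw.strip())
            in_vty = raw.startswith("user-interface vty")
        elif in_vty and re.fullmatch(r"acl (ipv6 )?\S+ inbound", raw.strip()):
            vty_acl = True
    if not any(re.fullmatch(r"(stelnet|sftp|scp|snetconf) server enable", c) for c in top):
        return []                              # assumed: SSH services off, nothing listens
    findings = []
    ports = [int(m.group(1)) for c in top if (m := re.fullmatch(r"ssh server port (\d+)", c))]
    port = ports[-1] if ports else 22          # no port line means the default, 22
    if port == 22:
        findings.append("port: listening on well-known port 22")
    elif not 1025 <= port <= 65535:
        findings.append(f"port: {port} is outside 1025-65535")
    if not any(re.match(r"ssh server acl \S+", c) for c in top):
        findings.append("acl: no ACL bound to the SSH server")
    if not vty_acl:
        findings.append("vty: no inbound ACL on the VTY user interface")
    if not any(re.match(r"ssh (ipv6 )?server-source ", c) for c in top):
        findings.append("source: no source interface or IPv6 address set")
    return findings
```

Calling `audit_ssh(DEFAULT_CONFIG)` returns four findings (port, acl, vty, source), while `audit_ssh(HARDENED_CONFIG)` returns an empty list.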

Updated: 2019-01-04

Document ID: EDOC1100059445
