Friday, December 5, 2025

Configure Cisco SSH Diffie Hellman Size

Here's a Cisco link on improving the SSH protocol settings of a Cisco device. One of our Cisco switches was flagged for using a weak SSH protocol. I hardened it by enforcing SSH version 2 and a Diffie-Hellman minimum key size of 2048 bits. You can safely reconfigure the SSH settings on the fly; it won't break your current remote SSH session.

 

Switch#show ip ssh

SSH Enabled - version 1.99   // SSH VERSION 1

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 120 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

              

<OUTPUT TRUNCATED>

 

 

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#crypto key generate rsa general-keys modulus 2048

% You already have RSA keys defined named Switch.lab.com.

% They will be replaced.

 

% The key modulus size is 2048 bits

% Generating 2048 bit RSA keys, keys will be non-exportable...

[OK] (elapsed time was 10 seconds)

 

Switch(config)#ip ssh version 2

Switch(config)#ip ssh time-out 60

Switch(config)#ip ssh authentication-retries 3

Switch(config)#end

 

 

The DH minimum key size is still 1024 bits. You need to configure the additional command ip ssh dh min size 2048 in order to enforce it.

 

Switch#sh ip ssh

SSH Enabled - version 2.0

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 60 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 1024 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

<OUTPUT TRUNCATED>

 

Switch#configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Switch(config)#ip ssh ?

  authentication-retries  Specify number of authentication retries

  break-string            break-string

  client                  Configuration for client

  dh                      Diffie-Hellman

  dscp                    IP DSCP value for SSH traffic

  logging                 Configure logging for SSH

  maxstartups             Maximum concurrent sessions allowed

  port                    Starting (or only) Port number to listen on

  precedence              IP Precedence value for SSH traffic

  pubkey-chain            pubkey-chain

  rekey                   Configure rekey values

  rsa                     Configure RSA keypair name for SSH

  server                  Configuration for server

  source-interface        Specify interface for source address in SSH connections

  stricthostkeycheck      Enable SSH Server Authentication

  time-out                Specify SSH time-out interval

  version                 Specify protocol version to be supported

 

Switch(config)#ip ssh dh ?

  min  minimum

 

Switch(config)#ip ssh dh min ?

  size  key size

 

Switch(config)#ip ssh dh min size ?

  1024  Diffie Group 1 1024-bit key

  2048  Diffie Group 14 2048-bit key

  4096  Diffie Group 16 4096-bit key

 

Switch(config)#ip ssh dh min size 2048

Switch(config)#end

Switch#write memory

Building configuration...

Compressed configuration from 14884 bytes to 7248 bytes[OK]

 

Switch#show ip ssh

SSH Enabled - version 2.0

Authentication methods:publickey,keyboard-interactive,password

Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc

MAC Algorithms:hmac-sha1,hmac-sha1-96

Authentication timeout: 60 secs; Authentication retries: 3

Minimum expected Diffie Hellman key size : 2048 bits

IOS Keys in SECSH format(ssh-rsa, base64 encoded):

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdoqJ5UlIngWqSE/OJ6KMdkWKnRNEhodLg9yr3oEnD

7RFvLOu1SA7+/h0lJ1bctxsIfhwuRyiGm+9pKNtQ/b6xSkt0ZA3USBxvsUBPlp5ZXcW3LbLKi3is1234

<OUTPUT TRUNCATED> 
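The three `show ip ssh` captures above are the evidence that the switch is compliant; when there are many switches it is worth checking that output mechanically. The following added Python example (not code from the page or from Cisco) parses the page's before/after output and reports which of the hardening items still fail. It goes slightly beyond the post: besides the protocol version and the DH minimum, it also flags CBC-mode, 3DES and truncated-MAC algorithms that the switch still offers, which is a policy choice assumed here, not something the post configures.

```python
import re

# Constructed sample: the `show ip ssh` output before hardening, abbreviated
# from the page's transcript (SSH 1.99, DH minimum 1024 bits).
BEFORE = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
"""

# Constructed sample: the same switch after the change (SSH 2.0, DH 2048 bits).
AFTER = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
Authentication timeout: 60 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
"""

# Algorithms this audit treats as weak (an assumed policy, not from the page):
# CBC-mode ciphers, 3DES, and truncated or MD5-based MACs.
WEAK_CIPHER_PATTERNS = ("-cbc", "3des")
WEAK_MACS = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}


def parse_show_ip_ssh(text):
    """Extract the fields the audit needs from `show ip ssh` output."""
    def grab(pattern, conv=str, default=None):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else default

    return {
        "version": grab(r"SSH Enabled - version ([\d.]+)"),
        "dh_min_bits": grab(r"Minimum expected Diffie Hellman key size\s*:\s*(\d+) bits", int),
        "ciphers": grab(r"Encryption Algorithms:(\S+)", lambda s: s.split(","), []),
        "macs": grab(r"MAC Algorithms:(\S+)", lambda s: s.split(","), []),
        "auth_timeout": grab(r"Authentication timeout: (\d+) secs", int),
        "auth_retries": grab(r"Authentication retries: (\d+)", int),
    }


def audit(fields, min_dh_bits=2048):
    """Return (category, message) findings; an empty list means compliant."""
    findings = []
    # "1.99" means the server still negotiates protocol 1 with old clients,
    # so only "2.0" passes.
    if fields["version"] != "2.0":
        findings.append(("version", f"server reports {fields['version']}; set 'ip ssh version 2'"))
    if fields["dh_min_bits"] is None or fields["dh_min_bits"] < min_dh_bits:
        findings.append(("dh", f"DH minimum is {fields['dh_min_bits']} bits; "
                               f"set 'ip ssh dh min size {min_dh_bits}'"))
    weak = [c for c in fields["ciphers"] if any(p in c for p in WEAK_CIPHER_PATTERNS)]
    if weak:
        findings.append(("cipher", "weak ciphers offered: " + ",".join(weak)))
    weak = [m for m in fields["macs"] if m in WEAK_MACS]
    if weak:
        findings.append(("mac", "weak MACs offered: " + ",".join(weak)))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(parse_show_ip_ssh(text)) or "compliant")
```

Run against the page's "after" output the version and DH findings disappear, while the cipher and MAC findings remain, which is exactly what a scanner looking beyond the DH size would still report.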

  

Friday, October 3, 2025

Configure SSH Key in Cisco Nexus Switch

Here's a Cisco link on properly configuring SSH in a Cisco Nexus switch. The Nexus switch uses a default 1024-bit SSH RSA key. The correct way to configure a stronger SSH key in a Cisco Nexus switch is the ssh key rsa 2048 command. However, that works as-is only on a new Nexus switch.

To replace the SSH key on an existing switch, you'll need to disable the SSH feature first. If you're doing this remotely, without console access, it's advisable to enable Telnet for remote access first.

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# feature telnet

 

Open a new Telnet session to the Nexus switch, disable SSH, generate a new RSA key, re-enable SSH and disable Telnet.

 

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# no feature ssh

XML interface to system may become unavailable since ssh is disabled

Nexus(config)# no ssh key

Nexus(config)# ssh key rsa 2048 force

generating rsa key(2048 bits).....

..

generated rsa key

Nexus(config)# feature ssh

Nexus(config)# no feature telnet

Couldn't disable telnet: Current user is logged in though telnet  // OPEN A NEW SSH SESSION

 

 

Open a new SSH session to the Nexus switch to disable Telnet.

 

Nexus# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Nexus(config)# no feature telnet

Nexus# copy run start

[########################################] 100%

Copy complete.

 

Nexus# show ssh server

ssh version 2 is enabled    // SSH VERSION 2 ENABLED BY DEFAULT

 

Nexus# show ssh key

**************************************

rsa Keys generated:Fri Sep 19 07:20:22 2025

 

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfzzzzz

 

bitcount:2048

fingerprint:

b1:36:76:0f:e7:fe:79:2f:ee:e3:77:da:3c:1234:56

**************************************

could not retrieve dsa key information

bitcount: 0

**************************************
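The `show ssh key` output above reports `bitcount:2048` and an MD5-style fingerprint, but both can also be derived from the `ssh-rsa AAAA...` line itself, which is what you need when verifying a host key from a client side (`known_hosts` entry, first-connect prompt) rather than on the switch. The following added Python example, not code from the page or from Cisco, decodes the SSH wire-format blob (type string, exponent mpint, modulus mpint), returns the modulus bit count and the colon-separated MD5 fingerprint, and applies a minimum-size policy. The key material is constructed: the "modulus" is just a number of the right bit length, not a real RSA key.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """SSH mpint: big-endian two's complement; a leading 0x00 keeps it positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, off):
    """Read one wire-format string starting at offset `off`; reject truncation."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def build_rsa_key_line(e, n):
    """Constructed 'ssh-rsa AAAA...' line. `n` only needs the right bit
    length for this demonstration; it is not a real RSA modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii")


def inspect_ssh_rsa_key(key_line):
    """Decode an ssh-rsa public key line and return the modulus bit count and
    the MD5 fingerprint (colon-hex, as NX-OS and `ssh-keygen -l -E md5` show)."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob = base64.b64decode(parts[1], validate=True)
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("key type inside blob is %r" % keytype)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    modulus = int.from_bytes(n_bytes, "big")
    digest = hashlib.md5(blob).hexdigest()
    return {
        "bitcount": modulus.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "fingerprint": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)),
    }


def key_meets_policy(key_line, min_bits=2048):
    """True when the key's modulus is at least `min_bits` long."""
    return inspect_ssh_rsa_key(key_line)["bitcount"] >= min_bits


# Constructed samples: a 2048-bit value like the regenerated key and a
# 1024-bit value like the Nexus default. Neither is a usable RSA key.
SAMPLE_2048 = build_rsa_key_line(65537, (1 << 2047) + 12345)
SAMPLE_1024 = build_rsa_key_line(65537, (1 << 1023) + 12345)

if __name__ == "__main__":
    for line in (SAMPLE_2048, SAMPLE_1024):
        info = inspect_ssh_rsa_key(line)
        print(info["bitcount"], info["fingerprint"], key_meets_policy(line))
```

Feed a real key line from `show ssh key` to `inspect_ssh_rsa_key` and compare the fingerprint with what the switch prints; a mismatch on first connect is the signal to stop and investigate before accepting the host key.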

 

Saturday, September 6, 2025

Disconnect SSH Session in Cisco ASA

The Cisco ASA firewall supports up to 5 concurrent SSH logins (users). I received a report that some users couldn't log in to the ASA and encountered a connection refused error.

svr01 ~]$ ssh 192.168.1.254

ssh: connect to host 192.168.1.254 port 22: Connection refused

 

You can use the show ssh session command to view SSH users. Notice there's no available SSH session left.

ciscoasa# show ssh session

 

SID Client IP       Version Mode Encryption Hmac     State            Username
0   svr02        2.0     IN   aes128-ctr sha1     SessionStarted   admin1
                            OUT  aes128-ctr sha1     SessionStarted   admin1
1   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin2
                            OUT  aes128-ctr sha1     SessionStarted   admin2
2   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin3
                            OUT  aes128-ctr sha1     SessionStarted   admin3
3   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin4
                            OUT  aes128-ctr sha1     SessionStarted   admin4
4   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin5
                            OUT  aes128-ctr sha1     SessionStarted   admin5

 

You can manually disconnect an SSH user with the ssh disconnect <SESSION ID> privileged EXEC command. I was using SID 0 (admin1), so I couldn't disconnect my own SSH session.


ciscoasa# ssh ?

  disconnect  Specify SSH session id to be disconnected after this keyword

ciscoasa# ssh disconnect ?

  <0-2147483647>  SSH session id to be disconnected

ciscoasa# ssh disconnect 1

ciscoasa# ssh disconnect 2

ciscoasa# ssh disconnect 3

ciscoasa# ssh disconnect 4


ciscoasa# show ssh session    

SID Client IP       Version Mode Encryption Hmac     State            Username
0   svr02        2.0     IN   aes128-ctr sha1     SessionStarted   admin1
                            OUT  aes128-ctr sha1     SessionStarted   admin1

<BLANK>
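The `show ssh session` table is awkward to read by hand because every session spans two rows (IN and OUT). As an added example, not code from the page or from Cisco, the following Python parser reads that output, counts the sessions against the limit of 5 stated above, and builds the `ssh disconnect` commands for every session except the caller's own. The sample text is constructed from the page's capture; the "Client IP" column holds the anonymized host names the page shows.

```python
import re

SESSION_LIMIT = 5  # concurrent SSH sessions supported, as stated on the page

# Constructed sample modelled on the page's `show ssh session` output.
SAMPLE = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
0   svr02        2.0     IN   aes128-ctr sha1     SessionStarted   admin1
                            OUT  aes128-ctr sha1     SessionStarted   admin1
1   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin2
                            OUT  aes128-ctr sha1     SessionStarted   admin2
2   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin3
                            OUT  aes128-ctr sha1     SessionStarted   admin3
3   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin4
                            OUT  aes128-ctr sha1     SessionStarted   admin4
4   svr01 1.99    IN   aes128-ctr sha1     SessionStarted   admin5
                            OUT  aes128-ctr sha1     SessionStarted   admin5
"""

# Only the IN row starts with the SID; the indented OUT continuation row is
# skipped because it repeats the session with the other direction's algorithms.
ROW = re.compile(
    r"^(?P<sid>\d+)\s+(?P<client>\S+)\s+(?P<version>\S+)\s+IN\s+"
    r"(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<state>\S+)\s+(?P<user>\S+)\s*$"
)


def parse_ssh_sessions(text):
    """Return one dict per SSH session found in `show ssh session` output."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            s = m.groupdict()
            s["sid"] = int(s["sid"])
            sessions.append(s)
    return sessions


def free_slots(sessions, limit=SESSION_LIMIT):
    """How many more SSH logins the ASA will accept before refusing connections."""
    return max(0, limit - len(sessions))


def disconnect_commands(sessions, my_sid):
    """`ssh disconnect` commands for every session except the caller's own,
    which cannot be disconnected from inside itself."""
    return [f"ssh disconnect {s['sid']}" for s in sessions if s["sid"] != my_sid]


if __name__ == "__main__":
    sessions = parse_ssh_sessions(SAMPLE)
    print(f"{len(sessions)} sessions, {free_slots(sessions)} free")
    print("\n".join(disconnect_commands(sessions, my_sid=0)))
```

With the page's capture the parser finds five sessions and zero free slots, which explains the "Connection refused" seen from svr01; the generated commands match the four `ssh disconnect` lines the post runs.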

 

Sunday, August 3, 2025

Cisco ASA Firewall Global ACL

Refer to this link regarding the Global ACL in a Cisco ASA firewall; below are some of its caveats.

Global access policies are network policies that are applied to all the interfaces on an ASA. These policies are only applied to inbound network traffic. You can create a global access policy to ensure that a set of rules is applied uniformly to all the interfaces on an ASA.

 

Only one global access policy can be configured on an ASA. However, a global access policy can have more than one rule assigned to it, just like any other policy.


This is the order of rule-processing on the ASA:

  1. Interface access rules
  2. Bridge Virtual Interface (BVI) access rules
  3. Global access rules
  4. Implicit deny rules


ciscoasa(config)# access-list MY_GLOBAL_ACL extended permit ip any any

ciscoasa(config)# access-group MY_GLOBAL_ACL ?    

 

configure mode commands/options:

 global  For traffic on all interfaces

  in      For input traffic

  out     For output traffic

  <cr>

ciscoasa(config)# access-group MY_GLOBAL_ACL global
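The processing order quoted above has a consequence worth seeing concretely: because the implicit deny comes only after the global rules, a global ACL of `permit ip any any` (the one configured above) means inbound traffic that no interface ACL matches is permitted instead of dropped. The following added Python example, not code from the page or from Cisco, models first-match evaluation through the four stages. The interface ACL, the addresses and the packets are assumed for illustration; `MY_GLOBAL_ACL` is the page's rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One extended access-list entry; proto 'ip' and address 'any' are wildcards."""
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp", "udp", "icmp"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"


def _contains(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, proto, src, dst):
    return rule.proto in ("ip", proto) and _contains(rule.src, src) and _contains(rule.dst, dst)


def first_match(acl, proto, src, dst):
    """Access lists are first-match: return (index, rule) of the first hit, else None."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, proto, src, dst):
            return i, rule
    return None


def evaluate_inbound(proto, src, dst, interface_acl=None, bvi_acl=None, global_acl=None):
    """Apply the page's order to one inbound packet: interface rules, then
    BVI rules, then global rules, then implicit deny.
    Returns (action, stage, rule_index)."""
    for stage, acl in (("interface", interface_acl), ("bvi", bvi_acl), ("global", global_acl)):
        if acl:
            hit = first_match(acl, proto, src, dst)
            if hit:
                return hit[1].action, stage, hit[0]
    return "deny", "implicit", None


# Constructed sample policy. MY_GLOBAL_ACL is the page's `permit ip any any`;
# the interface ACL and the addresses are assumed for illustration.
OUTSIDE_IN = [
    Rule("deny", "ip", "198.51.100.0/24", "any"),
    Rule("permit", "tcp", "any", "10.0.0.10/32"),
]
MY_GLOBAL_ACL = [Rule("permit", "ip", "any", "any")]

if __name__ == "__main__":
    pkt = ("udp", "203.0.113.5", "10.0.0.20")  # matched by no interface rule
    print(evaluate_inbound(*pkt, interface_acl=OUTSIDE_IN))
    print(evaluate_inbound(*pkt, interface_acl=OUTSIDE_IN, global_acl=MY_GLOBAL_ACL))
```

The same UDP packet is dropped by the implicit deny without a global ACL and permitted by the global rule once `MY_GLOBAL_ACL` is applied; an explicit deny in the interface ACL still wins because it is evaluated first. When you add a global ACL, review what the interface ACLs were silently dropping.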

 

Wednesday, July 2, 2025

Factory Reset a Cisco ASA Firewall in Multiple Context

To factory reset a Cisco ASA firewall in multiple context mode, you'll need to issue "write erase" and then "reload" from the "system" context. You can verify the current ASA mode using the "show mode" CLI command.

 

ciscoasa/admin# changeto system

ciscoasa# show mode 

Security context mode: multiple

 

 

ciscoasa# write erase

Erase configuration in flash memory? [confirm]

[OK]


ciscoasa# reload

Proceed with reload? [confirm]

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down webvpn

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

***

*** --- SHUTDOWN NOW ---

Process shutdown finished

Rebooting... (status 0x9)

 

<OUTPUT TRUNCATED>

 

 

After the reload the ASA still comes up in multiple mode. You'll need to convert it back to single mode using the "mode single" global configuration command; it will reboot automatically after the confirmation.

 

 

ciscoasa> enable

Password: <ENTER>

ciscoasa# show mode

Security context mode: multiple

 

 

ciscoasa# configure terminal

ciscoasa(config)# mode ?       

 

configure mode commands/options:

  multiple   Multiple mode; mode with security contexts

  noconfirm  Do not prompt for confirmation

  single     Single mode; mode without security contexts

ciscoasa(config)# mode single

WARNING: This command will change the behavior of the device

WARNING: This command will initiate a Reboot

Proceed with change mode? [confirm]

Security context mode: single

ciscoasa(config)#

 

 

***

*** --- START GRACEFUL SHUTDOWN ---

***

*** Message to all terminals:

***

***   change mode

Shutting down isakmp

Shutting down sw-module

Shutting down License Controller

Shutting down File system

 

 

***

*** --- SHUTDOWN NOW ---

***

*** Message to all terminals:

***

***   change mode

Process shutdown finished

 

<OUTPUT TRUNCATED>

 

ERROR: MIGRATION - Could not get the startup configuration.

 

Cryptochecksum (changed): d41d8cd9 8f00b204 e9800998 ecf8427e

INFO: converting 'fixup protocol dns maximum-length 512' to MPF commands

ERROR: Inspect configuration of this type exists, first remove

that configuration and then add the new configuration

INFO: converting 'fixup protocol ftp 21' to MPF commands

INFO: converting 'fixup protocol h323_h225 1720' to MPF commands

INFO: converting 'fixup protocol h323_ras 1718-1719' to MPF commands

INFO: converting 'fixup protocol ip-options 1' to MPF commands

INFO: converting 'fixup protocol netbios 137-138' to MPF commands

INFO: converting 'fixup protocol rsh 514' to MPF commands

INFO: converting 'fixup protocol rtsp 554' to MPF commands

INFO: converting 'fixup protocol sip 5060' to MPF commands

INFO: converting 'fixup protocol skinny 2000' to MPF commands

INFO: converting 'fixup protocol smtp 25' to MPF commands

INFO: converting 'fixup protocol sqlnet 1521' to MPF commands

INFO: converting 'fixup protocol sunrpc 111' to MPF commands

INFO: converting 'fixup protocol sunrpc_udp 111' to MPF commands

INFO: converting 'fixup protocol tftp 69' to MPF commands

INFO: converting 'fixup protocol sip udp 5060' to MPF commands

INFO: converting 'fixup protocol xdmcp 177' to MPF commands

 

INFO: Power-On Self-Test in process.

.......................................................................

INFO: Power-On Self-Test complete.

 

INFO: Starting HW-DRBG health test...

INFO: HW-DRBG health test passed.

 

INFO: Starting SW-DRBG health test...

INFO: SW-DRBG health test passed.

Pre-configure Firewall now through interactive prompts [yes]? CXSC module is no longer supported and was prevented from booting

Consider uninstalling the unsupported CXSC module with the command 'sw-module module cxsc uninstall'

 

Firewall Mode [Routed]: <CTRL+C>

 

 

User enable_1 logged in to ciscoasa

Logins over the last 1 days: 1. 

Failed logins since the last login: 0. 

Type help or '?' for a list of available commands.

ciscoasa> enable

Password:

ciscoasa# show mode

Security context mode: single


Thursday, June 5, 2025

Hardening a FortiGate Firewall using Copilot AI

I used the Microsoft Copilot AI tool to help generate a list of steps for "hardening" a FortiGate firewall. Below are the results of this query.


Hardening a FortiGate firewall involves configuring it to maximize security, reduce attack surfaces, and ensure best practices are followed. Here's a comprehensive guide to help you harden your FortiGate firewall:

 

🔐 1. Update Firmware

  • Always run the latest stable firmware to patch known vulnerabilities.
  • Regularly check Fortinet’s support site for updates.

 

🔧 2. Disable Unused Services

  • Disable services like Telnet, HTTP, SNMP, and FTP if not in use.
  • Use secure alternatives (e.g., SSH instead of Telnet, HTTPS instead of HTTP).

 

🔒 3. Secure Administrative Access

  • Restrict access to the management interface by IP.
  • Use HTTPS and SSH only for admin access.
  • Change default ports for admin access (e.g., from 443 to a non-standard port).
  • Enable two-factor authentication (2FA) for all admin accounts.
  • Limit login attempts and enable account lockout.

 

🛡️ 4. Configure Firewall Policies Carefully

  • Use the principle of least privilege—only allow necessary traffic.
  • Enable logging on all policies for auditing.
  • Use application control, web filtering, and IPS where appropriate.

 

🧱 5. Enable Intrusion Prevention System (IPS)

  • Apply IPS profiles to relevant policies.
  • Regularly update IPS signatures.

 

🧬 6. Use Antivirus and Anti-Malware

  • Enable antivirus scanning on applicable policies.
  • Use FortiGuard services for real-time protection.

 

🌐 7. DNS and Web Filtering

  • Use FortiGuard DNS filtering to block malicious domains.
  • Apply web filtering profiles to control access to risky or inappropriate content.

 

📊 8. Monitor and Log Activity

  • Enable logging to a remote syslog server or FortiAnalyzer.
  • Regularly review logs for suspicious activity.
  • Set up alerts for critical events.

 

🧾 9. Backup Configuration

  • Regularly back up your configuration.
  • Store backups securely and offline if possible.

 

🧰 10. Use Virtual Domains (VDOMs)

  • Segment networks using VDOMs for better isolation and control.

 

Saturday, May 3, 2025

Enable Overlap IP Address in a FortiGate VDOM

Here's a Fortinet link on enabling overlapping IP addresses in a FortiGate VDOM. I subnetted a public IP address range and allocated a /31 subnet for the point-to-point WAN link to an ISP. I wasn't able to configure the /31 public IP address because its subnet overlapped with another interface's.


FGT (interface) # edit "npu0_vlink0.10"
new entry 'npu0_vlink0.10' added
 
FGT (npu0_vlink0.10) # set vdom "isp"
 
FGT (npu0_vlink0.10) # set ip 46.40.14.8 255.255.255.254
Subnets overlap between 'npu0_vlink0.10' with primary IP of 'po1.10'
node_check_object fail! for ip 46.40.14.8 255.255.255.254
 
value parse error before '255.255.255.254'
Command fail. Return code -54

I had to configure the set allow-subnet-overlap enable command under the VDOM's system settings (config system setting), and I was able to apply the /31 public WAN IP address afterwards.

FGT # config vdom

FGT(vdom) # edit isp
current vf=isp:4
 
FGT(isp) # config system setting
 
FGT(settings) # set allow
allow-linkdown-path     Enable/disable link down path.
allow-subnet-overlap    Enable/disable allowing interface subnets to use overlapping IP addresses.
 
FGT(settings) # set allow-subnet-overlap
enable     Enable overlapping subnets.
disable    Disable overlapping subnets.

FGT(settings) # set allow-subnet-overlap enable

FGT(settings) # end
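The `Subnets overlap between ... node_check_object fail!` error above is the FortiGate refusing an address whose subnet intersects another interface's subnet in the same VDOM. The following added Python example, not code from the page or from Fortinet, reproduces that check offline so you can find the conflicting interface (and decide whether `allow-subnet-overlap` is really what you want) before touching the box. The /31 and the interface names are the page's; the address of `po1.10` is assumed, since the page only says that its subnet overlaps.

```python
import ipaddress


def parse_fgt_ip(spec):
    """Turn a FortiGate 'ip mask' string (e.g. '46.40.14.8 255.255.255.254')
    into the network that address occupies."""
    ip, mask = spec.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def find_overlaps(interfaces):
    """interfaces: {name: 'ip mask'}. Return [(name_a, name_b)] for every pair
    of interfaces whose subnets overlap, the condition FortiGate rejects by default."""
    nets = {name: parse_fgt_ip(spec) for name, spec in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_new_address(name, spec, existing, allow_subnet_overlap=False):
    """Pre-check an address before applying it. Returns (ok, reason), with the
    reason phrased like the FortiGate error when the check fails."""
    new = parse_fgt_ip(spec)
    clashes = [other for other, s in existing.items() if parse_fgt_ip(s).overlaps(new)]
    if clashes and not allow_subnet_overlap:
        return False, f"Subnets overlap between '{name}' with primary IP of '{clashes[0]}'"
    return True, "ok"


# Constructed sample: the page's new /31 on npu0_vlink0.10. The po1.10 address
# is assumed (a /28 that contains the /31), as the page does not show it.
EXISTING = {"po1.10": "46.40.14.1 255.255.255.240"}
NEW_IF, NEW_IP = "npu0_vlink0.10", "46.40.14.8 255.255.255.254"

if __name__ == "__main__":
    print(check_new_address(NEW_IF, NEW_IP, EXISTING))
    print(check_new_address(NEW_IF, NEW_IP, EXISTING, allow_subnet_overlap=True))
    print(find_overlaps({**EXISTING, NEW_IF: NEW_IP}))
```

Enabling `allow-subnet-overlap` silences the check for the whole VDOM, so running `find_overlaps` over the VDOM's interface table afterwards is a cheap way to make sure the /31 is the only overlap you have accepted.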