Protecting the serial and vty connections

Is there a way with Cumulus Linux to protect the serial and vty connections as is possible with Cisco IOS? Example from a Catalyst switch:

line con 0
  exec-timeout 30 0
  password 7 XXXXX
line vty 0 4
  access-class <ACL name> in
  exec-timeout 30 0
  password 7 XXXXX
  logging synchronous
  length 0
  transport input ssh
  transport output none
Posted by RichardD, 6 months ago
Eric Pulvino, Official Rep
"exec-timeout 30 0" is equivalent to setting the following two lines in the sshd_config file:
# /etc/ssh/sshd_config
# Sets the SSH Timeout to 30 mins
# (60 sec * 30 mins = 1800 sec)
ClientAliveInterval 1800
ClientAliveCountMax 0

Some other sshd_config options that might be of interest:
# Amount of time we'll wait for a user to complete the login
LoginGraceTime 120
# Max Concurrent SSH Sessions
MaxSessions 2
# Max Number of Unauthenticated SSH Sessions
MaxStartups 10:30:60
# 10: Number of unauthenticated connections before we start dropping
# 30: Percentage chance of dropping once we reach 10 (increases linearly for more than 10)
# 60: Maximum number of connections at which we start dropping everything

To apply the settings, modify the /etc/ssh/sshd_config file with the options you like from above, then restart ssh to affect all future SSH sessions.
sudo systemctl restart sshd

In Linux, once a user account is created, it is available for all login methods by default. So the "password 7 XXXXX" line is unneeded.

ACL Docs are here
ACLs can be set to protect SSH using the INPUT chain like this.

# /etc/cumulus/acl/policy.d/90new.rules
# <source prefix> is the address or network the rule applies to
-t filter -A INPUT -s <source prefix> -p tcp --dport 22 -j DROP

sudo cl-acltool -i

"Term length 0" is the default in Linux.
There is no equivalent to the logging synchronous flag that I'm aware of.
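A stand-alone audit of the sshd_config settings listed in the reply above, added here as an example and not part of the original thread. It reads the first occurrence of each keyword, as sshd itself does, so a duplicate line further down cannot silently override an earlier one; the sample config it runs against is constructed.

```shell
#!/bin/sh
# Usage: sshd_setting <config-file> <Keyword>
# Prints the effective value of a keyword: the first non-comment match,
# case-insensitive, because sshd uses the first value it finds for a keyword.
# Prints nothing if the keyword is not set (the compiled-in default applies).
sshd_setting() {
    awk -v key="$2" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Usage: audit_sshd <config-file>
# Compares the effective values with the ones the reply recommends.
# Returns the number of settings that deviate (0 means all match).
audit_sshd() {
    cfg=$1; bad=0
    for pair in ClientAliveInterval=1800 ClientAliveCountMax=0 \
                LoginGraceTime=120 MaxSessions=2 MaxStartups=10:30:60; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_setting "$cfg" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok       $key $have"
        else
            echo "DEVIATES $key (want $want, have '${have:-unset}')"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample config for a stand-alone run (not a real switch's file).
# MaxSessions is deliberately left out so one deviation is reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# /etc/ssh/sshd_config (constructed sample)
ClientAliveInterval 1800
ClientAliveCountMax 0
LoginGraceTime 120
MaxStartups 10:30:60
# MaxSessions 2   <- commented out, so it does not count
EOF
audit_sshd "$SAMPLE"; echo "deviations: $?"
```

On a live box, run it against /etc/ssh/sshd_config after editing and before the restart; keyword=value syntax and Match blocks are not handled by this simple parser.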
RichardD
Thank you Eric for the quick reply