I've decided to dedicate a separate blog to describing my lab and journaling its upgrades. I've started to realize the value of owning real network equipment as opposed to doing a remote lab or GNS3 emulation. It teaches me the intricacies of networking and a deep understanding of the technology. This also trains me to become better at network design and physical troubleshooting, which is needed if someone wants to attempt any CCIE lab exam.
I'm halfway through with FIREWALL and beginning to miss routing and switching. So I've spent a night trying to secure my 871w router. This would also serve as my CCNA Security 101 review.
Device hardening is an essential task that a networking professional must never overlook. It involves implementing methods for securing the router's administrative access using the command-line interface (CLI) as well as the web graphical user interface (GUI).
Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all networking personnel should have the same level of access to devices, defining administrative roles is another important aspect of securing infrastructure devices.
Many router services are enabled by default for historical (legacy) reasons but are no longer required in today's networks. Securing the management and reporting features of Cisco IOS devices is also important.
Minimum Character Length
It is strongly recommended that the minimum password length be set to at least 10 characters, which rules out the short, common passwords found on most networks, such as "lab" and "cisco." Note that security passwords min-length is enforced only on passwords configured after the command is entered; it does not go back and reject passwords already in the configuration, so re-set any existing short ones.
871W(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
871W(config)#security passwords min-length 10
871W(config)#enable secret cisco
% Password too short - must be at least 10 characters. Password not configured.
Disable Unattended Connections
By default, a line's EXEC session stays logged in for 10 minutes after the last activity. After that, the line times out and the session is logged out. The timer is set per line, so apply it to the console and to every vty line. The optional second argument is seconds, and exec-timeout 0 0 (or just exec-timeout 0) disables the timer entirely, which is the one value never to use on a vty.
871W(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
871W(config-line)#exec-timeout 5
Encrypt All Passwords
By default, some passwords appear in plaintext in the Cisco IOS configuration. With the exception of the enable secret password, which is stored as a one-way MD5 hash (type 5) on this release, every plaintext password in the configuration file can be obscured with the service password-encryption command.
This is weak, reversible encryption (type 7): the password is XORed against a fixed key that has been public for years, so anyone who can read the configuration can recover the plaintext in seconds with freely available tools. Its only real purpose is to stop someone from "shoulder surfing" while you're logged in to a device. It is no substitute for enable secret, and an enable password should be removed once enable secret is configured, since IOS ignores it anyway when a secret is present.
871W#show running-config
Building configuration...
Current configuration : 513 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 871W
!
!
!
enable password ciscocisco
871W#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
871W(config)#service password-encryption
871W(config)#end
%SYS-5-CONFIG_I: Configured from console by console
871W#show running-config
Building configuration...
Current configuration : 537 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname 871W
!
!
!
enable password 7 0822455D0A16
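To show just how weak type 7 is, here is an added example (my own code, not something from the original post or from Cisco) that decodes and re-encodes type-7 strings and then audits a constructed running-config excerpt for every reversible secret. The type-7 string displayed above, 0822455D0A16, decodes to "cisco". The key constant is Cisco's well-known fixed key; the sample configuration, the offset range of 0 to 15, and the names decode_type7, encode_type7 and audit_config are my assumptions for the illustration.

```python
import re

# Cisco's fixed type-7 key. It has been public since the 1990s, which is what makes
# "service password-encryption" an obfuscation rather than a protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Decode a type-7 string: two decimal digits give the key offset, then each
    character is one hex byte XORed with the key byte at (offset + position) mod 40."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even-length hex string of at least 4 digits")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]) for i, b in enumerate(body))


def encode_type7(plaintext: str, offset: int = 0) -> str:
    """Inverse of decode_type7. IOS picks an offset in 0..15 (assumed range), so enforce it."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be between 0 and 15")
    body = "".join(f"{ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
                   for i, c in enumerate(plaintext))
    return f"{offset:02d}{body}"


# Any "password 7 <hex>", "key 7 <hex>" or "key-string 7 <hex>" line is a reversible secret.
TYPE7_LINE = re.compile(r"^.*?\b(?:password|key-string|key)\s+7\s+(?P<blob>[0-9A-Fa-f]+)\s*$")


def audit_config(config_text: str) -> dict:
    """Walk a running-config, decode every type-7 secret, and flag the case where an
    enable password is present but no enable secret is configured."""
    type7 = []
    has_enable_secret = has_enable_password = False
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("enable secret"):
            has_enable_secret = True
        elif line.startswith("enable password"):
            has_enable_password = True
        m = TYPE7_LINE.match(line)
        if m:
            type7.append((lineno, line, decode_type7(m.group("blob"))))
    return {
        "type7": type7,
        "enable_secret_missing": has_enable_password and not has_enable_secret,
    }


# Constructed excerpt modelled on the running-config shown above; not a real device dump.
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
hostname 871W
!
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
line vty 0 4
 exec-timeout 5 0
 login local
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for lineno, line, plain in report["type7"]:
        print(f"line {lineno}: {line!r} -> {plain!r}")
    if report["enable_secret_missing"]:
        print("enable password is set but enable secret is not: replace it with enable secret")
```

Run it against your own show running-config output instead of the sample and every type-7 value comes back in plaintext, which is the argument for treating a configuration backup as a secret in its own right.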
Configuring Enhanced Security for Virtual Logins
The Cisco IOS login enhancements feature adds protection for virtual connections, such as Telnet, SSH or HTTP, by slowing down dictionary attacks and limiting the effect of login-based DoS attacks. The quiet-mode access class must already exist and should permit only trusted management hosts; those hosts can still log in while the router is in quiet mode, and if no access class is applied every login is refused for the block-for period. To make use of the feature, the login process should be configured with specific parameters:
* Delays between successive login attempts
* Login shutdown if DoS attacks are suspected
* Generation of system logging messages for login detection
871W(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
871W(config)#login block-for ?
<1-65535> Time period in seconds
871W(config)#login block-for 30 ?
attempts Set max number of fail attempts
871W(config)#login block-for 30 attempts 5 ?
within Watch period for fail attempts
871W(config)#login block-for 30 attempts 5 within ?
<1-65535> Time period in seconds
871W(config)#login block-for 30 attempts 5 within 60
871W(config)#login quiet-mode ?
access-class Set access class
871W(config)#login quiet-mode access-class ?
<1-199> IP access list
<1300-2699> IP expanded access list
WORD Access-list name
871W(config)#login quiet-mode access-class 10
871W(config)#login delay ?
<1-10> Time period in seconds
871W(config)#login delay 5
871W(config)#login on-success log
871W(config)#login on-failure log
871W(config)#do show login
A login delay of 5 seconds is applied.
Quiet-Mode access list 10 is applied.
All successful login is logged.
All failed login is logged.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or less,
logins will be disabled for 30 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 37 seconds.
Login failures for current window: 0.
Total login failures: 0.
871W(config)#do terminal monitor
871W(config)#
*May 19 23:10:17.402 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:17 UTC Wed May 19 2010
871W(config)#
*May 19 23:10:25.151 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:25 UTC Wed May 19 2010
871W(config)#
*May 19 20:10:09.241 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.12] [localport: 23] at 20:10:09 UTC Wed May 19 2010
871W(config)#do show login failures
Total failed logins: 2
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
asdf 192.168.1.12 23 2 20:12:03 UTC Wed May 19 2010
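The %SEC_LOGIN messages above are only useful if something reads them, so here is an added example (my own code, not from the original post or from Cisco) that parses those syslog lines and replays the failures through the same "attempts within seconds" rule the router applies with login block-for. The first two log lines are copied from the output above; the rest are constructed to show a source that does trip the threshold and one that does not. One deliberate difference: the router keeps a single global failure counter, while this example keys failures by source address, which is the more useful view when a collector is correlating several devices. It fires on the Nth failure; confirm the exact boundary on your release from the wording of show login. The function and sample names are my assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches the messages produced by "login on-success log" and "login on-failure log".
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>FAILED|SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] \[localport: (?P<port>\d+)\]"
    r".*? at (?P<time>\d\d:\d\d:\d\d) UTC \w{3} (?P<date>\w{3} \d{1,2} \d{4})"
)


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    success: bool
    user: str
    source: str
    port: int


def parse_login_events(text: str) -> list:
    """Pull every SEC_LOGIN line out of a syslog or terminal-monitor capture, in file order."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
        events.append(LoginEvent(when, m["outcome"] == "SUCCESS", m["user"], m["source"], int(m["port"])))
    return events


def detect_bruteforce(events, attempts=5, within=60):
    """Sliding-window version of "login block-for <quiet> attempts <attempts> within <within>":
    once a source accumulates `attempts` failures inside `within` seconds, report it and reset
    its window, as the router does when it drops into quiet mode. Returns (source, time) pairs."""
    window = timedelta(seconds=within)
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.success:
            continue
        q = recent[ev.source]
        q.append(ev.when)
        while q and ev.when - q[0] > window:   # discard failures that fell out of the window
            q.popleft()
        if len(q) >= attempts:
            alerts.append((ev.source, ev.when))
            q.clear()
    return alerts


def summarize_failures(events) -> dict:
    """Same rollup as "show login failures": failure count per (user, source)."""
    counts = defaultdict(int)
    for ev in events:
        if not ev.success:
            counts[(ev.user, ev.source)] += 1
    return dict(counts)


# Constructed sample: first two lines copied from the router output above, the rest invented
# in the same format (five quick failures from 10.0.0.99, a slow third failure from .11).
SAMPLE_LOG = """\
*May 19 23:10:17.402 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:17 UTC Wed May 19 2010
*May 19 23:10:25.151 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:25 UTC Wed May 19 2010
*May 19 23:11:02.000 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.12] [localport: 23] at 23:11:02 UTC Wed May 19 2010
*May 19 23:12:10.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:12:10 UTC Wed May 19 2010
*May 19 23:12:15.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:12:15 UTC Wed May 19 2010
*May 19 23:12:21.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:12:21 UTC Wed May 19 2010
*May 19 23:12:28.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:12:28 UTC Wed May 19 2010
*May 19 23:12:40.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:12:40 UTC Wed May 19 2010
*May 19 23:20:00.000 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:20:00 UTC Wed May 19 2010
"""

if __name__ == "__main__":
    evs = parse_login_events(SAMPLE_LOG)
    for src, when in detect_bruteforce(evs, attempts=5, within=60):
        print(f"quiet-mode trigger: {src} at {when:%H:%M:%S}")
    for (user, src), n in summarize_failures(evs).items():
        print(f"{user:<10} {src:<16} {n}")
```

Point it at a syslog file collected from the router (logging host, not terminal monitor) and the block-for parameters you chose, and it tells you which sources would have tripped quiet mode and which ones are simply mistyping.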
Banner
A device banner is generally used to warn users against unauthorized access attempts and to display maintenance-related information or reminders for all administrators. Because the login banner is shown before authentication, everything in it, including an expanded $(hostname) token, is disclosed to anyone who can reach the line; keep it to the legal warning and avoid wording such as "welcome" that could be read as an invitation.
Tokens are optional and can be used within the banner message:
$(hostname) - Displays the host name for the router
$(domain) - Displays the domain name for the router
$(line) - Displays the vty or tty (asynchronous) line
$(line-desc) - Displays the description that is attached to the line
871W(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
871W(config)#banner login # This equipment $(hostname) is privately owned and access is logged. Disconnect immediately if you are not an authorized user. Violators will be prosecuted to the fullest extent of the law. #