Saturday, July 6, 2019

Securing Cisco Router Management Plane

A Cisco router’s architecture can be categorized into three operational planes:

* Management plane: The management plane is concerned with the management of the device. For example, an administrator connecting to a router through a Secure Shell (SSH) connection through one of the router’s VTY lines would be a management plane operation.

* Control plane: The control plane is concerned with making packet-forwarding decisions. For example, routing protocol operation would be a control plane function.

* Data plane: The data plane is concerned with the forwarding of data through a router. For example, end-user traffic traveling from a user’s PC to a web server on a different network would go across the data plane.

Below are some approaches to securing the management plane on a Cisco router.


Secure Shell Versus Telnet

Cisco strongly recommends using Secure Shell (SSH) instead of Telnet. The issue with Telnet is that it sends data (including passwords) across a network in clear text. This opens the door for a malicious user to launch a man-in-the-middle attack and use packet capture software to read the contents of the Telnet session’s packets. Fortunately, SSH encrypts this traffic. So, even if a malicious user did capture packets from the SSH session, the packets would be unreadable.


Password Encryption

Ideally, all passwords associated with your routers would be stored on an external AAA server; however, it is often necessary to locally store passwords on a router. If someone were to see that router’s running configuration, she would be able to see any of those passwords, if they were in clear text. Therefore, a best-practice security recommendation is to encrypt any passwords appearing in a router’s configuration. Cisco IOS has a few different passwords that you might want to encrypt (or represent as a hash value), including the enable secret password, line password, and username password.


Unicast Reverse Path Forwarding

One approach to preventing malicious traffic from entering a network is to use Unicast Reverse Path Forwarding (uRPF). Specifically, uRPF can help block packets having a spoofed IP address. The way that uRPF works is to check the source IP address of a packet arriving on an interface and determine whether that IP address is reachable, based on the router’s Forwarding Information Base (FIB) used by Cisco Express Forwarding (CEF). Optionally, the router can also check to see whether the packet is arriving on the interface the router would use to send traffic back to that IP address.

Note: CEF must be enabled on a router to use uRPF.

You can choose between three modes of operation for uRPF:

* Strict mode: With strict mode operation, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address.

* Loose mode: With loose mode operation, a router only verifies that the source IP address of a packet is reachable, based on the router’s FIB.

* VRF mode: Virtual Routing and Forwarding (VRF) is a technology that allows a router to have multiple IP routing table instances, thus allowing overlapping IP addresses to be used. uRPF operating in VRF mode (also known as uRPF version 3 or uRPFv3) is similar to loose mode operation in that source IP addresses are checked against the FIB for a specific VRF.
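The strict and loose checks above are easy to reason about once they are written down as a lookup against the FIB. The following is an added example, not code from the original post: a small Python model of the uRPF decision, using a constructed FIB modelled on R2 in this lab (prefix to egress interface) and a few constructed packets, one of them with a spoofed source. The interface names and the default route being left out are assumptions made for the demonstration.

```python
import ipaddress

# Constructed FIB, modelled on R2 in the lab topology on this page: each
# prefix maps to the interface R2 would use to reach it. The default route is
# left out on purpose so that a source with no route can be shown being
# dropped (IOS has an "allow-default" option for the case where a default
# route should count as a match).
FIB = {
    "192.168.1.0/24": "Serial2/0",
    "10.1.1.0/30": "Serial2/0",
    "192.168.3.0/24": "Serial2/1",
    "10.2.2.0/30": "Serial2/1",
}


def fib_lookup(fib, address):
    """Longest-prefix match: return the egress interface for address, or None."""
    addr = ipaddress.ip_address(address)
    best_net, best_iface = None, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_check(fib, source_ip, ingress_iface, mode="strict"):
    """Return True if a packet with this source arriving on ingress_iface
    passes the uRPF check, False if uRPF would drop it."""
    egress = fib_lookup(fib, source_ip)
    if egress is None:
        # Source not in the FIB at all: dropped in both strict and loose mode.
        return False
    if mode == "loose":
        # Loose mode only requires the source to be reachable somewhere.
        return True
    if mode == "strict":
        # Strict mode also requires symmetry: the packet must arrive on the
        # interface the router would use to send traffic back to its source.
        return egress == ingress_iface
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (source IP, interface the packet arrived on, note)
PACKETS = [
    ("192.168.1.10", "Serial2/0", "legitimate host behind R1"),
    ("192.168.1.10", "Serial2/1", "R1-side address spoofed from the R3 side"),
    ("172.16.0.1", "Serial2/0", "source with no route at all"),
]


def evaluate(mode):
    """Run every constructed packet through uRPF in the given mode."""
    return [(src, iface, urpf_check(FIB, src, iface, mode))
            for src, iface, _ in PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, iface, ok in evaluate(mode):
            print(f"{mode:6} {src:14} on {iface}: {'pass' if ok else 'DROP'}")
```

The spoofed packet is the interesting row: loose mode lets it through because 192.168.1.0/24 is in the FIB, while strict mode drops it because the route points out Serial2/0, not the interface it arrived on. That is also why strict mode is only safe on links with symmetric routing; on a router with two paths to the same prefix, legitimate return traffic can fail the same test.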


Authentication, Authorization, and Accounting (AAA)

Enforcing router login security in larger networks can be challenging if you have to manage multiple user databases (for example, having a separate user database locally configured on each router of your network). Fortunately, with AAA (authentication, authorization, and accounting) services, you can have a single repository for user credentials. Then, when a network engineer attempts to log in to, for example, a router, the credentials that she supplies can be authenticated against a centralized AAA database.

Three services are offered by a AAA server, as follows:

* Authentication: The authentication service can check a user’s credentials to confirm he is who he claims to be.

* Authorization: After being authenticated, the authorization service determines what that user is allowed to do.

* Accounting: The accounting service can collect and store information about a user’s login. This information can be used, for example, to keep an audit trail of what a user did on the network.


SNMP Security

SNMP offers security against malicious users attempting to collect information from a managed device, change the configuration of a managed device, or intercept information being sent to an NMS. However, the security integrated with SNMPv1 and SNMPv2c is considered weak. Specifically, SNMPv1 and SNMPv2c use community strings to gain read-only or read-write access to a managed device. You can think of a community string as being much like a password.

If you do need to secure an SNMPv1 or SNMPv2c environment, you should change the community strings to nondefault values and possibly reference an ACL. The ACL could match a trusted subnet of management stations or a specific IP address of a management station.

SNMPv3 offers three primary security enhancements:

* Integrity: Using hashing algorithms, SNMPv3 ensures that an SNMP message was not modified in transit.

* Authentication: Hashing allows SNMPv3 to validate the source of an SNMP message.

* Encryption: Using the DES, 3DES, or AES encryption algorithm, SNMPv3 provides privacy for SNMP messages, making them unreadable by an attacker who might capture SNMP packets.
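The integrity and authentication services are both provided by one keyed hash, and SNMPv3's User-based Security Model ties that key to the device's engine ID. The following is an added example, not code from the original post: it implements the RFC 3414 password-to-key derivation with SHA-1 localization and the HMAC-SHA-96 authentication tag (the first 12 bytes of HMAC-SHA-1), then shows a genuine message verifying, a tampered message failing, and the same password failing on a different engine. The engine IDs are the RFC 3414 test-vector value and a constructed neighbour; the message is a placeholder byte string standing in for the BER-encoded PDU.

```python
import hashlib
import hmac

AUTH_TAG_LEN = 12  # HMAC-SHA-96: USM truncates the HMAC-SHA-1 output to 12 bytes


def password_to_key_sha(password: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.2 key derivation with the SHA-1 localization step.

    Ku  = SHA1(password repeated cyclically out to 1,048,576 bytes)
    Kul = SHA1(Ku || snmpEngineID || Ku)
    Localization means the same password gives a different key per device.
    """
    expanded = (password * (1048576 // len(password) + 1))[:1048576]
    ku = hashlib.sha1(expanded).digest()
    return hashlib.sha1(ku + engine_id + ku).digest()


def auth_tag(kul: bytes, msg: bytes) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC-SHA-1 over the message."""
    return hmac.new(kul, msg, hashlib.sha1).digest()[:AUTH_TAG_LEN]


def verify(kul: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check that the tag belongs to this message and this key."""
    return hmac.compare_digest(auth_tag(kul, msg), tag)


# Constructed values. ENGINE_ID is the RFC 3414 test-vector engine ID;
# OTHER_ENGINE_ID is a made-up second device. MESSAGE is a placeholder for
# the BER-encoded SNMPv3 message (in the real protocol the 12-byte tag field
# inside the message is zeroed before the HMAC is computed).
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")
MESSAGE = b"get-request sysName.0 from manager 192.168.1.101"


def demo():
    """Return (genuine verifies, tampered verifies, other-engine verifies)."""
    kul = password_to_key_sha(PASSWORD, ENGINE_ID)
    tag = auth_tag(kul, MESSAGE)
    genuine = verify(kul, MESSAGE, tag)
    # Integrity: one changed byte in transit and the tag no longer matches.
    tampered = verify(kul, MESSAGE.replace(b"sysName", b"sysNamf"), tag)
    # Authentication: the same password localized to another engine is a
    # different key, so a tag captured on one device is useless on another.
    other_kul = password_to_key_sha(PASSWORD, OTHER_ENGINE_ID)
    elsewhere = verify(other_kul, MESSAGE, tag)
    return genuine, tampered, elsewhere


if __name__ == "__main__":
    print("localized key:", password_to_key_sha(PASSWORD, ENGINE_ID).hex())
    print("genuine, tampered, other engine:", demo())
```

The localized key for "maplesyrup" on engine ID 00…02 matches the SHA vector in RFC 3414 appendix A.3.2, which is a useful sanity check when implementing USM. Note that authentication alone leaves the PDU readable; the privacy (DES/3DES/AES) service described above is a separate step that uses a second, separately localized key.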


NTP Authentication

To mitigate the risk of having a rogue NTP device advertise false time to your network routers, you can configure NTP authentication. This authentication should be configured on your router that is providing NTP information and on your routers receiving NTP information.
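What NTP authentication actually adds to a packet is a key identifier and an MD5 digest computed over the shared key followed by the 48-byte header; a receiver only accepts the time if the key ID is one it trusts and the digest matches. The following is an added example, not code from the original post or from Cisco: it builds a minimal NTPv4 client packet, appends that MAC, and verifies it the way a router with `ntp authenticate` and a trusted key would, rejecting a packet made with the wrong key, a tampered timestamp, and an unknown key ID. The key value and key ID are constructed placeholders.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_client_packet(unix_time: float) -> bytes:
    """Minimal 48-byte NTPv4 client request (LI=0, VN=4, mode=3)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    tx_timestamp = (secs << 32) | frac
    header = bytes([0x23, 0, 6, 0xEC])  # flags, stratum, poll, precision
    # root delay, root dispersion, reference ID, then four 64-bit timestamps
    return header + struct.pack("!IIIQQQQ", 0, 0, 0, 0, 0, 0, tx_timestamp)


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key MAC: 4-byte key ID + MD5(key || packet)."""
    return packet + struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def verify(auth_packet: bytes, trusted_keys: dict) -> bool:
    """Accept only packets whose MAC was computed with a key we trust."""
    if len(auth_packet) != NTP_HEADER_LEN + 4 + 16:
        return False
    packet = auth_packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", auth_packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = auth_packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID not in "ntp trusted-key": ignore the packet
    return hmac.compare_digest(hashlib.md5(key + packet).digest(), digest)


# Constructed key material, playing the role of
# "ntp authentication-key 1 md5 <key>" plus "ntp trusted-key 1".
TRUSTED_KEYS = {1: b"NTPKEYPLACEHOLDER"}


def demo():
    """Return (genuine ok, wrong-key ok, tampered ok, unknown-key-id ok)."""
    packet = build_client_packet(1563100000.5)
    genuine = sign(packet, 1, TRUSTED_KEYS[1])
    # A rogue time source that does not know the key.
    forged = sign(packet, 1, b"guess")
    # Transmit timestamp (bytes 40..47) altered after signing.
    tampered = genuine[:40] + bytes(8) + genuine[48:]
    # Correct key but a key ID the receiver has not marked as trusted.
    unknown = sign(packet, 2, TRUSTED_KEYS[1])
    return (verify(genuine, TRUSTED_KEYS), verify(forged, TRUSTED_KEYS),
            verify(tampered, TRUSTED_KEYS), verify(unknown, TRUSTED_KEYS))


if __name__ == "__main__":
    print("genuine, wrong key, tampered, unknown key id:", demo())
```

Because the digest is keyed, a rogue server on the segment cannot produce an acceptable packet without the shared key, which is the property the section above relies on. The key has to be configured with the same ID on the server and on every client, which is why the text says to configure authentication on both sides.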


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loop 0
R1(config-if)#
*Jul 22 10:28:00.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#
R1(config-if)#interface serial 2/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#
*Jul 22 10:28:51.455: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R1(config-if)#
*Jul 22 10:28:52.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config-if)#end
R1#


R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface serial 2/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
*Jul 22 10:29:39.883: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R2(config-if)#
*Jul 22 10:29:40.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/36 ms
R2(config-if)#
R2(config-if)#interface serial 2/1
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
*Jul 22 10:30:04.363: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R2(config-if)#
*Jul 22 10:30:05.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.2
R2(config-if)#end
R2#


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface loop 0
R3(config-if)#
*Jul 22 10:30:28.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface serial 2/1
R3(config-if)#ip address 10.2.2.2 255.255.255.252
R3(config-if)#no shut
R3(config-if)#
*Jul 22 10:30:54.671: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R3(config-if)#
*Jul 22 10:30:55.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.1
R3(config-if)#end
R3#


R1#tclsh       // VERIFY REMOTE CONNECTIVITY ON R1
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#security ?
  authentication  Authentication security CLIs
  passwords       Password security CLIs

R1(config)#security passwords ?
  min-length  Minimum length of passwords

R1(config)#security passwords min-length ?
  <0-16>  Minimum length of all user/enable passwords

R1(config)#security passwords min-length 10     // PASSWORD LENGTH POLICY TO MITIGATE BRUTE FORCE PASSWORD ATTACK
R1(config)#enable secret class123
% Invalid Password length - must contain 10 to 25 characters. Password configuration failed
R1(config)#enable secret class12345
R1(config)#
R1(config)#line ?
  <0-6>    First Line number
  aux      Auxiliary line
  console  Primary terminal line
  vty      Virtual terminal

R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#? 
Line configuration commands:
  absolute-timeout            Set absolute timeout for line disconnection
  access-class                Filter connections based on an IP access list
  activation-character        Define the activation character
  autocommand                 Automatically execute an EXEC command
  autocommand-options         Autocommand options
  autohangup                  Automatically hangup when last connection closes
  autoselect                  Set line to autoselect
  buffer-length               Set DMA buffer length
  data-character-bits         Size of characters being handled
  databits                    Set number of data bits per character
  default                     Set a command to its defaults
  disconnect-character        Define the disconnect character
  dispatch-character          Define the dispatch character
  dispatch-machine            Reference a TCP dispatch state machine
  dispatch-timeout            Set the dispatch timer
  domain-lookup               Enable domain lookups in show commands
  editing                     Enable command line editing
  escape-character            Change the current line's escape character
  exec                        Configure EXEC
  exec-banner                 Enable the display of the EXEC banner
  exec-character-bits         Size of characters to the command exec
  exec-timeout                Set the EXEC timeout
  exit                        Exit from line configuration mode
  flowcontrol                 Set the flow control
  flush-at-activation         Clear input stream at activation
  full-help                   Provide help to unprivileged user
  help                        Description of the interactive help system
  history                     Enable and control the command history function
  hold-character              Define the hold character
  insecure                    Mark line as 'insecure' for LAT
  international               Enable international 8-bit character support
  ip                          IP options
  ipv6                        IPv6 options
  length                      Set number of lines on a screen
  location                    Enter terminal location description
  lockable                    Allow users to lock a line
  logging                     Modify message logging facilities
  login                       Enable password checking
  logout-warning              Set Warning countdown for absolute timeout of
                              line
  modem                       Configure the Modem Control Lines
  monitor                     Copy debug output to the current terminal line
  motd-banner                 Enable the display of the MOTD banner
  no                          Negate a command or set its defaults
  notify                      Inform users of output from concurrent sessions
  ntp                         Configure NTP
  padding                     Set padding for a specified output character
  parity                      Set terminal parity
  password                    Set a password
  prc                         PRC commands
  private                     Configuration options that user can set will
                              remain in effect between terminal sessions
  privilege                   Change privilege level for line
  refuse-message              Define a refuse banner
  rotary                      Add line to a rotary group
  rxspeed                     Set the receive speed
  script                      specify event related chat scripts to run on the
                              line
  session-disconnect-warning  Set warning countdown for session-timeout
  session-limit               Set maximum number of sessions
  session-timeout             Set interval for closing connection when there is
                              no input traffic
  special-character-bits      Size of the escape (and other special) characters
  speed                       Set the transmit and receive speeds
  start-character             Define the start character
  stop-character              Define the stop character
  stopbits                    Set async line stop bits
  telnet                      Telnet protocol-specific configuration
  terminal-type               Set the terminal type
  timeout                     Timeouts for the line
  transport                   Define transport protocols for line
  txspeed                     Set the transmit speed
  vacant-message              Define a vacant banner
  width                       Set width of the display terminal
  x25                         X25 protocol-specific configuration

R1(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes

R1(config-line)#exec-timeout 5 ?
  <0-2147483>  Timeout in seconds
  <cr>

R1(config-line)#exec-timeout 5 0       // LOG OUT CONSOLE AFTER 5 MINS INACTIVITY
R1(config-line)#login
R1(config-line)#logging ?
  synchronous  Synchronized message output

R1(config-line)#logging synchronous     // PREVENTS BREAKING COMMAND LINE INPUT
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0    
R1(config-line)#login
R1(config-line)#
R1(config-line)#exit
R1(config)#line aux 0     // LEGACY PORT FOR MODEM BACKDOOR ACCESS (HARDLY USED IN MODERN NETWORK)
R1(config-line)#no exec       // DISABLE AUX PORT
R1(config-line)#end
R1#

R1#show run           // PERFORM A PASSWORD RECOVERY IF ROUTER PASSWORDS ARE FORGOTTEN
Building configuration...

Current configuration : 1636 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0     
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!        
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!        
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password ciscoconpass
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
 transport input all
!
!
end


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service ?
  alignment              Control alignment correction and logging
  call-home              Enable call-home service
  compress-config        Compress the nvram configuration file
  config                 TFTP load config files
  counters               Control aging of interface counters
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network
                         connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network
                         connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)

R1(config)#service password-encryption    // TYPE 7 (VIGENERE) WEAK CIPHER TO AVOID SHOULDER SURFING
R1(config)#
R1(config)#do show run
Building configuration...

Current configuration : 1665 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!        
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!        
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 13061E01080307252534292026
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 05080F1C2243581D0015160118
 login
 transport input all
!
!
end      
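The running configuration above is a good input for an automated check: after `service password-encryption` the line passwords appear as `password 7`, which hides them from a shoulder surfer but is reversible, and `transport input all` on the VTY lines still accepts Telnet. The following is an added example, not code from the original post: a small Python auditor that parses an IOS running-config into sections and reports the management-plane weaknesses covered on this page, run over an abridged, constructed copy of R1's config and over a constructed hardened variant (the `username` hash in the hardened sample is a placeholder, not a real hash).

```python
import re

# Constructed sample: an abridged copy of R1's running configuration as it
# stands after "service password-encryption" was enabled (no banner yet).
SAMPLE_CONFIG = """\
service password-encryption
hostname R1
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
no aaa new-model
no ip http server
no ip http secure-server
line con 0
 exec-timeout 5 0
 password 7 13061E01080307252534292026
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 no exec
line vty 0 4
 exec-timeout 5 0
 password 7 05080F1C2243581D0015160118
 login
 transport input all
"""

# Constructed hardened variant: local usernames with secrets instead of line
# passwords, SSH only on the VTYs, banner present. The hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
hostname R1
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
username admin secret 5 $1$PLACEHOLDER$notarealhash
no ip http server
banner motd ^C Unauthorized access prohibited! ^C
line con 0
 exec-timeout 5 0
 logging synchronous
 login local
line aux 0
 exec-timeout 0 0
 no exec
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS config into (command, [indented sub-commands]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a sorted list of management-plane findings for the config."""
    findings = []
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]

    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is off, line passwords are stored in clear text")
    if not any(c.startswith("enable secret") for c in top):
        findings.append("global: no enable secret configured")
    if any(c.startswith("enable password") for c in top):
        findings.append("global: enable password is type 0/7, use enable secret instead")
    if not any(c.startswith("banner motd") for c in top):
        findings.append("global: no banner motd configured")
    if "ip http server" in top:
        findings.append("global: HTTP management server is enabled")
    min_len = 0
    for c in top:
        m = re.match(r"security passwords min-length (\d+)$", c)
        if m:
            min_len = int(m.group(1))
    if min_len < 10:
        findings.append(f"global: password minimum length is {min_len}, set security passwords min-length 10 or higher")

    for cmd, children in sections:
        if not cmd.startswith("line "):
            continue
        is_vty = cmd.startswith("line vty")
        for child in children:
            if child.startswith("password 7 "):
                findings.append(f"{cmd}: type 7 password is reversible, prefer login local with username ... secret")
            elif child.startswith("password "):
                findings.append(f"{cmd}: clear-text password")
            if child == "exec-timeout 0 0" and "no exec" not in children:
                findings.append(f"{cmd}: exec-timeout 0 0 disables the idle logout")
            if is_vty and child.startswith("transport input") and child != "transport input ssh":
                findings.append(f"{cmd}: '{child}' allows Telnet, use transport input ssh")
        if cmd.startswith("line aux") and "no exec" not in children:
            findings.append(f"{cmd}: auxiliary port EXEC is enabled, add no exec")
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("lab config", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for line in audit(cfg):
            print("  -", line)
```

On the lab config the auditor reports four items: the two type 7 line passwords, `transport input all` on the VTYs, and the missing banner; the hardened sample comes back clean. The type 7 finding is the important one: `service password-encryption` only obscures the string, so the durable fix is what the later part of this post does, local `username ... secret` entries with `login local` on the lines.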


R1(config)#banner ? 
  LINE            c banner-text c, where 'c' is a delimiting character
  config-save     Set message for saving configuration
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

R1(config)#banner motd  $ Unauthorized access prohibited! $            // BANNER MOTD APPEARS BEFORE LOGIN PROMPT
R1(config)#
R1(config)#do show run
Building configuration...

Current configuration : 1713 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!        
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!        
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
banner motd ^C Unauthorized access prohibited! ^C
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 13061E01080307252534292026
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 05080F1C2243581D0015160118
 login
 transport input all
!
!        
end


R1#exit

R1 con0 is now available


Press RETURN to get started.


 Unauthorized access prohibited!

User Access Verification

Password:  <ciscoconpass>
R1#


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#security passwords min-length 10
R3(config)#enable secret class12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#
R3(config-line)#line aux 0
R3(config-line)#no exec
R3(config-line)#
R3(config-line)#service password-encryption
R3(config)#
R3(config)#banner motd $Unauthorized access prohibited!$
R3(config)#end
R3#
*Jul 22 10:53:26.323: %SYS-5-CONFIG_I: Configured from console by console
R3#
R3#show run
Building configuration...

Current configuration : 1711 bytes
!
! Last configuration change at 10:53:26 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$PTKC$bjUGuy4YkvJ8U/lX1GYAC1
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!        
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!        
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!        
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 ip address 10.2.2.2 255.255.255.252
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
banner motd ^CUnauthorized access prohibited!^C
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 094F471A1A0A141D051C053938
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 03075218050037585719181604
 login
 transport input all
!
!        
end


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username ?
  WORD  User name

R1(config)#username jr-admin ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  algorithm-type       Algorithm to use for hashing the plaintext secret for
                       the user
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  one-time             Specify that the username/password is valid for only one
                       time
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>

R1(config)#username jr-admin secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a MD5 HASHED secret will follow
  8     Specifies a PBKDF2 HASHED secret will follow
  9     Specifies a SCRYPT HASHED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret

R1(config)#username jr-admin secret class12345        // SECRET PASSWORD ENCRYPTION LEVEL 4 (SHA256)
R1(config)#username admin secret class54321
R1(config)#
R1(config)#line console 0
R1(config-line)#login ?
  local  Local password checking
  <cr>

R1(config-line)#login local
R1(config-line)#
R1(config-line)#line vty 0 4
R1(config-line)#login local
R1(config-line)#end
R1#


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#username jr-admin secret class12345
R3(config)#username admin secret class54321
R3(config)#line console 0
R3(config-line)#login local
R3(config-line)#
R3(config-line)#line vty 0 4
R3(config-line)#login local
R3(config-line)#end
R3#


R3#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
 Unauthorized access prohibited!

User Access Verification

Username: admin
Password:  <class54321>
R1>


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#aaa ?
  new-model  Enable NEW access control commands and functions.(Disables OLD
             commands.)

R1(config)#aaa new-model      // ENABLE AAA (AUTHENTICATION, AUTHORIZATION, ACCOUNTING)
R1(config)#
R1(config)#radius ?
  filter  Packet filter configuration
  server  Server configuration

R1(config)#radius server ?
  WORD  Name for the radius server configuration

R1(config)#radius server RADIUS      // CONFIGURE RADIUS SERVER
R1(config-radius-server)#?
RADIUS server sub-mode commands:
  address          Specify the radius server address
  automate-tester  Configure server automated testing.
  backoff          Retry backoff pattern(Default is retransmits with constant
                   delay)
  exit             Exit from RADIUS server configuration mode
  key              Per-server encryption key
  no               Negate a command or set its defaults
  non-standard     Attributes to be parsed that violate RADIUS standard
  pac              Protected Access Credential key
  retransmit       Number of retries to active server (overrides default)
  timeout          Time to wait (in seconds) for this radius server to reply
                   (overrides default)

R1(config-radius-server)#address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address

R1(config-radius-server)#address ipv4 192.168.1.101
R1(config-radius-server)#key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNCRYPTED (cleartext) shared key

R1(config-radius-server)#key cisco123
R1(config-radius-server)#exit
R1(config)#aaa ?
  accounting       Accounting configurations parameters.
  attribute        AAA attribute definitions
  authentication   Authentication configurations parameters.
  authorization    Authorization configurations parameters.
  cache            AAA cache definitions
  configuration    Authorization configuration parameters.
  dnis             Associate certain AAA parameters to a specific DNIS number
  group            AAA group definitions
  local            AAA Local method options
  max-sessions     Adjust initial hash size for estimated max sessions
  memory           AAA memory parameters
  nas              NAS specific configuration
  new-model        Enable NEW access control commands and functions.(Disables
                   OLD commands.)
  password         Configure password/secret related settings
  pod              POD processing
  policy           AAA policy parameters
  route            Static route downloading
  server           Local AAA server
  service-profile  Service-Profile parameters
  session-id       AAA Session ID
  session-mib      AAA session MIB options
  traceback        Traceback recording
  user             AAA user definitions

R1(config)#aaa group ?
  server  AAA Server group definitions

R1(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

R1(config)#aaa group server radius ?
  WORD  Server-group name

R1(config)#aaa group server radius RADIUS_GROUP
R1(config-sg-radius)#? 
RADIUS Server-group commands:
  accounting        Specify a RADIUS attribute filter for accounting
  attribute         Customize selected radius attributes
  authorization     Specify a RADIUS attribute filter for authorization
  backoff           Retry backoff pattern (Default is retransmits with constant
                    delay)
  cache             cached DB profile configuration
  deadtime          Specify time in minutes to ignore an unresponsive server
  default           Set a command to its defaults
  domain-stripping  Strip the domain from the username
  exit              Exit from RADIUS server-group configuration mode
  ip                Internet Protocol config commands
  ipv6              IPv6 config commands
  key-wrap          Configure RADIUS key-wrap feature
  load-balance      Server group load-balancing options.
  mac-delimiter     MAC Delimiter for Radius Compatibility Mode
  no                Negate a command or set its defaults
  server            Specify a RADIUS server
  server-private    Define a private RADIUS server (per group)
  subscriber        Configures MAC Filtering RADIUS Compatibility mode
  throttle          Throttle requests to radius server

R1(config-sg-radius)#server ?
  Hostname or A.B.C.D  IP address of RADIUS server
  name                 Name of radius server

R1(config-sg-radius)#server name ?
  WORD  Radius server name

R1(config-sg-radius)#server name RADIUS
R1(config-sg-radius)#exit
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

R1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be
           rejected).
  default  The default authentication list.

R1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V
                 Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login default group RADIUS_GROUP ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

R1(config)#aaa authentication login default group RADIUS_GROUP local      // LOGIN USING RADIUS THEN FALLBACK TO LOCAL DATABASE
R1(config)#
R1(config)#aaa authentication login TELNET group RADIUS_GROUP local-case     // LOGIN IS CASE SENSITIVE
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

R1(config-line)#login authentication TELNET


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#aaa new-model
R3(config)#radius server RADIUS
R3(config-radius-server)#address ipv4 192.168.1.101
R3(config-radius-server)#key cisco123
R3(config-radius-server)#exit
R3(config)#aaa authentication login default group RADIUS_GROUP local
R3(config)#
*Jul 22 11:06:23.627: %AAAA-4-SERVUNDEF: The server-group "RADIUS_GROUP" is not defined. Please define it.
R3(config)#aaa group server radius RADIUS_GROUP
R3(config-sg-radius)#server name RADIUS
R3(config-sg-radius)#exit
R3(config)#
R3(config)#aaa authentication login default group RADIUS_GROUP local
R3(config)#                                                        
R3(config)#aaa authentication login TELNET group RADIUS_GROUP local-case
R3(config)#
R3(config)#line vty 0 4
R3(config-line)#login authentication TELNET
R3(config-line)#end
R3#

R3#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
 Unauthorized access prohibited!
User Access Verification

Username: ADMIN
Password:  <class54321>

% Authentication failed        // NO 'ADMIN' CONFIGURED IN LOCAL DATABASE (CASE SENSITIVE)

Username: admin         // CORRECT LOCAL LOGIN ACCOUNT
Password:  <class54321>

R1>enable
Password: <class12345>


R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain-name lab.com        // SSH REQUIRES HOSTNAME AND DOMAIN NAME CONFIGURED
R1(config)#crypto ?             
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  vpn           Configure crypto vpn commands
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters

R1(config)#crypto key ?
  decrypt       Decrypt a keypair.
  encrypt       Encrypt a keypair.
  export        Export keys
  generate      Generate new keys
  import        Import keys
  move          Move keys
  pubkey-chain  Peer public key chain management
  storage       default storage location for keypairs
  zeroize       Remove keys

R1(config)#crypto key zeroize ?
  ec            Remove EC keys
  pubkey-chain  Remove peer's cached public key
  rsa           Remove RSA keys
  <cr>

R1(config)#crypto key zeroize rsa      // OPTIONAL TO ERASE EXISTING KEY PAIR (WEAK KEYS)
% No Signature Keys found in configuration.

R1(config)#crypto key generate ? 
  ec   Generate EC keys for ECDSA
  rsa  Generate RSA keys

R1(config)#crypto key generate rsa ?
  encryption    Generate a general purpose RSA key pair for signing and
                encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and
                encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  redundancy    Allow the key to be synced to high-availability peer
  signature     Generate a general purpose RSA key pair for signing and
                encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

R1(config)#crypto key generat rsa general-keys ?
  exportable  Allow the key to be exported
  label       Provide a label
  modulus     Provide number of modulus bits on the command line
  on          create key on specified device.
  redundancy  Allow the key to be synced to high-availability peer
  storage     Store key on specified device
  <cr>

R1(config)#crypto key generat rsa general-keys modulus ?
  <360-4096>  size of the key modulus [360-4096]

R1(config)#crypto key generat rsa general-keys modulus 1024
The name for the keys will be: R1.lab.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R1(config)#
*Jul 22 11:13:28.443: %SSH-5-ENABLED: SSH 1.99 has been enabled      // SSH 1.99 IS KNOWN AS COMPATIBILITY MODE, WHICH SUPPORTS BOTH SSH VERSION 1 AND VERSION 2
R1(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  dh                      Diffie-Hellman
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  precedence              IP Precedence value for SSH traffic
  pubkey-chain            pubkey-chain
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH
                          connections
  stricthostkeycheck      Enable SSH Server Authentication
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

R1(config)#ip ssh version ?
  <1-2>  Protocol version

R1(config)#ip ssh version 2    // SSHv2 OFFERS BETTER SECURITY THAN SSHv1 (WHICH HAS KNOWN VULNERABILITIES)
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport ?
  input      Define which protocols to use when connecting to the terminal
             server
  output     Define which protocols to use for outgoing connections
  preferred  Specify the preferred protocol to use

R1(config-line)#transport input ?
  all     All protocols
  mop     DEC MOP Remote Console Protocol
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
  udptn   UDPTN async via UDP protocol
  v120    Async over ISDN

R1(config-line)#transport input ssh       // CONFIGURE VTY LINES TO ACCEPT SSH ONLY (DISABLE TELNET)
R1(config-line)#end
R1#
*Jul 22 11:14:53.307: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#
R1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCGpbfQvNg2kvJtFw6W4J/XjzHKPZgPwXgLYZT+kQz
wdLUpL2uhJjZYsq8iqT5i6eXEEDpny+x+UQ3dXb5e9j8bnVYS7BKWI4LYFw16wRK63Ngfk8d4b4irTrv
HjhkJxY2wPWUMfLcpnmssX1C+kFG6ZzHk1O8+Fp5lBgZZV3VJQ== 


R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip domain-name lab.com
R3(config)#crypto key zeroize rsa
% No Signature Keys found in configuration.

R3(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R3.lab.com

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R3(config)#
*Jul 22 11:19:34.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#ip ssh version 2
R3(config)#line vty 0 4
R3(config-line)#transport input ssh
R3(config-line)#end
R3#
*Jul 22 11:19:48.187: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#
R3#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0lTdQgZfiGM5pyJV8X/Mf6Z+bGhXuXhnSG2n9Vgw1
3AYmPpZH3kpesZFN6IDs194wTtLKidpIWzWWSpkKTJSZppFumHexxfmYdkGBHLu8qmwx78QoVWOkImF3
w0M7wX3LfL6mDWydCZvKkhm09+0/6CQ9ouDek7+1vYYtrIRouw==  

R3#ssh -l admin 10.1.1.1
Password:  <class54321>
 Unauthorized access prohibited! R1>enable
Password:  <class12345>
R1#
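The two procedures above (RADIUS server, server group and login lists applied to the VTY lines; then RSA keys, `ip ssh version 2` and `transport input ssh`) only work when every piece refers to one that actually exists, as the `%AAAA-4-SERVUNDEF` message on R3 shows. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses a running-config and checks exactly those dependencies (server name in a group, group name in a login list, list name on a vty line) plus the SSH-only transport and SSH version settings. Both config texts in it are constructed for the example; hostnames, IP address, key and list names are copied from the lab steps above.

```python
"""Audit a Cisco IOS running-config for the management-plane settings
used in the walkthrough. Added example; configs below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed: the end state of R1 from the walkthrough.
GOOD_CONFIG = """\
hostname R1
aaa new-model
radius server RADIUS
 address ipv4 192.168.1.101
 key cisco123
aaa group server radius RADIUS_GROUP
 server name RADIUS
aaa authentication login default group RADIUS_GROUP local
aaa authentication login TELNET group RADIUS_GROUP local-case
ip domain-name lab.com
ip ssh version 2
line vty 0 4
 login authentication TELNET
 transport input ssh
"""

# Constructed: R3's first attempt (login list names a group that is not
# defined yet), with a vty still accepting Telnet and no SSH version pinned.
WEAK_CONFIG = """\
hostname R3
aaa new-model
radius server RADIUS
 address ipv4 192.168.1.101
 key cisco123
aaa authentication login default group RADIUS_GROUP local
line vty 0 4
 login authentication TELNET
 transport input telnet ssh
"""


def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Split a config into (top-level command, [sub-commands]) pairs.
    IOS marks sub-commands with a leading space; '!' lines are separators."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config: str) -> List[str]:
    """Return findings as strings; an empty list means all checks passed."""
    findings: List[str] = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    if "aaa new-model" not in headers:
        findings.append("aaa new-model missing; named login lists are ignored")

    # 1. 'server name X' inside a group must refer to a 'radius server X'.
    radius_servers = {h.split()[2] for h in headers if h.startswith("radius server ")}
    groups: Dict[str, List[str]] = {}
    for h, subs in sections:
        m = re.match(r"aaa group server radius (\S+)$", h)
        if m:
            groups[m.group(1)] = subs
    for gname, subs in groups.items():
        for s in subs:
            m = re.match(r"server name (\S+)$", s)
            if m and m.group(1) not in radius_servers:
                findings.append(f"group {gname} references undefined radius server {m.group(1)}")

    # 2. 'group NAME' in a login list needs that group (else %AAAA-4-SERVUNDEF),
    #    and a local fallback keeps you in if the RADIUS server is unreachable.
    login_lists: Dict[str, List[str]] = {}
    for h in headers:
        m = re.match(r"aaa authentication login (\S+) (.+)$", h)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    for lname, methods in login_lists.items():
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods):
                g = methods[i + 1]  # 'radius'/'tacacs+'/'ldap' mean "all hosts"
                if g not in ("radius", "tacacs+", "ldap") and g not in groups:
                    findings.append(f"login list {lname} uses undefined server group {g}")
        if not {"local", "local-case"} & set(methods):
            findings.append(f"login list {lname} has no local fallback method")

    # 3. vty lines: the applied list must exist and only SSH may be accepted.
    for h, subs in sections:
        if not h.startswith("line vty"):
            continue
        for s in subs:
            m = re.match(r"login authentication (\S+)$", s)
            if m and m.group(1) not in login_lists:
                findings.append(f"{h} applies undefined login list {m.group(1)}")
            m = re.match(r"transport input (.+)$", s)
            if m and m.group(1).split() != ["ssh"]:
                findings.append(f"{h} accepts '{m.group(1)}' instead of ssh only")

    # 4. Key generation enables SSH 1.99 (v1 and v2); require v2 explicitly.
    if "ip ssh version 2" not in headers:
        findings.append("ip ssh version 2 not set; SSHv1 can still be negotiated")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("WEAK_CONFIG", WEAK_CONFIG)):
        print(name, audit(cfg) or ["all checks passed"])
```

Feed it the output of `show running-config` saved to a file and it reports the same dangling reference the router logged on R3, plus any vty line that still accepts Telnet. The local fallback check matters operationally: with `group RADIUS_GROUP` alone, an unreachable RADIUS server would lock administrators out of the VTY lines.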
