A Cisco router’s architecture can be categorized into three operational planes:
* Management plane: The management plane is concerned with the management of the device. For example, an administrator connecting to a router through a Secure Shell (SSH) connection through one of the router’s VTY lines would be a management plane operation.
* Control plane: The control plane is concerned with making packet-forwarding decisions. For example, routing protocol operation would be a control plane function.
* Data plane: The data plane is concerned with the forwarding of data through a router. For example, end-user traffic traveling from a user’s PC to a web server on a different network would go across the data plane.
Below are some approaches to securing the management plane of a Cisco router. (Unicast Reverse Path Forwarding is covered as well; strictly speaking it is a data-plane control, but it protects the router and the networks behind it from spoofed sources and is usually deployed alongside the management-plane hardening below.)
Secure Shell Versus Telnet
Cisco strongly recommends using Secure Shell (SSH) instead of Telnet. The issue with Telnet is that it sends all session data, including passwords, across the network in clear text. Anyone who can capture the traffic (a sniffer on a shared segment, a compromised switch, or a man-in-the-middle position) can read the credentials and every command typed during the session. SSH encrypts the session, so even if a malicious user did capture packets from the SSH session, the packets would be unreadable. Two practical points follow from this: run SSH version 2 only (ip ssh version 2), and restrict the VTY lines with transport input ssh. The default transport input all, which is still present in the configurations later on this page, keeps Telnet reachable, so the SSH recommendation is not actually enforced until the transport is restricted.
Password Encryption
Ideally, all passwords associated with your routers would be stored on an external AAA server; however, it is often necessary to locally store passwords on a router. If someone were to see that router’s running configuration, she would be able to see any of those passwords, if they were in clear text. Therefore, a best-practice security recommendation is to encrypt any passwords appearing in a router’s configuration. Cisco IOS has a few different passwords that you might want to encrypt (or represent as a hash value), including the enable secret password, line password, and username password. Be aware that these are two different mechanisms: service password-encryption applies a reversible type 7 obfuscation to line and username passwords, which defeats shoulder surfing but not anyone who obtains a copy of the configuration, whereas enable secret and username secret store a one-way hash (type 5 MD5 on older releases; type 8 PBKDF2-SHA256 or type 9 scrypt where the algorithm-type keyword is available). Anything that grants privileged access should use a secret, not a type 7 password.
Unicast Reverse Path Forwarding
One approach to preventing malicious traffic from entering a network is to use Unicast Reverse Path Forwarding (uRPF) . Specifically, uRPF can help block packets having a spoofed IP address. The way that uRPF works is to check the source IP address of a packet arriving on an interface and determine whether that IP address is reachable, based on the router’s Forwarding Information Base (FIB) used by Cisco Express Forwarding (CEF). Optionally, the router can also check to see whether the packet is arriving on the interface the router would use to send traffic back to that IP address.
Note: CEF must be enabled on a router to use uRPF.
You can choose between three modes of operation for uRPF:
* Strict mode: With strict mode operation, a router not only checks to make sure that the source IP address of an arriving packet is reachable, based on the router’s FIB, but the packet must also be arriving on the same interface the router would use to send traffic back to that IP address. Strict mode drops legitimate traffic where routing is asymmetric, so it is normally applied on edge or access interfaces where the return path is known, not on core links.
* Loose mode: With loose mode operation, a router only verifies that the source IP address of a packet is reachable, based on the router’s FIB. This catches packets from unrouted (bogon) sources but passes a spoofed address that happens to be routable through any interface.
* VRF mode: Virtual Routing and Forwarding (VRF) is a technology that allows a router to have multiple IP routing table instances, thus allowing overlapping IP addresses to be used. uRPF operating in VRF mode (also known as uRPF version 3 or uRPFv3) is similar to loose mode operation in that source IP addresses are checked against the FIB for a specific VRF.
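The strict/loose distinction is easiest to see on a concrete FIB. The following Python model is an added example written for this page, not Cisco code: it performs the longest-prefix lookup uRPF relies on and applies the strict or loose decision to a few constructed packets. The FIB contents, interface names and packets are all made up for the example; the allow_default flag mirrors the IOS allow-default keyword, without which a source reachable only through the default route does not count as reachable.

```python
"""Added example (not Cisco code): a minimal model of the uRPF decision.

Written for this page to show how strict and loose mode differ. The FIB,
interface names and sample packets are constructed; the allow_default
flag mirrors the IOS 'allow-default' keyword, which is needed before a
default route counts as 'reachable'.
"""
import ipaddress

# Constructed FIB (prefix -> egress interface), as CEF would hold it.
FIB = {
    ipaddress.ip_network("192.168.1.0/24"): "FastEthernet0/0",  # LAN behind the router
    ipaddress.ip_network("10.1.1.0/30"): "Serial2/0",           # WAN link
    ipaddress.ip_network("0.0.0.0/0"): "Serial2/0",             # default route
}


def fib_lookup(fib, addr, allow_default=False):
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    addr = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue  # uRPF ignores the default route unless allow-default is set
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes uRPF in the given mode."""
    egress = fib_lookup(fib, src, allow_default)
    if egress is None:
        return False              # unroutable source: dropped in every mode
    if mode == "loose":
        return True               # routable via any interface is enough
    if mode == "strict":
        return egress == ingress  # must arrive where the reply would be sent
    raise ValueError(f"unknown mode {mode!r}")


def evaluate(fib, packets, mode, allow_default=False):
    """Run (src, ingress) pairs through the check; returns [(src, ingress, verdict)]."""
    return [(src, ingress, urpf_check(fib, src, ingress, mode, allow_default))
            for src, ingress in packets]


# Constructed packets: (source address, ingress interface)
PACKETS = [
    ("10.1.1.2", "Serial2/0"),        # WAN neighbour on the expected interface
    ("192.168.1.50", "Serial2/0"),    # spoofed: our own LAN range arriving from the WAN
    ("203.0.113.9", "Serial2/0"),     # reachable only through the default route
    ("10.1.1.2", "FastEthernet0/0"),  # asymmetric: routable, but wrong interface
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        for src, ingress, ok in evaluate(FIB, PACKETS, mode):
            print(f"{mode:6} {src:15} via {ingress:16} {'pass' if ok else 'DROP'}")
```

Running it shows the trade-off in one screen: strict mode drops the spoofed LAN source and the asymmetric packet alike, loose mode passes both and only rejects the unroutable source, and neither mode accepts a default-route-only source until allow-default is granted.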
Authentication, Authorization, and Accounting (AAA)
Enforcing router login security in larger networks can be challenging if you have to manage multiple user databases (for example, having a separate user database locally configured on each router of your network). Fortunately, with AAA (authentication, authorization, and accounting) services, you can have a single repository for user credentials. Then, when a network engineer attempts to log in to, for example, a router, the credentials that she supplies can be authenticated against a centralized AAA database.
Three services are offered by a AAA server, as follows:
* Authentication: The authentication service can check a user’s credentials to confirm he is who he claims to be.
* Authorization: After being authenticated, the authorization service determines what that user is allowed to do.
* Accounting: The accounting service can collect and store information about a user’s login. This information can be used, for example, to keep an audit trail of what a user did on the network.
SNMP Security
SNMP needs protection against malicious users attempting to collect information from a managed device, change the configuration of a managed device, or intercept information being sent to an NMS. However, the security integrated with SNMPv1 and SNMPv2c is considered weak. Specifically, SNMPv1 and SNMPv2c use community strings to gain read-only or read-write access to a managed device. You can think of a community string as being much like a password, except that it crosses the network in clear text with every request.
If you do need to secure an SNMPv1 or SNMPv2c environment, you should change the community strings to nondefault values (never leave "public" or "private" in place) and reference an ACL on the community. The ACL could match a trusted subnet of management stations or a specific IP address of a management station. Prefer read-only communities; a read-write community with a guessable string is equivalent to a configuration-level login.
SNMPv3 offers three primary security enhancements:
* Integrity: Using a keyed hash (HMAC-MD5 or HMAC-SHA), SNMPv3 ensures that an SNMP message was not modified in transit.
* Authentication: The same keyed hash allows SNMPv3 to validate the source of an SNMP message, because only a party holding the user’s authentication key can produce it.
* Encryption: Using the DES, 3DES, or AES encryption algorithm, SNMPv3 provides privacy for SNMP messages, making them unreadable by an attacker who might capture SNMP packets. Choose AES over DES wherever the platform supports it.
These map onto the SNMPv3 security levels: noAuthNoPriv (none of the above), authNoPriv (integrity and authentication), and authPriv (all three).
NTP Authentication
To mitigate the risk of having a rogue NTP device advertise false time to your network routers, you can configure NTP authentication. This authentication should be configured on the router that is providing NTP information and on the routers receiving NTP information: both sides define the same key (ntp authentication-key, MD5 on most releases), mark it as trusted (ntp trusted-key), enable checking (ntp authenticate), and the clients reference the key on their ntp server statement. Be clear about what this buys you: a client accepts time only from a server that holds the key, but the time data itself is not encrypted, and the key is used with MD5, so treat it as a shared secret of moderate strength rather than a strong cryptographic control.
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#interface loop 0
R1(config-if)#
*Jul 22 10:28:00.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#
R1(config-if)#interface serial 2/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#
*Jul 22 10:28:51.455: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R1(config-if)#
*Jul 22 10:28:52.463: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config-if)#end
R1#
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface serial 2/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
*Jul 22 10:29:39.883: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
R2(config-if)#
*Jul 22 10:29:40.891: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/36 ms
R2(config-if)#
R2(config-if)#interface serial 2/1
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shut
R2(config-if)#
*Jul 22 10:30:04.363: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R2(config-if)#
*Jul 22 10:30:05.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.2
R2(config-if)#end
R2#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface loop 0
R3(config-if)#
*Jul 22 10:30:28.911: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#
R3(config-if)#interface serial 2/1
R3(config-if)#ip address 10.2.2.2 255.255.255.252
R3(config-if)#no shut
R3(config-if)#
*Jul 22 10:30:54.671: %LINK-3-UPDOWN: Interface Serial2/1, changed state to up
R3(config-if)#
*Jul 22 10:30:55.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/1, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.1
R3(config-if)#end
R3#
R1#tclsh // VERIFY REMOTE CONNECTIVITY ON R1
R1(tcl)#foreach address {
+>(tcl)#192.168.1.1
+>(tcl)#10.1.1.1
+>(tcl)#10.1.1.2
+>(tcl)#10.2.2.1
+>(tcl)#10.2.2.2
+>(tcl)#192.168.3.1
+>(tcl)#} { ping $address }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/13/16 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/36 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/16/20 ms
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#security ?
  authentication  Authentication security CLIs
  passwords       Password security CLIs
R1(config)#security passwords ?
  min-length  Minimum length of passwords
R1(config)#security passwords min-length ?
  <0-16>  Minimum length of all user/enable passwords
R1(config)#security passwords min-length 10 // PASSWORD LENGTH POLICY TO MITIGATE BRUTE FORCE PASSWORD ATTACK
R1(config)#enable secret class123
% Invalid Password length - must contain 10 to 25 characters. Password configuration failed
R1(config)#enable secret class12345
R1(config)#
R1(config)#line ?
  <0-6>    First Line number
  aux      Auxiliary line
  console  Primary terminal line
  vty      Virtual terminal
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#?
Line configuration commands:
  absolute-timeout            Set absolute timeout for line disconnection
  access-class                Filter connections based on an IP access list
  activation-character        Define the activation character
  autocommand                 Automatically execute an EXEC command
  autocommand-options         Autocommand options
  autohangup                  Automatically hangup when last connection closes
  autoselect                  Set line to autoselect
  buffer-length               Set DMA buffer length
  data-character-bits         Size of characters being handled
  databits                    Set number of data bits per character
  default                     Set a command to its defaults
  disconnect-character        Define the disconnect character
  dispatch-character          Define the dispatch character
  dispatch-machine            Reference a TCP dispatch state machine
  dispatch-timeout            Set the dispatch timer
  domain-lookup               Enable domain lookups in show commands
  editing                     Enable command line editing
  escape-character            Change the current line's escape character
  exec                        Configure EXEC
  exec-banner                 Enable the display of the EXEC banner
  exec-character-bits         Size of characters to the command exec
  exec-timeout                Set the EXEC timeout
  exit                        Exit from line configuration mode
  flowcontrol                 Set the flow control
  flush-at-activation         Clear input stream at activation
  full-help                   Provide help to unprivileged user
  help                        Description of the interactive help system
  history                     Enable and control the command history function
  hold-character              Define the hold character
  insecure                    Mark line as 'insecure' for LAT
  international               Enable international 8-bit character support
  ip                          IP options
  ipv6                        IPv6 options
  length                      Set number of lines on a screen
  location                    Enter terminal location description
  lockable                    Allow users to lock a line
  logging                     Modify message logging facilities
  login                       Enable password checking
  logout-warning              Set Warning countdown for absolute timeout of line
  modem                       Configure the Modem Control Lines
  monitor                     Copy debug output to the current terminal line
  motd-banner                 Enable the display of the MOTD banner
  no                          Negate a command or set its defaults
  notify                      Inform users of output from concurrent sessions
  ntp                         Configure NTP
  padding                     Set padding for a specified output character
  parity                      Set terminal parity
  password                    Set a password
  prc                         PRC commands
  private                     Configuration options that user can set will remain in effect between terminal sessions
  privilege                   Change privilege level for line
  refuse-message              Define a refuse banner
  rotary                      Add line to a rotary group
  rxspeed                     Set the receive speed
  script                      specify event related chat scripts to run on the line
  session-disconnect-warning  Set warning countdown for session-timeout
  session-limit               Set maximum number of sessions
  session-timeout             Set interval for closing connection when there is no input traffic
  special-character-bits      Size of the escape (and other special) characters
  speed                       Set the transmit and receive speeds
  start-character             Define the start character
  stop-character              Define the stop character
  stopbits                    Set async line stop bits
  telnet                      Telnet protocol-specific configuration
  terminal-type               Set the terminal type
  timeout                     Timeouts for the line
  transport                   Define transport protocols for line
  txspeed                     Set the transmit speed
  vacant-message              Define a vacant banner
  width                       Set width of the display terminal
  x25                         X25 protocol-specific configuration
R1(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes
R1(config-line)#exec-timeout 5 ?
  <0-2147483>  Timeout in seconds
  <cr>
R1(config-line)#exec-timeout 5 0 // LOG OUT CONSOLE AFTER 5 MINS INACTIVITY
R1(config-line)#login
R1(config-line)#logging ?
  synchronous  Synchronized message output
R1(config-line)#logging synchronous // PREVENTS BREAKING COMMAND LINE INPUT
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#
R1(config-line)#exit
R1(config)#line aux 0 // LEGACY PORT FOR MODEM BACKDOOR ACCESS (HARDLY USED IN MODERN NETWORK)
R1(config-line)#no exec // DISABLE AUX PORT
R1(config-line)#end
R1#
R1#show run // LINE PASSWORDS ARE STILL IN CLEAR TEXT HERE; IF ROUTER PASSWORDS ARE FORGOTTEN, PERFORM A PASSWORD RECOVERY
Building configuration...

Current configuration : 1636 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password ciscoconpass
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password ciscovtypass
 login
 transport input all
!
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#service ?
  alignment              Control alignment correction and logging
  call-home              Enable call-home service
  compress-config        Compress the nvram configuration file
  config                 TFTP load config files
  counters               Control aging of interface counters
  dhcp                   Enable DHCP server and relay agent
  disable-ip-fast-frag   Disable IP particle-based fast fragmentation
  exec-callback          Enable exec callback
  exec-wait              Delay EXEC startup on noisy lines
  finger                 Allow responses to finger requests
  hide-telnet-addresses  Hide destination addresses in telnet command
  linenumber             enable line number banner for each exec
  nagle                  Enable Nagle's congestion control algorithm
  old-slip-prompts       Allow old scripts to operate with slip/ppp
  pad                    Enable PAD commands
  password-encryption    Encrypt system passwords
  prompt                 Enable mode specific prompt
  pt-vty-logging         Log significant VTY-Async events
  sequence-numbers       Stamp logger messages with a sequence number
  slave-log              Enable log capability of slave IPs
  tcp-keepalives-in      Generate keepalives on idle incoming network connections
  tcp-keepalives-out     Generate keepalives on idle outgoing network connections
  tcp-small-servers      Enable small TCP servers (e.g., ECHO)
  telnet-zeroidle        Set TCP window 0 when connection is idle
  timestamps             Timestamp debug/log messages
  udp-small-servers      Enable small UDP servers (e.g., ECHO)
R1(config)#service password-encryption // TYPE 7 (VIGENERE) WEAK CIPHER TO AVOID SHOULDER SURFING
R1(config)#
R1(config)#do show run
Building configuration...

Current configuration : 1665 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 13061E01080307252534292026
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 05080F1C2243581D0015160118
 login
 transport input all
!
!
end
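To make concrete why the Password Encryption section and the "WEAK CIPHER" comment above treat type 7 as obfuscation rather than protection, here is an added example written for this page (not Cisco code) that reverses type 7 strings and runs a few of the checks this page is about over a configuration fragment. The XOR key is the fixed, publicly known key IOS uses for service password-encryption; the first two decimal digits of a type 7 string are an offset into it. The sample configuration is assembled from lines of the R1 show run above, so the recovered values are the passwords typed earlier on this page.

```python
"""Added example (not Cisco code): reverse type 7 passwords and flag weak settings.

The XOR key below is the well-known fixed key IOS uses for
'service password-encryption'. The sample configuration lines are
copied from the R1 show run on this page.
"""
import re

# Fixed key used by type 7; the first two (decimal) digits of a type 7
# string give the starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded):
    """Recover the plaintext from a type 7 string such as '13061E01...'."""
    if len(encoded) < 4 or len(encoded) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", encoded):
        raise ValueError("not a well-formed type 7 string")
    offset = int(encoded[:2], 10)
    if offset > 15:
        raise ValueError("type 7 seed must be 00..15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain, seed=0):
    """Produce a type 7 string; included only to show the scheme is symmetric."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config):
    """Return findings for the weak management-plane settings this page covers."""
    findings = []
    # line passwords and RADIUS/TACACS keys stored as type 7 are recoverable
    for m in re.finditer(r"^\s*(?:password|key) 7 ([0-9A-F]+)", config, re.M):
        findings.append(f"type 7 string reverses to {type7_decode(m.group(1))!r}")
    for m in re.finditer(r"^enable secret (\d) ", config, re.M):
        if m.group(1) == "5":
            findings.append("enable secret is type 5 (MD5); prefer algorithm-type scrypt (type 9)")
    if re.search(r"^\s*transport input all", config, re.M):
        findings.append("VTY allows all transports; restrict to 'transport input ssh'")
    if "no service password-encryption" in config:
        findings.append("service password-encryption is off; line passwords are in clear text")
    return findings


# Constructed sample assembled from lines of the R1 configuration shown above.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
line con 0
 password 7 13061E01080307252534292026
line vty 0 4
 password 7 05080F1C2243581D0015160118
 transport input all
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

The two type 7 strings from the show run come back as ciscoconpass and ciscovtypass in a fraction of a second, which is the whole argument for keeping privileged credentials in a secret (hashed) form and for treating a configuration backup as sensitive as the passwords in it.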
R1(config)#banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  config-save     Set message for saving configuration
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP
R1(config)#banner motd $ Unauthorized access prohibited! $ // BANNER MOTD APPEARS BEFORE LOGIN PROMPT
R1(config)#
R1(config)#do show run
Building configuration...

Current configuration : 1713 bytes
!
! Last configuration change at 10:40:05 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$bUHZ$pb3d2iZ7jbGCk/tYo7VSz0
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address 10.1.1.1 255.255.255.252
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
banner motd ^C Unauthorized access prohibited! ^C
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 13061E01080307252534292026
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 05080F1C2243581D0015160118
 login
 transport input all
!
!
end
R1#exit

R1 con0 is now available

Press RETURN to get started.

Unauthorized access prohibited!

User Access Verification

Password: <ciscoconpass>
R1#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#security passwords min-length 10
R3(config)#enable secret class12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#
R3(config-line)#line aux 0
R3(config-line)#no exec
R3(config-line)#
R3(config-line)#service password-encryption
R3(config)#
R3(config)#banner motd $Unauthorized access prohibited!$
R3(config)#end
R3#
*Jul 22 10:53:26.323: %SYS-5-CONFIG_I: Configured from console by console
R3#
R3#show run
Building configuration...

Current configuration : 1711 bytes
!
! Last configuration change at 10:53:26 UTC Sun Jul 22 2018
upgrade fpd auto
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 10
enable secret 5 $1$PTKC$bjUGuy4YkvJ8U/lX1GYAC1
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
redundancy
!
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 ip address 10.2.2.2 255.255.255.252
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
!
no cdp log mismatch duplex
!
!
!
control-plane
!
!
!
mgcp profile default
!
!
!
gatekeeper
 shutdown
!
banner motd ^CUnauthorized access prohibited!^C
!
line con 0
 exec-timeout 5 0
 privilege level 15
 password 7 094F471A1A0A141D051C053938
 logging synchronous
 login
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 no exec
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 password 7 03075218050037585719181604
 login
 transport input all
!
!
end
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username ?
  WORD  User name
R1(config)#username jr-admin ?
  aaa                  AAA directive
  access-class         Restrict access by access-class
  algorithm-type       Algorithm to use for hashing the plaintext secret for the user
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  one-time             Specify that the username/password is valid for only one time
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
  view                 Set view name
  <cr>
R1(config)#username jr-admin secret ?
  0     Specifies an UNENCRYPTED secret will follow
  5     Specifies a MD5 HASHED secret will follow
  8     Specifies a PBKDF2 HASHED secret will follow
  9     Specifies a SCRYPT HASHED secret will follow
  LINE  The UNENCRYPTED (cleartext) user secret
R1(config)#username jr-admin secret class12345 // STORED AS A ONE-WAY HASH (TYPE 5 MD5 HERE, LIKE THE enable secret ABOVE; ADD algorithm-type scrypt FOR TYPE 9)
R1(config)#username admin secret class54321
R1(config)#
R1(config)#line console 0
R1(config-line)#login ?
  local  Local password checking
  <cr>
R1(config-line)#login local
R1(config-line)#
R1(config-line)#line vty 0 4
R1(config-line)#login local
R1(config-line)#end
R1#
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#username jr-admin secret class12345
R3(config)#username admin secret class54321
R3(config)#line console 0
R3(config-line)#login local
R3(config-line)#
R3(config-line)#line vty 0 4
R3(config-line)#login local
R3(config-line)#end
R3#
R3#telnet 10.1.1.1 // TELNET SENDS THESE CREDENTIALS IN CLEAR TEXT; ONCE SSH IS CONFIGURED USE ssh -l admin 10.1.1.1 AND SET transport input ssh ON THE VTY LINES
Trying 10.1.1.1 ... Open

Unauthorized access prohibited!

User Access Verification

Username: admin
Password: <class54321>
R1>
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#aaa ?
  new-model  Enable NEW access control commands and functions.(Disables OLD commands.)

R1(config)#aaa new-model // ENABLE AAA (AUTHENTICATION, AUTHORIZATION, ACCOUNTING)
R1(config)#
R1(config)#radius ?
  filter  Packet filter configuration
  server  Server configuration

R1(config)#radius server ?
  WORD  Name for the radius server configuration

R1(config)#radius server RADIUS // CONFIGURE RADIUS SERVER
R1(config-radius-server)#?
RADIUS server sub-mode commands:
  address          Specify the radius server address
  automate-tester  Configure server automated testing.
  backoff          Retry backoff pattern(Default is retransmits with constant delay)
  exit             Exit from RADIUS server configuration mode
  key              Per-server encryption key
  no               Negate a command or set its defaults
  non-standard     Attributes to be parsed that violate RADIUS standard
  pac              Protected Access Credential key
  retransmit       Number of retries to active server (overrides default)
  timeout          Time to wait (in seconds) for this radius server to reply (overrides default)

R1(config-radius-server)#address ?
  ipv4  IPv4 Address
  ipv6  IPv6 Address

R1(config-radius-server)#address ipv4 192.168.1.101
R1(config-radius-server)#key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNCRYPTED (cleartext) shared key

R1(config-radius-server)#key cisco123
R1(config-radius-server)#exit
R1(config)#aaa ?
  accounting       Accounting configurations parameters.
  attribute        AAA attribute definitions
  authentication   Authentication configurations parameters.
  authorization    Authorization configurations parameters.
  cache            AAA cache definitions
  configuration    Authorization configuration parameters.
  dnis             Associate certain AAA parameters to a specific DNIS number
  group            AAA group definitions
  local            AAA Local method options
  max-sessions     Adjust initial hash size for estimated max sessions
  memory           AAA memory parameters
  nas              NAS specific configuration
  new-model        Enable NEW access control commands and functions.(Disables OLD commands.)
  password         Configure password/secret related settings
  pod              POD processing
  policy           AAA policy parameters
  route            Static route downloading
  server           Local AAA server
  service-profile  Service-Profile parameters
  session-id       AAA Session ID
  session-mib      AAA session MIB options
  traceback        Traceback recording
  user             AAA user definitions

R1(config)#aaa group ?
  server  AAA Server group definitions

R1(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

R1(config)#aaa group server radius ?
  WORD  Server-group name

R1(config)#aaa group server radius RADIUS_GROUP
R1(config-sg-radius)#?
RADIUS Server-group commands:
  accounting        Specify a RADIUS attribute filter for accounting
  attribute         Customize selected radius attributes
  authorization     Specify a RADIUS attribute filter for authorization
  backoff           Retry backoff pattern (Default is retransmits with constant delay)
  cache             cached DB profile configuration
  deadtime          Specify time in minutes to ignore an unresponsive server
  default           Set a command to its defaults
  domain-stripping  Strip the domain from the username
  exit              Exit from RADIUS server-group configuration mode
  ip                Internet Protocol config commands
  ipv6              IPv6 config commands
  key-wrap          Configure RADIUS key-wrap feature
  load-balance      Server group load-balancing options.
  mac-delimiter     MAC Delimiter for Radius Compatibility Mode
  no                Negate a command or set its defaults
  server            Specify a RADIUS server
  server-private    Define a private RADIUS server (per group)
  subscriber        Configures MAC Filtering RADIUS Compatibility mode
  throttle          Throttle requests to radius server

R1(config-sg-radius)#server ?
  Hostname or A.B.C.D  IP address of RADIUS server
  name                 Name of radius server

R1(config-sg-radius)#server name ?
  WORD  Radius server name

R1(config-sg-radius)#server name RADIUS
R1(config-sg-radius)#exit
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  onep             Set authentication lists for ONEP
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

R1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

R1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login default group RADIUS_GROUP ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

R1(config)#aaa authentication login default group RADIUS_GROUP local // LOGIN USING RADIUS THEN FALLBACK TO LOCAL DATABASE
R1(config)#
R1(config)#aaa authentication login TELNET group RADIUS_GROUP local-case // LOGIN IS CASE SENSITIVE
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

R1(config-line)#login authentication TELNET
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#aaa new-model
R3(config)#radius server RADIUS
R3(config-radius-server)#address ipv4 192.168.1.101
R3(config-radius-server)#key cisco123
R3(config-radius-server)#exit
R3(config)#aaa authentication login default group RADIUS_GROUP local
R3(config)#
*Jul 22 11:06:23.627: %AAAA-4-SERVUNDEF: The server-group "RADIUS_GROUP" is not defined.  Please define it.
R3(config)#aaa group server radius RADIUS_GROUP
R3(config-sg-radius)#server name RADIUS
R3(config-sg-radius)#exit
R3(config)#
R3(config)#aaa authentication login default group RADIUS_GROUP local
R3(config)#
R3(config)#aaa authentication login TELNET group RADIUS_GROUP local-case
R3(config)#
R3(config)#line vty 0 4
R3(config-line)#login authentication TELNET
R3(config-line)#end
R3#
R3#telnet 10.1.1.1
Trying 10.1.1.1 ... Open

Unauthorized access prohibited!

User Access Verification

Username: ADMIN
Password: <class54321>
% Authentication failed // NO 'ADMIN' CONFIGURED IN LOCAL DATABASE (CASE SENSITIVE)

Username: admin // CORRECT LOCAL LOGIN ACCOUNT
Password: <class54321>
R1>enable
Password: <class12345>
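The two method lists above, `group RADIUS_GROUP local` and `group RADIUS_GROUP local-case`, are walked in order, and IOS consults the next method only when the previous one returns an error (for example, no server in the group answered), not when it rejects the credentials. That distinction decides whether a RADIUS outage locks administrators out and whether a RADIUS reject can be "retried" against the local database. The following is an added example, not code from the original post, that models that walk in Python; the user database, the RADIUS group and its `reachable` flag are constructed for the demo, and the `local` versus `local-case` matching mirrors the case-insensitive and case-sensitive lookups the help output describes.

```python
"""Added example, not code from the original post: a small model of how
Cisco IOS walks an 'aaa authentication login' method list. The user and
server data are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IOS distinguishes three outcomes per method. Only ERROR (the method could
# not give an answer, e.g. no RADIUS server responded) moves on to the next
# method; PASS and FAIL both end the walk.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class LocalDb:
    """Stand-in for the router's 'username ... secret' entries (constructed)."""
    users: Dict[str, str] = field(default_factory=dict)  # username -> secret

    def check(self, user: str, secret: str, case_sensitive: bool) -> str:
        for name, stored in self.users.items():
            same = name == user if case_sensitive else name.lower() == user.lower()
            if same:
                return PASS if stored == secret else FAIL
        return FAIL  # unknown user is a FAIL, not an ERROR, so the walk stops here


@dataclass
class RadiusGroup:
    """Stand-in for 'aaa group server radius'; 'reachable' models whether any
    server in the group answered (constructed)."""
    users: Dict[str, str]
    reachable: bool = True

    def check(self, user: str, secret: str) -> str:
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == secret else FAIL


def build_methods(spec: List[str], local: LocalDb, groups: Dict[str, RadiusGroup]):
    """Turn the tokens after 'aaa authentication login <list>' into (name, fn) pairs."""
    methods, i = [], 0
    while i < len(spec):
        tok = spec[i]
        if tok == "group":
            grp = groups[spec[i + 1]]
            methods.append((f"group {spec[i + 1]}", lambda u, s, g=grp: g.check(u, s)))
            i += 2
        elif tok == "local":
            methods.append(("local", lambda u, s: local.check(u, s, case_sensitive=False)))
            i += 1
        elif tok == "local-case":
            methods.append(("local-case", lambda u, s: local.check(u, s, case_sensitive=True)))
            i += 1
        elif tok == "none":
            methods.append(("none", lambda u, s: PASS))
            i += 1
        else:
            raise ValueError(f"unsupported method keyword: {tok}")
    return methods


def authenticate(spec: List[str], user: str, secret: str,
                 local: LocalDb, groups: Dict[str, RadiusGroup]) -> Tuple[str, List[str]]:
    """Walk the list in order; return the final verdict and the per-method trail."""
    trail: List[str] = []
    for name, fn in build_methods(spec, local, groups):
        result = fn(user, secret)
        trail.append(f"{name}:{result}")
        if result != ERROR:
            return result, trail
    return FAIL, trail  # every method errored out: the login is denied


# Constructed data mirroring the two method lists configured above.
LOCAL = LocalDb({"admin": "class54321", "jr-admin": "class12345"})
GROUPS = {"RADIUS_GROUP": RadiusGroup(users={"admin": "radius-only-pw"}, reachable=False)}
DEFAULT_LIST = ["group", "RADIUS_GROUP", "local"]       # aaa authentication login default ...
TELNET_LIST = ["group", "RADIUS_GROUP", "local-case"]   # aaa authentication login TELNET ...

if __name__ == "__main__":
    for lst, user in ((TELNET_LIST, "ADMIN"), (TELNET_LIST, "admin"), (DEFAULT_LIST, "ADMIN")):
        print(user, lst, authenticate(lst, user, "class54321", LOCAL, GROUPS))
```

With the group marked unreachable, `ADMIN` fails on the `TELNET` list and passes on the `default` list, which is the difference the two Telnet logins above demonstrate. Flip `reachable` to `True` and a RADIUS reject ends the walk at the first method: the local database is never consulted, so a local account is a safety net for server outages only, not an alternative credential set.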
R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#ip domain-name lab.com // SSH REQUIRES HOSTNAME AND DOMAIN NAME CONFIGURED
R1(config)#crypto ?
  call          Configure Crypto Call Admission Control
  ctcp          Configure cTCP encapsulation
  dynamic-map   Specify a dynamic crypto map template
  engine        Enter a crypto engine configurable menu
  gdoi          Configure GDOI policy
  identity      Enter a crypto identity list
  ipsec         Configure IPSEC policy
  isakmp        Configure ISAKMP policy
  key           Long term key operations
  keyring       Key ring commands
  logging       logging messages
  map           Enter a crypto map
  mib           Configure Crypto-related MIB Parameters
  pki           Public Key components
  provisioning  Secure Device Provisioning
  vpn           Configure crypto vpn commands
  wui           Crypto HTTP configuration interfaces
  xauth         X-Auth parameters

R1(config)#crypto key ?
  decrypt       Decrypt a keypair.
  encrypt       Encrypt a keypair.
  export        Export keys
  generate      Generate new keys
  import        Import keys
  move          Move keys
  pubkey-chain  Peer public key chain management
  storage       default storage location for keypairs
  zeroize       Remove keys

R1(config)#crypto key zeroize ?
  ec            Remove EC keys
  pubkey-chain  Remove peer's cached public key
  rsa           Remove RSA keys
  <cr>

R1(config)#crypto key zeroize rsa // OPTIONAL TO ERASE EXISTING KEY PAIR (WEAK KEYS)
% No Signature Keys found in configuration.

R1(config)#crypto key generate ?
  ec   Generate EC keys for ECDSA
  rsa  Generate RSA keys

R1(config)#crypto key generate rsa ?
  encryption    Generate a general purpose RSA key pair for signing and encryption
  exportable    Allow the key to be exported
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  label         Provide a label
  modulus       Provide number of modulus bits on the command line
  on            create key on specified device.
  redundancy    Allow the key to be synced to high-availability peer
  signature     Generate a general purpose RSA key pair for signing and encryption
  storage       Store key on specified device
  usage-keys    Generate separate RSA key pairs for signing and encryption
  <cr>

R1(config)#crypto key generat rsa general-keys ?
  exportable  Allow the key to be exported
  label       Provide a label
  modulus     Provide number of modulus bits on the command line
  on          create key on specified device.
  redundancy  Allow the key to be synced to high-availability peer
  storage     Store key on specified device
  <cr>

R1(config)#crypto key generat rsa general-keys modulus ?
  <360-4096>  size of the key modulus [360-4096]

R1(config)#crypto key generat rsa general-keys modulus 1024
The name for the keys will be: R1.lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R1(config)#
*Jul 22 11:13:28.443: %SSH-5-ENABLED: SSH 1.99 has been enabled // SSHv 1.99 IS KNOWN AS COMPATIBILITY MODE WHICH SUPPORTS BOTH SSH VERSION 1 AND VERSION 2
R1(config)#ip ssh ?
  authentication-retries  Specify number of authentication retries
  break-string            break-string
  dh                      Diffie-Hellman
  dscp                    IP DSCP value for SSH traffic
  logging                 Configure logging for SSH
  maxstartups             Maximum concurrent sessions allowed
  port                    Starting (or only) Port number to listen on
  precedence              IP Precedence value for SSH traffic
  pubkey-chain            pubkey-chain
  rsa                     Configure RSA keypair name for SSH
  source-interface        Specify interface for source address in SSH connections
  stricthostkeycheck      Enable SSH Server Authentication
  time-out                Specify SSH time-out interval
  version                 Specify protocol version to be supported

R1(config)#ip ssh version ?
  <1-2>  Protocol version

R1(config)#ip ssh version 2 // SSHv2 OFFERS BETTER SECURITY THAN SSHv1 (HAS KNOWN VULNERABILITIES)
R1(config)#
R1(config)#line vty 0 4
R1(config-line)#transport ?
  input      Define which protocols to use when connecting to the terminal server
  output     Define which protocols to use for outgoing connections
  preferred  Specify the preferred protocol to use

R1(config-line)#transport input ?
  all     All protocols
  mop     DEC MOP Remote Console Protocol
  none    No protocols
  pad     X.3 PAD
  rlogin  Unix rlogin protocol
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
  udptn   UDPTN async via UDP protocol
  v120    Async over ISDN

R1(config-line)#transport input ssh // CONFIGURE VTY LINES TO ACCEPT SSH ONLY (DISABLE TELNET)
R1(config-line)#end
R1#
*Jul 22 11:14:53.307: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#
R1#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCGpbfQvNg2kvJtFw6W4J/XjzHKPZgPwXgLYZT+kQz
wdLUpL2uhJjZYsq8iqT5i6eXEEDpny+x+UQ3dXb5e9j8bnVYS7BKWI4LYFw16wRK63Ngfk8d4b4irTrv
HjhkJxY2wPWUMfLcpnmssX1C+kFG6ZzHk1O8+Fp5lBgZZV3VJQ==
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip domain-name lab.com
R3(config)#crypto key zeroize rsa
% No Signature Keys found in configuration.

R3(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R3.lab.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

R3(config)#
*Jul 22 11:19:34.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#ip ssh version 2
R3(config)#line vty 0 4
R3(config-line)#transport input ssh
R3(config-line)#end
R3#
*Jul 22 11:19:48.187: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#
R3#show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0lTdQgZfiGM5pyJV8X/Mf6Z+bGhXuXhnSG2n9Vgw1
3AYmPpZH3kpesZFN6IDs194wTtLKidpIWzWWSpkKTJSZppFumHexxfmYdkGBHLu8qmwx78QoVWOkImF3
w0M7wX3LfL6mDWydCZvKkhm09+0/6CQ9ouDek7+1vYYtrIRouw==
R3#ssh -l admin 10.1.1.1
Password: <class54321>

Unauthorized access prohibited!

R1>enable
Password: <class12345>
R1#
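The sessions above configure local users, AAA with RADIUS and local fallback, and SSH-only VTY access, and each of those settings is visible in the saved configuration, which makes them easy to re-check across a fleet. The following is an added example, not code from the original post, that audits a Cisco IOS running-config text for those items: `aaa new-model`, `ip ssh version 2`, `transport input ssh` on every `line vty` block, reversible `username ... password` entries (type 0 or 7) and MD5 (type 5) secrets versus the type 8/9 `algorithm-type` options the help output lists, a cleartext RADIUS `key`, and `service password-encryption`. `SAMPLE_CONFIG` is constructed to resemble R1 after the steps above, with placeholder hashes and one deliberately weak extra account so that the audit has something to report.

```python
"""Added example, not code from the original post: a read-only audit of Cisco
IOS running-config text for the management-plane settings the sessions above
configure. SAMPLE_CONFIG is constructed for the demo; its hashes and type-7
string are placeholders, not real credentials."""
import re
from typing import List, Tuple

SAMPLE_CONFIG = """\
hostname R1
!
aaa new-model
aaa group server radius RADIUS_GROUP
 server name RADIUS
aaa authentication login default group RADIUS_GROUP local
aaa authentication login TELNET group RADIUS_GROUP local-case
!
username jr-admin secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username admin secret 9 $9$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username backup password 7 00000PLACEHOLDER
!
ip domain-name lab.com
ip ssh version 2
!
radius server RADIUS
 address ipv4 192.168.1.101 auth-port 1812 acct-port 1813
 key cisco123
!
line con 0
 login authentication default
line vty 0 4
 login authentication TELNET
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

Block = Tuple[str, List[str]]


def parse_blocks(config: str) -> Tuple[List[str], List[Block]]:
    """Split IOS config into top-level lines and (header, indented children) blocks."""
    top: List[str] = []
    blocks: List[Block] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            top.append(raw.strip())
            blocks.append((raw.strip(), []))
    return top, blocks


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    findings: List[str] = []
    aaa_on = "aaa new-model" in top

    if not aaa_on:
        findings.append("aaa new-model not configured")
    if "ip ssh version 2" not in top:
        findings.append("ip ssh version 2 not set (server may still negotiate SSHv1)")
    if "service password-encryption" not in top:
        findings.append("service password-encryption not set (cleartext passwords and keys stay readable)")

    # Local accounts: 'password' (type 0/7) is reversible; 'secret' should be type 8/9.
    for line in top:
        m = re.match(r"username (\S+) (password|secret)(?: (\d))? ", line)
        if not m:
            continue
        user, kind, ptype = m.group(1), m.group(2), m.group(3) or "0"
        if kind == "password" or ptype in ("0", "7"):
            findings.append(f"username {user}: type {ptype} {kind} is reversible; use 'secret'")
        elif ptype == "5":
            findings.append(f"username {user}: type 5 (MD5) secret; prefer algorithm-type sha256 or scrypt")

    for header, children in blocks:
        if header.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            if not transports:
                findings.append(f"{header}: no 'transport input' line (platform default applies)")
            elif transports[-1].split()[2:] != ["ssh"]:
                findings.append(f"{header}: {transports[-1]} (should be 'transport input ssh')")
            if not aaa_on and "login local" not in children:
                findings.append(f"{header}: AAA is off and 'login local' is missing")
        elif header.startswith("radius server"):
            for c in children:
                if c.startswith("key ") and not c.startswith("key 7 "):
                    findings.append(f"{header}: shared key stored in cleartext")

    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Two caveats. The audit sees only what the running-config shows: the size of the RSA host key generated above is not in it, and the 1024-bit modulus used in the lab is below the 2048-bit minimum Cisco recommends for SSH host keys, so that check has to come from `show ip ssh` or the key generation log. The type 5 finding is informational: an MD5 secret is still far stronger than a type 7 `password`, which is an obfuscation rather than a hash and is the reason the help output offers `secret` with types 8 and 9.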