Secure Access And Passwords :
________________________________________
Disable password recovery :
In some cases it may be necessary to disable the mechanism that allows the password on a router to be reset. Note that this deactivation can have serious consequences, for example forcing the router back to its factory default configuration.
R1(config)# no service password-recovery
If the password is lost, the privileged (enable) password can no longer be recovered. This command is one of the hidden Cisco IOS commands. I suggest using it only when you cannot adequately control physical access to the router.
Set the minimum length of a password :
R1(config)# security passwords min-length 10
The router then rejects any newly configured password shorter than 10 characters.
Limit the number of failed login attempts :
To prevent dictionary and brute-force attacks on passwords, limit the number of unsuccessful login attempts on the router (in our example, 4).
R1(config)# security authentication failure rate 4 log
After four unsuccessful login attempts within one minute, the router writes a message to the event log.
R1(config)# login block-for 60 attempts 4 within 10
After four unsuccessful login attempts within an interval of 10 seconds, the router enters quiet mode for 60 seconds and ignores further login attempts; a new attempt is only possible once that period has elapsed.
During this period no one can connect to the router, which also locks out legitimate administrators. To avoid this, create an ACL that identifies the administrators and allows them to log in during the quiet period (quiet-mode).
R1(config)# ip access-list standard login-permit-adm
R1(config-std-nacl)# permit 172.16.20.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class login-permit-adm
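To make the quiet-mode behaviour concrete, here is an added Python model of the policy above (login block-for 60 attempts 4 within 10, combined with the login-permit-adm ACL). It is example code written for this page, not IOS code and not from the original tutorial: failed logins are counted across all sources in a sliding window, reaching the threshold silences the router for 60 seconds, and only addresses matching the ACL (172.16.20.0/24) may still log in during that time. The LoginGuard class, the timestamps and the source addresses are constructed for the example, and the exact counting rules of IOS may differ in detail.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Parameters taken from "login block-for 60 attempts 4 within 10"
BLOCK_FOR = 60   # seconds the router stays in quiet mode
ATTEMPTS = 4     # failed logins that trigger quiet mode
WITHIN = 10      # window, in seconds, in which those failures must occur

# Constructed stand-in for the standard ACL "login-permit-adm"
# (permit 172.16.20.0 0.0.0.255): hosts allowed to log in during quiet mode.
QUIET_MODE_PERMIT = [ip_network("172.16.20.0/24")]


class LoginGuard:
    """Simplified model (hypothetical, not IOS) of login block-for + quiet-mode ACL."""

    def __init__(self, block_for=BLOCK_FOR, attempts=ATTEMPTS, within=WITHIN,
                 permit=QUIET_MODE_PERMIT):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.permit = permit
        self.failures = deque()    # timestamps of recent failed logins, all sources
        self.quiet_until = None    # end of the quiet period, None when not silenced
        self.events = []           # log lines the model emits, like the router's syslog

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def exempt(self, src):
        """True when src matches the quiet-mode access-class."""
        return any(ip_address(src) in net for net in self.permit)

    def attempt(self, now, src, credentials_ok):
        """Handle one login attempt at time `now` (seconds) from address `src`.

        Returns 'silent' (attempt ignored in quiet mode), 'accepted' or 'rejected'.
        """
        if self.in_quiet_mode(now) and not self.exempt(src):
            return "silent"
        if credentials_ok:
            return "accepted"
        # Failed login: record it and discard failures that fell out of the window.
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts and not self.in_quiet_mode(now):
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append(
                f"t={now}: {self.attempts} failures within {self.within}s, "
                f"quiet mode until t={self.quiet_until}")
        return "rejected"


if __name__ == "__main__":
    g = LoginGuard()
    for t in (0, 2, 4, 6):                      # four failures inside the 10 s window
        print(t, g.attempt(t, "10.0.0.5", False))
    print(7, g.attempt(7, "10.0.0.5", True))    # silent: correct password, but quiet mode
    print(8, g.attempt(8, "172.16.20.7", True)) # accepted: admin subnet is exempt
    print(66, g.attempt(66, "10.0.0.5", True))  # accepted: quiet period is over
    print("\n".join(g.events))
```

The model counts failures globally rather than per source, which is also why the quiet period hits legitimate administrators and why the access-class exemption is needed.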
Prevent logins on the auxiliary and virtual lines :
// Auxiliary line :
R1(config)# line aux 0
R1(config-line)# no password
R1(config-line)# login
R1(config-line)# exit
// Virtual lines :
R1(config)# line vty 0 4
R1(config-line)# no password
R1(config-line)# login
R1(config-line)# exit
Only allow remote access via SSH (Telnet is not secure) :
R1(config)# line vty 0 4
R1(config-line)# no transport input
R1(config-line)# transport input ssh
R1(config-line)# exit
Configuring additional security for the VTY, console and AUX lines :
R1(config)# line vty 0 4
R1(config-line)# exec-timeout 5 // close idle sessions after 5 minutes
R1(config-line)# exit
R1(config)# line console 0
R1(config-line)# exec-timeout 5
R1(config-line)# exit
R1(config)# line aux 0
R1(config-line)# exec-timeout 5
R1(config-line)# exit
R1(config)# service tcp-keepalives-in // detect and clear dead inbound TCP sessions
Configuring SSH Security :
R1(config)# hostname Ottawa // set the hostname
Ottawa(config)# ip domain-name cisco.com // set the domain name (required to generate the RSA keys)
Ottawa(config)# crypto key generate rsa // generate the RSA key pair used by SSH
Ottawa(config)# username emabo secret cisco123 // local user account for SSH logins
Ottawa(config)# line vty 0 4
Ottawa(config-line)# transport input ssh // accept only SSH on the VTY lines
Ottawa(config-line)# login local // authenticate against the local user database
Ottawa(config-line)# exit
Ottawa(config)# ip ssh time-out 10 // SSH negotiation timeout, in seconds
Ottawa(config)# ip ssh authentication-retries 3 // maximum authentication attempts per SSH session
Pay special attention to SNMP, NTP and DNS vulnerabilities :
To operate, a router relies on other services such as name resolution, and these services are often vulnerable. Make sure that the ancillary services a router depends on are properly configured and secured.
Disable all unnecessary services, protocols and accounts :
R1(config)# no service finger // example of the finger service
R1(config)# no cdp run // example CDP
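As an added, defender-side example that is not part of the original page, the following Python script audits a running-config for the hardening settings covered above: password recovery, minimum password length, the failure-rate and login block-for limits, TCP keepalives, CDP, the SSH timeout and retry limits, and, per line, the exec-timeout and SSH-only transport on the VTY lines. The two configurations are constructed samples, not output from a real router; the finding identifiers and the `audit` function are assumptions of this example. Note that settings left at their defaults do not appear in a running-config, so `no service finger` is deliberately not checked.

```python
import re

# Constructed sample running-config fragments (not captured from a real device).
HARDENED = """\
hostname Ottawa
no service password-recovery
service tcp-keepalives-in
security passwords min-length 10
security authentication failure rate 4 log
login block-for 60 attempts 4 within 10
login quiet-mode access-class login-permit-adm
ip domain-name cisco.com
ip ssh time-out 10
ip ssh authentication-retries 3
no cdp run
!
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
"""

WEAK = """\
hostname R1
security passwords min-length 6
ip domain-name cisco.com
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 login local
 transport input telnet ssh
!
"""

MIN_LEN = 10

# finding id -> global command that must be present
REQUIRED_GLOBAL = {
    "failure-rate":   "security authentication failure rate",
    "login-block":    "login block-for",
    "tcp-keepalives": "service tcp-keepalives-in",
    "cdp":            "no cdp run",
    "ssh-timeout":    "ip ssh time-out",
    "ssh-retries":    "ip ssh authentication-retries",
}


def parse_config(text):
    """Split IOS config text into global commands and the commands under each 'line' section."""
    global_cmds, sections = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented: belongs to the current section
            if current is not None and current.startswith("line "):
                sections[current].append(line.strip())
            continue
        current = line
        if line.startswith("line "):
            sections[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, sections


def exec_timeout_ok(cmds):
    """True when an exec-timeout is explicitly set and not disabled (0 0)."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            return int(m.group(1)) + int(m.group(2) or 0) > 0
    return False  # not set: left at the platform default


def audit(text):
    """Return the list of finding identifiers for the given running-config text."""
    global_cmds, sections = parse_config(text)
    findings = []

    def have(prefix):
        return any(c.startswith(prefix) for c in global_cmds)

    if not have("no service password-recovery"):
        findings.append("password-recovery")   # optional hardening, see caveat in the text
    m = None
    for c in global_cmds:
        m = m or re.match(r"security passwords min-length (\d+)$", c)
    if m is None or int(m.group(1)) < MIN_LEN:
        findings.append("min-length")
    for key, prefix in REQUIRED_GLOBAL.items():
        if not have(prefix):
            findings.append(key)
    for name, cmds in sections.items():
        kind = name.split()[1]
        if kind in ("con", "console", "aux", "vty") and not exec_timeout_ok(cmds):
            findings.append(f"{name}: exec-timeout")
        if kind == "vty" and "transport input ssh" not in cmds:
            findings.append(f"{name}: transport")
    return findings


if __name__ == "__main__":
    print("hardened:", audit(HARDENED))
    print("weak:", audit(WEAK))
```

Run it against `show running-config` output saved to a file to get a quick list of the settings from this page that are still missing; `transport input telnet ssh` is reported because only `transport input ssh` restricts the VTY lines to SSH.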