Secure Access And Passwords

Secure Access And Passwords :

 

 ________________________________________

Follow us on Facebook

Follow us on Google+

________________________________________

 

Disable the reset passwords :

In some cases, it may be necessary to disable the service that allows you to reset the password on a router. It is important to note here that this deactivation can have serious consequences, for example, the obligation to return to the default configuration base (factory) router.

R1(config)# no service passwords-recovery

In case of loss of password, it will be impossible to reset the password of the super user. This command is part of the hidden commands Cisco IOS. I suggest you use it only if you do not have sufficient security level control physical access to your router. 

Set the minimum length of a password :

R1(config)# security passwords min-length 10

The router does not accept passwords less than 10 characters.

Limit the number of failed login attempts :

To prevent dictionary attacks and brute force passwords, limit the number of unsuccessful login attempts on your router (in our example, this number is 4).

R1(config)# security authentication failure rate 4 log

After four unsuccessful login attempts within one minute, the information will be recorded in the event log. 

R1(config)# login block-for 60 attempts 4 within 10

After four unsuccessful login attempts within an interval of 10 seconds, another attempt will be possible after 60 seconds, because the router will remain silent during this period.

During this period, it will be impossible to connect to the router. Which could affect administrators router with rights. To avoid this, it will create an ACL that allows administrators to log in during this period of silence (quiet-mode). 

R1(config)# ip access-list standard login-permit-adm
R1(config-std-nac)# permit 172.16.20.0 0.0.0.255
R1(config)# exit
R1(config)# login quiet-mode access-class login-permit-adm

Prevent logins on lines (auxiliary, and virtual) :

/ / Auxiliary Line :

R1(config)# line aux 0
R1(config-line)# no password
R1(config-line)# login
R1(config-line)# exit

/ / Virtual lines :

R1(config)# line vty 0 4
R1(config-line)# no password
R1(config-line)# login
R1(config-line)# exit 

Just allow remote access via SSH (and telnet is not secure) :

R1(config)# line vty 0 4
R1(config-line)# no transport input
R1(config-line)# transport input ssh
R1(config-line)# exit

Configuring additional security for the VTY lines, console and AUX :

R1(config)# line vty 0 4
R1(config-line)# exec-timeout 5
R1(config-line)# exit

R1(config)# line console 0
R1(config-line)# exec-timeout 5
R1(config-line)# exit

R1(config)# line aux 0
R1(config-line)# exec-timeout 5
R1(config-line)# exit

R1(config)# service tcp-keepalives-in

Configuring SSH Security :

R1(config)# hostname Ottawa                                  // definition of hostname)
Ottawa(config)# ip domain-name cisco.com          // definition of the domain name)
Ottawa(config)# crypto key generate rsa                // generation of asymmetric keys
Ottawa(config)# username emabo secret cisco123

Ottawa(config)# line vty 0 4
Ottawa(config-line)# transport input ssh            // authentication configuration local and VTY
Ottawa(config-line)# login local

Ottawa(config)# ip ssh time-out 10                        // configure ssh timeouts
Ottawa(config)# ip ssh authentication-retries 3    // configuration time test new ssh

Pay special attention to vulnerabilities SNMP, NTP and DNS :

To ensure functionality, a router relies on other services such as  service name resolution. It turns out that these services are often vulnerable. it should therefore ensure that the ancillary services relied on a router are properly configure and secure.

Disable all services, protocols and unnecessary accounts :

R1(config)# no service finger                            // example of the finger service
R1(config)# no cdp run                                       // example CDP