Management Plane security on Cisco routers and password recovery procedure

By default a Cisco router does not restrict access to its management plane at all; you have to secure it yourself. In this article I’ll show how to do this for the console and VTY lines.

As a reminder, Cisco routers have the following command modes:

User EXEC mode – Router>
Privileged EXEC mode – Router#
Global Configuration mode – Router(config)#
Interface Configuration mode – Router(config-if)#

When you connect to the router over the console cable on its first boot and type “enable”, the default privilege level is 15, which means you can run any command and enter configuration mode without restriction. By default three privilege levels are configured:

0 – no access
1 – user mode access
15 – privilege enable access

Levels 2-14 are available for assignment (custom privilege levels).

Assigning privilege levels

Globally
enable secret level 15 0 itbundle

Per User
username admin privilege 15 secret 0 itbundle

Per Line
line vty 0 4
privilege level 15

show privilege – shows the current privilege level
service password-encryption – writes passwords as MD5 hashes instead of plain text
security passwords min-length 10 – sets the required minimum password length

Securing Privileged Mode in 3 ways

All three of these commands mean the same thing; the only difference is how the password is given: in the first case I typed it in plain text, in the second and third I gave it as an MD5 hash. In the third case I omitted “level 15” because IOS assumes by default that the password is for level 15, unless we state otherwise.

enable secret level 15 0 itbundle
enable secret level 15 5 42bee8d607a72e84e02f0fa74c07af0e
enable secret 5 42bee8d607a72e84e02f0fa74c07af0e

Let’s set up something for level 5
enable secret level 5 0 itbundle

We may also set up restrictions for the “exec” and “configure” modes:

privilege exec level 5 ping – in exec mode the “ping” command will be accessible from level 5 up to 15
privilege configure level 5 interface – in configure mode the “interface” command will be accessible from level 5 up to 15

The command that protects the router against brute-force attacks:

login block-for 300 attempts 10 within 60 – blocks logins for 300 seconds if a user gives a wrong password 10 times within 1 minute

The exec-timeout command in (config-line) mode determines how long an idle line (console, VTY) stays logged into the CLI (EXEC) process:
line console 0
exec-timeout 300

Normally a user with physical console access can perform password recovery via ROMMON and gain access to the saved configuration and the CLI.
no service password-recovery – disables the ability to recover the configuration; ROMMON is still reachable, but a password-recovery attempt wipes NVRAM

Examples of configuration:

1. Securing with no users database

line vty 0 4
password itbundle
login

You have to use ‘password’ and ‘login’ together in order to enforce the password requirement. If you use ‘no password’ and ‘no login’, access will be granted automatically!

2. Securing with local database

username admin privilege 15 secret 0 itbundle

line vty 0 4
login local

3. Securing with AAA server

aaa new-model – enables AAA on the router

aaa authentication login default local – logins use the “default” method list, which authenticates against the local user database

aaa authentication login CONSOLE-AUTH group radius – creates the CONSOLE-AUTH list, which authenticates users via an external RADIUS server
line console 0
login authentication CONSOLE-AUTH – use CONSOLE-AUTH for authentication on the console
authorization exec CONSOLE-AUTH – use CONSOLE-AUTH for authorization

authentication list default – the “default” list applies to the VTY, console and AUX lines
aaa local authentication attempts max-fail 3 – maximum number of failed login attempts

If we want to use SSH instead of Telnet:

hostname router1 – gives the router a name
ip domain-name itbundle.net – sets the domain name
crypto key generate rsa modulus 1024 – generates the RSA key pair

line vty 0 4
transport input ssh – allows only SSH as the login protocol

4. Securing with external AAA server

aaa new-model

Define the RADIUS server (or servers) and its shared key:

radius server RADIUS
address ipv4 192.168.1.1 auth-port 1812
key itbundle

Define a RADIUS server group (a group may contain several servers for redundancy):

aaa group server radius RADIUS-GROUP
server name RADIUS

Now let’s deal with the forgotten-password issue.
First, we need to know that Cisco devices use the “configuration register”, which tells the router how to boot and which options to apply during the process.

To recover the password we have to be familiar with two values:

0x2142 – bypasses the startup-config
0x2102 – does not bypass the startup-config

The procedure looks like this:

1. press <CTRL + BREAK> – to get into ROMMON (ROM monitor) mode

2. run “confreg 0x2142” – to ignore the startup-config

3. reload the router

4. copy startup-config running-config – to copy NVRAM into memory

5. enable password <password> – to change the password

6. run “confreg 0x2102” – so that the startup-config is read again during boot

7. copy running-config startup-config

8. reload
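
The two register values used above differ in a single bit, and after step 6 an operator should confirm from `show version` that the router will read NVRAM again at the next reload; otherwise the next reboot comes up with an empty configuration and the device is open on every line. The following Python code is an added example, not from the article: it decodes the fields of the 16-bit configuration register that matter here (the boot field in bits 0-3, bit 6 “ignore NVRAM”, bit 8 “Break disabled”, bit 13 “fall back to ROM if netboot fails”), toggles bit 6 between 0x2102 and 0x2142, and parses the `Configuration register is ...` line that `show version` prints; the sample line is constructed. Note that once IOS has booted (step 6) the register is changed with `config-register 0x2102` in global configuration mode; `confreg` is the ROMMON form of the same setting.

```python
"""Decode and check the Cisco configuration register used in the
password-recovery procedure. Added example; the sample `show version`
line below is constructed, not captured from a device."""
import re

# Bit layout of the 16-bit configuration register (classic IOS routers).
BOOT_FIELD_MASK = 0x000F            # bits 0-3: boot field
IGNORE_NVRAM = 0x0040               # bit 6: ignore startup-config in NVRAM
BREAK_DISABLED = 0x0100             # bit 8: ignore Break once IOS has booted
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13: fall back to ROM if netboot fails

# Constructed sample of the line `show version` prints while recovery is
# half done: the running value still ignores NVRAM, the next one does not.
SAMPLE_SHOW_VERSION = (
    "Configuration register is 0x2142 (will be 0x2102 at next reload)"
)


def boot_field_meaning(boot_field):
    """Plain-language meaning of the low four bits."""
    if boot_field == 0x0:
        return "stay in ROMMON"
    if boot_field == 0x1:
        return "boot the first image in flash (boot ROM on older platforms)"
    return "boot using the 'boot system' commands (default 0x2)"


def decode_confreg(value):
    """Return the fields of a register value that matter for recovery."""
    return {
        "boot_field": value & BOOT_FIELD_MASK,
        "ignore_startup_config": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
    }


def set_ignore_nvram(value, ignore):
    """Set or clear bit 6: 0x2102 -> 0x2142 (step 2) and back again (step 6)."""
    if ignore:
        return value | IGNORE_NVRAM
    return value & ~IGNORE_NVRAM & 0xFFFF


def diff_fields(a, b):
    """Names of the decoded fields that differ between two register values."""
    da, db = decode_confreg(a), decode_confreg(b)
    return sorted(name for name in da if da[name] != db[name])


def parse_show_version_register(text):
    """Extract (current, at_next_reload) from `show version` output.
    Returns None when the register line is absent."""
    match = re.search(
        r"Configuration register is (0x[0-9A-Fa-f]+)"
        r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?",
        text,
    )
    if match is None:
        return None
    current = int(match.group(1), 16)
    at_next_reload = int(match.group(2), 16) if match.group(2) else current
    return current, at_next_reload


def recovery_complete(show_version_text):
    """True when the value that applies at the next reload reads NVRAM again,
    i.e. the operator has not forgotten step 6."""
    parsed = parse_show_version_register(show_version_text)
    if parsed is None:
        return False
    return not decode_confreg(parsed[1])["ignore_startup_config"]


if __name__ == "__main__":
    for value in (0x2102, 0x2142):
        fields = decode_confreg(value)
        print(f"0x{value:04X}: {fields} -> {boot_field_meaning(fields['boot_field'])}")
    print("differs in:", diff_fields(0x2102, 0x2142))
    print("recovery complete:", recovery_complete(SAMPLE_SHOW_VERSION))
```

Running the file prints both decodings side by side, which makes the point of the procedure visible: 0x2142 is 0x2102 with only the “ignore startup-config” bit set, so the router boots the same image with the same Break behaviour but skips NVRAM, and `recovery_complete()` is the check to run before the final reload.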
