Официален блог на WebEKM EKM очаквайте сайта онлайн скоро.

Download Free Templates http://bigtheme.net/ free full Wordpress, Joomla, Mgento - premium themes.

Management Plane security on Cisco routers and password recovery procedure

cisco-security1smallBy default Cisco router doesn’t provide any security regarding the access. You have to secure the router by yourself. In this article I’ll show how to do this for console and VTY lines

Just for recalling, on Cisco routers we have got Command Modes :

User EXEC mode – Router>
Privileged EXEC mode – Router#
Global Configuration mode – Router(config)#
Interface Configuration mode – Router(config-if)#

When you are connected to the router via console cable and for the first boot up the router and type “enable” default privilege level is 15 what means you may type any command and get into configuration mode with no restricsions. By default we have configured 3 privelege levels:

0 – no access
1 – user mode access
15 – privilege enable access

level 2-14 are available for assignment (customs privilege levels)

Assigning privilege levels

enable secret level 15 0 itbundle

Per User
username admin privilege 15 secret 0 itbundle

Per Line
line vty 0 4
privelege level 15

show privilege – shows current privilege level
service password encryption – writes passwords in MD5 hashes, instead of plain text
security password min lenght 10 – we set up required minimum lenght of the password

Securing Privileged Mode in 3 ways

All this 3 commands means the same, the difference is only regarding giving the password, in the first case I did it in plain text, in second and third way I gave the password as MD5 hash. In third case I didn’t write “level 15” because IOS assumes by default that we set up password for level 15, unless we state different.

enable secret level 15 0 itbundle
enable secret level 15 5 42bee8d607a72e84e02f0fa74c07af0e
enable secret 5 42bee8d607a72e84e02f0fa74c07af0e

Let’s set up something for level 5
enable secret level 5 0 itbundle

We may also set up restricsions for different modes “exec” and “configure” :

privilege exec level 5 ping – in exec mode “ping” command will be accesible from level 5 up to 15
privelege configure level 5 interface – in configure mode “interface” command will be accessible from level 5 up to 15

The command thanks to which we may protect the router against brute force attack :

login block for 300 attempts 10 within 60 – blocking the user for 300 seconds if wrongly gave passwords 10 times within 1 minute

exec-timeout command in (config-line) mode determines how long an idle line (console, vty) will stay logged int the CLI
(exec) process
line console 0
exec-timeout 300

Normally a user with physical console access can perform password recovery via ROMMON to access saved config & CLI
no service-password recovery – disables ability to recover config, we still have access to ROMMON but password recovery attempt deletes NVRAM

Examples of configuration :

1. Securing with no users database

line vty 0 4
password itbundle

You have to use ‘password’ and ‘login’ together in order to force pasword requirement. If you  use ‘no password‘ and ‘no login‘ command the access will be granted automatically! 

2. Securing with local database

username admin privilege 15 secret 0 itbundle

line vty 0 4
login local

3. Securing with AAA server

aaa new-model – starting local AAA server

aaa authentication login default local – in order to log in, the user use default list, and use local users database

aaa authentication login CONSOLE-AUTH group radius – creating CONSOLE-AUTH list and authenticate users via external radius server
line console 0
login authentication CONSOLE-AUTH – use CONSOLE-AUTH for authentication
authorization exec CONSOLE-AUTH – use CONSOLE-AUTH for authorization

authentication list default – “default” list is destined for VTY, console and AUX
aaa local authentication attempts max-fail 3 – maximum njumber of wrong logging

In case we don’t want to use Telnet but SSH :

hostname router1 – giving a name to the router
ip domain-name itbundle.net – creating a domain
crypto key generate rsa modulus 1024 – generating rsa key

line VTY 0 4
transport input SSH – changing the protocol of login

4. Securing with external AAA server

aaa new-model

Define the Radius server or servers and the key server:

radius server RADIUS
address ipv4 auth-port 1812
key itbundle

Define a Radius server group (we may have a couple of servers in the group for redundancy)

aaa group server radius RADIUS-GROUP
server name RADIUS



Now let’s try to deal with forgotten password issue.
Firstly we need to know that Cisco devices using “the configuration register” that tells the router how to bootu its up and what particulat options choose during the process.

In order to recover the password we have to be familiar with 2 modes:

0x2142 bypasses the startup config
0x2102 does not bypass the startup config

The procedure looks like:

1 press <CTRL + BREAK> – to egt into ROMMON (ROM monitor) mode

2 run “confreg 0x2142″ – in order to ignore startup-config

3 reload the router

4 copy startup-config running-config – to copy NVRAM into memory

5 enable password <password> – to change the password

6 run “confreg 0x2102” to get reading startup-config during boot up

7 copy running-config startup-config

8 reload



Onlain bookmaker bet365.com - the best bokie