
30 securing device hardening


Cisco Device Hardening

Securing Cisco Router Installations and
Administrative Access


Configuring Router Passwords

• A console is a terminal connected to a router console port.
• The terminal can be a dumb terminal or a PC with terminal emulation
software.


Password Creation Rules
• Passwords can be 1 to 25 characters in length.
• Passwords can include:
– Alphanumeric characters
– Uppercase and lowercase characters
– Symbols and spaces
• Passwords cannot have a number as the first character.
• Password-leading spaces are ignored, but any spaces after the first
character are not ignored.
• Change passwords.


Initial Configuration Dialog
Would you like to enter the initial configuration dialog? [yes/no] y

Configuring global parameters:
Enter host name [Router]: Boston
The enable secret is a password used to protect access to privileged EXEC and
configuration modes. This password, after entered, becomes encrypted in the
configuration.
Enter enable secret: CantGuessMe

The enable password is used when you do not specify an enable secret password,
with some older software versions, and some boot images.
Enter enable password: WontGuessMe
The virtual terminal password is used to protect access to the router over a
network interface.
Enter virtual terminal password: CantGuessMeVTY


Configure the Line-Level Password
router(config)#
line console 0
line aux 0
line vty 0 4
• Enters line configuration mode (console, auxiliary, or vty)
router(config-line)#
login
• Enables password checking at login
router(config-line)#
password password
• Sets the line-level password

Boston(config)#line con 0
Boston(config-line)#login
Boston(config-line)#password ConUser1



Password Minimum Length Enforcement
router(config)#

security passwords min-length length
• Sets the minimum length of all Cisco IOS passwords

Boston(config)#security passwords min-length 10


Encrypting Passwords Using the
service password-encryption Command
router(config)#
service password-encryption
• Encrypts all passwords in the router configuration file
Boston(config)#service password-encryption
Boston(config)#exit
Boston#show running-config
enable password 7 06020026144A061E
!
line con 0
password 7 0956F57A109A
!
line vty 0 4
password 7 034A18F366A0
!
line aux 0
password 7 7A4F5192306A


Enhanced Username Password Security

router(config)#

username name password {[0] password | 7 hidden-password}
• Traditional user configuration with plaintext password
router(config)#

username name secret {[0] password | 5 encrypted-secret}
• Uses MD5 hashing for strong password protection
• Better than the type 7 encryption produced by the service password-encryption command
Boston(config)#username rtradmin secret 0 Curium96
Boston(config)#username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007


Authentication Failure Rate with Login
router(config)#
security authentication failure rate threshold-rate log
• Configures the number of allowable unsuccessful login attempts

• By default, the router allows 10 login failures before initiating a 15-second delay
• Generates a syslog message when rate is exceeded

Boston(config)#security authentication failure rate 10 log


Setting a Login Failure Blocking Period
router(config)#
login block-for seconds attempts tries within seconds
• Blocks access for a quiet period after a configurable number of
failed login attempts within a specified period
• Must be entered before any other login command

• Mitigates DoS and break-in attacks

Boston(config)#login block-for 100 attempts 2 within 100


Excluding Addresses from Login Blocking
router(config)#
login quiet-mode access-class {acl-name | acl-number}
• Specifies an ACL that is applied to the router when it switches to the
quiet mode.
• If not configured, all login requests will be denied during the quiet
mode.
• Excludes IP addresses from failure counting for login block-for
command.

Boston(config)#login quiet-mode access-class myacl


Setting a Login Delay
router(config)#
login delay seconds
• Configures a delay between successive login attempts.
• Helps mitigate dictionary attacks.
• If not set, a default delay of one second is enforced after the login
block-for command is configured.

Boston(config)#login delay 30


Verifying Login

router#
show login [failures]

• Displays login parameters and failures
Boston(config)#show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged and generate SNMP traps.
All failed login is logged and generate SNMP traps.
Router enabled to watch for login Attacks.
If more than 15 login failures occur in 100 seconds or
less, logins will be disabled for 100 seconds.
Router presently in Watch-Mode, will remain in Watch-Mode for 95 seconds.
Present login failure count 5.
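The slides above show login block-for 100 attempts 2 within 100 and a show login display in Watch-Mode. The following model, added here as an illustration and not Cisco code, simulates that watch-mode / quiet-mode behaviour in Python so the interaction of the three parameters can be seen: the window is a sliding one, a correct password is still refused while quiet mode lasts, and a host permitted by the quiet-mode ACL (assumed here to be neither counted nor blocked) keeps administrative access. The addresses and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed model of the `login block-for` behaviour described on the slides.
# Written for this page, not Cisco's implementation: IOS keeps its own timers and
# counters, and the quiet-mode ACL semantics are assumed to be "addresses
# permitted by the ACL are neither counted nor blocked".


@dataclass
class LoginGuard:
    """login block-for <block_for> attempts <attempts> within <within>"""
    block_for: int                  # seconds of quiet mode once triggered
    attempts: int                   # failures that trigger quiet mode
    within: int                     # length of the sliding window, in seconds
    exempt: Set[str] = field(default_factory=set)   # quiet-mode ACL (assumed semantics)
    failures: List[float] = field(default_factory=list)
    quiet_until: float = 0.0
    events: List[str] = field(default_factory=list)

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def attempt(self, now: float, src: str, success: bool) -> str:
        """Process one login attempt at time `now` (seconds) from address `src`.
        Returns 'accepted', 'rejected' or 'blocked' (refused because of quiet mode)."""
        if src in self.exempt:
            return "accepted" if success else "rejected"
        if self.in_quiet_mode(now):
            return "blocked"
        if success:
            return "accepted"
        # drop failures that have aged out of the window, then count this one
        self.failures = [t for t in self.failures if now - t <= self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self.events.append(
                f"{now:.0f}s: {self.attempts} failures within {self.within}s; "
                f"quiet mode until {self.quiet_until:.0f}s")
        return "rejected"

    def status(self, now: float) -> Dict[str, object]:
        """Roughly what `show login` reports: mode, remaining time, failure count."""
        if self.in_quiet_mode(now):
            return {"mode": "Quiet-Mode", "remaining": self.quiet_until - now,
                    "failures": 0}
        return {"mode": "Watch-Mode", "remaining": 0.0, "failures": len(self.failures)}


def brute_force_scenario() -> Dict[str, object]:
    """Two failures 10 s apart trip the 100 s quiet period; an exempt host still gets in."""
    g = LoginGuard(block_for=100, attempts=2, within=100, exempt={"10.0.0.5"})
    results = [
        g.attempt(0, "198.51.100.9", success=False),    # rejected, count 1
        g.attempt(10, "198.51.100.9", success=False),   # rejected, quiet mode starts
        g.attempt(20, "198.51.100.9", success=True),    # correct password but blocked
        g.attempt(20, "10.0.0.5", success=True),        # exempt admin host, accepted
        g.attempt(111, "198.51.100.9", success=True),   # quiet period ended at 110 s
    ]
    return {"results": results, "status_at_20": g.status(20), "events": g.events}


def slow_failures_scenario() -> List[str]:
    """Failures further apart than `within` never accumulate, so no quiet mode."""
    g = LoginGuard(block_for=100, attempts=2, within=100)
    return [g.attempt(0, "198.51.100.9", success=False),
            g.attempt(150, "198.51.100.9", success=False),
            g.attempt(160, "198.51.100.9", success=True)]


if __name__ == "__main__":
    print(brute_force_scenario())
    print(slow_failures_scenario())
```

The second scenario is the reason the within value matters: a quiet period only triggers when the configured number of failures lands inside one window, which is what the "If more than 15 login failures occur in 100 seconds or less" line of show login expresses.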


Setting Timeouts for Router Lines
router(config-line)#
exec-timeout minutes [seconds]

• Default is 10 minutes
• Terminates an unattended connection
• Provides an extra safety factor when an administrator walks away
from an active console session
Boston(config)#line console 0
Boston(config-line)#exec-timeout 3 30
Boston(config)#line aux 0
Boston(config-line)#exec-timeout 3 30

• Terminates an unattended console or auxiliary connection after 3 minutes and 30 seconds


Configuring Banner Messages
router(config)#
banner {exec | incoming | login | motd | slip-ppp} d message d
• d is a delimiting character that does not appear in the message (% in the example below)
• Specifies what is “proper use” of the system
• Specifies that the system is being monitored
• Specifies that privacy should not be expected when using this
system
Boston(config)#banner motd %
WARNING: You are connected to $(hostname) on the
Cisco Systems, Incorporated network. Unauthorized
access and use of this network will be vigorously
prosecuted. %


Configuring an SSH Server for
Secure Management
Austin2#configure terminal
Austin2(config)#ip domain-name cisco.com
Austin2(config)#crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)#ip ssh timeout 120
Austin2(config)#ip ssh authentication-retries 4
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet
Austin2(config-line)#transport input ssh
Austin2(config-line)#end


1. Configure the IP domain name
2. Generate the RSA keys
3. Configure the SSH timeout interval
4. Configure the SSH retries
5. Disable vty inbound Telnet sessions
6. Enable vty inbound SSH sessions
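The hardening items from the preceding slides (line passwords with login, service password-encryption, security passwords min-length, username secret instead of password, login block-for, exec-timeout, and vty transport input ssh) are the kind of thing an auditor wants to check across many saved configurations rather than by eye. The script below, added here as an example and not part of the original slides or any Cisco tool, parses a running-config and reports each item that is missing or weakened. The sample configuration is constructed for the example; it reuses the command forms and type 7 strings shown on the slides and deliberately leaves a few items weak.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config for this example (not captured from a real
# router); the commands and type 7 strings reuse the forms shown on the slides.
SAMPLE_CONFIG = """\
hostname Boston
service password-encryption
security passwords min-length 10
enable password 7 06020026144A061E
username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007
username backup password 7 0956F57A109A
login block-for 100 attempts 2 within 100
!
line con 0
 exec-timeout 3 30
 password 7 0956F57A109A
 login
!
line aux 0
 exec-timeout 0 0
 password 7 7A4F5192306A
 login
!
line vty 0 4
 transport input telnet ssh
 password 7 034A18F366A0
 login
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and the commands under each
    `line ...` section. IOS indents line sub-commands by one space and closes
    the section with `!`, which is all this parser relies on."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        m = re.match(r"line (.+)", line)
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit(text: str) -> List[str]:
    """Return one finding for each hardening item from the slides that is missing
    or weakened; an empty list means every check passed."""
    global_cmds, sections = parse_config(text)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in global_cmds)

    if not has("service password-encryption"):
        findings.append("global: service password-encryption is not enabled")
    if not has("security passwords min-length"):
        findings.append("global: no security passwords min-length")
    if not has("login block-for"):
        findings.append("global: no login block-for (no quiet period after failed logins)")
    if has("enable password") and not has("enable secret"):
        findings.append("global: enable password set without enable secret (type 7 is reversible)")
    for cmd in global_cmds:
        m = re.match(r"username (\S+) password ", cmd)
        if m:
            findings.append(f"global: username {m.group(1)} uses 'password'; use 'secret' (MD5)")

    for name, cmds in sections.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"line {name}: no exec-timeout (default is 10 minutes)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"line {name}: exec-timeout 0 disables the idle timeout")
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"line {name}: password checking not enabled (no login)")
        if name.startswith("vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport is None or transport.split()[2:] != ["ssh"]:
                findings.append(f"line {name}: inbound access not limited to SSH "
                                f"({transport or 'no transport input'})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the audit reports the enable password without an enable secret, the backup user still on a reversible password, the disabled idle timeout on the aux line, and the vty lines that lack an exec-timeout and still accept Telnet; a type 7 string on a line password is not itself reported, because that is exactly what service password-encryption produces.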


AAA Model
• Authentication:
– Who are you?
– “I am user student and my password validateme proves it.”
• Authorization:
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
– “Assign an IP address and ACL to user student connecting through
VPN.”
– “When user student starts an EXEC session, assign privilege level 10.”
• Accounting:
– What did you do? How long and how often did you do it?
– “User student accessed host serverXYZ using Telnet for 15 minutes.”
– “User student was connected to VPN for 25 minutes.”
– “EXEC session of user student lasted 20 minutes and only show
commands were executed.”


Implementing AAA

• Administrative access: Console, Telnet, and AUX access
• Remote user network access: Dialup or VPN access


AAA Protocols: RADIUS and TACACS+


RADIUS Authentication and Authorization

• The example shows how RADIUS exchange starts once the NAS is
in possession of the username and password.
• The ACS can reply with Access-Accept message, or Access-Reject if
authentication is not successful.
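The RADIUS exchange the slide refers to (the diagram itself is not reproduced here) is an Access-Request from the NAS carrying User-Name and a hidden User-Password, answered by the ACS with Access-Accept or Access-Reject. The Python below is an added illustration written for this page, not Cisco's or any RADIUS server's code; it follows RFC 2865 for the packet layout, the User-Password hiding (MD5 keystream keyed by the shared secret and the Request Authenticator) and the Response Authenticator the NAS checks before trusting the answer. The shared secret, the NAS address 10.0.0.1 and the user database are constructed, using the student / validateme pair from the AAA slide.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Added illustration of the RFC 2865 Access-Request / Access-Accept exchange.
# Both the "NAS" and the "ACS" are plain functions here; the shared secret, the
# NAS address and the user database are constructed for the example.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk            # the next block is chained on the ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme: recompute the keystream, strip padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def nas_access_request(user: str, password: str, secret: bytes, ident: int = 1,
                       request_auth: Optional[bytes] = None) -> bytes:
    """NAS -> ACS: Code 1, random 16-byte Request Authenticator, hidden password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])))   # constructed NAS address
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def acs_respond(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """ACS -> NAS: Access-Accept (2) or Access-Reject (3), with a Response
    Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = (code == ACCESS_REQUEST and user in users
          and hmac.compare_digest(users[user].encode(), given))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    resp_auth = hashlib.md5(header + request_auth + secret).digest()   # no attributes
    return header + resp_auth


def nas_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS: only trust Accept/Reject whose Response Authenticator checks out."""
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def exchange(user: str, password: str, secret: bytes = b"constructed-shared-secret",
             users: Optional[Dict[str, str]] = None) -> Tuple[int, bool]:
    """Run one round trip; returns (response code, authenticator verified)."""
    users = users if users is not None else {"student": "validateme"}   # from the AAA slide
    req = nas_access_request(user, password, secret)
    resp = acs_respond(req, secret, users)
    return resp[0], nas_verify_response(req, resp, secret)


if __name__ == "__main__":
    print(exchange("student", "validateme"))   # (2, True): Access-Accept, verified
    print(exchange("student", "wrong"))        # (3, True): Access-Reject, verified
```

Two things the code makes visible that the slide cannot: the password is never sent in clear but its protection rests entirely on the shared secret and MD5, and a forged reply from a host that does not hold the secret fails the Response Authenticator check on the NAS. Both are reasons RADIUS traffic is kept on a management network or inside IPsec rather than exposed end to end.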


TACACS+ Authentication

• The example shows how TACACS+ exchange starts before the user
is prompted for username and password.
• The prompt text can be supplied by the TACACS+ server.


TACACS+ Network Authorization


• The example shows the process of network authorization which starts
after successful authentication.


TACACS+ Command Authorization

• The example illustrates the command authorization process which is
repeatedly started for every single command that requires authorization
(based on command privilege level)



