Description:
Banners, passwords, etc.

To set the banner message (shown to everyone who connects, on the local console and remotely over Telnet/SSH, before they authenticate):

banner motd (delimiter) banner message (delimiter)

Example:
banner motd $***Unauthorized access to this device is prohibited!***$
# The delimiter ($ here) can be any character that does not appear in the message itself; everything between the two delimiters becomes the banner.
# Because the MOTD banner is displayed before login, it is the right place for a legal warning and the wrong place for hostnames, model numbers or anything else an attacker could use.
Device Passwords:
-
To set up an enable password

Router(config)#enable password cisco
Router(config)#exit
Router#show run
# The line "enable password cisco" appears in the output: the password is stored and displayed in cleartext. Anyone who can read the config (show run, backups, TFTP copies) has the password. Not good.
-
To set up an enable password with light (reversible) encryption

Router(config)#enable password cisco
Router(config)#service password-encryption
Router(config)#exit
Router#show run
# The output now shows "enable password 7 0822455D0A16". The leading 7 marks a "type 7" string, which is a fixed-key XOR of the password rather than a hash; it is reversed offline in milliseconds and only protects against someone glancing at the screen. Better, but still easy to break.
# service password-encryption also rewrites line passwords, username passwords and key-strings that are in the config, all to the same weak type 7 form.
-
To set up a secret password

Router(config)#enable secret cisco
Router(config)#exit
Router#show run
# The output shows "enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0". The 5 marks a salted MD5 hash (type 5), which cannot be reversed from the config, so this is the best of the three. Newer IOS releases also offer type 8 (PBKDF2-SHA256) and type 9 (scrypt) hashes through the algorithm-type keyword of the enable secret command; use those where available.
What if you already set an enable password? How to switch to secret?

Router(config)#no enable password
Router(config)#enable secret cisco
Router(config)#do show run # the secret now appears only as a hash. If both were left set, IOS uses the secret and ignores the enable password, but remove the old one anyway so the cleartext/type 7 copy is gone from the config.
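To show concretely why a type 7 password is "easy to break", here is an added Python example (mine, not part of the original page) that reverses type 7 strings and scans a running-config for credentials stored in cleartext or type 7. The XOR key is the fixed one IOS uses for type 7; the sample config is constructed (the usernames are hypothetical, the type 7 string is the "0822455D0A16" from the page), and the function names are my own.

```python
import re

# The fixed key IOS uses for "type 7" strings (the output of service password-encryption).
# It is public and identical on every device, which is why type 7 is obfuscation, not encryption.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Recover the cleartext: two decimal digits give the key offset, the rest is hex bytes XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"not a type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def type7_encode(plain, offset=8):
    """Produce what IOS would store, to show the transform is the same XOR in both directions."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    data = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(plain.encode()))
    return f"{offset:02d}{data.hex().upper()}"


# Constructed running-config excerpt (hypothetical users; the type 7 string is the one from the page).
SAMPLE_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
username gerry password 7 0822455D0A16
username billy password 0 soccer
username jon secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
key chain GERRY
 key 0
  key-string ciscoROCKS!
"""

# Credential lines whose value is reversible or cleartext. "secret" lines (type 5/8/9 hashes) do not match.
CRED_RE = re.compile(
    r"^(?P<what>enable password|username \S+ password|key-string)\s+(?:(?P<type>\d+)\s+)?(?P<value>\S+)$"
)


def audit_credentials(config):
    """Return (line number, storage type, recovered cleartext) for every weakly stored credential."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group("type"), m.group("value")
        if kind == "7":
            findings.append((lineno, "type 7 (reversible)", type7_decode(value)))
        elif kind in (None, "0"):
            findings.append((lineno, "cleartext", value))
    return findings


if __name__ == "__main__":
    for lineno, kind, secret in audit_credentials(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {secret}")
```

Run it against a saved `show run` and every `enable password`, `username ... password` and `key-string` line comes back with its cleartext; only `secret` lines survive, which is the whole argument for `enable secret` and `username ... secret`.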
To create a key chain (used for authentication by some routing protocols and by FHRPs such as HSRP):

Router(config)#key chain GERRY
Router(config-keychain)#key 0
Router(config-keychain-key)#key-string ciscoROCKS!
Router(config-keychain-key)#accept-lifetime 09:29:00 16 Jan 2017 infinite # accept this key from that moment on, indefinitely. Ideally set this to the current date; send-lifetime controls when the router starts sending with it.
# The key-string is stored in cleartext in the config unless service password-encryption is on, and even then only as type 7.
# To use it, reference the chain by name in whatever command asks for authentication (the protocol's authentication command takes "key-chain GERRY"); the router selects the key ID from the chain, you do not type "key 0" on the interface.
Console/VTY Passwords:

R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login # require the line password from anyone telnetting/ssh'ing into the router
R1(config-line)#exec-timeout 10 # idle timeout of 10 minutes (syntax is minutes [seconds]). "exec-timeout 0 0" disables the timeout entirely and is common on lab consoles; for vty lines 5 minutes is a typical production value.

R1(config)#username paul password cisco # usernames are created in global config, not under the line ("username paul secret cisco" stores a hash instead and is preferred)
R1(config)#line con 0
R1(config-line)#login local # authenticate against the local user database; any line password is ignored
Using ACLs to Limit remote connections:

# The following example defines an ACL permitting Telnet traffic from host 10.10.10.1, which is then applied inbound to the VTY lines with access-class:
Router(config)#ip access-list extended VTY_ACCESS
Router(config-ext-nacl)#permit tcp host 10.10.10.1 any eq telnet # matches tcp/23 only. If the lines are SSH-only use "eq 22" (or a standard ACL, which matches the source address regardless of port), otherwise SSH from 10.10.10.1 is denied as well
Router(config-ext-nacl)#deny tcp any any # explicit deny so blocked attempts are counted in show access-lists (add "log" to record them)
Router(config-ext-nacl)#exit
Router(config)#line vty 0 15
Router(config-line)#access-class VTY_ACCESS in
Router(config-line)#end
Router#show run | section line vty
Creating Users:

username (username) privilege (0-15) password (password)
privilege exec level (0-15) (command) # moves a command to a privilege level so users at that level can run it

Typically, you would do something like:
Router#config t
Router(config)#username gerry password cisco # "username gerry secret cisco" stores a hash instead of a cleartext/type 7 password and is preferred
Router(config)#username billy password cisco
Router(config)#username jon password cisco
Router(config)#line vty 0 15 # this configures all 16 vty lines at once
Router(config-line)#login local # authenticate against the usernames above
Router(config-line)#exit
Router(config)#exit
Cisco routers have 16 privilege levels, 0-15. Level 1 is the default user EXEC level and 15 is full (privileged EXEC) access. Example:

Router#config t
Router(config)#username support privilege 4 password soccer # this user lands at level 4 straight after login
Router(config)#privilege exec level 4 ping
Router(config)#privilege exec level 4 traceroute
Router(config)#privilege exec level 4 show ip interface brief # this also makes the parent commands "show", "show ip" and "show ip interface" available at level 4
Router(config)#line console 0
Router(config-line)#password basketball # ignored while "login local" is set; only used if the line is switched back to plain "login"
Router(config-line)#login local # a local username and password are required on the console
Configuring SSH (and disabling Telnet):

Router#show version # make sure the image supports crypto features (a "k9" image); without them there is no SSH
Router#config t
Router(config)#hostname R1 # set the hostname and domain name before generating the key pair, because the key is labelled hostname.domain-name
R1(config)#ip domain-name test.pvt # enter your domain name
R1(config)#crypto key generate rsa # choose 2048 bits or more. SSH version 2 needs at least 768 bits and the suggested default of 512 is far too small
R1(config)#ip ssh version 2 # SSHv2 only; otherwise the router will also negotiate the broken SSHv1
R1(config)#ip ssh time-out 60 # seconds allowed to complete the SSH negotiation (maximum 120)
R1(config)#ip ssh authentication-retries 2 # the session is dropped after 2 failed login attempts
# SSH is still not reachable until the vty lines accept it with "transport input ssh" (see "To apply to VTY Access" below).
Checking SSH Sessions:

Router#show ssh # lists active SSH sessions; note the session ID (or vty number) of the one you want to disconnect
Router#disconnect ssh (session ID)
To apply to VTY Access:

R1(config)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login # require the line password from anyone telnetting/ssh'ing into the router ("login local" for per-user accounts)
R1(config-line)#exec-timeout 10 # idle timeout of 10 minutes (minutes [seconds]); "exec-timeout 0 0" disables it and is common on lab consoles, 5 minutes is typical for vty
R1(config-line)#transport input ssh # this is what actually turns Telnet off: only SSH is accepted on these lines. "transport input ssh telnet" allows both. The platform default may allow Telnet, so always set this explicitly.
A Similar Example:

Router#show ip ssh # shows whether SSH is enabled and which version; "SSH Disabled" means there is no key pair yet
Router#config t
Router(config)#ip domain-name test.pvt
Router(config)#hostname R1
R1(config)#username gerry password cisco # prefer "username gerry secret cisco"
R1(config)#crypto key generate rsa # enter 2048
R1(config)#ip ssh version 2
R1(config)#ip ssh time-out 60 # seconds allowed to complete the negotiation
R1(config)#ip ssh authentication-retries 2 # drop the session after 2 failed attempts
R1(config)#line vty 0 15
R1(config-line)#transport input ssh
R1(config-line)#login local
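As an added example (mine, not from the page), the following Python lint applies the checks from the VTY, ACL and SSH sections above to a saved running-config: Telnet left enabled on the lines, a shared line password with plain "login" instead of "login local", no access-class, an access-class ACL that only permits tcp/23 while the line is SSH-only, a disabled exec-timeout, and no "ip ssh version 2". Both configs are constructed; the first reproduces the page's VTY_ACCESS ACL combined with "transport input ssh" to show the lockout, the second is the corrected form. The parser relies on IOS indenting sub-commands by one space.

```python
import re

# Constructed "before" config: the page's VTY ACL (tcp/23 only) combined with an SSH-only line.
WEAK_CONFIG = """\
hostname R1
ip access-list extended VTY_ACCESS
 permit tcp host 10.10.10.1 any eq telnet
 deny tcp any any
line con 0
 password basketball
 login local
line vty 0 15
 password cisco
 login
 exec-timeout 0 0
 access-class VTY_ACCESS in
 transport input ssh
"""

# Constructed "after" config with the fixes applied.
HARDENED_CONFIG = """\
hostname R1
ip ssh version 2
ip access-list extended VTY_ACCESS
 permit tcp host 10.10.10.1 any eq 22
 deny tcp any any log
line vty 0 15
 exec-timeout 5 0
 access-class VTY_ACCESS in
 login local
 transport input ssh
"""


def parse_sections(config):
    """Split an IOS config into (header, [sub-commands]); sub-commands are indented by one space."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_remote_access(config):
    """Return human-readable findings for the vty lines of a running-config (empty list = clean)."""
    findings = []
    sections = parse_sections(config)
    if "ip ssh version 2" not in [h for h, _ in sections]:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may be negotiated")
    acls = {}
    for header, body in sections:
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", header)
        if m:
            acls[m.group(1)] = body
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        by_kw = {}
        for cmd in body:
            by_kw.setdefault(cmd.split()[0], []).append(cmd)
        inputs = [c for c in by_kw.get("transport", []) if c.startswith("transport input")]
        ssh_only = bool(inputs) and all(c.split()[2:] == ["ssh"] for c in inputs)
        if not inputs:
            findings.append(f"{header}: no 'transport input', platform default may allow telnet")
        for c in inputs:
            if "telnet" in c or c.endswith(" all"):
                findings.append(f"{header}: '{c}' permits cleartext telnet")
        if "login" in by_kw.get("login", []) and "password" in by_kw:
            findings.append(f"{header}: shared line password with 'login'; use 'login local' or AAA")
        access = by_kw.get("access-class")
        if not access:
            findings.append(f"{header}: no access-class, any source may reach the line")
        else:
            name = access[0].split()[1]
            permits = [e for e in acls.get(name, []) if e.startswith("permit")]
            # A permit without a port qualifier (standard ACL, or extended without "eq") covers SSH;
            # an explicit "eq" must be 22 for SSH to get through an SSH-only line.
            reaches_ssh = any(not re.search(r" eq \S+$", e) or e.endswith(" eq 22") for e in permits)
            if ssh_only and permits and not reaches_ssh:
                findings.append(f"{header}: access-class {name} never permits tcp/22 but the line is SSH-only, so SSH is denied")
        for c in by_kw.get("exec-timeout", []):
            if all(v == "0" for v in c.split()[1:]):
                findings.append(f"{header}: '{c}' disables the idle timeout")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in lint_remote_access(cfg) or ["no findings"]:
            print(" -", finding)
```

The ACL check is the one most worth keeping: the page's VTY_ACCESS list is correct for Telnet, but once "transport input ssh" is on the lines it silently locks out the very host it was meant to allow, and the only symptom is a connection refused on port 22.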
To disable SSH:

Router(config)#crypto key zeroize rsa # deletes the RSA key pair, which disables SSH. If the vty lines still have "transport input ssh", nobody can log in remotely until a new key pair is generated, so do this from the console.
To start a connection to another device from the router:

Router#telnet 10.0.0.1 # cleartext; avoid wherever SSH is available
Router#ssh -l gerry 10.0.0.1 # -l gives the username to log in as
Show Commands:

show crypto key mypubkey rsa # view your public key
show ip ssh # see whether SSH is enabled and which version you are running
show ssh # active inbound SSH sessions
show sessions # outbound Telnet/SSH sessions this router has opened (to see who is logged in to this router, use show users)