Line Configurations
This chapter previously discussed how to secure access to Privileged EXEC by using the enable password or enable secret command. However, that still leaves User EXEC on the Cisco device reachable by anyone who can connect to it. The problem with this configuration is that, from User EXEC on your router or switch, a user can send excessive pings or Telnet to another device. Because the ping and Telnet traffic are coming from your private router or switch, they might not be blocked by a security device such as a firewall. This section looks into how to secure access to User EXEC by assigning a password on the EXEC lines into the Cisco device.
Securing Console Access to User EXEC
Objective:
- Implement basic router security
Console access necessitates that an admin have physical access to the device itself. If your Cisco router or switch is physically accessible to non-authorized personnel (not highly recommended), you should take preventative measures to add another level of security by having the device prompt anybody trying to get to User EXEC via the console port for a password. The following three commands ultimately achieve that goal:
CCNA2811(config)#line console 0
CCNA2811(config-line)#login
CCNA2811(config-line)#password myconsolepassword
The first command navigates the IOS to a sub-configuration mode for the console port. The second command instructs the IOS to prompt anybody connecting to this EXEC line for a login, using the password chosen in the third command.
TIP
It does not matter if you type the password command before the login command. The important factor is that both commands are configured.
To add yet another level of security, it is also advisable to have the IOS close the console session after a set period of inactivity (no typing) in the session. After the EXEC session is closed, the admin has to enter the console password (assuming the above console configuration is in place) to get into User EXEC again. This is generally useful for those emergency bathroom breaks that arise after a couple of cups of coffee or those unscheduled fire drills. By default, the console session closes after 10 minutes of inactivity which, unfortunately, is plenty of time for someone to jump on to your terminal and change passwords and lock you out if you are not present. To change that setting, use the exec-timeout command followed by the number of minutes and seconds the IOS should wait before timing out the session. For example, if you want the console to close after 1 minute and 30 seconds of inactivity, the command should reflect the following:
CCNA2811(config-line)#exec-timeout 1 30
EXAM ALERT
The exec-timeout command identifies how long the EXEC terminal session will remain active when no commands are being typed. The syntax specifies the minutes followed by the seconds.
TIP
The IOS sends all alerts and notification messages to the console port by default. Unfortunately, this sometimes interrupts the command you are typing. To make your Cisco device more polite and stop interrupting you, use the logging synchronous command. After it is configured, IOS still sends notifications to the terminal session, but returns you to a new line with the text you had already entered.
Securing Auxiliary Access to User EXEC
Objective:
- Implement basic router security
If your organization has decided to allow remote terminal access to your Cisco device through an external modem or terminal server connected to the auxiliary port, you have added another means of getting to User EXEC that you must secure. The auxiliary port is slightly easier to connect to than the console port because physical access is no longer a mandate. As long as you know the phone number to dial into the modem, you can gain access to a User EXEC session. This ease of access should be counterbalanced with security measures to ensure that only authorized users are connecting to this EXEC line. Conveniently, the commands are practically identical to those used to secure a console connection. The only major difference is the navigation to the auxiliary port as opposed to the console:
CCNA2811(config)#line auxiliary 0
CCNA2811(config-line)#login
CCNA2811(config-line)#password myauxpassword
CCNA2811(config-line)#exec-timeout 1 30
Securing Telnet and SSH Access to User EXEC
Objectives:
- Implement basic router security
- Verify device configuration and network connectivity using ping, traceroute, telnet, SSH or other utilities
Telnet and SSH are by far the most insecure methods of establishing an EXEC session because any user with IP connectivity to the device can initiate a Telnet or SSH session to it. For this reason, the default state of these lines is to require that a vty password be set before anyone can gain access to User EXEC. Otherwise, you will receive an error similar to the following:
Password required, but none set
In addition, if you do not have an enable password set on the device, you are not able to enter Privileged EXEC mode. The error you receive in this situation is the following:
% No password set
EXAM ALERT
Remember, by default a password must be set on the vty lines to give SSH and Telnet access to this device. An enable password must be set to access Privileged EXEC over a Telnet or SSH session.
Once again, the configuration is similar to that of the console and the auxiliary port; however, the navigation to the Telnet lines is slightly different from what you find with the rest. To assign a login password to all the vty lines into the device, you must specify the range of those vty lines in your navigation. For instance, most routers allow five Telnet or SSH sessions into them. To encompass all the vty lines, you have to identify them starting with the first line (remembering that numbering begins with 0), followed by the last (0-4 is a total of 5 lines), as shown here:
CCNA2811(config)#line vty 0 4
CCNA2811(config-line)#login
CCNA2811(config-line)#password mytelnetpassword
CCNA2811(config-line)#exec-timeout 1 30
The question usually arises, “What would happen if you configured only line vty 0, or you put a different password on each vty line?” To answer the first part of the question, if you configure only line vty 0, the router prompts the first user for a password. If another user tries to connect while that first Telnet session is still running, he cannot log in to the router (remembering that the default state is that a password must be set, as mentioned in the earlier Exam Alert). On the other hand, if you assign different passwords to each of the vty lines, you can connect on all the lines; however, you have no means of choosing or knowing which vty line you are connected to. You would have to guess the password within three tries (IOS only allows three attempts).
EXAM ALERT
Be sure you are easily able to supply a configuration to any number of the EXEC lines depending on the scenario given.
Your configuration should look like the following (with possible variation on the abbreviation of the commands):
! Step 1
Router>enable
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
! Step 2
Router(config)#line console 0
Router(config-line)#login
Router(config-line)#password captnstubing
! Step 3
Router(config-line)#exec-timeout 2 10
Router(config-line)#exit
! Step 4
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password bartenderisaac
! Step 5
Router(config-line)#exec-timeout 3 0
Router(config-line)#exit
! Step 6
Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password yeomangopher
Router(config-line)#exit
! Step 7
Router(config)#hostname TheLoveRouter
! Step 8
TheLoveRouter(config)#ip domain-name comeaboard.com
! Step 9
TheLoveRouter(config)#crypto key generate rsa
The name for the keys will be: TheLoveRouter.comeaboard.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys ...
[OK]
7w1d: %SSH-5-ENABLED: SSH 1.5 has been enabled
! Step 10
TheLoveRouter(config)#username jmcoy password cruisedirector
! Step 11
TheLoveRouter(config)#enable password theloveboat
! Step 12
TheLoveRouter(config)#enable secret something4every1
! Step 14
TheLoveRouter(config)#service password-encryption
In this configuration, anyone connecting to the console port needs to enter the password captnstubing before gaining an EXEC session via the console port. After 2 minutes and 10 seconds of inactivity, the session closes and the user has to enter the password again to return to User EXEC. Likewise, anyone accessing the router from the auxiliary port needs to enter the password bartenderisaac at the login prompt and has to re-enter that password after 3 minutes of inactivity. Up to five administrators can Telnet or SSH into this router, at which point they all have to enter the password yeomangopher at the login prompt. RSA was enabled by using the crypto key generate rsa command and specifying the key length as 1024. The key generated used our configured IP domain, comeaboard.com, and the default hostname of Router (since that was unchanged).
Because the enable password command and the enable secret command are used in this configuration, the password something4every1 inevitably will be used to enter Privileged EXEC because the enable secret command overrides the enable password. The final command, service password-encryption, encrypts the enable, vty, aux, and console passwords so they are not visible to anyone who can see the configuration.
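The controls this section walks through (login and a password on the console, auxiliary and vty lines, a shortened exec-timeout, enable secret, and service password-encryption) can be audited against a saved running-config. The following Python is an added example, not the book's code: SAMPLE_CONFIG is a constructed running-config fragment in which the aux and vty lines keep the default 10-minute exec-timeout and service password-encryption is absent, so the audit reports exactly those three gaps; exec-timeout 0 0 is treated as a session that never times out.

```python
# Added example (not the book's code): audit an IOS running-config for the
# EXEC-line controls this section describes. SAMPLE_CONFIG is constructed.
import re
SAMPLE_CONFIG = """\
enable secret something4every1
line con 0
 exec-timeout 2 10
 password captnstubing
 login
line aux 0
 password bartenderisaac
 login
line vty 0 4
 password yeomangopher
 login
"""

def parse_line_blocks(config):
    blocks, current = {}, None  # 'line <name>' -> its indented sub-commands
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command closes the block
    return blocks

def exec_timeout_seconds(cmds):
    """Absent = 10-minute IOS default; 'exec-timeout 0 0' = never times out."""
    for cmd in cmds:
        if m := re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd):
            return int(m.group(1)) * 60 + int(m.group(2) or 0) or float("inf")
    return 600

def audit(config, max_idle=600):
    """Return findings for con/aux/vty and global settings; [] = all passed."""
    findings, blocks = [], parse_line_blocks(config)
    for name in ("con 0", "aux 0", "vty 0 4"):
        cmds = blocks.get(name, [])  # an absent line fails every check
        for what in ("login", "password "):
            if not any(c.startswith(what) for c in cmds):
                findings.append(f"line {name}: {what.strip()} missing")
        if exec_timeout_seconds(cmds) >= max_idle:
            findings.append(f"line {name}: exec-timeout at or above default")
    for setting in ("enable secret ", "service password-encryption"):
        if not re.search(rf"^{setting}", config, re.M):
            findings.append(f"{setting.strip()} missing")
    return findings
```

Running audit(SAMPLE_CONFIG) returns the three findings described above; feed it the output of show running-config to check a real device.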