6.5 Configure, verify, and troubleshoot basic device hardening

6.5.a Local authentication

Router>
Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable secret cisco // enforces enable password
Router(config)#^Z
Router#exi
*Feb 17 11:47:36.950: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available

Press RETURN to get started.

Router>en
Password: // password is now needed to enter enable mode
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line con 0  // this is the console line
Router(config-line)#login local // enable local username and password combos
Router(config-line)#end
Router#u
*Feb 17 11:48:21.548: %SYS-5-CONFIG_I: Configured from console by console
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#username admin secret cisco // add user admin with secret cisco
Router(config)#^Z
Router#exit
*Feb 17 11:48:47.478: %SYS-5-CONFIG_I: Configured from console by console
Router#exit

Router con0 is now available

Press RETURN to get started.

User Access Verification

Username: admin // username is now prompted, not just password
Password:
Router>en
Password:
Router#

6.5.b Secure password

I think this is a reference to the insecure enable password command which stores the password in the configuration file:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#enable password gus
Router(config)#^Z
Router#
Router#conf t 
*Feb 17 12:00:18.028: %SYS-5-CONFIG_I: Configured from console by admin on console
Router#show run | begin enable
enable password gus

6.5.c Access to device

Securing access to the device starts with SSH (telnet is unsafe because it sends everything, including the login credentials, in clear text):

User Access Verification

Username: admin
Password: 
Router>en
Password: 
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname router1
router1(config)#ip domain-name clinetworking.wordpress.com
router1(config)#crypto key generate rsa
The name for the keys will be: router1.clinetworking.wordpress.com
Choose the size of the key modulus in the range of 360 to 4096 for your
 General Purpose Keys. Choosing a key modulus greater than 512 may take
 a few minutes.

How many bits in the modulus [512]: 4096
% Generating 4096 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 7 seconds)

router1(config)#
*Feb 17 12:15:53.440: %SSH-5-ENABLED: SSH 1.99 has been enabled
router1(config)#ip ssh version 2
router1(config)#line vty 0 4 
router1(config-line)#login local
router1(config-line)#transport input ssh // disable telnet
router1(config-line)#exit
router1(config)#username sshlogin secret mysecret
router1(config)#^Z
router1#
*Feb 17 12:16:59.700: %SYS-5-CONFIG_I: Configured from console by admin on console
router1#

6.5.c. [i] Source address

To restrict access via SSH to specific source addresses, first configure an ACL that will be applied to the vty lines:

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#access-list 1 permit 10.0.0.5 0.0.0.0
router1(config)#access-list 1 deny any
router1(config)#^Z
end

Then apply the ACL:

router1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router1(config)#line vty 0 4
router1(config-line)#access-class 1 in 
router1(config-line)#^Z
router1#

This will permit access only from 10.0.0.5:

Router#ssh -l admin 10.0.0.1
% Connection refused by remote host
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int e0/0 
Router(config-if)#ip address 10.0.0.5 255.255.255.0 // change ip
Router(config-if)#^Z
Router#ssh -l admin 10.0.0.1
*Feb 17 12:39:10.426: %SYS-5-CONFIG_I: Configured from console by console
Router#ssh -l admin 10.0.0.1 // access is now allowed 
Password: 
router1>en 
Password: 
router1#show ssh
Connection Version Mode Encryption Hmac State Username
0 1.99 IN aes128-cbc hmac-sha1 Session started admin
0 1.99 OUT aes128-cbc hmac-sha1 Session started admin
%No SSHv1 server connections running.
router1#exit

6.5.c. [ii] Telnet/SSH

As shown above, disable telnet by allowing only SSH as the inbound transport on the vty lines:

router1(config)#
*Feb 17 12:15:53.440: %SSH-5-ENABLED: SSH 1.99 has been enabled
router1(config)#ip ssh version 2
router1(config)#line vty 0 4 
router1(config-line)#login local
router1(config-line)#transport input ssh // disable telnet
router1(config-line)#exit

6.5.d Login banner

Adding a login banner is good for legal reasons:

[screenshot of the login banner]

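Pulling the checks from 6.5.a to 6.5.d together, here is an added Python audit (not from this post and not a Cisco tool) that scans a saved running-config for the hardening gaps discussed above: a missing enable secret, a leftover enable password, SSH not pinned to version 2, a missing banner, and vty lines without login local, an inbound access-class, or SSH-only transport. The sample config and its secret hash are constructed for the example, and line blocks are assumed to be indented by one space as show running-config prints them.

```python
# Constructed sample running-config (not from the page): mostly hardened, but it still
# carries 'enable password' and leaves telnet enabled on the vty lines.
SAMPLE_CONFIG = """\
enable password gus
username admin secret 5 $1$CONSTRUCTED$hashplaceholder
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 access-class 1 in
 transport input telnet ssh
"""

def parse_config(config):
    """Split an IOS config into top-level commands and the indented body of each 'line' block."""
    top, blocks, current = [], {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks

def audit(config):
    """Return the hardening gaps found, one short string per finding (empty list = clean)."""
    top, blocks = parse_config(config)
    findings = []
    if not any(c.startswith("enable secret") for c in top):
        findings.append("global: no 'enable secret'")
    if any(c.startswith("enable password") for c in top):
        findings.append("global: 'enable password' present (stored without a hash)")
    if "ip ssh version 2" not in top:
        findings.append("global: SSH not pinned to version 2")
    if not any(c.startswith("banner ") for c in top):
        findings.append("global: no login banner")
    for name, body in blocks.items():
        if "login local" not in body:
            findings.append(f"{name}: no 'login local'")
        if name.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{name}: transport input is not SSH-only")
            if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
                findings.append(f"{name}: no inbound access-class")
    return findings
```

Running audit(SAMPLE_CONFIG) reports four findings for the sample above; feeding it the output of show running-config from a device configured as in the sessions on this page flags only what is still missing (for example the banner).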