Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

User Access to Router

advertisement 
Securing Access







Set up authentication for the console,
auxiliary, and VTY lines to use the
local authentication database (login
local)
Two administrative machines:
192.168.3.10 and 192.168.3.11
For the VTY lines, restrict Telnet (and
SSH) access to only the two
administrative PCs.
Disable specific services: HTTP,
HTTPS, and SNMP
For both the auxiliary and VTY lines,
limit their idle timeout to 5 minutes
Allow SSH access, which gives the
two administrators encrypted access
to the Skunk router
Set up an ACL that allows SSH (TCP
22) but denies Telnet (TCP 23) to the
router

Cisco IOS offers 16
privilege levels

◦ User Exec mode: Level 1
◦ Privilege EXEC mode:
Level 15

additional levels of
access to commands,
called privilege levels
can be configured to
protect the system
from unauthorized
access
Configures the specified privilege level to allow
access to the specified command or, if the all
keyword is used, to all commands that start with
the specified string
◦

Router(config)#privilege exec all level 5 show
ip
Sets the password for the specified privilege
level. This is the password users will enter after
entering the enable level command to access the
specified level.
◦
Router(config)#enable secret password level 6
0 letmein

0 indicates an unencrypted password string
follows,

5 indicates an encrypted password string
follows

◦
◦
◦
do copy running-config startup-config
Router> enable 15
Password:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature
/guide/ftprienh.html#wp1027184


To assign a static password to the
console line, use the following
configuration:
◦ Router(config)# line console 0
◦ Router(config-line)# password
password
Solution
◦ encrypting the clear-text
password, and
◦ use a secure form of copying of
your configuration to an external
server without having to use TFTP,
which lacks any authentication and
encryption method

Problem:
The password that you enter in
the password command is a
clear-text password
◦ Access to clear text password
if someone is looking over
your shoulder or if you back
up your configuration to a
TFTP server with the copy
running-config tftp command


Cisco uses VTY lines to handle
incoming and outgoing Telnet
connections. VTYs are basically
logical lines: The Cisco IOS
treats them as a physical line
from a configuration and
operation perspective, but they
are not something that you
physically can touch with your
hands
Example:
◦ Router(config)# line vty 0 4
◦ Router(config-line)#
password cisco
◦ Router(config-line)# login





Router(config)# line vty 0 4
Router(config-line)# [no] login [local]
Login
◦ The login command, by itself, specifies
the use of authentication
◦ it checks for a password configured
with the password line-configuration
command
no login
◦ To disable authentication checking
◦ (never is recommended for any type of
connection, whether local or remote
access)
login local
◦ you can override the use of the
password configured on the line and use
other methods, such as a local username
and password database, by specifying

By default, console,
auxiliary, and Telnet (VTY)
sessions time out after 10
minutes of idling. You can
override this with the
exec-timeout command





Router(config)# line type
#
Router(config-line)#
exec-timeout minutes
seconds
This simple example sets
the timeout to 5 minutes
for Telnet sessions
Router(config)# line vty 0 4
Router(config-line)# exectimeout 5 0

Two components are
required for SSH to
function:

◦ Server
◦ Client

Before setting up SSH,
you must install a Cisco
IOS image that supports
DES or 3DES (this requires
the image to support
IPSec). For both router
client and server
functions to work, you
need at least Cisco IOS
12.1(3)T.


The SSH server provides a secure
connection, which is encrypted, to
the Cisco IOS CLI. This connection is
similar to an encrypted Telnet
connection.
The SSH client runs the SSH protocol
to connect to an SSH server, and it
must support the Data Encryption
Standard (DES) or 3DES as well as
password authentication.
Authentication is performed in a
normal fashion: Users can be
authenticated using local
mechanisms or by using an external
security server. Cisco routers support
both server and client connections






Step 1. Assign a name to the router (required).
◦ Router(config)# hostname router_name
Step 2. Assign a domain name to the router (required).
◦ Router(config)# ip domain-name DNS_domain_name
Step 3. Generate your encryption keys (required).
◦ Router(config)# crypto key generate rsa
Step 4. Set up your VTY access for SSH (optional, but recommended):
◦ Router(config)# username name secret password
◦ Router(config)# line vty 0 4
◦ Router(config-line)# transport input ssh
◦ Router(config-line)# transport output ssh
◦ Router(config-line) login local
Step 5. Tune the SSH server (optional).
◦ Router(config)# ip ssh {[timeout seconds] | [authentication-retries integer]}
Step 6. Verify SSH server operation (optional).
Router# show ssh
Router# show ip ssh


Cisco supports the use of a web browser to access and manage a Cisco router
By default, the HTTP server function on the router is disabled. To configure HTTP access, use the
following steps:

Step 1. Enable the HTTP server (required).

Router(config)# ip http server

Step 2. Define an authentication method (highly recommended).

Router(config)# ip http authentication {aaa | enable | local}

Step 3. Restrict access through HTTP (highly recommended).

Router(config)# ip http access-class standard_ACL_#
This command enables you to restrict, based on the source IP address of the client, which devices are
allowed HTTP or HTTPS access to the route.

Step 4. Change the HTTP port number (optional).

Router(config)# ip http port port_#

By default, the Cisco IOS uses port 80 for HTTP connections; however, you can change this port to a
different number with the ip http port command. By changing the port number to a nonstandard one,
you make it more difficult for a hacker to determine that you are running a web server on the router.

Step 5. Change the location of HTML files (optional).

Router(config)# ip http path URL_location

Step 6. Restrict the number of HTTP connections (recommended).

Router(config)# ip http max-connections #_of_connections








Router(config)# access-list 1 permit
172.16.3.10
Router(config)# access-list 1 permit
172.16.3.11
Router(config)# username richard
privilege 15 secret bigXdogYlover
Router(config)# username natalie
privilege 15 secret BIGxDOGyLOVER
Router(config)# ip http server
Router(config)# ip http authentication
local
Router(config)# ip http access-class 1



Allow only two devices are
allowed HTTP access to the
router: 172.16.3.10 and
172.16.3.11
Both administrators have
accounts set up, and the
router uses the local
authentication database
(username commands) to
perform the authentication.
One interesting thing to
point out about the
username commands is the
privilege 15







Set up authentication for the console,
auxiliary, and VTY lines to use the
local authentication database (login
local)
Two administrative machines:
192.168.3.10 and 192.168.3.11
For the VTY lines, restrict Telnet (and
SSH) access to only the two
administrative PCs.
Disable specific services: HTTP,
HTTPS, and SNMP
For both the auxiliary and VTY lines,
limit their idle timeout to 5 minutes
Allow SSH access, which gives the
two administrators encrypted access
to the Skunk router
Set up an ACL that allows SSH (TCP
22) but denies Telnet (TCP 23) to the
router
Related documents
Adtran 1234 Reset and Web enable
Adtran 1234 Reset and Web enable
Exercise 8
Exercise 8
Project2 - City Tech OpenLab
Project2 - City Tech OpenLab
CCNA 2 - Chapter 8 Study Guide 1. Why
CCNA 2 - Chapter 8 Study Guide 1. Why
Packet Tracer Part 2
Packet Tracer Part 2
CCNA Final Config Ex..
CCNA Final Config Ex..
Assignment 1
Assignment 1
Password Recovery Procedure for the Cisco 2500 Series
Password Recovery Procedure for the Cisco 2500 Series
Download
advertisement