Sunday, August 16, 2009

Securing My Router

In this post i'll cover the following:

  • Giving the router a name
  • Setting up a enable (privilege) mode password
  • Setting the domain name, the clock and pointing it to a DNS server
  • Securing the Console and Aux ports
  • Creating a banner
  • Saving the config
  • Removing unnecessary services

Right. So I've got my test lab set up. To start with i'll just have one router called R0. I'll demonstrate how to configure the router and secure it.

I bring up the console after starting R0 and Terminal (on the Mac by the way) acts as if I was physically connected to the console port on the router itself. After the IOS decompresses and is loaded into RAM I'm prompted to enter the initial configuration setup. I say no to this as I will be manually configuring the router.

The first thing I want to do is give my router an Enable password. The reason for doing so is after I give the interface an IP address there is a window of opportunity for someone to look at the configuration and glean some information that I might not necessarily want them to see.

I enter the Enable mode by typing:


This will change the prompt from a > symbol to a hash #. Before you enter into the Enable mode there are only limited commands available, these can be viewed by typing ? at the prompt as shown in the previous post.

Remember, the hash symbol will be present whenever I am in the Enable mode, and it's from here that I can perform configuration and diagnostic tasks.

Router#configure terminal

To configure an enable password as "letmein" I type:

Router(config)#enable secret letmein

This will create a password for the Enable mode and within the configuration it will be encrypted. The password is encrypted with Type 5 encryption (I'll come back to this in a bit).

After this I'll give my router a name and a DNS domain name, set the clock and tell it what DNS Servers to use:

Router(config)#hostname R0
R0(config)#ip domain name home.local
R0(config)#ip name-server
R0#clock set 22:00:00 16 aug 2009

Notice that my prompt changed to reflect my new name.

Okay, right now I have a Console port and an Auxilary port I want to configure.

To start with I'll secure the Console port. From the Enable mode I want to enter into Configuration mode and then into console port configuration mode. To do this i use the following commands:

R0(config)#line con 0

R0(config-line)#logging synchronous
R0(config-line)#exec-timeout 10 0
R0(config-line)#password flipper


What I have done here is selected to configure line con 0 which is the console port. The prompt changed to indicate which configuration mode I am in. I told it to set logging to synchronous, which means when the informational messages or debugging messages hit the screen it wont screw with my command. I have then set the exec-timeout to 30 minutes and 0 seconds which means my console session will be disconnected after 30 minutes of inactivity. I could have set this to not time out by using 0 minutes and 0 seconds. I have then set my console password to flipper and told it to prompt me to log in by issuing the login command. After entering those I used the exit command to come out of the line con 0 configuration and get back to the configuration mode.

I'll do the same for the Aux port as this can be used to access the router as well.

R0(config)#line aux 0

R0(config-line)#logging synchronous
R0(config-line)#exec-timeout 30 0
R0(config-line)#password flipper


After securing the ports I want to set up a banner on my router to warn any unauthorised people that they should not be accessing the router. I do this with the following:

R0(config)#banner motd % No unauthorised access %

Different banners can be created for events such as prompt timeout, login, exec or for SLIP/PPP. They can also be real fancy and have ASCII art if you so wish.

After all this configuration I look at the running config to check all is as it should be.

R0#show running-config

Here I am able to see all the commands I have entered. Now it's important to remember that the commands take effect as soon as they are typed (and you have pressed enter of course!).

One thing that bothers me about the running config as shown in the screenshot is my console passwords and aux port passwords are in clear text. Anyone looking over my shoulder (the wife or dog) could see these and they would be well on there way to owning my router. I can fix this by turning on the password encryption service, showing the config again and then turning it off. But remember, when we configure the VTY (Telnet) ports in a later post I need to do this again otherwise the new VTY ports passwords will be clear text.

R0#configure terminal
R0(config)#service password-encryption
R0#show running-config
R0(config)#no service password-encryption

So I have entered configuration mode, turned on the password encryption service, looked at the config, then I turned the service off.

Now looking at the config I see that the passwords are encrypted with Type 7 encryption. Now one thing about Type 7 encryption, its a piece of piss to crack, Cape in will do it as will many websites. All that Type 7 will do is stop the casual observer from seeing an easily remembered password (if thats what you use). Obviously its goes without saying that your Enable password should be different from the port passwords you set.

One last thing I noticed is the IP http server is enabled by default.

As I dont plan to use this I disable it using the "no" command

R0(config)#no ip http server

I check this has worked with another show running-config

R0#show running-config

After finally setting up my router so it is secure i save the settings from running-config to startup-config.

R0#copy running-config startup-config
R0#show startup-config

What I have done here is copied the running-config in RAM to the startup-config in NVRAM. The router will prompt me to give the configuration a name but I just press enter to select the default option that is shown in square brackets. After that completed I checked the startup-config.

In my next post I'll be looking at getting telnet and SSH set up.

1 comment:

g3k said...

Excellent! Cisco stuff makes my mouth water.

I'll be keeping a closer eye on this space.