Overview:
Basic device hardening consists of setting user authentication passwords, enable passwords, restricting access to the device through telnet/SSH and displaying login banners.
Study Notes:
- Device hardening helps to restrict access to different command modes on routers and switches
| Mode | How to enter | How to exit |
|---|---|---|
| User EXEC | Log in | Use the logout command. |
| Privileged EXEC | From user EXEC mode, use the enable EXEC command | To return to user EXEC mode, use the disable command |
| Global configuration | From privileged EXEC mode, use the configure terminal privileged EXEC command | To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z |
| Interface configuration | From global configuration mode, specify an interface using an interface command | To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z |
| ROM monitor | From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting | To exit ROM monitor mode, use the continue command |
6.5.a Local authentication
- Authentication is a way of identifying a user before permitting access to the network and network services
- Local authentication on a device references usernames and passwords configured locally on the device
- Local authentication restricts access to the user EXEC command mode to the accounts configured on the device
- To configure local authentication:

```
Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
```
6.5.b Secure password
- A secure password prevents unauthorised access to the privileged EXEC command mode
- The enable password stores the password in plain text in the configuration:

```
Router(config)#enable password [password]
```

- The enable secret creates an MD5 hash of the plain-text password that is entered and stores the hash in the configuration
- It is recommended to use enable secret instead of enable password:

```
Router(config)#enable secret [password]
```
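The "MD5 hash" that enable secret stores is more precisely md5crypt: MD5 applied with a per-secret salt and 1000 stretching rounds, written to the configuration as `enable secret 5 $1$<salt>$<hash>`. The Python below is an added example, not code from the page or from Cisco; it reimplements that construction so you can see why the same secret produces a different string on every device, why the plain text cannot simply be read back out of a config backup, and how a verifier compares a candidate against the stored value. The function names (`md5crypt`, `new_type5`, `verify_type5`) are this example's own.

```python
import hashlib
import hmac
import secrets

# Alphabet used by crypt(3)-style encodings, least-significant 6 bits first.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"  # prefix that marks an md5crypt (IOS "type 5") string


def _to64(value: int, count: int) -> str:
    """Encode `count` 6-bit groups of `value`, low bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the $1$salt$hash string for `password`; salt is capped at 8 chars."""
    pw = password.encode()
    salt_b = salt.encode()[:8]

    ctx = hashlib.md5(pw + MAGIC + salt_b)
    # Alternate sum of pw|salt|pw, fed in once per 16 bytes of password length.
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Mix in a zero byte or the first password byte per bit of the length.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; the inputs alternate on round parity and modulus.
    for i in range(1000):
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(salt_b)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()

    # Bytes are interleaved in the fixed order defined by the original crypt-md5.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples
    )
    encoded += _to64(final[11], 2)
    return f"$1${salt_b.decode()}${encoded}"


def new_type5(password: str, salt_len: int = 4) -> str:
    """Hash a new secret with a fresh random salt (IOS uses a 4-character salt)."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(salt_len))
    return md5crypt(password, salt)


def verify_type5(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $1$salt$hash string."""
    parts = stored.split("$")  # ["", "1", salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 ($1$) secret")
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


if __name__ == "__main__":
    stored = new_type5("ccna")
    print("enable secret 5", stored)
    print("verify('ccna'):", verify_type5("ccna", stored))
    print("verify('CCNA'):", verify_type5("CCNA", stored))
```

The salt stops a single precomputed table from covering every device, but 1000 rounds of MD5 is still cheap to brute-force, so a leaked running-config with a type 5 secret should be treated as a credential exposure and the secret rotated.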
6.5.c Access to device
6.5.c (i) Source address
- Configure an access-control list that permits access to the device only from a trusted source address (e.g. a management machine):

```
Router(config)#access-list 10 permit 192.168.10.10 0.0.0.0
Router(config)#access-list 10 deny any
```

- Apply the access-list to the vty lines:

```
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
```
6.5.c (ii) Telnet/SSH
- Telnet is an insecure protocol; do not use it.
- To disable telnet on a device, specify the protocols that are allowed on the vty lines; all other protocols are then denied.
- To configure SSH on a router:
- Configure the hostname

```
Router(config)#hostname Router1
```

- Configure the domain name

```
Router(config)#ip domain-name econfigs.com
```

- Generate the RSA keys

```
Router(config)#crypto key generate rsa
The name for the keys will be: Router1.econfigs.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
```

- Configure the VTY lines

```
Router(config)#line vty 0 4
Router(config-line)#transport input ssh
```

- Also remember to configure a local username and password so you can log in when the prompt appears
6.5.d Login banner
- A login banner appears just before the Username: prompt when user authentication is required to login to a device
- A delimiting character is required to mark the beginning and end of the login banner text:

```
Router1(config)#banner login ?
  LINE  c banner-text c, where 'c' is a delimiting character
Router1(config)#banner login %this is the login banner%
Router1(config)#exit
Router1#exit
[Enter]

this is the login banner

User Access Verification

Username:
```
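The four sections above (6.5.a local authentication, 6.5.b enable secret, 6.5.c source and protocol restrictions on the vty lines, 6.5.d login banner) are all visible in a saved running-config, so they can be verified without logging in to every device. The following Python is an added example, not from the page or from Cisco: it parses running-config text into stanzas and reports which hardening items are missing. Both sample configs are constructed for the example (the `secret 5` hashes are placeholders), and the `ip ssh version 2` check goes one step beyond the notes, which do not mention SSH protocol versions.

```python
import re
from typing import Iterator, List, Tuple

Finding = Tuple[str, str]  # (check id, human-readable message)

# Constructed sample (not from the page): a router with the weaknesses the
# notes warn about, as it would appear in show running-config.
WEAK_CONFIG = """\
hostname Router1
enable password cisco123
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
end
"""

# Constructed sample (not from the page): the same device after the hardening
# commands in sections 6.5.a to 6.5.d. The hash values are placeholders.
HARDENED_CONFIG = """\
hostname Router1
ip domain-name econfigs.com
aaa new-model
aaa authentication login default local
username admin secret 5 $1$salt$PLACEHOLDER_NOT_A_REAL_HASH
enable secret 5 $1$salt$PLACEHOLDER_NOT_A_REAL_HASH
banner login %Authorized access only%
access-list 10 permit 192.168.10.10 0.0.0.0
access-list 10 deny any
ip ssh version 2
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
end
"""


def _stanzas(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level line, [indented sub-mode lines]) for each IOS stanza."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw[0] in " \t":
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_config(config: str) -> List[Finding]:
    """Return the hardening gaps found in a running-config text."""
    top: List[str] = []
    vty: List[Tuple[str, List[str]]] = []
    for header, children in _stanzas(config):
        top.append(header)
        if header.startswith("line vty"):
            vty.append((header, children))

    def present(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    findings: List[Finding] = []
    # 6.5.a: local accounts exist and logins are actually checked against them
    if not present("username "):
        findings.append(("local-auth", "no local username configured"))
    uses_local = any(
        line.startswith("aaa authentication login") and "local" in line.split() for line in top
    ) or any("login local" in children for _, children in vty)
    if not uses_local:
        findings.append(("local-auth", "logins are not checked against local usernames "
                         "(no 'aaa authentication login ... local' or 'login local')"))
    # 6.5.b: enable password is clear text, enable secret is hashed
    if present("enable password "):
        findings.append(("enable-password", "enable password stores the password in clear text; "
                         "replace it with enable secret"))
    if not present("enable secret "):
        findings.append(("enable-secret", "no enable secret; privileged EXEC has no hashed password"))
    # 6.5.d: banner shown before the Username: prompt
    if not present("banner login "):
        findings.append(("banner", "no login banner configured"))
    # Beyond the notes: pin the SSH server to protocol version 2
    if not present("ip ssh version 2"):
        findings.append(("ssh-version", "ip ssh version 2 not set"))

    # 6.5.c: source restriction and protocol restriction on every vty block
    acl_ids = set()
    for line in top:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line)
        if m:
            acl_ids.add(m.group(1))
    if not vty:
        findings.append(("vty", "no 'line vty' stanza found"))
    for header, children in vty:
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport is None:
            findings.append(("telnet", f"{header}: transport input not restricted; set 'transport input ssh'"))
        elif {"telnet", "all"} & set(transport.split()[2:]):
            findings.append(("telnet", f"{header}: telnet is still allowed ('{transport}')"))
        access = next((c for c in children if c.startswith("access-class ")), None)
        if access is None:
            findings.append(("source", f"{header}: no access-class; any source address may connect"))
        elif access.split()[1] not in acl_ids:
            findings.append(("source", f"{header}: access-class refers to ACL {access.split()[1]}, "
                             "which is not defined"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for check, msg in result:
            print(f"  [{check}] {msg}")
```

Each finding carries a short check id so the output can be counted per device across a fleet; the access-class check also catches the common slip of applying an ACL number that was never defined, which on IOS silently leaves the vty lines unrestricted.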
PacketTracer Lab: CCNA-6.5-Configure-verify-and-troubleshoot-basic-device-hardening.pkt