CCNA 6.5: Configure, verify, and troubleshoot basic device hardening

Overview:

Basic device hardening consists of setting user authentication passwords and enable passwords, restricting Telnet/SSH access to the device, and displaying login banners.

 

Study Notes:

  • Device hardening helps to restrict access to different command modes on routers and switches
| Command mode | Access method | Prompt | Exit method |
| --- | --- | --- | --- |
| User EXEC | Log in. | Router> | Use the logout command. |
| Privileged EXEC | From user EXEC mode, use the enable EXEC command. | Router# | To return to user EXEC mode, use the disable command. |
| Global configuration | From privileged EXEC mode, use the configure terminal privileged EXEC command. | Router(config)# | To return to privileged EXEC mode, use the exit or end command, or press Ctrl-Z. |
| Interface configuration | From global configuration mode, specify an interface using an interface command. | Router(config-if)# | To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z. |
| ROM monitor | From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting. | > | To exit ROM monitor mode, use the continue command. |

 

6.5.a Local authentication

  • Authentication is a way of identifying a user before permitting access to the network and network services
  • Local authentication on a device references usernames and passwords configured locally on the device
  • Local authentication restricts access to the User EXEC command mode to the accounts configured on the device
  • To configure local authentication
Router(config)#username [username] password [password]
Router(config)#aaa new-model
Router(config)#aaa authentication login default local

 

6.5.b Secure password

  • A secure password prevents unauthorised access to the Privileged EXEC command mode
  • The enable password command stores the password in plain text in the configuration, so anyone who can read the configuration can read the password
Router(config)#enable password [password]
  • The enable secret command creates an MD5 hash of the plain-text password that is entered and stores only the hash in the configuration
  • It is recommended to use enable secret instead of enable password
Router(config)#enable secret [password]

 

6.5.c Access to device

6.5.c (i) Source address

  • Configure an access control list that permits access to the device only from a trusted source address (e.g. a management workstation)
Router(config)#access-list 10 permit 192.168.10.10 0.0.0.0
Router(config)#access-list 10 deny any
  • Apply the access-list to the vty lines
Router(config)#line vty 0 4
Router(config-line)#access-class 10 in
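To see how the standard ACL above behaves once applied to the VTY lines, here is an added example (not from the original notes or from Cisco) that parses the two access-list lines and evaluates a source address against them the way IOS does: top-down, first match wins, wildcard-mask bits set to 1 are "don't care", and any address that matches no entry falls through to the implicit deny. The ACL lines are constructed from the notes; the function names and the extra 0.0.0.255 ACL used to illustrate a non-host wildcard are assumptions for the example.

```python
import ipaddress

# Constructed sample: the standard ACL from the notes as it would appear in
# a running configuration (not captured from a real device).
ACL_LINES = [
    "access-list 10 permit 192.168.10.10 0.0.0.0",
    "access-list 10 deny any",
]


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard]' lines.

    Returns a list of (action, network, wildcard) tuples with the
    addresses as 32-bit integers, in configuration order.
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue  # not a standard ACL entry, ignore it
        action, target = parts[2], parts[3]
        if target == "any":
            net, wild = 0, 0xFFFFFFFF           # every bit is "don't care"
        elif target == "host":
            net, wild = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            net = int(ipaddress.IPv4Address(target))
            # A standard ACL entry with no wildcard is an exact host match,
            # which is what 0.0.0.0 spells out explicitly.
            wild = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append((action, net, wild))
    return entries


def acl_permits(entries, source_ip):
    """Evaluate one source address against the ACL.

    Entries are checked top-down and the first match decides.  Bits set
    in the wildcard are ignored in the comparison.  No match means the
    implicit deny at the end of every IOS ACL applies.
    """
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF            # bits that must match exactly
        if (src & care) == (net & care):
            return action == "permit"
    return False  # implicit deny


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_LINES)
    for ip in ("192.168.10.10", "192.168.10.11", "10.0.0.5"):
        print(ip, "permitted" if acl_permits(acl, ip) else "denied")
```

Only the management host 192.168.10.10 is permitted; every other address, including its neighbour 192.168.10.11, is denied. The explicit `deny any` line in the notes is therefore redundant with the implicit deny, but keeping it makes `show access-lists` display hit counters for rejected attempts, which is useful when troubleshooting who is knocking on the VTY lines.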

 

6.5.c (ii) Telnet/SSH

  • Telnet is an insecure protocol that sends credentials and session data in clear text; do not use it.
  • To disable telnet on a device, specify only the protocols that are allowed on the VTY lines (transport input ssh); every other protocol is then denied.
  • To configure SSH on a router
    • Configure the hostname
    Router(config)#hostname Router1
    • Configure the domain name
    Router(config)#ip domain-name econfigs.com
    • Generate the RSA keys
    Router(config)#crypto key generate rsa
     The name for the keys will be: Router1.econfigs.com
     Choose the size of the key modulus in the range of 360 to 2048 for your
       General Purpose Keys. Choosing a key modulus greater than 512 may take
       a few minutes.
    
    How many bits in the modulus [512]: 1024
     % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
    
    • Configure the VTY lines
    Router(config)#line vty 0 4
    Router(config-line)#transport input ssh
  • Also remember to configure a local username and password so you can log in when the prompt appears

 

6.5.d Login banner

  • A login banner appears just before the Username: prompt when user authentication is required to log in to a device
  • A character delimiter is required to specify the beginning and end of the login banner
Router1(config)#banner login ?
  LINE  c banner-text c, where 'c' is a delimiting character
Router1(config)#banner login %this is the login banner%
Router1(config)#exit
Router1#exit
[press Enter]

this is the login banner

User Access Verification

Username: 
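The "verify and troubleshoot" half of this objective is checking that a device actually has the items from 6.5.a through 6.5.d in its running configuration. The following added example (not part of the original notes, and not a Cisco tool) is a small Python audit that parses a running-config excerpt and reports each hardening item that is missing or weak: an enable password instead of an enable secret, AAA local login not enabled, no login banner, VTY lines that still accept telnet, and VTY lines with no inbound access-class. Both configurations below are constructed for the example, the hash value in the hardened one is a placeholder, and the function names are assumptions.

```python
# Constructed running-config excerpt with several hardening gaps.
# Not captured from a real device.
SAMPLE_CONFIG = """\
hostname Router1
ip domain-name econfigs.com
enable password cisco123
username admin password cisco123
aaa new-model
aaa authentication login default local
banner login ^Cthis is the login banner^C
access-list 10 permit 192.168.10.10 0.0.0.0
access-list 10 deny any
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
 access-class 10 in
"""

# Constructed hardened version of the same device; the enable secret
# value is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname Router1
ip domain-name econfigs.com
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin password cisco123
aaa new-model
aaa authentication login default local
banner login ^Cthis is the login banner^C
access-list 10 permit 192.168.10.10 0.0.0.0
access-list 10 deny any
line vty 0 4
 access-class 10 in
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into top-level lines and indented sub-blocks.

    IOS indents the commands that belong to a section (e.g. 'line vty 0 4')
    by one space, so an unindented line starts a new section.
    """
    top_level, sections = [], {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top_level.append(current)
    return top_level, sections


def audit_hardening(text):
    """Return one finding per hardening item from the notes that is absent or weak."""
    top_level, sections = parse_config(text)
    findings = []

    # 6.5.b: enable secret (hashed) rather than enable password (plain text)
    if any(l.startswith("enable password ") for l in top_level):
        findings.append("enable password is set: stored in plain text, use enable secret instead")
    if not any(l.startswith("enable secret ") for l in top_level):
        findings.append("no enable secret configured")

    # 6.5.a: local authentication enforced through AAA
    if "aaa new-model" not in top_level or not any(
        l.startswith("aaa authentication login default") for l in top_level
    ):
        findings.append("local login authentication not enforced (aaa new-model / aaa authentication login default local)")

    # 6.5.d: login banner
    if not any(l.startswith("banner login ") for l in top_level):
        findings.append("no login banner configured")

    # 6.5.c: per VTY line, SSH only and a source-address restriction
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        allowed = set()
        for l in body:
            if l.startswith("transport input"):
                allowed.update(l.split()[2:])
        # Assumption for this example: with no 'transport input' line the
        # platform default is treated as permissive and flagged as well.
        if not allowed or allowed & {"telnet", "all"}:
            findings.append(f"{name}: telnet accepted, use 'transport input ssh'")
        if not any(l.startswith("access-class ") and l.endswith(" in") for l in body):
            findings.append(f"{name}: no inbound access-class restricting source addresses")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_hardening(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the sample configuration the audit reports four findings (the plain-text enable password, the missing enable secret, and telnet plus no access-class on vty 0 4), while vty 5 15 passes because it already has transport input ssh and access-class 10 in; the hardened configuration produces no findings. Feeding it the output of show running-config from a lab device is a quick way to confirm each step of this section took effect.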

 

PacketTracer Lab: CCNA-6.5-Configure-verify-and-troubleshoot-basic-device-hardening.pkt
