0.0.0.0
Boston(config)#line vty 0 4
Boston(config-line)#access-class 30 in

You must configure passwords for all of the vty lines on the router. Remember that you can add more vty lines to the router. The default vty lines 0 to 4 and any added lines must be protected.

Auxiliary Lines

By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use auxiliary ports to remotely configure and monitor the router using a dialup modem connection. Unlike console and vty passwords, the auxiliary password is not configured during the initial configuration dialog and should be configured using the password command in auxiliary line configuration mode.

If you want to turn off the EXEC process for the aux port, use the no exec command within the auxiliary line configuration mode. Setting the auxiliary line-level password is only one of several steps that you must complete when configuring a router auxiliary port for remote dial-in access. The table in Figure explains commands that you can use when configuring an auxiliary port.
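The line-protection rules above (every con, aux and vty line needs a password and login, an aux port is safe only if it is protected or its EXEC process is turned off, and vty lines should carry an inbound access-class) can be checked mechanically against a saved running-config. The script below is an added example written for this page, not Cisco's code or a Cisco tool; the configuration text it scans is constructed, and the type 7 strings in it are placeholder values, not real obfuscated passwords.

```python
"""
Audit the 'line ...' blocks of a saved Cisco IOS running-config for
missing line passwords, missing 'login', unprotected aux ports and
vty lines with no inbound access-class.

Added example, not Cisco's code. SAMPLE_CONFIG is constructed.
"""

# Constructed sample: con and vty 0 4 are protected, aux is left wide
# open, and vty 5 15 has a password but no access-class.
SAMPLE_CONFIG = """\
hostname Boston
!
access-list 30 permit 10.1.1.0 0.0.0.255
!
line con 0
 password 7 0123456789AB
 login
line aux 0
 exec-timeout 10 0
line vty 0 4
 access-class 30 in
 password 7 0123456789AB
 login
line vty 5 15
 password cisco
 login
"""


def parse_line_sections(config):
    """Return [(line_name, [sub-commands])] for every 'line ...' block.

    Sub-commands are the indented lines that follow a top-level
    'line ...' command; any other top-level command ends the block.
    """
    sections = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            sections.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None
    return sections


def audit_lines(config):
    """Return a sorted list of findings; an empty list means all lines pass."""
    findings = []
    for name, cmds in parse_line_sections(config):
        has_password = any(c.startswith("password ") for c in cmds)
        # 'login', 'login local' and 'login authentication ...' all count:
        # without one of them IOS never prompts for the line password.
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        exec_disabled = "no exec" in cmds

        # An aux port with the EXEC process turned off cannot be logged
        # into, so the password checks do not apply to it.
        if name.startswith("line aux") and exec_disabled:
            continue
        if not has_password:
            findings.append(f"{name}: no line password configured")
        if not has_login:
            findings.append(f"{name}: 'login' not set, so the line password is never checked")
        if name.startswith("line vty") and not any(
            c.startswith("access-class ") and c.endswith(" in") for c in cmds
        ):
            findings.append(f"{name}: no inbound access-class restricting sources")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_lines(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; the sample produces two findings for line aux 0 and one for line vty 5 15, while the console line and the first vty range are silent. Replacing the aux block with a single no exec sub-command clears both aux findings, which is the no exec behaviour the text describes.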
5.5 Securing Cisco Router Administrative Access
5.5.4 Additional Password Security

Cisco IOS software provides a number of enhanced features that allow you to increase the security of your passwords. These features include setting a minimum password length, encrypting your passwords, and encrypting username passwords.

Password Minimum Length Enforcement

Cisco IOS Release 12.3(1) and later allows you to set the minimum character length for all router passwords using the security passwords min-length global configuration command. Figure shows the command syntax. This command provides enhanced security access to the router by allowing you to specify a minimum password length (0 to 16), which eliminates common passwords that are prevalent on most networks, such as lab and cisco. This command affects user passwords, enable passwords and secrets, and line passwords that users create after the command is executed. Existing router passwords remain unaffected. It is highly recommended that you set your minimum password length to at least 10 characters. After you enable this command, any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following:

Password too short - must be at least 10 characters. Password configuration failed.

Encrypting Passwords
Just like console and vty passwords, router configurations do not encrypt auxiliary passwords. This is why it is important to use the service password-encryption command. Figure shows the syntax for this command. With the exception of the enable secret password, all Cisco router passwords are, by default, stored in plaintext form within the router configuration. View these passwords with the show running-config command. Sniffers can also see these passwords if your TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder will be able to obtain these passwords.

A proprietary Cisco algorithm based on a Vigenere cipher (indicated by the number 7 when viewing the configuration) allows the service password-encryption command to encrypt all passwords (except the previously encrypted enable secret password) in the router configuration file. This method is not as safe as MD5, which is used with the enable secret command, but it prevents casual discovery of the router line-level passwords. Most cryptographers consider the encryption algorithm in the service password-encryption command to be relatively weak, and several Internet sites post mechanisms for cracking this cipher. This only reinforces that relying on the encrypted passwords alone is not sufficient security for your Cisco routers. You need to ensure that the communications link between the console and the routers, or between the TFTP or management server and the routers, is a secured connection.

After all of your passwords are configured for the router, you should run the service password-encryption command in global configuration mode, as shown in Figure. When you remove the service password-encryption command with the no form, the command does not decrypt the passwords.

Enhanced Username Password Security
You can choose to use an MD5 hashing mechanism to encrypt username passwords. Cisco routers can maintain a list of usernames and passwords for performing local login authentication. Traditionally, local users were defined with the username password command, which was used to configure users and plaintext passwords. These passwords could then be obfuscated by the password-encryption service, which employed the weak Vigenere cipher that defended against reading the passwords but did not provide adequate protection from hackers. Option 7 in the username password command allows you to enter the ciphertext of a password, computed by the Vigenere algorithm. This option was used in recovery scenarios in which a previous configuration, using the password-encryption service, needed to be reinstalled and only obfuscated passwords were available in the backup configuration.

Enhanced username password security uses the username secret command and MD5 password hashing. This combination is a much stronger encryption scheme than the standard type 7 encryption found in the service password-encryption command. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server. Using the username secret command in global configuration mode, you can choose to enter a plaintext password for MD5 hashing by the router (option 0), or enter a previously encrypted MD5 secret (option 5). Figure shows the syntax of the username password command and the username secret command and an example.

username name secret {[0] password | 5 encrypted-secret}

Figure lists the parameters to use with this command. Note that MD5 encryption is a strong encryption method that is not retrievable; therefore, you cannot use MD5 encryption with protocols that require plaintext passwords, such as Challenge Handshake Authentication Protocol (CHAP).
5.5 Securing Cisco Router Administrative Access
5.5.5 Protecting Your Router by Securing ROMMON

By default, Cisco IOS routers allow a break sequence during power up, which forces the router into ROM Monitor (ROMMON) mode. Once the router is in ROMMON mode, anyone can choose to enter a new enable secret password using the well-known Cisco password recovery procedure. This procedure, if performed correctly, leaves the router configuration intact. This scenario presents a potential security breach because anyone who gains physical access to the router console port can enter ROMMON, reset the enable secret password, and discover the router configuration. You can mitigate this potential security breach by using the no service password-recovery global configuration command as shown in Figure. The no service password-recovery command has no arguments or keywords.

Caution

If you configure a router with the no service password-recovery command, all access to the ROMMON is disabled. If the router flash memory does not contain a valid Cisco IOS image, you will not be able to use the rommon xmodem command to load a new flash image. In order to repair the router, you must obtain a new Cisco IOS image on a flash SIMM or on a Personal Computer Memory Card International Association (PCMCIA) card (model dependent). See Cisco.com for more information regarding backup flash images. Once the no service password-recovery command is executed, the router boot sequence will look similar to the display shown in Figure
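Sections 5.5.4 and 5.5.5 together describe four global-level controls: a minimum password length (recommended 10 or more), service password-encryption so that no line or username password sits in the configuration as type 0 plaintext, username secret and enable secret (type 5, MD5) in place of the reversible type 7 form, and no service password-recovery. The script below checks a saved configuration for all four. It is an added example written for this page, not Cisco's code; the configuration text is constructed, and the values that look like MD5 secrets and type 7 strings are placeholders, not real hashes.

```python
"""
Audit global password controls in a saved Cisco IOS running-config:
minimum password length, service password-encryption, plaintext or
type 7 enable/username credentials, and no service password-recovery.

Added example, not Cisco's code. SAMPLE_CONFIG and the hash-looking
values inside it are constructed placeholders.
"""
import re

# Constructed sample: one proper type 5 secret, several weak or
# reversible credentials, and neither of the two 'service' commands.
SAMPLE_CONFIG = """\
hostname Boston
security passwords min-length 6
enable secret 5 $1$abcd$constructed.value.not.real
enable password 7 0123456789AB
username admin password 7 0123456789AB
username ops password 0 letmein
username backup secret 5 $1$abcd$constructed.value.not.real
line vty 0 4
 password cisco
 login
"""

# 'enable password|secret [type] value' and 'username NAME password|secret [type] value'
_ENABLE_RE = re.compile(r"^enable (password|secret)(?: (\d))? (\S+)$")
_USER_RE = re.compile(r"^username (\S+) (password|secret)(?: (\d))? (\S+)$")
# indented line-mode 'password [type] value'
_LINE_PW_RE = re.compile(r"^ password(?: (\d))? (\S+)$")


def describe(type_digit):
    """Translate the IOS type digit into how the stored value was produced."""
    if type_digit in (None, "0"):
        return "plaintext (type 0)"
    if type_digit == "7":
        return "type 7 (reversible Vigenere-based obfuscation)"
    if type_digit == "5":
        return "type 5 (MD5 hash)"
    return f"type {type_digit}"


def audit_global(config, recommended_min_length=10):
    """Return a sorted list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]

    # 1. security passwords min-length: present, and at least the recommendation
    min_len = None
    for l in lines:
        m = re.match(r"^security passwords min-length (\d+)$", l)
        if m:
            min_len = int(m.group(1))
    if min_len is None:
        findings.append("no 'security passwords min-length' configured")
    elif min_len < recommended_min_length:
        findings.append(f"min-length {min_len} is below the recommended {recommended_min_length}")

    # 2. and 3. the two global 'service' commands
    if "service password-encryption" not in lines:
        findings.append("'service password-encryption' is not enabled: line and username passwords stay in plaintext")
    if "no service password-recovery" not in lines:
        findings.append("'no service password-recovery' is not set: a console break into ROMMON allows a password reset")

    # 4. credentials that are plaintext or only type 7 where a type 5 secret is available
    scope = None  # name of the current 'line ...' block, if any
    for l in lines:
        if l.startswith("line "):
            scope = l
            continue
        if not l.startswith(" "):
            scope = None
        m = _ENABLE_RE.match(l)
        if m and m.group(1) == "password":
            findings.append(f"enable password stored as {describe(m.group(2))}; replace with 'enable secret'")
            continue
        m = _USER_RE.match(l)
        if m and m.group(2) == "password":
            findings.append(f"username {m.group(1)} stored as {describe(m.group(3))}; use 'username {m.group(1)} secret'")
            continue
        m = _LINE_PW_RE.match(l)
        if m and scope and m.group(1) in (None, "0"):
            # A line password can only be type 0 or type 7, so type 7 is the most
            # service password-encryption can do here; 'login local' with
            # 'username ... secret' is the stronger option for these lines.
            findings.append(f"{scope}: password stored as plaintext; enable service password-encryption")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_global(SAMPLE_CONFIG):
        print(finding)
```

The sample yields seven findings; a configuration with min-length 10, both service commands, only secret 5 credentials for enable and usernames, and type 7 line passwords yields none. Note that the script never decodes a type 7 value: for an audit it is enough to know that the value is reversible and should be replaced, which is exactly the point the text makes about service password-encryption.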