I got certified in CCNA Security (IINS v1.0) back in 2012 and I did some labs for IINS v2.0 (640-554) while studying for my CompTIA Security+. The big difference in the CCNA Security Student Lab Manual is that Cisco Configuration Professional (CCP) is used throughout the course, and basic ASA firewall and SSL/AnyConnect VPN have been added to it.
The term "hardening" is usually applied to the operating system (router IOS in this case). The idea is to "lock down" the operating system: for example, ensure that all unneeded services are turned off, all unneeded software is uninstalled, patches are applied, user accounts are checked for security, and so forth. Hardening is the general process of making certain that the operating system itself is as secure as it can be. In fact, if you have not hardened the operating system, any other security measures are going to be far less effective and possibly completely ineffective.
Below is the initial (and lengthy) router IOS "hardening" and CCP (version 2.8) lab that I did.
R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Apr 11 10:50:19.967: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Apr 11 10:50:20.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.0
R1(config-if)#clockrate 64000
R1(config-if)#no shutdown
*Apr 11 10:50:57.527: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#
*Apr 11 09:34:36.439: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.0
R2(config-if)#clockrate 64000
R2(config-if)#no shutdown
R2(config-if)#
*Apr 11 09:35:30.179: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 11 09:35:31.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#exit
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Apr 11 11:03:12.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Apr 11 11:03:31.847: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R3(config-if)#
*Apr 11 11:04:06.171: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 11 11:04:07.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R3#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
R1(config)#security ?
authentication Authentication security CLIs
passwords Password security CLIs
R1(config)#security passwords ?
min-length Minimum length of passwords
R1(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
R1(config)#security passwords min-length 10
R1(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
R1(config)#enable secret cisco12345 // COMPLEX PASSWORD IS RECOMMENDED IN PRODUCTION NETWORK
R1(config)#line console 0
R1(config-line)#password ciscocon
% Invalid Password length - must contain 10 to 25 characters. Password configuration failed
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
R1(config-line)#exec-timeout 5 ?
<0-2147483> Timeout in seconds
<cr>
R1(config-line)#exec-timeout 5 0 // FORCE LOG OUT AFTER 5 MINS OF INACTIVITY
R1(config-line)#login
R1(config-line)#logging ?
synchronous Synchronized message output
R1(config-line)#logging synchronous // PREVENTS CONSOLE MESSAGES FROM INTERRUPTING COMMAND ENTRY
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
Password required, but none set // VTY LINES NOT YET CONFIGURED
[Connection to 10.1.1.1 closed by foreign host]
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2#
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
R1>enable
Password:
R1#show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5. // TYPE 5 (MD5 HASH); NOT REVERSIBLE LIKE TYPE 7
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.0
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password ciscoconpass
logging synchronous
login
line aux 0
exec-timeout 5 0
password ciscoauxpass
login
line vty 0 4
exec-timeout 5 0
password ciscovtypass
login
!
scheduler allocate 20000 1000
end
R3(config)#security passwords min-length 10
R3(config)#enable secret cisco12345
R3(config)#enable secret cisco12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line aux 0
R3(config-line)#password ciscoauxpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R1(config)#service ?
alignment Control alignment correction and logging
compress-config Compress the nvram configuration file
config TFTP load config files
dhcp Enable DHCP server and relay agent
disable-ip-fast-frag Disable IP particle-based fast fragmentation
exec-callback Enable exec callback
exec-wait Delay EXEC startup on noisy lines
finger Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber enable line number banner for each exec
nagle Enable Nagle's congestion control algorithm
old-slip-prompts Allow old scripts to operate with slip/ppp
pad Enable PAD commands
password-encryption Encrypt system passwords
prompt Enable mode specific prompt
pt-vty-logging Log significant VTY-Async events
sequence-numbers Stamp logger messages with a sequence number
slave-log Enable log capability of slave IPs
tcp-keepalives-in Generate keepalives on idle incoming network
connections
tcp-keepalives-out Generate keepalives on idle outgoing network
connections
tcp-small-servers Enable small TCP servers (e.g., ECHO)
telnet-zeroidle Set TCP window 0 when connection is idle
timestamps Timestamp debug/log messages
txacc-accounting Enable transmit credit accounting
udp-small-servers Enable small UDP servers (e.g., ECHO)
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1366 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20 // CISCO TYPE 7 ENCRYPTION; A WEAK ENCRYPTION (VIGENERE CIPHER) TO PROTECT FROM SHOULDER SURFING
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
login
line vty 0 4
exec-timeout 5 0
password 7 1511021F07253D303123343100
login
!
scheduler allocate 20000 1000
end
R3(config)#service password-encryption
R1(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
R1(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
R1(config)#banner motd $
Enter TEXT message. End with the character '$'
Unauthorized access strictly prohibited and prosecuted to the full extent of the law $
R1(config)#do show run
Building configuration...
Current configuration : 1467 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
/banner
filtering...
banner motd ^C
Unauthorized access strictly prohibited and prosecuted to the full extent of the law ^C
!
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
login
line vty 0 4
exec-timeout 5 0
password 7 1511021F07253D303123343100
login
!
scheduler allocate 20000 1000
end
R3(config)#banner motd $
Enter TEXT message. End with the character '$'
Unauthorized access strictly prohibited and prosecuted to the full extent of the law $
R3(config)#end
R3#exit
R3 con0 is now available
Press RETURN to get started.
*Apr 11 11:35:00.699: %SYS-5-CONFIG_I: Configured from console by console
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Password:
R1(config)#username ?
WORD User name
R1(config)#username user01 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username user01 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
R1(config)#username user01 password 0 ?
LINE The UNENCRYPTED (cleartext) user password
R1(config)#username user01 password 0 user01pass
R1(config)#do show run
Building configuration...
Current configuration : 1517 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20 // service password-encryption IS IN EFFECT
R1(config)#username user02 secret user02pass
R1(config)#do show run
Building configuration...
Current configuration : 1573 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20
username user02 secret 5 $1$3hK5$V40afHUlgSlqieuRRLE5k/ // TYPE 5 (MD5 HASH); PREFER 'secret' OVER 'password' FOR USER ACCOUNTS
R1(config)#line console 0
R1(config-line)#login ?
local Local password checking
<cr>
R1(config-line)#login local
R1(config-line)#end
*Apr 11 11:38:43.723: %SYS-5-CONFIG_I: Configured from console by console
R1#exit
R1 con0 is now available
Press RETURN to get started.
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: user01
Password:
R1>show run // CAN'T ISSUE COMMAND DUE TO USER MODE ACCESS
^
% Invalid input detected at '^' marker.
R1>enable
Password:
R1#
R1(config)#line vty 0 4
R1(config-line)#login local
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the
law
User Access Verification
Username: user01
Password:<user01pass>
R1>
R3(config)#username user01 password 0 user01pass
R3(config)#username user02 secret user02pass
R3(config)#line console 0
R3(config-line)#login local
R3(config-line)#line vty 0 4
R3(config-line)#login local
C:\Users\John Lloyd>telnet 192.168.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the
law
User Access Verification
Password:<ciscovtypass>
R1>enable
Password:<cisco12345>
R1#conf t
R1(config)#line aux 0
R1(config-line)#login local
R3(config)#line aux 0
R3(config-line)#login local
R1#show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
R1(config)#login block-for ?
<1-65535> Time period in seconds
R1(config)#login block-for 60 ?
attempts Set max number of fail attempts
R1(config)#login block-for 60 attempts 2 ?
within Watch period for fail attempts
R1(config)#login block-for 60 attempts 2 within ?
<1-65535> Time period in seconds
R1(config)#login block-for 60 attempts 2 within 30 // MITIGATES BRUTE-FORCE LOGINS OVER TELNET, SSH OR HTTP: IF 2 FAILED ATTEMPTS OCCUR WITHIN 30 SEC, LOGINS ARE BLOCKED FOR 60 SEC (QUIET MODE TIMER)
R1(config)#do show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 27 seconds.
Login failures for current window: 0.
Total login failures: 0.
R1(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
R1(config)#login on-success ?
every Periodicity for logs/traps generated
log Generate syslogs on successful logins
trap Generate traps on successful logins
<cr>
R1(config)#login on-success log // LOGS EVERY SUCCESSFUL LOGIN
R1(config)#login on-failure log ?
every Periodicity for logs/traps generated
<cr>
R1(config)#login on-failure log every ?
<1-65535> Number defining periodicity
R1(config)#login on-failure log every 2 // LOGS EVERY 2ND FAILED LOGIN
R1(config)#do show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 21 seconds.
Login failures for current window: 0.
Total login failures: 0.
R3(config)#login block-for 60 attempts 2 within 30
R3(config)#login on-success log
R3(config)#login on-failure log every 2
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the
law
User Access Verification
Username: cisco
Password:
% Login invalid
Username: admin
Password:
% Login invalid
Connection to host lost.
R1#
*Apr 11 11:58:35.875: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 11:58:35 UTC Sat Apr 11 2015
R1#
*Apr 11 11:58:35.875: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 14 secs, [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: sl_def_acl] at 11:58:35 UTC Sat Apr 11 2015
Connection to host lost.
C:\Users\John Lloyd>telnet 10.1.1.1
Connecting To 10.1.1.1...Could not open connection to the host, on port 23: Conn
ect failed
R1#
*Apr 11 12:00:40.355: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.168.1.3(4015) -> 0.0.0.0(23), 1 packet
R1#show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 31 seconds.
Denying logins from all sources.
R1#show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 29 seconds.
Login failures for current window: 0.
Total login failures: 5.
R1#
*Apr 11 12:01:36.607: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:01:36 UTC Sat Apr 11 2015
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of th
law
User Access Verification
Username: user01
Password:
R1>
R1#
*Apr 11 12:02:33.683: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 192.168.1.3] [localport: 23] at 12:02:33 UTC Sat Apr 11 2015
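The %SEC_LOGIN messages above are what a defender actually gets to work with, so here is an added Python parser (my own example, not part of the lab) that summarises them per source address and flags sources with repeated failures or a success that follows failures. The sample lines are constructed from the lab's own output, with one extra LOGIN_FAILED for user 'cisco' added so per-user counting is visible; note that with 'login on-failure log every 2' the failure count is only a lower bound.

```python
import re
from collections import defaultdict

# Constructed sample: lines of the kind R1 emitted in this lab (timestamps and addresses
# copied from the lab), plus one extra LOGIN_FAILED for 'cisco' to show per-user counting.
SAMPLE_SYSLOG = [
    "*Apr 11 11:58:20.111: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 11:58:20 UTC Sat Apr 11 2015",
    "*Apr 11 11:58:35.875: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 11:58:35 UTC Sat Apr 11 2015",
    "*Apr 11 11:58:35.875: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 14 secs, [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: sl_def_acl] at 11:58:35 UTC Sat Apr 11 2015",
    "*Apr 11 12:00:40.355: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.168.1.3(4015) -> 0.0.0.0(23), 1 packet",
    "*Apr 11 12:01:36.607: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:01:36 UTC Sat Apr 11 2015",
    "*Apr 11 12:02:33.683: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 192.168.1.3] [localport: 23] at 12:02:33 UTC Sat Apr 11 2015",
    "*Apr 12 11:32:28.727: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 0.0.0.0] [localport: 0] at 11:32:28 UTC Sun Apr 12 2015",
]

# %FACILITY-SEVERITY-MNEMONIC: text   (the standard IOS syslog header)
EVENT_RE = re.compile(r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)")
# [key: value] pairs that the SEC_LOGIN messages carry
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+): (?P<value>[^\]]*)\]")
# ACL log line produced while quiet mode's sl_def_acl is dropping new connections
ACL_RE = re.compile(r"list (?P<acl>\S+) denied \w+ (?P<src>[\d.]+)\(\d+\) -> [\d.]+\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def parse_event(line: str):
    """Return the message header plus its [key: value] fields, or None for non-syslog text."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(ev["text"])}
    return ev


def summarize(lines):
    """Aggregate login activity per source address and record quiet-mode transitions."""
    rep = {
        "failures": defaultdict(int),      # source -> logged failures (lower bound if 'log every N' > 1)
        "failed_users": defaultdict(set),  # source -> usernames that failed
        "successes": [],                   # (user, source) in the order seen; 0.0.0.0 = console
        "quiet_mode": [],                  # ("on", source that triggered it) / ("off", None)
        "acl_denied": defaultdict(int),    # source -> packets dropped by the quiet-mode ACL
    }
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f, name = ev["fields"], ev["mnemonic"]
        if name == "LOGIN_FAILED":
            rep["failures"][f["source"]] += 1
            rep["failed_users"][f["source"]].add(f["user"])
        elif name == "LOGIN_SUCCESS":
            rep["successes"].append((f["user"], f["source"]))
        elif name == "QUIET_MODE_ON":
            rep["quiet_mode"].append(("on", f.get("source")))
        elif name == "QUIET_MODE_OFF":
            rep["quiet_mode"].append(("off", None))
        elif name == "IPACCESSLOGP":
            a = ACL_RE.search(ev["text"])
            if a:
                rep["acl_denied"][a["src"]] += int(a["count"])
    return rep


def suspicious_sources(rep, threshold: int = 2):
    """Sources worth a closer look: at least `threshold` failures, or both failures and a success."""
    flags = {}
    for src, n in rep["failures"].items():
        reasons = []
        if n >= threshold:
            reasons.append(f"{n} failed logins as {sorted(rep['failed_users'][src])}")
        if any(s == src for _, s in rep["successes"]):
            reasons.append("source has both failed and successful logins")
        if reasons:
            flags[src] = reasons
    return flags


REPORT = summarize(SAMPLE_SYSLOG)
FLAGS = suspicious_sources(REPORT)

if __name__ == "__main__":
    for src, reasons in FLAGS.items():
        print(src, "->", "; ".join(reasons))
    print("quiet-mode transitions:", REPORT["quiet_mode"])
```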
R1(config)#ip domain-name ?
WORD Default domain name
vrf Specify VRF
R1(config)#ip domain-name ccnasecurity.com
R1(config)#username admin ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username admin privilege ?
<0-15> User privilege level
R1(config)#username admin privilege 15 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username admin privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
R1(config)#username admin privilege 15 secret cisco12345
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: admin
Password:<cisco12345>
R1#
*Apr 12 11:32:28.727: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 0.0.0.0] [localport: 0] at 11:32:28 UTC Sun Apr 12 2015
R1#
R1(config)#line vty 0 4
R1(config-line)#?
Line configuration commands:
absolute-timeout Set absolute timeout for line disconnection
access-class Filter connections based on an IP access list
activation-character Define the activation character
autobaud Set line to normal autobaud
autocommand Automatically execute an EXEC command
autocommand-options Autocommand options
autohangup Automatically hangup when last connection closes
autoselect Set line to autoselect
buffer-length Set DMA buffer length
data-character-bits Size of characters being handled
databits Set number of data bits per character
default Set a command to its defaults
disconnect-character Define the disconnect character
dispatch-character Define the dispatch character
dispatch-machine Reference a TCP dispatch state machine
dispatch-timeout Set the dispatch timer
domain-lookup Enable domain lookups in show commands
editing Enable command line editing
escape-character Change the current line's escape character
exec Configure EXEC
exec-banner Enable the display of the EXEC banner
exec-character-bits Size of characters to the command exec
exec-timeout Set the EXEC timeout
exit Exit from line configuration mode
flowcontrol Set the flow control
flush-at-activation Clear input stream at activation
full-help Provide help to unprivileged user
help Description of the interactive help system
history Enable and control the command history function
hold-character Define the hold character
insecure Mark line as 'insecure' for LAT
international Enable international 8-bit character support
ip IP options
ipv6 IPv6 options
length Set number of lines on a screen
location Enter terminal location description
lockable Allow users to lock a line
logging Modify message logging facilities
login Enable password checking
logout-warning Set Warning countdown for absolute timeout of
line
modem Configure the Modem Control Lines
monitor Copy debug output to the current terminal line
motd-banner Enable the display of the MOTD banner
no Negate a command or set its defaults
notify Inform users of output from concurrent sessions
padding Set padding for a specified output character
parity Set terminal parity
password Set a password
prc PRC commands
private Configuration options that user can set will
remain in effect between terminal sessions
privilege Change privilege level for line
refuse-message Define a refuse banner
rotary Add line to a rotary group
rxspeed Set the receive speed
script specify event related chat scripts to run on the
line
session-disconnect-warning Set warning countdown for session-timeout
session-limit Set maximum number of sessions
session-timeout Set interval for closing connection when there is
no input traffic
special-character-bits Size of the escape (and other special) characters
speed Set the transmit and receive speeds
start-character Define the start character
stop-character Define the stop character
stopbits Set async line stop bits
telnet Telnet protocol-specific configuration
terminal-type Set the terminal type
timeout Timeouts for the line
transport Define transport protocols for line
txspeed Set the transmit speed
vacant-message Define a vacant banner
width Set width of the display terminal
x25 X25 protocol-specific configuration
R1(config-line)#privilege ?
level Assign default privilege level for line
R1(config-line)#privilege level ?
<0-15> Default privilege level for line
R1(config-line)#privilege level 15 // USERS WHO LOG IN ON THESE LINES LAND DIRECTLY IN PRIVILEGED EXEC MODE
R1(config-line)#login ?
local Local password checking
<cr>
R1(config-line)#login local
R1(config-line)#transport ?
input Define which protocols to use when connecting to the terminal
server
output Define which protocols to use for outgoing connections
preferred Specify the preferred protocol to use
R1(config-line)#transport input ?
all All protocols
lapb-ta LAPB Terminal Adapter
mop DEC MOP Remote Console Protocol
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
udptn UDPTN async via UDP protocol
v120 Async over ISDN
R1(config-line)#transport input ssh // WILL ONLY ACCEPT INBOUND SSH CONNECTIONS
R1(config-line)#exit
R1(config)#crypto key ?
decrypt Decrypt a keypair.
encrypt Encrypt a keypair.
export Export keys
generate Generate new keys
import Import keys
move Move keys
pubkey-chain Peer public key chain management
storage default storage location for keypairs
zeroize Remove keys
R1(config)#crypto key zeroize ?
rsa Remove RSA keys
<cr>
R1(config)#crypto key zeroize rsa // ERASE EXISTING RSA KEY PAIR
% No Signature RSA Keys found in configuration.
R1(config)#crypto key ?
decrypt Decrypt a keypair.
encrypt Encrypt a keypair.
export Export keys
generate Generate new keys
import Import keys
move Move keys
pubkey-chain Peer public key chain management
storage default storage location for keypairs
zeroize Remove keys
R1(config)#crypto key generate ?
rsa Generate RSA keys
<cr>
R1(config)#crypto key generate rsa ?
encryption Generate a general purpose RSA key pair for signing and
encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and
encryption
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and
encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
R1(config)#crypto key generate rsa general-keys ?
exportable Allow the key to be exported
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
storage Store key on specified device
<cr>
R1(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
R1(config)#crypto key generate rsa general-keys modulus 1024 // ROUTER USES THE RSA KEY PAIR FOR AUTHENTICATION AND ENCRYPTION OF TRANSMITTED SSH DATA; DEFAULT IS 512 MODULUS BITS
The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Apr 12 11:37:12.715: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
R1(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
dh Diffie-Hellman
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH
connections
time-out Specify SSH time-out interval
version Specify protocol version to be supported
R1(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
R1(config)#ip ssh time-out 90
R1(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
R1(config)#ip ssh authentication-retries 2
R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 90 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
R3(config)#ip domain-name ccnasecurity.com
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#login local
R3(config-line)#transport input ssh
R3(config-line)#exit
R3(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R3.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#
R3(config)#
*Apr 12 11:45:06.719: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
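To turn the checks from this lab (password encryption, 'secret' vs 'password', exec-timeout, 'login local', 'login block-for', SSH-only vty) into something repeatable, here is an added Python audit script (my own example, not part of the lab or of Cisco's tooling) that parses 'show run' text and flags the weak settings. Both sample configs are constructed: the weak one is modelled on the first 'show run' above, the hardened one on the lab's end state with 'ip ssh version 2' added as a caveat, since the lab leaves SSH at 1.99, which still accepts SSHv1 clients; the admin hash in it is a placeholder.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "scope issue")  # scope is "global" or e.g. "line vty 0 4"


def parse_config(config: str):
    """Split show-run text into top-level commands and the indented children of each."""
    top, children, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        if raw.startswith(" ") and current is not None:
            children.setdefault(current, []).append(text)
        else:
            current = text
            top.append(text)
    return top, children


def audit(config: str):
    """Flag the weak settings the lab's hardening steps remove, plus the SSH version caveat."""
    top, children = parse_config(config)
    out = []
    if "no service password-encryption" in top:
        out.append(Finding("global", "service password-encryption is off: line passwords are stored in cleartext"))
    if not any(t.startswith("login block-for") for t in top):
        out.append(Finding("global", "no 'login block-for': failed logins are never throttled"))
    if "ip ssh version 2" not in top:
        out.append(Finding("global", "'ip ssh version 2' not set: version 1.99 still accepts SSHv1 clients"))
    for t in top:
        if t.startswith("username ") and " secret " not in t:
            name = t.split()[1]
            kind = "type 7 (reversible)" if " password 7 " in t else "cleartext"
            out.append(Finding("global", f"username {name}: {kind} password; use 'username {name} secret'"))
    for sect in (t for t in top if t.startswith("line ")):
        cmds = children.get(sect, [])
        timeouts = [c for c in cmds if c.startswith("exec-timeout")]
        if not timeouts or timeouts[0] in ("exec-timeout 0", "exec-timeout 0 0"):
            out.append(Finding(sect, "idle sessions never time out: set exec-timeout"))
        if "login" in cmds:
            out.append(Finding(sect, "shared line password ('login'): prefer 'login local' with per-user accounts"))
        for c in cmds:
            if c.startswith("password 7 "):
                out.append(Finding(sect, "type 7 line password is reversible"))
            elif c.startswith("password "):
                out.append(Finding(sect, "cleartext line password"))
        if sect.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                out.append(Finding(sect, f"vty accepts more than SSH ({transport or 'no transport input set'})"))
    return out


# Constructed sample modelled on the lab's first 'show run', with a few extra weaknesses left in.
WEAK_CONFIG = """\
no service password-encryption
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
username user01 password 0 user01pass
username user02 secret 5 $1$3hK5$V40afHUlgSlqieuRRLE5k/
line con 0
 exec-timeout 5 0
 password ciscoconpass
 login
line aux 0
 exec-timeout 0 0
 password 7 045802150C2E4D5B1109040401
 login
line vty 0 4
 exec-timeout 5 0
 password 7 1511021F07253D303123343100
 login
 transport input telnet ssh
"""

# Constructed end state of the lab plus 'ip ssh version 2'; the admin hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
username admin privilege 15 secret 5 $1$xxxx$PLACEHOLDER-HASH
login block-for 60 attempts 2 within 30
ip ssh version 2
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 5 0
 login local
line vty 0 4
 exec-timeout 5 0
 privilege level 15
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print(f"[{f.scope}] {f.issue}")
```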
login as: admin
Using keyboard-interactive authentication.
Password:<cisco12345>
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
R1#
R1#show users
Line User Host(s) Idle Location
*194 vty 0 admin idle 00:00:00 192.168.1.3
Interface User Mode Idle Peer Address
C:\Users\John Lloyd>telnet 192.168.1.1
Connecting To 192.168.1.1...Could not open connection to the host, on port 23: C
onnect failed
login as: user01
Using keyboard-interactive authentication.
Password:
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
R1>enable
Password:
R1#
R1(config)#no login on-success log
R3(config)#no login on-success log
R1(config)#aaa ?
new-model Enable NEW access control commands and functions.(Disables OLD
commands.)
R1(config)#aaa new-model
R1(config)#exit
R1#
*Apr 12 12:40:27.743: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view
Password:<cisco12345>
R1#
*Apr 12 12:40:39.275: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser ?
% Ambiguous command: "parser "
R1(config)#parser view admin1
R1(config-view)#
*Apr 12 12:43:28.807: %PARSER-6-VIEW_CREATED: view 'admin1' successfully created.
R1(config-view)#commands ?
RITE-profile Router IP traffic export profile command mode
RMI-Node-Config Resource Policy Node Config mode
RMI-Resource-Group Resource Group Config mode
RMI-Resource-Manager Resource Manager Config mode
RMI-Resource-Policy Resource Policy Config mode
SASL-profile SASL profile configuration mode
aaa-attr-list AAA attribute list config mode
aaa-user AAA user definition
accept-dialin VPDN group accept dialin configuration mode
accept-dialout VPDN group accept dialout configuration mode
address-family Address Family configuration mode
archive Archive the router configuration mode
auto-ip-sla-mpls Auto IP SLA MPLS LSP Monitor configs
auto-ip-sla-mpls-lpd-params Auto IP SLA MPLS LPD params configs
auto-ip-sla-mpls-params Auto IP SLA MPLS LSP Monitor Params configs
bba-group BBA Group configuration mode
boomerang Boomerang configuration mode
call-filter-matchlist Call Filter matchlist configuration mode
cascustom Cas custom configuration mode
ces-conn CES connection configuration mode
ces-vc CES VC configuration mode
cm-ac AC-AC connect configuration mode
cns-connect-config CNS Connect Info Mode
cns-connect-intf-config CNS Connect Intf Info Mode
cns-tmpl-connect-config CNS Template Connect Info Mode
cns_inventory_submode CNS Inventory SubMode
config-ip-sla-http-rr IP SLAs HTTP raw request Configuration
config-l2tp-class l2tp-class configuration mode
configure Global configuration mode
congestion Frame Relay congestion configuration mode
controller Controller configuration mode
cpf-classmap Class-map configuration mode
cpf-policyclass Class-in-Policy configuration mode
cpf-policymap Policy-map configuration mode
crypto-identity Crypto identity config mode
crypto-ipsec-profile IPSec policy profile mode
crypto-keyring Crypto Keyring command mode
crypto-map Crypto map config mode
crypto-transform Crypto transform config mode
cwmp CWMP configuration mode
dfp-submode DFP config mode
dhcp DHCP pool configuration mode
dhcp-class DHCP class configuration mode
dhcp-pool-class Per DHCP pool class configuration mode
dhcp-relay-info DHCP class relay agent info configuration
<OUTPUT TRUNCATED>
R1(config-view)#commands exec ?
exclude Exclude the command from the view
include Add command to the view
include-exclusive Include in this view but exclude from others
R1(config-view)#commands exec include ?
LINE Keywords of the command
all wild card support
R1(config-view)#commands exec include all ?
LINE Keywords of the command
R1(config-view)#commands exec include all show
% Password not set for the view admin1
R1(config-view)#secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) view secret string
R1(config-view)#secret admin1pass
R1(config-view)#commands exec include all show
R1(config-view)#commands exec include all config terminal
R1(config-view)#commands exec include all debug
R1(config-view)#end
*Apr 12 12:44:42.423: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view ?
WORD View Name
<cr>
R1#enable view admin1
Password:<admin1pass>
R1#
*Apr 12 12:44:51.039: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R1#show parser view
Current view is 'admin1'
R1#?
Exec commands:
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
aaa Show AAA values
access-expression List access expression
access-lists List access lists
accounting Accounting data for active sessions
adjacency Adjacent nodes
aliases Display alias commands
alignment Show alignment information
appfw Application Firewall information
archive Archive of the running configuration information
arp ARP table
ase Display ASE specific information
async Information on terminal lines used as router
interfaces
auto Show Automation Template
autoupgrade Show autoupgrade related information
backhaul-session-manager Backhaul Session Manager information
backup Backup status
beep Show BEEP information
bfd BFD protocol info
bgp BGP information
bridge Bridge Forwarding/Filtering Database [verbose]
buffers Buffer pool statistics
calendar Display the hardware calendar
call Show call
caller Display information about dialup connections
cca CCA information
cdapi CDAPI information
cdp CDP information
cef CEF address family independent status
cellular Cellular Status
cfmpal Show CFM Commands
checkpoint Checkpoint Facility (CPF)
class-map Show QoS Class Map
clns CLNS network information
clock Display the system clock
cls DLC user information
cns CNS agents
compress Show compression statistics
configuration Configuration details
connection Show Connection
context Show context information about recent crash(s)
control-plane Control Plane information
controllers Interface controller status
cops COPS information
crypto Encryption module
<OUTPUT TRUNCATED>
R1#enable view // COMMAND TO LOGIN TO root
Password:<cisco12345>
R1#
*Apr 12 12:47:03.291: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view admin2
*Apr 12 12:47:18.211: %PARSER-6-VIEW_CREATED: view 'admin2' successfully created.
R1(config-view)#secret admin2pass
R1(config-view)#commands exec include all show
R1(config-view)#end
R1#
*Apr 12 12:47:38.251: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view admin2
Password:<admin2pass>
R1#
*Apr 12 12:47:45.995: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin2'.
R1#show parser view
Current view is 'admin2'
R1#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#enable view
Password:
R1#
*Apr 12 12:48:52.071: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view tech
R1(config-view)#secre
*Apr 12 12:49:00.411: %PARSER-6-VIEW_CREATED: view 'tech' successfully created.
R1(config-view)#secret techpasswd
R1(config-view)#commands exec include show version
R1(config-view)#commands exec include show interfaces
R1(config-view)#commands exec include show ip interface brief
R1(config-view)#commands exec include show parser view
R1(config-view)#end
R1#
*Apr 12 12:49:45.903: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view tech
Password:<techpasswd>
R1#
*Apr 12 12:50:01.427: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech'.
R1#show parser view
Current view is 'tech'
R1#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Show parser commands
version System hardware and software status
R1#enable view tech
Password:
R1#
*Apr 12 12:50:01.427: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech'.
R1#show parser view
Current view is 'tech'
R1#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Show parser commands
version System hardware and software status
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Serial0/0/0 10.1.1.1 YES NVRAM up up
Serial0/0/1 unassigned YES NVRAM administratively down down
Serial0/1/0 unassigned YES NVRAM administratively down down
Serial0/1/1 unassigned YES NVRAM administratively down down
R1#
R1#show ip route
^
% Invalid input detected at '^' marker.
R1#show ip r? // NOT CONFIGURED UNDER tech
% Unrecognized command
R1#enable view
Password:
R1#
*Apr 12 12:51:51.507: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#show run
Building configuration...
Current configuration : 2499 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
aaa new-model
!
!
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20
username user02 secret 5 $1$3hK5$V40afHUlgSlqieuRRLE5k/
username admin privilege 15 secret 5 $1$3G4k$OeEXvxJbdjZYSMYvwKEsH/
archive
log config
hidekeys
!
!
!
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.0
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
banner motd ^C
Unauthorized access strictly prohibited and prosecuted to the full extent of the law ^C
!
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20
logging synchronous
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 1511021F07253D303123343100
transport input ssh
!
parser view admin1
secret 5 $1$IRkc$eXvwVGVgbqNHEKqTS3J8w.
commands exec include all configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug
!
parser view admin2
secret 5 $1$hEB5$O51wAWwEmfWu3JrWcy/2P0
commands exec include all show
!
parser view tech
secret 5 $1$vGf1$/0w6UcifBxPTaulKiKCyi1
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show version
commands exec include show parser view
commands exec include show parser
commands exec include show interfaces
commands exec include show
!
scheduler allocate 20000 1000
end
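As an added example (not part of the lab), a small Python audit of the `parser view` stanzas in the running config above: it classifies what each view really grants and flags the ones that are root-equivalent. The config text is copied from R1's show run; the `ADMIN_KEYWORDS` list is an assumption about which exec keywords amount to full privilege.

```python
"""Audit IOS role-based CLI views from a running-config (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Exec keywords whose unrestricted ("all") inclusion makes a view as powerful as privilege 15.
ADMIN_KEYWORDS = {"configure", "debug", "undebug", "reload", "copy", "erase", "write"}

VIEW_RE = re.compile(r"^parser view (\S+)$")
SECRET_RE = re.compile(r"^secret (?:(0|5) )?(\S+)$")
CMD_RE = re.compile(r"^commands (\S+) (include|include-exclusive|exclude) (all )?(.+)$")


@dataclass
class ParserView:
    name: str
    secret_hashed: Optional[bool] = None  # None: no secret, True: type 5 hash, False: cleartext
    includes: List = field(default_factory=list)  # (wildcard_all, keywords) for include*
    excludes: List = field(default_factory=list)


def parse_views(running_config: str) -> Dict[str, ParserView]:
    """Collect every `parser view` stanza; indentation may be lost in a pasted config."""
    views: Dict[str, ParserView] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VIEW_RE.match(line)
        if m:
            current = views[m.group(1)] = ParserView(m.group(1))
            continue
        if line.startswith("!") or line == "end":  # '!' separates stanzas, 'end' closes the config
            current = None
            continue
        if current is None:
            continue
        m = SECRET_RE.match(line)
        if m:
            current.secret_hashed = m.group(1) == "5"
            continue
        m = CMD_RE.match(line)
        if m and m.group(1) == "exec":
            entry = (m.group(3) is not None, m.group(4).strip())
            (current.excludes if m.group(2) == "exclude" else current.includes).append(entry)
    return views


def classify(view: ParserView) -> str:
    """What a view really grants. IOS stores parent nodes (e.g. bare `show`) for every leaf
    you include; only the `all` wildcard makes a node and everything under it usable, which
    is why `show ip route` fails in the tech view above but works in admin2."""
    if any(wc and kw.split()[0] in ADMIN_KEYWORDS for wc, kw in view.includes):
        return "administrative"
    if any(wc and kw == "show" for wc, kw in view.includes):
        return "read-only (unrestricted show)"
    return "read-only (restricted)"


def audit(view: ParserView) -> List[str]:
    findings = []
    if view.secret_hashed is None:
        findings.append("no view secret set (IOS refuses to add commands until one exists)")
    elif view.secret_hashed is False:
        findings.append("view secret given in cleartext")
    for wc, kw in view.includes:
        if wc and kw.split()[0] in ADMIN_KEYWORDS:
            findings.append(f"'commands exec include all {kw}' is equivalent to privilege 15")
        elif wc and kw == "show":
            findings.append("'all show' allows show running-config, exposing username and password 7 lines")
    return findings


# The parser view stanzas exactly as R1's show run prints them in the lab.
LAB_RUNNING_CONFIG = """\
parser view admin1
 secret 5 $1$IRkc$eXvwVGVgbqNHEKqTS3J8w.
 commands exec include all configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include all debug
!
parser view admin2
 secret 5 $1$hEB5$O51wAWwEmfWu3JrWcy/2P0
 commands exec include all show
!
parser view tech
 secret 5 $1$vGf1$/0w6UcifBxPTaulKiKCyi1
 commands exec include show ip interface brief
 commands exec include show ip interface
 commands exec include show ip
 commands exec include show version
 commands exec include show parser view
 commands exec include show parser
 commands exec include show interfaces
 commands exec include show
!
scheduler allocate 20000 1000
end
"""

if __name__ == "__main__":
    for name, view in parse_views(LAB_RUNNING_CONFIG).items():
        print(f"{name}: {classify(view)}", *[f"  - {f}" for f in audit(view)], sep="\n")
```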
R3#enable view
% AAA must be configured.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#aaa new-model
R3(config)#end
R3#
*Apr 12 12:58:20.243: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view
Password:
R3#
*Apr 12 12:58:25.323: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view admin1
R3(config-view)#
*Apr 12 12:58:34.187: %PARSER-6-VIEW_CREATED: view 'admin1' successfully created.
R3(config-view)#secret admin1pass
R3(config-view)#commands exec include all show
R3(config-view)#commands exec include all config terminal
R3(config-view)#commands exec include all debug
R3(config-view)#end
R3#
*Apr 12 12:59:03.527: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view admin1
Password:
R3#
*Apr 12 12:59:14.891: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R3#show parser view
Current view is 'admin1'
R3#?
Exec commands:
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#enable view
Password:
R3#c
*Apr 12 12:59:39.575: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view admin2
R3(config-view)#
*Apr 12 12:59:47.751: %PARSER-6-VIEW_CREATED: view 'admin2' successfully created.
R3(config-view)#secret admin2pass
R3(config-view)#commands exec include all show
R3(config-view)#end
R3#
*Apr 12 13:00:10.099: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view admin2
Password:
R3#
*Apr 12 13:00:19.379: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin2'.
R3#show parser view
Current view is 'admin2'
R3#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#enable view
Password:
R3#
*Apr 12 13:00:35.963: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view tech
R3(config-view)#
*Apr 12 13:01:09.695: %PARSER-6-VIEW_CREATED: view 'tech' successfully created.
R3(config-view)#secret techpasswd
R3(config-view)#commands exec include show version
R3(config-view)#commands exec include show interfaces
R3(config-view)#commands exec include show ip interface brief
R3(config-view)#commands exec include show parser view
R3(config-view)#end
R3#
*Apr 12 13:01:42.263: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view tech
Password:
R3#
*Apr 12 13:01:59.067: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech'.
R3#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Show parser commands
version System hardware and software status
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21155840 bytes available (42844160 bytes used)
R1(config)#secure ?
boot-config Archive the startup configuration
boot-image Secure the running image
R1(config)#secure boot-image
R1(config)#
*May 2 13:25:47.955: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
R1(config)#secure boot-config
R1(config)#
*May 2 13:25:57.235: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20150502-132556.ar]
R1#show secure ?
bootset Display information about secured image and configuration files
| Output modifiers
<cr>
R1#show secure bootset
IOS resilience router id FHK143771N8
IOS image resilience version 12.4 activated at 13:25:47 UTC Sat May 2 2015
Secure archive flash:c1841-advipservicesk9-mz.124-20.T4.bin type is image (elf) []
file size is 37124796 bytes, run size is 37290480 bytes
Runnable image, entry point 0x8000F000, run from ram
IOS configuration resilience version 12.4 activated at 13:25:57 UTC Sat May 2 2015
Secure archive flash:.runcfg-20150502-132556.ar type is config
configuration archive size 2537 bytes
R1#show flash // IOS IMAGE HIDDEN FROM dir and show flash COMMANDS; CAN ONLY BE VIEWED FROM ROMMON MODE
-#- --length-- -----date/time------ path
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21147648 bytes available (42852352 bytes used)
R1(config)#no secure boot-image
R1(config)#
*May 2 13:29:52.511: %IOS_RESILIENCE-5-IMAGE_RESIL_INACTIVE: Disabled secure image archival
R1(config)#no secure boot-config
R1(config)#
*May 2 13:30:07.043: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20150502-132556.ar]
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21155840 bytes available (42844160 bytes used)
R2#show clock
*12:13:09.135 UTC Sat May 2 2015
R2#clock set 12:14:00 May 2 2015
R2#
*May 2 12:14:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:13:37 UTC Sat May 2 2015 to 12:14:00 UTC Sat May 2 2015, configured from console by console.
R2(config)#ntp ?
access-group Control NTP access
authenticate Authenticate time sources
authentication-key Authentication key for trusted time sources
broadcastdelay Estimated round-trip delay
clock-period Length of hardware clock tick
logging Enable NTP message logging
master Act as NTP master clock
max-associations Set maximum number of associations
peer Configure NTP peer
server Configure NTP server
source Configure interface for source address
trusted-key Key numbers for trusted time sources
update-calendar Periodically update calendar with NTP time
R2(config)#ntp master ?
<1-15> Stratum number
<cr>
R2(config)#ntp master 3 // STRATUM 3 INDICATES DISTANCE FROM THE ORIGINAL CLOCK SOURCE; WHEN ANOTHER DEVICE LEARNS TIME FROM THE NTP MASTER, ITS STRATUM NUMBER INCREASES BY 1
R1(config)#ntp server 10.1.1.2
R1(config)#ntp update-calendar
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 127.127.1.1 3 7 64 1 0.000 -470204 7937.5 // TOOK SOME TIME FOR NTP ASSOCIATION TO FORM
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations detail // VERBOSE OUTPUT
10.1.1.2 configured, insane, invalid, stratum 3
ref ID 127.127.1.1 , time D8EF3FBB.AC0D68E8 (12:21:15.672 UTC Sat May 2 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.41, reach 1, sync dist 7.95
delay 0.00 msec, offset -4702046.9354 msec, dispersion 7937.50
precision 2**24, version 4
org time D8EF3FC8.D64BFB1E (12:21:28.837 UTC Sat May 2 2015)
rec time D8EF5226.E544EA9E (13:39:50.895 UTC Sat May 2 2015)
xmt time D8EF5226.DF54EE26 (13:39:50.872 UTC Sat May 2 2015)
filtdelay = 0.02 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = -4702.0 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.00 16.00 16.00 16.00 16.00 16.00 16.00 16.00
minpoll = 6, maxpoll = 10
R3#debug ntp ?
adjust NTP clock adjustments
all NTP all debugging on
core NTP core messages
events NTP events
packet NTP packet debugging
refclock NTP refclock messages
R3#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp server 10.1.1.2
*May 2 13:45:06.851: NTP Core(INFO): keys initilized.
*May 2 13:45:06.887: %NTP : Drift Read Failed (String Error).
*May 2 13:45:06.887: NTP Core(DEBUG): drift value read: 0.000000000
*May 2 13:45:06.891: NTP: Initialized interface FastEthernet0/0
*May 2 13:45:06.891: NTP: Initialized interface FastEthernet0/1
*May 2 13:45:06.891: NTP: Initialized interface Serial0/0/0
*May 2 13:45:06.891: NTP: Initialized interface Serial0/0/1
R3(config)#ntp update-calendar
R3#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R3#
*May 2 13:46:05.891: NTP message sent to 10.1.1.2, from interface 'Serial0/0/1' (10.2.2.1).
*May 2 13:46:05.911: NTP message received from 10.1.1.2 on interface 'Serial0/0/1' (10.2.2.1).
*May 2 13:46:05.911: NTP Core(DEBUG): ntp_receive: message received
*May 2 13:46:05.911: NTP Core(DEBUG): ntp_receive: peer is 0x64554690, next action is 1.
*May 2 13:46:05.915: NTP Core(DEBUG): receive: packet given to process_packet
*May 2 13:46:05.915: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
*May 2 13:46:05.915: NTP Core(INFO): peer 10.1.1.2 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
R3#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 127.127.1.1 3 17 64 1 0.000 -486242 7937.5
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
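An added example (not from the lab): a parser for the `show ntp associations` output above that reports whether the router is actually synchronized rather than merely reachable. The lab's snapshots move from .INIT. to a reachable stratum-3 peer, but the `*` sys.peer flag never appears in the captured output and the offset is still hundreds of seconds; the 1000 ms tolerance and the HEALTHY snapshot are assumptions added for contrast.

```python
"""Judge NTP health from `show ntp associations` (added example, not from the lab)."""
import re
from dataclasses import dataclass
from typing import List

# Flag legend IOS prints under the table:
# * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
ROW_RE = re.compile(
    r"^(?P<flags>[*#+\-x~]*)(?P<address>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ref>\S+)\s+(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+"
    r"(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)$"
)


@dataclass
class NtpPeer:
    address: str
    flags: str
    ref_clock: str
    stratum: int
    poll: int
    reach: int            # 8-bit shift register, one bit per recent poll; IOS prints it in octal
    offset_ms: float
    dispersion_ms: float

    @property
    def configured(self) -> bool:
        return "~" in self.flags

    @property
    def is_sys_peer(self) -> bool:
        return "*" in self.flags   # only a sys.peer actually disciplines the local clock

    @property
    def unsynchronized(self) -> bool:
        # Stratum 16 / ref clock .INIT. means the peer has not handed us usable time yet
        return self.stratum >= 16 or self.ref_clock == ".INIT."

    @property
    def recent_replies(self) -> int:
        return bin(self.reach).count("1")


def parse_ntp_associations(output: str) -> List[NtpPeer]:
    peers = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # prompt, header or legend line
        peers.append(NtpPeer(
            address=m["address"], flags=m["flags"], ref_clock=m["ref"], stratum=int(m["st"]),
            poll=int(m["poll"]), reach=int(m["reach"], 8), offset_ms=float(m["offset"]),
            dispersion_ms=float(m["disp"])))
    return peers


MAX_OFFSET_MS = 1000.0   # assumed tolerance for log correlation; not a value from the lab


def assess(peers: List[NtpPeer], max_offset_ms: float = MAX_OFFSET_MS) -> dict:
    """Synchronized only if some peer carries '*'; list everything that still needs attention."""
    issues = []
    if not peers:
        issues.append("no NTP associations configured")
    for p in peers:
        if p.unsynchronized:
            issues.append(f"{p.address}: not synchronized yet (stratum {p.stratum}, ref {p.ref_clock})")
            continue
        if p.recent_replies < 8:
            issues.append(f"{p.address}: only {p.recent_replies}/8 recent polls answered (reach {p.reach:o})")
        if abs(p.offset_ms) > max_offset_ms:
            issues.append(f"{p.address}: offset {p.offset_ms:.0f} ms exceeds {max_offset_ms:.0f} ms")
    return {"synchronized": any(p.is_sys_peer for p in peers), "issues": issues}


# Two snapshots copied from the lab output above, plus one constructed healthy snapshot.
SNAPSHOT_INIT = """\
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
SNAPSHOT_REACHABLE = """\
address ref clock st when poll reach delay offset disp
~10.1.1.2 127.127.1.1 3 7 64 1 0.000 -470204 7937.5
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
SNAPSHOT_HEALTHY = """\
address ref clock st when poll reach delay offset disp
*~10.1.1.2 127.127.1.1 3 12 64 377 28.1 -0.251 0.9
"""

if __name__ == "__main__":
    for snap in (SNAPSHOT_INIT, SNAPSHOT_REACHABLE, SNAPSHOT_HEALTHY):
        print(assess(parse_ntp_associations(snap)))
```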
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.1.1 // VERIFY CONNECTIVITY BETWEEN PC-A AND R1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R1#show run | include timestamp // VERIFY TIMESTAMP SERVICE FOR LOGGING
service timestamps debug datetime msec
service timestamps log datetime msec
R1(config)#logging ?
Hostname or A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
buginf Enable buginf logging for debugging
cns-events Set CNS Event logging level
console Set console logging parameters
count Count every log message and timestamp last occurrence
discriminator Create or modify a message discriminator
dmvpn DMVPN Configuration
esm Set ESM filter restrictions
exception Limit size of exception flush output
facility Facility parameter for syslog messages
filter Specify logging filter
history Configure syslog history table
host Set syslog server IP address and parameters
message-counter Configure log message to include certain counter value
monitor Set terminal line (monitor) logging parameters
on Enable logging to all enabled destinations
origin-id Add origin ID to syslog messages
persistent Set persistent logging parameters
queue-limit Set logger message queue size
rate-limit Set messages per second limit
reload Set reload logging level
server-arp Enable sending ARP requests for syslog servers when
first configured
source-interface Specify interface for source address in logging
transactions
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
R1(config)#logging host ?
Hostname or A.B.C.D IP address of the syslog server
ipv6 Configure IPv6 syslog server
R1(config)#logging host 192.168.1.3 // CONFIGURE TO SEND SYSLOG MESSAGES TO SYSLOG SERVER
R1(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>
R1(config)#logging trap warnings // CAPTURE SYSLOG MESSAGES WITH SEVERITY LEVEL 4, 3, 2, 1 AND 0
R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 36 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level warnings, 39 message lines logged
Logging to 192.168.1.3 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
R1(config)#logging userinfo // ENABLE LOGGING OF USER INFO
R1(config)#end
R1#
May 2 12:45:36.285: %SYS-5-CONFIG_I: Configured from console by console
R1#enable view admin1
Password:<admin1pass>
R1#
May 2 12:45:54.257: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R1#
May 2 12:45:54.257: %SYS-5-VIEW_AUTH_PASS: View set to admin1 by unknown on console
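An added example, not from the lab: a Python model of the syslog path configured above, parsing IOS-format datagrams as the collector at 192.168.1.3 would receive them and applying the `logging trap warnings` threshold. It shows that the `%SYS-5-VIEW_AUTH_PASS` message produced by `logging userinfo` is severity 5 and therefore never reaches the syslog server at that trap level. The PRI values assume the IOS default facility local7, and the sample datagrams are constructed from the console output above.

```python
"""Which IOS syslog messages reach the collector at a given `logging trap` level (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords and numbers as `logging trap ?` lists them; lower number = more severe.
SEVERITY_NAMES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
SEVERITY_BY_NUMBER = {v: k for k, v in SEVERITY_NAMES.items()}

# <PRI>[seq: ][*]timestamp: %FACILITY-SEVERITY-MNEMONIC: text
# A '*' before the timestamp means the router clock was not authoritative (no NTP sync yet).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<star>\*?)(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


@dataclass
class IosSyslog:
    syslog_facility: int       # from <PRI>; IOS default is local7 (23) unless `logging facility` is set
    severity: int              # 0..7 from the %FAC-SEV-MNEMONIC tag
    clock_authoritative: bool
    timestamp: str
    ios_facility: str          # SYS, PARSER, LINK, ...
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> Optional[IosSyslog]:
    """Return None for anything that is not a well-formed IOS syslog datagram."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                        # facility 0..23, severity 0..7
        return None
    if (pri & 7) != int(m["severity"]):  # PRI and %FAC-SEV tag disagree: reject, do not guess
        return None
    return IosSyslog(syslog_facility=pri >> 3, severity=int(m["severity"]),
                     clock_authoritative=(m["star"] == ""), timestamp=m["ts"],
                     ios_facility=m["facility"], mnemonic=m["mnemonic"], text=m["text"])


def forwarded_at_trap_level(msg: IosSyslog, trap_level: str = "warnings") -> bool:
    """`logging trap warnings` forwards severities 0..4 only, as the lab comment states."""
    return msg.severity <= SEVERITY_NAMES[trap_level]


def required_trap_level(msg: IosSyslog) -> str:
    """Least verbose `logging trap` keyword that would still forward this message."""
    return SEVERITY_BY_NUMBER[msg.severity]


def triage(lines: List[str], trap_level: str = "warnings") -> Tuple[List[str], List[str], List[str]]:
    """Split datagrams into forwarded / suppressed mnemonics and malformed raw lines."""
    forwarded, suppressed, malformed = [], [], []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is None:
            malformed.append(line)
        elif forwarded_at_trap_level(msg, trap_level):
            forwarded.append(msg.mnemonic)
        else:
            suppressed.append(msg.mnemonic)
    return forwarded, suppressed, malformed


# Constructed datagrams: the lab's console messages wrapped in the <PRI> a collector would
# see with the default facility local7 (PRI = 23*8 + severity). The last one is deliberately
# inconsistent (PRI says severity 5, the tag says 6) to exercise the malformed path.
SAMPLE_LINES = [
    "<187>*Apr 11 10:50:19.967: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "<189>May 2 12:45:36.285: %SYS-5-CONFIG_I: Configured from console by console",
    "<190>May 2 12:45:54.257: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.",
    "<189>May 2 12:45:54.257: %SYS-5-VIEW_AUTH_PASS: View set to admin1 by unknown on console",
    "<189>*May 2 13:25:47.955: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image",
    "<189>May 2 12:45:54.257: %SYS-6-VIEW_AUTH_PASS: View set to admin1 by unknown on console",
]

if __name__ == "__main__":
    fwd, sup, bad = triage(SAMPLE_LINES)
    print("forwarded:", fwd, "\nsuppressed:", sup, "\nmalformed:", len(bad))
```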
R3#erase startup-config
R3#reload
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface serial0/0/1
R3(config-if)#
*May 2 12:54:04.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R3(config)#end
*May 2 12:54:20.551: %SYS-5-CONFIG_I: Configured from console by console.2.2
R3#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#ping 192.168.1.3 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R3#show run
Building configuration...
Current configuration : 912 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
R3#auto ?
secure AutoSecure Commands
R3#auto secure // AUTOSECURE FEATURE SIMPLIFIES AND HARDENS ROUTER CONFIGURATION
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]:
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 192.168.3.1 YES manual up up
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 10.2.2.1 YES SLARP up up
Enter the interface name that is facing the internet: Serial0/0/1
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
# Unauthorized Access Prohibited #
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret:<cisco12345>
Confirm the enable secret :<cisco12345>
Enter the new enable password:<cisco67890>
Confirm the enable password:<cisco67890>
Configuration of local user database
Enter the username: admin
Enter the password:<cisco12345>
Confirm the password:<cisco12345>
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]:
Enter the domain-name: ccnasecurity.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$.RkX$Apudk9Je9f8VPO3qQmzRI.
enable password 7 104D000A0618445C545D7A
username admin password 7 0822455D0A165445415F59
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/1
ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: R3.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3#
login as: admin
Using keyboard-interactive authentication.
Password:
Unauthorized Access Prohibited
R3>enable
Password:
R3#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:46:06 c1841-advipservicesk9-mz.124-20.T4.bin
2 913 May 02 2015 12:59:48 pre_autosec.cfg
26873856 bytes available (37130240 bytes used)
R3#more flash:pre_autosec.cfg
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
Below are the settings I've used for Cisco Configuration Professional (CCP) version 2.8 in order for Security Audit to work. I used Internet Explorer (IE) Version 11 and Java Version 8 Update 45.
R3(config)#username admin privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
R3(config)#username admin privilege 15 secret cisco12345 // CREATE PRIVILEGE LEVEL 15 USER
R3(config)#ip http ?
access-class Restrict http server access by access-class
active-session-modules Set up active http server session modules
authentication Set http server authentication method
client Set http client parameters
digest Set http digest parameters
help-path HTML help root URL
max-connections Set maximum number of concurrent http server
connections
path Set base path for HTML
port Set http port
secure-active-session-modules Set up active http secure server session
modules
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client
authentication
secure-port Set http secure server port number for
listening
secure-server Enable HTTP secure server
secure-trustpoint Set http secure server certificate trustpoint
server Enable http server
session-module-list Set up a http(s) server session module list
timeout-policy Set http server time-out policy parameters
R3(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#
*Jun 25 14:12:44.019: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#
*Jun 25 14:12:44.259: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R3(config)#do write memory
Building configuration...
[OK]
R3(config)#ip http authentication ?
aaa Use AAA access control methods
enable Use enable passwords
local Use local username and passwords
R3(config)#ip http authentication local
R2(config-if)#clockrate 64000
R2(config-if)#no shutdown
R2(config-if)#
*Apr 11 09:35:30.179: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 11 09:35:31.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
R2(config)#exit
R2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Apr 11 11:03:12.867: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Apr 11 11:03:31.847: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R3(config-if)#
*Apr 11 11:04:06.171: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Apr 11 11:04:07.171: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R3#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
R1#ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R1#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.3.1
Pinging 192.168.3.1 with 32 bytes of data:
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Reply from 192.168.3.1: bytes=32 time=35ms TTL=253
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
R1(config)#security ?
authentication Authentication security CLIs
passwords Password security CLIs
R1(config)#security passwords ?
min-length Minimum length of passwords
R1(config)#security passwords min-length ?
<0-16> Minimum length of all user/enable passwords
R1(config)#security passwords min-length 10
R1(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
R1(config)#enable secret cisco12345 // COMPLEX PASSWORD IS RECOMMENDED IN PRODUCTION NETWORK
R1(config)#line console 0
R1(config-line)#password ciscocon
% Invalid Password length - must contain 10 to 25 characters. Password configuration failed
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
R1(config-line)#exec-timeout 5 ?
<0-2147483> Timeout in seconds
<cr>
R1(config-line)#exec-timeout 5 0 // FORCE LOG OUT AFTER 5 MINS OF INACTIVITY
R1(config-line)#login
R1(config-line)#logging ?
synchronous Synchronized message output
R1(config-line)#logging synchronous // PREVENTS CONSOLE MESSAGES FROM INTERRUPTING COMMAND ENTRY
R1(config-line)#line aux 0
R1(config-line)#password ciscoauxpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
Password required, but none set // VTY LINES NOT YET CONFIGURED
[Connection to 10.1.1.1 closed by foreign host]
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2#
R2#telnet 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
R1>enable
Password:
R1#show run
Building configuration...
Current configuration : 1321 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5. // MD5 ENCRYPTION
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.0
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 5 0
password ciscoconpass
logging synchronous
login
line aux 0
exec-timeout 5 0
password ciscoauxpass
login
line vty 0 4
exec-timeout 5 0
password ciscovtypass
login
!
scheduler allocate 20000 1000
end
R3(config)#security passwords min-length 10
R3(config)#enable secret cisco12345
R3(config)#enable secret cisco12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line aux 0
R3(config-line)#password ciscoauxpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R1(config)#service ?
alignment Control alignment correction and logging
compress-config Compress the nvram configuration file
config TFTP load config files
dhcp Enable DHCP server and relay agent
disable-ip-fast-frag Disable IP particle-based fast fragmentation
exec-callback Enable exec callback
exec-wait Delay EXEC startup on noisy lines
finger Allow responses to finger requests
hide-telnet-addresses Hide destination addresses in telnet command
linenumber enable line number banner for each exec
nagle Enable Nagle's congestion control algorithm
old-slip-prompts Allow old scripts to operate with slip/ppp
pad Enable PAD commands
password-encryption Encrypt system passwords
prompt Enable mode specific prompt
pt-vty-logging Log significant VTY-Async events
sequence-numbers Stamp logger messages with a sequence number
slave-log Enable log capability of slave IPs
tcp-keepalives-in Generate keepalives on idle incoming network
connections
tcp-keepalives-out Generate keepalives on idle outgoing network
connections
tcp-small-servers Enable small TCP servers (e.g., ECHO)
telnet-zeroidle Set TCP window 0 when connection is idle
timestamps Timestamp debug/log messages
txacc-accounting Enable transmit credit accounting
udp-small-servers Enable small UDP servers (e.g., ECHO)
R1(config)#service password-encryption
R1(config)#do show run
Building configuration...
Current configuration : 1366 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
/line
filtering...
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20 // CISCO TYPE 7 ENCRYPTION; A WEAK ENCRYPTION (VIGENERE CIPHER) TO PROTECT FROM SHOULDER SURFING
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
login
line vty 0 4
exec-timeout 5 0
password 7 1511021F07253D303123343100
login
!
scheduler allocate 20000 1000
end
R3(config)#service password-encryption
R1(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
R1(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
R1(config)#banner motd $
Enter TEXT message. End with the character '$'
Unauthorized access strictly prohibited and prosecuted to the full extent of the law $
R1(config)#do show run
Building configuration...
Current configuration : 1467 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
/banner
filtering...
banner motd ^C
Unauthorized access strictly prohibited and prosecuted to the full extent of the law ^C
!
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20
logging synchronous
login
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
login
line vty 0 4
exec-timeout 5 0
password 7 1511021F07253D303123343100
login
!
scheduler allocate 20000 1000
end
R3(config)#banner motd $
Enter TEXT message. End with the character '$'
Unauthorized access strictly prohibited and prosecuted to the full extent of the law $
R3(config)#end
R3#exit
R3 con0 is now available
Press RETURN to get started.
*Apr 11 11:35:00.699: %SYS-5-CONFIG_I: Configured from console by console
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Password:
R1(config)#username ?
WORD User name
R1(config)#username user01 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username user01 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
R1(config)#username user01 password 0 ?
LINE The UNENCRYPTED (cleartext) user password
R1(config)#username user01 password 0 user01pass
R1(config)#do show run
Building configuration...
Current configuration : 1517 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20 // service password-encryption IS IN EFFECT
R1(config)#username user02 secret user02pass
R1(config)#do show run
Building configuration...
Current configuration : 1573 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20
username user02 secret 5 $1$3hK5$V40afHUlgSlqieuRRLE5k/ // MD5 HASHING ENCRYPTION
R1(config)#line console 0
R1(config-line)#login ?
local Local password checking
<cr>
R1(config-line)#login local
R1(config-line)#end
*Apr 11 11:38:43.723: %SYS-5-CONFIG_I: Configured from console by console
R1#exit
R1 con0 is now available
Press RETURN to get started.
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: user01
Password:
R1>show run // CAN'T ISSUE COMMAND DUE TO USER MODE ACCESS
^
% Invalid input detected at '^' marker.
R1>enable
Password:
R1#
R1(config)#line vty 0 4
R1(config-line)#login local
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: user01
Password:<user01pass>
R1>
R3(config)#username user01 password 0 user01pass
R3(config)#username user02 secret user02pass
R3(config)#line console 0
R3(config-line)#login local
R3(config-line)#line vty 0 4
R3(config-line)#login local
C:\Users\John Lloyd>telnet 192.168.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Password:<ciscovtypass>
R1>enable
Password:<cisco12345>
R1#conf t
R1(config)#line aux 0
R1(config-line)#login local
R3(config)#line aux 0
R3(config-line)#login local
R1#show login
No login delay has been applied.
No Quiet-Mode access list has been configured.
Router NOT enabled to watch for login Attacks
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
R1(config)#login block-for ?
<1-65535> Time period in seconds
R1(config)#login block-for 60 ?
attempts Set max number of fail attempts
R1(config)#login block-for 60 attempts 2 ?
within Watch period for fail attempts
R1(config)#login block-for 60 attempts 2 within ?
<1-65535> Time period in seconds
R1(config)#login block-for 60 attempts 2 within 30 // PREVENT BRUTE-FORCE LOGIN ATTACK FROM TELNET, SSH OR HTTP; WILL SHUTDOWN FOR 60 SEC (QUIET MODE TIMER) IF 2 FAILED LOGIN ATTEMPTS ARE MADE WITHIN 30 SEC
R1(config)#do show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 27 seconds.
Login failures for current window: 0.
Total login failures: 0.
R1(config)#login ?
block-for Set quiet-mode active time period
delay Set delay between successive fail login
on-failure Set options for failed login attempt
on-success Set options for successful login attempt
quiet-mode Set quiet-mode options
R1(config)#login on-success ?
every Periodicity for logs/traps generated
log Generate syslogs on successful logins
trap Generate traps on successful logins
<cr>
R1(config)#login on-success log // LOGS EVERY SUCCESSFUL LOGIN
R1(config)#login on-failure log ?
every Periodicity for logs/traps generated
<cr>
R1(config)#login on-failure log every ?
<1-65535> Number defining periodicity
R1(config)#login on-failure log every 2 // LOGS EVERY 2ND FAILED LOGIN
R1(config)#do show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 21 seconds.
Login failures for current window: 0.
Total login failures: 0.
R3(config)#login block-for 60 attempts 2 within 30
R3(config)#login on-success log
R3(config)#login on-failure log every 2
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: cisco
Password:
% Login invalid
Username: admin
Password:
% Login invalid
Connection to host lost.
R1#
*Apr 11 11:58:35.875: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 11:58:35 UTC Sat Apr 11 2015
R1#
*Apr 11 11:58:35.875: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 14 secs, [user: admin] [Source: 192.168.1.3] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: sl_def_acl] at 11:58:35 UTC Sat Apr 11 2015
Connection to host lost.
C:\Users\John Lloyd>telnet 10.1.1.1
Connecting To 10.1.1.1...Could not open connection to the host, on port 23: Connect failed
R1#
*Apr 11 12:00:40.355: %SEC-6-IPACCESSLOGP: list sl_def_acl denied tcp 192.168.1.3(4015) -> 0.0.0.0(23), 1 packet
R1#show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 31 seconds.
Denying logins from all sources.
R1#show login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.
All successful login is logged.
Every 2 failed login is logged.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 60 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 29 seconds.
Login failures for current window: 0.
Total login failures: 5.
R1#
*Apr 11 12:01:36.607: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 12:01:36 UTC Sat Apr 11 2015
C:\Users\John Lloyd>telnet 10.1.1.1
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: user01
Password:
R1>
R1#
*Apr 11 12:02:33.683: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: user01] [Source: 192.168.1.3] [localport: 23] at 12:02:33 UTC Sat Apr 11 2015
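To follow what the router did above (two bad logins, the quiet-mode lockout with sl_def_acl, then the successful login once the block timed out), here is a simplified Python model of the login-attack watch as the lab configured it: `login block-for 60 attempts 2 within 30`, `login on-success log` and `login on-failure log every 2`. This is an added example, not IOS code and not part of the original lab; the event list, timings and message formats are constructed, and quiet mode is triggered when the failure count reaches the configured attempts, as the transcript shows.

```python
"""Simplified model of IOS login-attack watching (login block-for / quiet mode).

Added example, not Cisco's implementation: replays constructed login events
through the rules the lab configured so the watch window, quiet mode and
periodic failure logging seen in the transcript can be followed step by step.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LoginWatch:
    block_for: int = 60          # 'login block-for 60': quiet-mode duration (s)
    attempts: int = 2            # 'attempts 2': failures that trigger quiet mode
    within: int = 30             # 'within 30': watch window length (s)
    log_failure_every: int = 2   # 'login on-failure log every 2'
    window_start: Optional[float] = None
    window_failures: int = 0
    total_failures: int = 0
    quiet_until: float = 0.0
    quiet_announced: bool = False
    log: List[str] = field(default_factory=list)

    def in_quiet_mode(self, t):
        return t < self.quiet_until

    def attempt(self, t, user, src, ok):
        """Process one login attempt at time t (seconds) and return its outcome."""
        if self.in_quiet_mode(t):
            # Quiet mode: the auto-generated sl_def_acl drops the TCP connection
            # to the vty, so credentials are never checked (cf. %SEC-6-IPACCESSLOGP).
            self.log.append(f"{t:>4}s SEC-6-IPACCESSLOGP list sl_def_acl denied tcp {src} -> port 23")
            return "DENIED_QUIET"
        if self.quiet_announced:
            # first attempt after the block period: report the transition back to Normal-Mode
            self.log.append(f"{t:>4}s SEC_LOGIN-5-QUIET_MODE_OFF block period timed out")
            self.quiet_announced = False
        if ok:
            # 'login on-success log': every successful login is logged
            self.log.append(f"{t:>4}s SEC_LOGIN-5-LOGIN_SUCCESS [user: {user}] [Source: {src}]")
            return "SUCCESS"
        self.total_failures += 1
        if self.window_start is None or t - self.window_start > self.within:
            self.window_start, self.window_failures = t, 0   # open a new watch window
        self.window_failures += 1
        if self.total_failures % self.log_failure_every == 0:
            # 'login on-failure log every 2': only every 2nd failure produces a syslog
            self.log.append(f"{t:>4}s SEC_LOGIN-4-LOGIN_FAILED [user: {user}] [Source: {src}]")
        if self.window_failures >= self.attempts:
            self.quiet_until = t + self.block_for
            self.quiet_announced = True
            self.window_start, self.window_failures = None, 0
            self.log.append(f"{t:>4}s SEC_LOGIN-1-QUIET_MODE_ON until {self.quiet_until:.0f}s [ACL: sl_def_acl]")
            return "QUIET_MODE_ON"
        return "FAILED"


# Constructed event sequence modelled on the lab transcript: two bad logins from
# the PC, a correct login attempted during the block, a good login afterwards,
# then two failures 40 s apart that fall into separate watch windows.
EVENTS = [
    (0, "cisco", "192.168.1.3", False),
    (5, "admin", "192.168.1.3", False),
    (20, "user01", "192.168.1.3", True),   # right password, but quiet mode is on
    (70, "user01", "192.168.1.3", True),
    (100, "admin", "10.1.1.2", False),
    (140, "admin", "10.1.1.2", False),     # 40 s later: new window, no quiet mode
]


def replay(events, **cfg):
    """Run the events through a fresh LoginWatch; returns (watch, outcomes)."""
    w = LoginWatch(**cfg)
    return w, [w.attempt(*e) for e in events]


if __name__ == "__main__":
    watch, outcomes = replay(EVENTS)
    for line in watch.log:
        print(line)
    print("outcomes:", outcomes, "total failures:", watch.total_failures)
```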
R1(config)#ip domain-name ?
WORD Default domain name
vrf Specify VRF
R1(config)#ip domain-name ccnasecurity.com
R1(config)#username admin ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username admin privilege ?
<0-15> User privilege level
R1(config)#username admin privilege 15 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>
R1(config)#username admin privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
R1(config)#username admin privilege 15 secret cisco12345
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
User Access Verification
Username: admin
Password:<cisco12345>
R1#
*Apr 12 11:32:28.727: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 0.0.0.0] [localport: 0] at 11:32:28 UTC Sun Apr 12 2015
R1#
R1(config)#line vty 0 4
R1(config-line)#?
Line configuration commands:
absolute-timeout Set absolute timeout for line disconnection
access-class Filter connections based on an IP access list
activation-character Define the activation character
autobaud Set line to normal autobaud
autocommand Automatically execute an EXEC command
autocommand-options Autocommand options
autohangup Automatically hangup when last connection closes
autoselect Set line to autoselect
buffer-length Set DMA buffer length
data-character-bits Size of characters being handled
databits Set number of data bits per character
default Set a command to its defaults
disconnect-character Define the disconnect character
dispatch-character Define the dispatch character
dispatch-machine Reference a TCP dispatch state machine
dispatch-timeout Set the dispatch timer
domain-lookup Enable domain lookups in show commands
editing Enable command line editing
escape-character Change the current line's escape character
exec Configure EXEC
exec-banner Enable the display of the EXEC banner
exec-character-bits Size of characters to the command exec
exec-timeout Set the EXEC timeout
exit Exit from line configuration mode
flowcontrol Set the flow control
flush-at-activation Clear input stream at activation
full-help Provide help to unprivileged user
help Description of the interactive help system
history Enable and control the command history function
hold-character Define the hold character
insecure Mark line as 'insecure' for LAT
international Enable international 8-bit character support
ip IP options
ipv6 IPv6 options
length Set number of lines on a screen
location Enter terminal location description
lockable Allow users to lock a line
logging Modify message logging facilities
login Enable password checking
logout-warning Set Warning countdown for absolute timeout of
line
modem Configure the Modem Control Lines
monitor Copy debug output to the current terminal line
motd-banner Enable the display of the MOTD banner
no Negate a command or set its defaults
notify Inform users of output from concurrent sessions
padding Set padding for a specified output character
parity Set terminal parity
password Set a password
prc PRC commands
private Configuration options that user can set will
remain in effect between terminal sessions
privilege Change privilege level for line
refuse-message Define a refuse banner
rotary Add line to a rotary group
rxspeed Set the receive speed
script specify event related chat scripts to run on the
line
session-disconnect-warning Set warning countdown for session-timeout
session-limit Set maximum number of sessions
session-timeout Set interval for closing connection when there is
no input traffic
special-character-bits Size of the escape (and other special) characters
speed Set the transmit and receive speeds
start-character Define the start character
stop-character Define the stop character
stopbits Set async line stop bits
telnet Telnet protocol-specific configuration
terminal-type Set the terminal type
timeout Timeouts for the line
transport Define transport protocols for line
txspeed Set the transmit speed
vacant-message Define a vacant banner
width Set width of the display terminal
x25 X25 protocol-specific configuration
R1(config-line)#privilege ?
level Assign default privilege level for line
R1(config-line)#privilege level ?
<0-15> Default privilege level for line
R1(config-line)#privilege level 15 // DEFAULTS TO PRIVILEGE EXEC MODE
R1(config-line)#login ?
local Local password checking
<cr>
R1(config-line)#login local
R1(config-line)#transport ?
input Define which protocols to use when connecting to the terminal
server
output Define which protocols to use for outgoing connections
preferred Specify the preferred protocol to use
R1(config-line)#transport input ?
all All protocols
lapb-ta LAPB Terminal Adapter
mop DEC MOP Remote Console Protocol
none No protocols
pad X.3 PAD
rlogin Unix rlogin protocol
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
udptn UDPTN async via UDP protocol
v120 Async over ISDN
R1(config-line)#transport input ssh // WILL ONLY ACCEPT INBOUND SSH CONNECTIONS
R1(config-line)#exit
R1(config)#crypto key ?
decrypt Decrypt a keypair.
encrypt Encrypt a keypair.
export Export keys
generate Generate new keys
import Import keys
move Move keys
pubkey-chain Peer public key chain management
storage default storage location for keypairs
zeroize Remove keys
R1(config)#crypto key zeroize ?
rsa Remove RSA keys
<cr>
R1(config)#crypto key zeroize rsa // ERASE EXISTING RSA KEY PAIR
% No Signature RSA Keys found in configuration.
R1(config)#crypto key ?
decrypt Decrypt a keypair.
encrypt Encrypt a keypair.
export Export keys
generate Generate new keys
import Import keys
move Move keys
pubkey-chain Peer public key chain management
storage default storage location for keypairs
zeroize Remove keys
R1(config)#crypto key generate ?
rsa Generate RSA keys
<cr>
R1(config)#crypto key generate rsa ?
encryption Generate a general purpose RSA key pair for signing and
encryption
exportable Allow the key to be exported
general-keys Generate a general purpose RSA key pair for signing and
encryption
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
signature Generate a general purpose RSA key pair for signing and
encryption
storage Store key on specified device
usage-keys Generate separate RSA key pairs for signing and encryption
<cr>
R1(config)#crypto key generate rsa general-keys ?
exportable Allow the key to be exported
label Provide a label
modulus Provide number of modulus bits on the command line
on create key on specified device.
storage Store key on specified device
<cr>
R1(config)#crypto key generate rsa general-keys modulus ?
<360-2048> size of the key modulus [360-2048]
R1(config)#crypto key generate rsa general-keys modulus 1024 // ROUTER USES THE RSA KEY PAIR FOR AUTHENTICATION AND ENCRYPTION OF TRANSMITTED SSH DATA; DEFAULT IS 512 MODULUS BITS
The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Apr 12 11:37:12.715: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
R1(config)#ip ssh ?
authentication-retries Specify number of authentication retries
break-string break-string
dh Diffie-Hellman
logging Configure logging for SSH
maxstartups Maximum concurrent sessions allowed
port Starting (or only) Port number to listen on
rsa Configure RSA keypair name for SSH
source-interface Specify interface for source address in SSH
connections
time-out Specify SSH time-out interval
version Specify protocol version to be supported
R1(config)#ip ssh time-out ?
<1-120> SSH time-out interval (secs)
R1(config)#ip ssh time-out 90
R1(config)#ip ssh authentication-retries ?
<0-5> Number of authentication retries
R1(config)#ip ssh authentication-retries 2
R1#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 90 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
R3(config)#ip domain-name ccnasecurity.com
R3(config)#username admin privilege 15 secret cisco12345
R3(config)#line vty 0 4
R3(config-line)#privilege level 15
R3(config-line)#login local
R3(config-line)#transport input ssh
R3(config-line)#exit
R3(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R3.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#
R3(config)#
*Apr 12 11:45:06.719: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#ip ssh time-out 90
R3(config)#ip ssh authentication-retries 2
login as: admin
Using keyboard-interactive authentication.
Password:<cisco12345>
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
R1#
R1#show users
Line User Host(s) Idle Location
*194 vty 0 admin idle 00:00:00 192.168.1.3
Interface User Mode Idle Peer Address
C:\Users\John Lloyd>telnet 192.168.1.1
Connecting To 192.168.1.1...Could not open connection to the host, on port 23: C
onnect failed
login as: user01
Using keyboard-interactive authentication.
Password:
Unauthorized access strictly prohibited and prosecuted to the full extent of the law
R1>enable
Password:
R1#
R1(config)#no login on-success log
R3(config)#no login on-success log
R1(config)#aaa ?
new-model Enable NEW access control commands and functions.(Disables OLD
commands.)
R1(config)#aaa new-model
R1(config)#exit
R1#
*Apr 12 12:40:27.743: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view
Password:<cisco12345>
R1#
*Apr 12 12:40:39.275: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser ?
% Ambiguous command: "parser "
R1(config)#parser view admin1
R1(config-view)#
*Apr 12 12:43:28.807: %PARSER-6-VIEW_CREATED: view 'admin1' successfully created.
R1(config-view)#commands ?
RITE-profile Router IP traffic export profile command mode
RMI-Node-Config Resource Policy Node Config mode
RMI-Resource-Group Resource Group Config mode
RMI-Resource-Manager Resource Manager Config mode
RMI-Resource-Policy Resource Policy Config mode
SASL-profile SASL profile configuration mode
aaa-attr-list AAA attribute list config mode
aaa-user AAA user definition
accept-dialin VPDN group accept dialin configuration mode
accept-dialout VPDN group accept dialout configuration mode
address-family Address Family configuration mode
archive Archive the router configuration mode
auto-ip-sla-mpls Auto IP SLA MPLS LSP Monitor configs
auto-ip-sla-mpls-lpd-params Auto IP SLA MPLS LPD params configs
auto-ip-sla-mpls-params Auto IP SLA MPLS LSP Monitor Params configs
bba-group BBA Group configuration mode
boomerang Boomerang configuration mode
call-filter-matchlist Call Filter matchlist configuration mode
cascustom Cas custom configuration mode
ces-conn CES connection configuration mode
ces-vc CES VC configuration mode
cm-ac AC-AC connect configuration mode
cns-connect-config CNS Connect Info Mode
cns-connect-intf-config CNS Connect Intf Info Mode
cns-tmpl-connect-config CNS Template Connect Info Mode
cns_inventory_submode CNS Inventory SubMode
config-ip-sla-http-rr IP SLAs HTTP raw request Configuration
config-l2tp-class l2tp-class configuration mode
configure Global configuration mode
congestion Frame Relay congestion configuration mode
controller Controller configuration mode
cpf-classmap Class-map configuration mode
cpf-policyclass Class-in-Policy configuration mode
cpf-policymap Policy-map configuration mode
crypto-identity Crypto identity config mode
crypto-ipsec-profile IPSec policy profile mode
crypto-keyring Crypto Keyring command mode
crypto-map Crypto map config mode
crypto-transform Crypto transform config mode
cwmp CWMP configuration mode
dfp-submode DFP config mode
dhcp DHCP pool configuration mode
dhcp-class DHCP class configuration mode
dhcp-pool-class Per DHCP pool class configuration mode
dhcp-relay-info DHCP class relay agent info configuration
<OUTPUT TRUNCATED>
R1(config-view)#commands exec ?
exclude Exclude the command from the view
include Add command to the view
include-exclusive Include in this view but exclude from others
R1(config-view)#commands exec include ?
LINE Keywords of the command
all wild card support
R1(config-view)#commands exec include all ?
LINE Keywords of the command
R1(config-view)#commands exec include all show
% Password not set for the view admin1
R1(config-view)#secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) view secret string
R1(config-view)#secret admin1pass
R1(config-view)#commands exec include all show
R1(config-view)#commands exec include all config terminal
R1(config-view)#commands exec include all debug
R1(config-view)#end
*Apr 12 12:44:42.423: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view ?
WORD View Name
<cr>
R1#enable view admin1
Password:<admin1pass>
R1#
*Apr 12 12:44:51.039: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R1#show parser view
Current view is 'admin1'
R1#?
Exec commands:
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
aaa Show AAA values
access-expression List access expression
access-lists List access lists
accounting Accounting data for active sessions
adjacency Adjacent nodes
aliases Display alias commands
alignment Show alignment information
appfw Application Firewall information
archive Archive of the running configuration information
arp ARP table
ase Display ASE specific information
async Information on terminal lines used as router
interfaces
auto Show Automation Template
autoupgrade Show autoupgrade related information
backhaul-session-manager Backhaul Session Manager information
backup Backup status
beep Show BEEP information
bfd BFD protocol info
bgp BGP information
bridge Bridge Forwarding/Filtering Database [verbose]
buffers Buffer pool statistics
calendar Display the hardware calendar
call Show call
caller Display information about dialup connections
cca CCA information
cdapi CDAPI information
cdp CDP information
cef CEF address family independent status
cellular Cellular Status
cfmpal Show CFM Commands
checkpoint Checkpoint Facility (CPF)
class-map Show QoS Class Map
clns CLNS network information
clock Display the system clock
cls DLC user information
cns CNS agents
compress Show compression statistics
configuration Configuration details
connection Show Connection
context Show context information about recent crash(s)
control-plane Control Plane information
controllers Interface controller status
cops COPS information
crypto Encryption module
<OUTPUT TRUNCATED>
R1#enable view // COMMAND TO LOG IN TO THE root VIEW
Password:<cisco12345>
R1#
*Apr 12 12:47:03.291: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view admin2
*Apr 12 12:47:18.211: %PARSER-6-VIEW_CREATED: view 'admin2' successfully created.
R1(config-view)#secret admin2pass
R1(config-view)#commands exec include all show
R1(config-view)#end
R1#
*Apr 12 12:47:38.251: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view admin2
Password:<admin2pass>
R1#
*Apr 12 12:47:45.995: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin2'.
R1#show parser view
Current view is 'admin2'
R1#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#enable view
Password:
R1#
*Apr 12 12:48:52.071: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#parser view tech
R1(config-view)#secre
*Apr 12 12:49:00.411: %PARSER-6-VIEW_CREATED: view 'tech' successfully created.
R1(config-view)#secret techpasswd
R1(config-view)#commands exec include show version
R1(config-view)#commands exec include show interfaces
R1(config-view)#commands exec include show ip interface brief
R1(config-view)#commands exec include show parser view
R1(config-view)#end
R1#
*Apr 12 12:49:45.903: %SYS-5-CONFIG_I: Configured from console by admin on console
R1#enable view tech
Password:<techpasswd>
R1#
*Apr 12 12:50:01.427: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech'.
R1#show parser view
Current view is 'tech'
R1#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R1#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Show parser commands
version System hardware and software status
R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Serial0/0/0 10.1.1.1 YES NVRAM up up
Serial0/0/1 unassigned YES NVRAM administratively down down
Serial0/1/0 unassigned YES NVRAM administratively down down
Serial0/1/1 unassigned YES NVRAM administratively down down
R1#
R1#show ip route
^
% Invalid input detected at '^' marker.
R1#show ip r? // NOT CONFIGURED UNDER tech
% Unrecognized command
R1#enable view
Password:
R1#
*Apr 12 12:51:51.507: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R1#show run
Building configuration...
Current configuration : 2499 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 10
logging message-counter syslog
enable secret 5 $1$5oiF$Exa2eC.qWnL.prd21/7E5.
!
aaa new-model
!
!
!
!
aaa session-id common
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
ip domain name ccnasecurity.com
login block-for 60 attempts 2 within 30
login on-failure log every 2
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
username user01 password 7 1402010E1E547B3B253B20
username user02 secret 5 $1$3hK5$V40afHUlgSlqieuRRLE5k/
username admin privilege 15 secret 5 $1$3G4k$OeEXvxJbdjZYSMYvwKEsH/
archive
log config
hidekeys
!
!
!
!
!
ip ssh time-out 90
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.1.1.1 255.255.255.0
no fair-queue
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/1/1
no ip address
shutdown
clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
banner motd ^C
Unauthorized access strictly prohibited and prosecuted to the full extent of the law ^C
!
line con 0
exec-timeout 5 0
password 7 121A0C0411040F0B243B253B20
logging synchronous
line aux 0
exec-timeout 5 0
password 7 045802150C2E4D5B1109040401
line vty 0 4
exec-timeout 5 0
privilege level 15
password 7 1511021F07253D303123343100
transport input ssh
!
parser view admin1
secret 5 $1$IRkc$eXvwVGVgbqNHEKqTS3J8w.
commands exec include all configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug
!
parser view admin2
secret 5 $1$hEB5$O51wAWwEmfWu3JrWcy/2P0
commands exec include all show
!
parser view tech
secret 5 $1$vGf1$/0w6UcifBxPTaulKiKCyi1
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show version
commands exec include show parser view
commands exec include show parser
commands exec include show interfaces
commands exec include show
!
scheduler allocate 20000 1000
end
R3#enable view
% AAA must be configured.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#aaa new-model
R3(config)#end
R3#
*Apr 12 12:58:20.243: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view
Password:
R3#
*Apr 12 12:58:25.323: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view admin1
R3(config-view)#
*Apr 12 12:58:34.187: %PARSER-6-VIEW_CREATED: view 'admin1' successfully created.
R3(config-view)#secret admin1pass
R3(config-view)#commands exec include all show
R3(config-view)#commands exec include all config terminal
R3(config-view)#commands exec include all debug
R3(config-view)#end
R3#
*Apr 12 12:59:03.527: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view admin1
Password:
R3#
*Apr 12 12:59:14.891: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R3#show parser view
Current view is 'admin1'
R3#?
Exec commands:
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#enable view
Password:
R3#c
*Apr 12 12:59:39.575: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view admin2
R3(config-view)#
*Apr 12 12:59:47.751: %PARSER-6-VIEW_CREATED: view 'admin2' successfully created.
R3(config-view)#secret admin2pass
R3(config-view)#commands exec include all show
R3(config-view)#end
R3#
*Apr 12 13:00:10.099: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view admin2
Password:
R3#
*Apr 12 13:00:19.379: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin2'.
R3#show parser view
Current view is 'admin2'
R3#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#enable view
Password:
R3#
*Apr 12 13:00:35.963: %PARSER-6-VIEW_SWITCH: successfully set to view 'root'.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#parser view tech
R3(config-view)#
*Apr 12 13:01:09.695: %PARSER-6-VIEW_CREATED: view 'tech' successfully created.
R3(config-view)#secret techpasswd
R3(config-view)#commands exec include show version
R3(config-view)#commands exec include show interfaces
R3(config-view)#commands exec include show ip interface brief
R3(config-view)#commands exec include show parser view
R3(config-view)#end
R3#
*Apr 12 13:01:42.263: %SYS-5-CONFIG_I: Configured from console by admin on console
R3#enable view tech
Password:
R3#
*Apr 12 13:01:59.067: %PARSER-6-VIEW_SWITCH: successfully set to view 'tech'.
R3#?
Exec commands:
enable Turn on privileged commands
exit Exit from the EXEC
show Show running system information
R3#show ?
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
parser Show parser commands
version System hardware and software status
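The view behaviour seen on R1 and R3 above can be modelled in a few lines. This is an added example, not code from the lab or from Cisco: it reproduces why `commands exec include all show` admits every `show` subcommand while `commands exec include show ip interface brief` admits only that exact command (so `show ip route` fails in the `tech` view), and it emits the parent-prefix lines IOS writes to the running config for an exact include. The lab does not show whether those stored prefixes (`show ip`, `show`) are themselves executable, so the model treats them as navigation only; that is an assumption. Keywords are given in full because IOS expands `config` to `configure` before storing it.

```python
"""Model of Cisco IOS role-based CLI view matching (added example, not Cisco code)."""
from dataclasses import dataclass, field


@dataclass
class ParserView:
    name: str
    rules: list = field(default_factory=list)  # (keywords tuple, wildcard flag)

    def include(self, command: str, all_subcommands: bool = False) -> "ParserView":
        """`commands exec include [all] <command>` inside `parser view <name>`."""
        self.rules.append((tuple(command.split()), all_subcommands))
        return self

    def stored_rules(self) -> list:
        """Lines IOS writes to running-config for this view's rules.

        An exact include is stored together with each parent prefix; an `all`
        include is stored once plus its proper parent prefixes, matching
        `include all configure terminal` / `include configure` in R1's config.
        """
        out = []
        for words, wildcard in self.rules:
            full = " ".join(words)
            if wildcard:
                out.append(f"commands exec include all {full}")
                parents = range(len(words) - 1, 0, -1)
            else:
                parents = range(len(words), 0, -1)
            for n in parents:
                out.append(f"commands exec include {' '.join(words[:n])}")
        return out

    def permits(self, command: str) -> bool:
        """True if the view runs `command`; False means IOS rejects it."""
        words = tuple(command.split())
        for rule, wildcard in self.rules:
            if wildcard and words[:len(rule)] == rule:
                return True  # `include all`: any subcommand under the rule
            if not wildcard and words == rule:
                return True  # exact include: only this full command (assumption:
                             # stored parent prefixes are navigation, not executable)
        return False


def lab_views() -> dict:
    """The three views configured on R1 and R3 in the lab."""
    admin1 = ParserView("admin1")
    admin1.include("show", True).include("configure terminal", True).include("debug", True)
    admin2 = ParserView("admin2").include("show", True)
    tech = ParserView("tech")
    for cmd in ("show version", "show interfaces",
                "show ip interface brief", "show parser view"):
        tech.include(cmd)
    return {v.name: v for v in (admin1, admin2, tech)}


if __name__ == "__main__":
    views = lab_views()
    for name, cmd in (("tech", "show ip interface brief"), ("tech", "show ip route"),
                      ("admin2", "show ip route"), ("admin2", "configure terminal")):
        verdict = "ok" if views[name].permits(cmd) else "% Invalid input"
        print(f"[{name}] {cmd}: {verdict}")
```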
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21155840 bytes available (42844160 bytes used)
R1(config)#secure ?
boot-config Archive the startup configuration
boot-image Secure the running image
R1(config)#secure boot-image
R1(config)#
*May 2 13:25:47.955: %IOS_RESILIENCE-5-IMAGE_RESIL_ACTIVE: Successfully secured running image
R1(config)#secure boot-config
R1(config)#
*May 2 13:25:57.235: %IOS_RESILIENCE-5-CONFIG_RESIL_ACTIVE: Successfully secured config archive [flash:.runcfg-20150502-132556.ar]
R1#show secure ?
bootset Display information about secured image and configuration files
| Output modifiers
<cr>
R1#show secure bootset
IOS resilience router id FHK143771N8
IOS image resilience version 12.4 activated at 13:25:47 UTC Sat May 2 2015
Secure archive flash:c1841-advipservicesk9-mz.124-20.T4.bin type is image (elf) []
file size is 37124796 bytes, run size is 37290480 bytes
Runnable image, entry point 0x8000F000, run from ram
IOS configuration resilience version 12.4 activated at 13:25:57 UTC Sat May 2 2015
Secure archive flash:.runcfg-20150502-132556.ar type is config
configuration archive size 2537 bytes
R1#show flash // IOS IMAGE HIDDEN FROM dir and show flash COMMANDS; CAN ONLY BE VIEWED FROM ROMMON MODE
-#- --length-- -----date/time------ path
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21147648 bytes available (42852352 bytes used)
R1(config)#no secure boot-image
R1(config)#
*May 2 13:29:52.511: %IOS_RESILIENCE-5-IMAGE_RESIL_INACTIVE: Disabled secure image archival
R1(config)#no secure boot-config
R1(config)#
*May 2 13:30:07.043: %IOS_RESILIENCE-5-CONFIG_RESIL_INACTIVE: Disabled secure config archival [removed flash:.runcfg-20150502-132556.ar]
R1#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:34:16 c1841-advipservicesk9-mz.124-20.T4.bin
2 2898 Sep 07 2010 05:50:46 cpconfig-18xx.cfg
3 2938880 Sep 07 2010 05:51:14 cpexpress.tar
4 1038 Sep 07 2010 05:51:26 home.shtml
5 122880 Sep 07 2010 05:51:40 home.tar
6 527849 Sep 07 2010 05:51:54 128MB.sdf
7 1697952 Sep 07 2010 05:52:26 securedesktop-ios-3.1.1.45-k9.pkg
8 415956 Sep 07 2010 05:52:48 sslclient-win-1.1.4.176.pkg
21155840 bytes available (42844160 bytes used)
R2#show clock
*12:13:09.135 UTC Sat May 2 2015
R2#clock set 12:14:00 May 2 2015
R2#
*May 2 12:14:00.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 12:13:37 UTC Sat May 2 2015 to 12:14:00 UTC Sat May 2 2015, configured from console by console.
R2(config)#ntp ?
access-group Control NTP access
authenticate Authenticate time sources
authentication-key Authentication key for trusted time sources
broadcastdelay Estimated round-trip delay
clock-period Length of hardware clock tick
logging Enable NTP message logging
master Act as NTP master clock
max-associations Set maximum number of associations
peer Configure NTP peer
server Configure NTP server
source Configure interface for source address
trusted-key Key numbers for trusted time sources
update-calendar Periodically update calendar with NTP time
R2(config)#ntp master ?
<1-15> Stratum number
<cr>
R2(config)#ntp master 3 // STRATUM 3 INDICATES DISTANCE FROM THE ORIGINAL CLOCK SOURCE; WHEN ANOTHER DEVICE LEARNS TIME FROM THE NTP MASTER, ITS STRATUM NUMBER INCREASES BY 1
R1(config)#ntp server 10.1.1.2
R1(config)#ntp update-calendar
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 127.127.1.1 3 7 64 1 0.000 -470204 7937.5 // TOOK SOME TIME FOR NTP ASSOCIATION TO FORM
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R1#show ntp associations detail // VERBOSE OUTPUT
10.1.1.2 configured, insane, invalid, stratum 3
ref ID 127.127.1.1 , time D8EF3FBB.AC0D68E8 (12:21:15.672 UTC Sat May 2 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.41, reach 1, sync dist 7.95
delay 0.00 msec, offset -4702046.9354 msec, dispersion 7937.50
precision 2**24, version 4
org time D8EF3FC8.D64BFB1E (12:21:28.837 UTC Sat May 2 2015)
rec time D8EF5226.E544EA9E (13:39:50.895 UTC Sat May 2 2015)
xmt time D8EF5226.DF54EE26 (13:39:50.872 UTC Sat May 2 2015)
filtdelay = 0.02 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filtoffset = -4702.0 0.00 0.00 0.00 0.00 0.00 0.00 0.00
filterror = 0.00 16.00 16.00 16.00 16.00 16.00 16.00 16.00
minpoll = 6, maxpoll = 10
R3#debug ntp ?
adjust NTP clock adjustments
all NTP all debugging on
core NTP core messages
events NTP events
packet NTP packet debugging
refclock NTP refclock messages
R3#debug ntp all
NTP events debugging is on
NTP core messages debugging is on
NTP clock adjustments debugging is on
NTP reference clocks debugging is on
NTP packets debugging is on
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp server 10.1.1.2
*May 2 13:45:06.851: NTP Core(INFO): keys initilized.
*May 2 13:45:06.887: %NTP : Drift Read Failed (String Error).
*May 2 13:45:06.887: NTP Core(DEBUG): drift value read: 0.000000000
*May 2 13:45:06.891: NTP: Initialized interface FastEthernet0/0
*May 2 13:45:06.891: NTP: Initialized interface FastEthernet0/1
*May 2 13:45:06.891: NTP: Initialized interface Serial0/0/0
*May 2 13:45:06.891: NTP: Initialized interface Serial0/0/1
R3(config)#ntp update-calendar
R3#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 .INIT. 16 - 64 0 0.000 0.000 16000.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
R3#
*May 2 13:46:05.891: NTP message sent to 10.1.1.2, from interface 'Serial0/0/1' (10.2.2.1).
*May 2 13:46:05.911: NTP message received from 10.1.1.2 on interface 'Serial0/0/1' (10.2.2.1).
*May 2 13:46:05.911: NTP Core(DEBUG): ntp_receive: message received
*May 2 13:46:05.911: NTP Core(DEBUG): ntp_receive: peer is 0x64554690, next action is 1.
*May 2 13:46:05.915: NTP Core(DEBUG): receive: packet given to process_packet
*May 2 13:46:05.915: NTP Core(DEBUG): Peer becomes reachable, poll set to 6.
*May 2 13:46:05.915: NTP Core(INFO): peer 10.1.1.2 event 'event_reach' (0x84) status 'unreach, conf, 1 event, event_reach' (0x8014)
R3#show ntp associations
address ref clock st when poll reach delay offset disp
~10.1.1.2 127.127.1.1 3 17 64 1 0.000 -486242 7937.5
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
C:\Users\John Lloyd>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\John Lloyd>ping 192.168.1.1 // VERIFY CONNECTIVITY BETWEEN PC-A AND R1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
R1#show run | include timestamp // VERIFY TIMESTAMP SERVICE FOR LOGGING
service timestamps debug datetime msec
service timestamps log datetime msec
R1(config)#logging ?
Hostname or A.B.C.D IP address of the logging host
buffered Set buffered logging parameters
buginf Enable buginf logging for debugging
cns-events Set CNS Event logging level
console Set console logging parameters
count Count every log message and timestamp last occurrence
discriminator Create or modify a message discriminator
dmvpn DMVPN Configuration
esm Set ESM filter restrictions
exception Limit size of exception flush output
facility Facility parameter for syslog messages
filter Specify logging filter
history Configure syslog history table
host Set syslog server IP address and parameters
message-counter Configure log message to include certain counter value
monitor Set terminal line (monitor) logging parameters
on Enable logging to all enabled destinations
origin-id Add origin ID to syslog messages
persistent Set persistent logging parameters
queue-limit Set logger message queue size
rate-limit Set messages per second limit
reload Set reload logging level
server-arp Enable sending ARP requests for syslog servers when
first configured
source-interface Specify interface for source address in logging
transactions
trap Set syslog server logging level
userinfo Enable logging of user info on privileged mode enabling
R1(config)#logging host ?
Hostname or A.B.C.D IP address of the syslog server
ipv6 Configure IPv6 syslog server
R1(config)#logging host 192.168.1.3 // CONFIGURE TO SEND SYSLOG MESSAGES TO SYSLOG SERVER
R1(config)#logging trap ?
<0-7> Logging severity level
alerts Immediate action needed (severity=1)
critical Critical conditions (severity=2)
debugging Debugging messages (severity=7)
emergencies System is unusable (severity=0)
errors Error conditions (severity=3)
informational Informational messages (severity=6)
notifications Normal but significant conditions (severity=5)
warnings Warning conditions (severity=4)
<cr>
R1(config)#logging trap warnings // CAPTURE SYSLOG MESSAGES WITH SEVERITY LEVEL 4, 3, 2, 1 AND 0
R1#show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 36 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: disabled, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level warnings, 39 message lines logged
Logging to 192.168.1.3 (udp port 514, audit disabled,
authentication disabled, encryption disabled, link down),
0 message lines logged,
0 message lines rate-limited,
0 message lines dropped-by-MD,
xml disabled, sequence number disabled
filtering disabled
R1(config)#logging userinfo // ENABLE LOGGING OF USER INFO
R1(config)#end
R1#
May 2 12:45:36.285: %SYS-5-CONFIG_I: Configured from console by console
R1#enable view admin1
Password:<admin1pass>
R1#
May 2 12:45:54.257: %PARSER-6-VIEW_SWITCH: successfully set to view 'admin1'.
R1#
May 2 12:45:54.257: %SYS-5-VIEW_AUTH_PASS: View set to admin1 by unknown on console
R3#erase startup-config
R3#reload
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface serial0/0/1
R3(config-if)#
*May 2 12:54:04.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R3(config)#end
*May 2 12:54:20.551: %SYS-5-CONFIG_I: Configured from console by console.2.2
R3#ping 10.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R3#ping 192.168.1.3 source 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 192.168.3.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R3#show run
Building configuration...
Current configuration : 912 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
R3#auto ?
secure AutoSecure Commands
R3#auto secure // AUTOSECURE FEATURE SIMPLIFIES AND HARDENS ROUTER CONFIGURATION
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]:
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES unset administratively down down
FastEthernet0/1 192.168.3.1 YES manual up up
Serial0/0/0 unassigned YES unset administratively down down
Serial0/0/1 10.2.2.1 YES SLARP up up
Enter the interface name that is facing the internet: Serial0/0/1
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
# Unauthorized Access Prohibited #
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret:<cisco12345>
Confirm the enable secret :<cisco12345>
Enter the new enable password:<cisco67890>
Confirm the enable password:<cisco67890>
Configuration of local user database
Enter the username: admin
Enter the password:<cisco12345>
Confirm the password:<cisco12345>
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 60
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 30
Configure SSH server? [yes]:
Enter the domain-name: ccnasecurity.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C Unauthorized Access Prohibited ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$.RkX$Apudk9Je9f8VPO3qQmzRI.
enable password 7 104D000A0618445C545D7A
username admin password 7 0822455D0A165445415F59
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/1
ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: R3.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3#
login as: admin
Using keyboard-interactive authentication.
Password:
Unauthorized Access Prohibited
R3>enable
Password:
R3#show flash
-#- --length-- -----date/time------ path
1 37124796 Apr 11 2015 10:46:06 c1841-advipservicesk9-mz.124-20.T4.bin
2 913 May 02 2015 12:59:48 pre_autosec.cfg
26873856 bytes available (37130240 bytes used)
R3#more flash:pre_autosec.cfg
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
ip address 10.2.2.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.2.2
no ip http server
no ip http secure-server
!
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
Below are the settings I've used for Cisco Configuration Professional (CCP) version 2.8 in order for Security Audit to work. I used Internet Explorer (IE) Version 11 and Java Version 8 Update 45.
R3(config)#username admin privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret
R3(config)#username admin privilege 15 secret cisco12345 // CREATE PRIVILEGE LEVEL 15 USER
R3(config)#ip http ?
access-class Restrict http server access by access-class
active-session-modules Set up active http server session modules
authentication Set http server authentication method
client Set http client parameters
digest Set http digest parameters
help-path HTML help root URL
max-connections Set maximum number of concurrent http server
connections
path Set base path for HTML
port Set http port
secure-active-session-modules Set up active http secure server session
modules
secure-ciphersuite Set http secure server ciphersuite
secure-client-auth Set http secure server with client
authentication
secure-port Set http secure server port number for
listening
secure-server Enable HTTP secure server
secure-trustpoint Set http secure server certificate trustpoint
server Enable http server
session-module-list Set up a http(s) server session module list
timeout-policy Set http server time-out policy parameters
R3(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R3(config)#
*Jun 25 14:12:44.019: %SSH-5-ENABLED: SSH 1.99 has been enabled
R3(config)#
*Jun 25 14:12:44.259: %PKI-4-NOAUTOSAVE: Configuration was modified. Issue "write memory" to save new certificate
R3(config)#do write memory
Building configuration...
[OK]
R3(config)#ip http authentication ?
aaa Use AAA access control methods
enable Use enable passwords
local Use local username and passwords
R3(config)#ip http authentication local
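As an added example (Python, not part of the lab and not Cisco's own code), the checker below parses a `show run` dump and reports which of the hardening items AutoSecure applied above are absent or still weak, and also checks the `ip http authentication` setting just configured for CCP. The two sample configs are constructed from this page's own output (the pre_autosec.cfg and the configuration AutoSecure generated), with the one-space indentation IOS prints for sub-mode commands restored, since the copies on the page lost it. Run against the pre-AutoSecure config it lists the missing items; run against the post-AutoSecure config it still flags the Type 7 `enable password` and `username admin password 7` lines, whose encoding is reversible, and `transport input ssh telnet` on the vty lines, which keeps cleartext telnet open.

```python
# Added example, not from the lab or from Cisco: audit an IOS config dump for the hardening
# items AutoSecure applied on this page. Samples are constructed from the page's own output.
import re
from collections import namedtuple

# pre_autosec.cfg from the page, with IOS's one-space sub-mode indentation restored.
PRE_AUTOSEC_CFG = """\
no service password-encryption
no aaa new-model
ip source-route
interface FastEthernet0/1
 ip address 192.168.3.1 255.255.255.0
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.0
no ip http server
line vty 0 4
 login
"""
# The same router after AutoSecure, trimmed from the config it generated on the page.
POST_AUTOSEC_CFG = """\
service password-encryption
no cdp run
no ip http server
no ip source-route
enable secret 5 $1$.RkX$Apudk9Je9f8VPO3qQmzRI.
enable password 7 104D000A0618445C545D7A
username admin password 7 0822455D0A165445415F59
aaa new-model
login block-for 60 attempts 2 within 30
interface Serial0/0/1
 ip address 10.2.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
line vty 0 4
 login authentication local_auth
 transport input ssh telnet
"""
Finding = namedtuple("Finding", "severity scope message")  # severity: "weak" or "missing"

def _has(lines, prefix):
    """True if a line is exactly `prefix` or starts with `prefix` plus a space."""
    return any(l == prefix or l.startswith(prefix + " ") for l in lines)

def parse_ios_config(text):
    """Split a config into global lines and {section header: [sub-mode lines]}."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:  # indented: part of the open section
            sections[current].append(raw.strip())
        elif raw.split()[0] in ("interface", "line", "router"):
            current = raw.strip()
            sections.setdefault(current, [])  # repeated headers merge ("line vty 0 4" appears twice)
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, sections

# (hardened form, insecure form) from the AutoSecure output. show run prints only non-default
# settings, so when neither form appears the platform default is in effect ("missing").
GLOBAL_PAIRS = [
    ("service password-encryption", "no service password-encryption"),
    ("no ip source-route", "ip source-route"),
    ("no cdp run", "cdp run"),
    ("no ip http server", "ip http server"),
    ("aaa new-model", "no aaa new-model"),
    ("login block-for", None),
]
# On by default and disabled by AutoSecure (it also emits "no ip directed-broadcast" and
# "no ip mask-reply", but those are already off by default on 12.x, so absence is no finding).
IFACE_HARDENING = ("no ip redirects", "no ip proxy-arp", "no ip unreachables")
# Cleartext or Type 7 (reversible) enable/username passwords; "secret" lines do not match.
PASSWORD_RE = re.compile(r"^(enable password|username \S+(?: privilege \d+)? password)(?: ([07]))? \S+$")

def audit(text):
    globals_, sections = parse_ios_config(text)
    findings = []
    for good, bad in GLOBAL_PAIRS:
        if _has(globals_, good):
            continue
        if bad and _has(globals_, bad):
            findings.append(Finding("weak", "global", f"'{bad}' present; expected '{good}'"))
        else:
            findings.append(Finding("missing", "global", f"'{good}' not configured"))
    for m in filter(None, map(PASSWORD_RE.match, globals_)):
        kind = "Type 7 (reversible)" if m.group(2) == "7" else "cleartext"
        findings.append(Finding("weak", "global", f"{kind} password in '{m.group(1)}'"))
    if _has(globals_, "ip http server") or _has(globals_, "ip http secure-server"):
        if not (_has(globals_, "ip http authentication local") or _has(globals_, "ip http authentication aaa")):
            findings.append(Finding("weak", "global", "HTTP(S) server left on default enable-password authentication"))
    for header, body in sections.items():
        if header.startswith("interface") and _has(body, "ip address") and "shutdown" not in body:
            missing = [h for h in IFACE_HARDENING if h not in body]
            if missing:
                findings.append(Finding("missing", header, "not disabled: " + ", ".join(missing)))
        elif header.startswith("line vty"):
            if "transport input ssh" not in body:  # "ssh telnet" still admits cleartext telnet
                findings.append(Finding("weak", header, "transport input not restricted to ssh"))
            if not (_has(body, "login local") or _has(body, "login authentication")):
                findings.append(Finding("weak", header, "no per-user login (login local / aaa)"))
    return findings
```

`audit(PRE_AUTOSEC_CFG)` returns nine findings (five weak settings, four missing items, two of them per-interface); `audit(POST_AUTOSEC_CFG)` returns three, all weak: the two Type 7 passwords and the vty transport that still allows telnet. The check list is deliberately limited to settings whose IOS default is known, because `show run` omits defaults and a naive "line not present" test would report items that are already off.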