Thursday, February 2, 2017

Disabling Console Port on a Cisco Router

A customer reported their connection was intermittent and I've checked the router logs and it seems that someone was trying to configure SSL VPN on the CE router. The hacker was trying to lab up and play around with the router via its console port. The router has AAA/TACACS configured and I suspect the hacker tried a password recovery or disabled AAA by temporarily removing the WAN interface. As a precaution, I've disabled the console port using the no exec line command and locked down the Telnet/VTY lines to our management servers.


*Jan 10 05:04:22.979: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized       // HACKER ACTIVATED SSL VPN ON THE ROUTER
*Jan 10 05:04:22.987: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled

*Jan 10 05:04:24.943: %LINEPROTO-5-UPDOWN: Line protocol on Interface VoIP-Null0, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jan 10 05:04:24.947: %LINK-3-UPDOWN: Interface Serial0/3/0, changed state to down
*Jan 10 05:04:24.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface SSLVPN-VIF0, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jan 10 05:04:26.291: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/3/0, changed state to down
*Jan 10 05:04:41 UTC: %LINK-5-CHANGED: Interface Serial0/3/0, changed state to administratively down
*Jan 10 05:04:41 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI2, changed state to up
*Jan 10 05:04:42 UTC: %SYS-5-CONFIG_I: Configured from memory by console
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:crypto map NiStTeSt1 10 ipsec-manual
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:match address 199

*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:set peer 20.20.20.20
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:exit
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no access-list 199
*Jan 10 05:04:42 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:no crypto map NiStTeSt1

*Jan 10 05:04:43 UTC: %SYS-5-RESTART: System restarted --
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team


Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 22:00 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Router uptime is 1 hour, 55 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-advipservicesk9-mz.124-20.T.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FTX1218A123
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
12 Voice FXO interfaces
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up     
FastEthernet0/0.1          172.27.103.193  YES NVRAM  up                    up     
FastEthernet0/0.3          172.27.103.129  YES NVRAM  up                    up     
FastEthernet0/0.800        unassigned      YES unset  up                    up     
FastEthernet0/1            unassigned      YES NVRAM  up                    up     
FastEthernet0/1.3          172.27.1.234    YES NVRAM  up                    up     
FastEthernet0/1.100        172.27.1.86     YES NVRAM  up                    up     
FastEthernet0/1.900        172.27.1.90     YES NVRAM  up                    up     
Serial0/3/0                unassigned      YES NVRAM  administratively down down   
Serial0/3/0.106            61.8.7.6      YES NVRAM  administratively down down   
SSLVPN-VIF0                unassigned      NO  unset  up                    up       // A VIRTUAL INTERFACE WAS AUTOMATICALLY CREATED WHEN SSL VPN WAS ACTIVATED
BVI2                       172.26.102.129  YES NVRAM  up                    up    

Router(config)#line console 0
Router(config-line)#no exec

No comments:

Post a Comment