Securing the Router for Administrative Access

Network Topology

Learning Objectives

At the end of this lab exercise, you will have completed the following tasks:

Control Administrative Access for Routers
Configure Administrative Roles
Configure Cisco IOS Resilience and Management Reporting

Part 1: Initial Setup

The following instructions are for students using the lab computers in ECL2.039 and ECL2.044. Please use the following link which will describe how to download and install the Network Security Virtual Machine on a Windows machine.

Image the lab machine with the Windows xxx image.
Open VMware Workstation and start the NS-VM-17v# (# will represent the version number) virtual machine. When it has successfully started you will see in the VMware terminal something similar to the following image. The only thing you need to take note of is the IP address that is displayed. Note: You do NOT need to ever login into the actual VM for this class so I have changed the default root password.

File:NS-UNL-VM-IP-ADDRESS.png

Open a browser session using the IP address that was displayed in the VMware terminal window. You should then be greeted with the following login page. Log in using the username: admin and password: unl. Note: In the lab you must turn off the turn off the proxy setting in your web browser.

File:NS-UNL-LOGIN-SCREEN.png

Once logged in you will see a screen which show folders such as Lab Exercises. Select this folder and then select the Basic-Lab-Topology-1.unl lab and then open the lab using the blue Open button on the screen.

is displayed Note: you will not be able to login into the virtual machine using the defaultWhen you open GNS3 you will notice a window to the right that has the title Servers Summary and it will display the Local CPU %. File:GNS3-Servers-Summary-NO-Load.png When you start all the devices in the next step you will notice the CPU utilization will jump dramatically File:GNS3-Servers-Summary-Heavy-Load.png. Once they have all started it will take a minute or two before see the CPU % will drop dramatically File:GNS3-Servers-Running-Load.png. At this time you can start looking at configuring your devices. You should NEVER open a console window on a device and start hitting the enter key several times before the CPU stabilizes. Otherwise your initial router configurations are unlike to load properly. All console connections should contain a host name such as R1 or Host1 NOT router. A router> prompt in a console window indicates the router has failed to load its initial configuration.

Ensure you have the appropriate GNS3 environment loaded on your computer.
Download and Unzip the GNS3 topology NS_Lab_Sec_Router_Admin_Access.zip file from LMS.
Start GNS3 by using the sudo gns3 command in a terminal window.
Be sure to open the open the project. Once opened you will see the initial network topology for the lab and you should now display the interface names on all the devices by selecting the File:GNS3-Diplay-Network-Labesl.png GNS3 menu icon. You should now see something like the network topology displayed above.
Start all devices by selecting the File:GNS3-Start-Button.png menu icon in GNS3.
Open a console window to all devices by selecting the File:Console2allDevices.png menu icon in GNS3.
Verify that router R1 has a valid path from Host1 to Host2. Use the traceroute command to verify end-to-end connectivity before going any further. You should NOT have to configure anything to get end-to-end connectivity.

Part 2: Control Administrative Access for Routers

Task 1: Configure and Encrypt Passwords on Routers R1

Step 1: Configure a minimum password length for all router passwords.

Use the security passwords command to set a minimum password length of 10 characters.

R1(config)# security passwords min-length 10

Step 2: Configure the enable secret password.

Configure the enable secret encrypted password on the router.

R1(config)# enable algorithm-type sha256 secret cisco12345

How does configuring an enable algorithm-type sha256 secret password help protect a router from being compromised by an attack?

____________________________________________________________________________________

Step 3: Configure basic console, auxiliary port, and virtual access lines.

Note: Passwords in this task are set to a minimum of 10 characters but are relatively simple for the benefit of performing the lab. More complex passwords are recommended in a production network.

1. Configure a console password and enable login for routers. For additional security, the exec-timeout command causes the line to log out after 5 minutes of inactivity. The logging synchronous command prevents console messages from interrupting command entry.

Note: To avoid repetitive logins during this lab, the exec-timeout command can be set to 0 0, which prevents it from expiring. However, this is not considered a good security practice.

R1(config)# line console 0
R1(config-line)# exec-timeout 5 0
R1(config-line)# logging synchronous
R1(config-line)# password ciscocon <--- You will get an error when you enter this.
R1(config-line)# login

When you configured the password for the console line, what message was displayed?

____________________________________________________________________________________

2. Configure a new password of ciscoconpass for the console.

3. Configure a password for the AUX port for router R1.

R1(config)# line aux 0
R1(config-line)# password ciscoauxpass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login

4. Telnet from R2 to R1.

R2> telnet 10.1.1.1

Were you able to login? Why or why not?

____________________________________________________________________________________

5. Configure the password on the vty lines for router R1.

R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# login

6. Telnet from R2 to R1 again. Were you able to login this time?

____________________________________________________________________________________

7. Enter privileged EXEC mode and issue the show run command. Can you read the enable secret password? Why or why not?

____________________________________________________________________________________

Can you read the console, aux, and vty passwords? Why or why not?

____________________________________________________________________________________

Step 4: Encrypt clear text passwords.

1. Use the service password-encryption command to encrypt the console, aux, and vty passwords.

R1(config)# service password-encryption

2. Issue the show run command. Can you read the console, aux, and vty passwords? Why or why not?

____________________________________________________________________________________

At what level (number) is the enable secret password encrypted? ______________

At what level (number) are the other passwords encrypted? ______________

Which level of encryption is harder to crack and why?

____________________________________________________________________________________

Task 2: Configure a Login Warning Banner on Routers R1.

Step 1: Configure a warning message to display prior to login.

1. Configure a warning to unauthorized users with a message-of-the-day (MOTD) banner using the banner motd command. When a user connects to one of the routers, the MOTD banner appears before the login prompt. In this example, the dollar sign ($) is used to start and end the message.

R1(config)# banner motd $Unauthorized access strictly prohibited!$
R1(config)# exit

2. Issue the show run command. What does the $ convert to in the output?

____________________________________________________________________________________

3. Exit privileged EXEC mode using the disable or exit command and press Enter to get started. Does the MOTD banner look like what you created with the banner motd command?

If the MOTD banner is not as you wanted it, recreate it using the banner motd command.

Task 3: Configure Enhanced Username Password Security on Routers R1.

Step 1: Investigate the options for the username command.

In global configuration mode, enter the following command:

R1(config)# username user01 password ?

What options are available?

____________________________________________________________________________________

Step 2: Create a new user account using the username command.

1. Create the user01 account, specifying the password with no encryption.

R1(config)# username user01 password 0 user01pass

2. Use the show run command to display the running configuration and check the password that is enabled.

Even though unencrypted (0) was specified, you still cannot read the password for the new user account, because the service password-encryption command is in effect.

Step 3: Create a new user account with a secret password.

1. Create a new user account with MD5 hashing to encrypt the password.

R1(config)# username user02 secret user02pass

2. Exit global configuration mode and save your configuration.

3. Display the running configuration. Which hashing method is used for the password?

____________________________________________________________________________________

Step 4: Test the new account by logging in to the console.

1. Set the console line to use the locally defined login accounts.

R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# end
R1# exit

2. Exit to the initial router screen which displays: R1 con0 is now available, Press RETURN to get started.

3. Log in using the username user01 and the password user01pass, previously defined.

What is the difference between logging in at the console now and previously? ____________________________________________________________________________________

____________________________________________________________________________________

4. After logging in, issue the show run command. Were you able to issue the command? Explain.

____________________________________________________________________________________

5. Enter privileged EXEC mode using the enable command. Were you prompted for a password? Explain.

____________________________________________________________________________________

Step 5: Test the new account by logging in from a Telnet session.

1. From PC-A, establish a Telnet session with R1.

PC-A> telnet 192.168.1.1

Were you prompted for a user account? Why or why not?

____________________________________________________________________________________

2. Set the vty lines to use the locally defined login accounts.

R1(config)# line vty 0 4
R1(config-line)# login local

3. From PC-A, telnet to R1 again.

PC-A> telnet 192.168.1.1

Were you prompted for a user account? Explain.

____________________________________________________________________________________

4. Log in as user01 with a password of user01pass.

5. During the Telnet session to R1, access privileged EXEC mode with the enable command.

What password did you use?

____________________________________________________________________________________

6. For added security, set the AUX port to use the locally defined login accounts.

R1(config)# line aux 0
R1(config-line)# login local

7. End the Telnet session with the exit command.

Task 4: Configure Enhanced Virtual Login Security on Routers R1.

Step 1: Configure the router to protect against login attacks.

Use the login block-for command to help prevent brute-force login attempts from a virtual connection, such as Telnet, SSH, or HTTP. This can help slow down dictionary attacks and help protect the router from a possible DoS attack.

1. From the user EXEC or privileged EXEC prompt, issue the show login command to see the current router login attack settings.

R1# show login
      No login delay has been applied.
      No Quiet-Mode access list has been configured.

      Router NOT enabled to watch for login Attacks

2. Use the login block-for command to configure a 60 second login shutdown (quiet mode timer) if two failed login attempts are made within 30 seconds.

R1(config)# login block-for 60 attempts 2 within 30

3. Exit global configuration mode and issue the show login command.

R1# show login

Is the router enabled to watch for login attacks? _________________

What is the default login delay?

____________________________________________________________________________________

Step 2: Configure the router to log login activity.

1. Configure the router to generate system logging messages for both successful and failed login attempts. The following commands log every successful login and log failed login attempts after every second failed login.

R1(config)# login on-success log
R1(config)# login on-failure log every 2
R1(config)# exit

2. Issue the show login command. What additional information is displayed?

____________________________________________________________________________________

Step 3: Test the enhanced login security login configuration.

1. From PC-A, establish a Telnet session with R1.

PC-A> telnet 10.1.1.1

2. Attempt to log in with the wrong user ID or password two times. What message was displayed on PC-A after the second failed attempt?

____________________________________________________________________________________

What message was displayed on the router R1 console after the second failed login attempt?

____________________________________________________________________________________

3. From PC-A, attempt to establish another Telnet session to R1 within 60 seconds. What message was displayed on PC-A after the attempted Telnet connection?

____________________________________________________________________________________

What message was displayed on router R1 after the attempted Telnet connection?

____________________________________________________________________________________

4. Issue the show login command within 60 seconds. What additional information is displayed?

____________________________________________________________________________________

Step 4: Allow Admin access to router R1 during quite-mode

1. Configure ACL to permit the Admin host computer.

R1(config)#ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)#permit host 192.168.1.50
R1(config-std-nacl)#exit
R1(config)#login quiet-mode access-class PERMIT-ADMIN

2. From PC-A, attempt to log in to R1 with the wrong user ID or password two times and then quickly attempted it a third time.

Where you permitted to log in on the third attempt? ___________

Task 5: Configure the SSH Server on Router R1 Using the CLI.

In this task, use the CLI to configure the router to be managed securely using SSH instead of Telnet. Secure Shell (SSH) is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

Note: For a router to support SSH, it must be configured with local authentication, (AAA services, or username) or password authentication. In this task, you configure an SSH username and local authentication.

Step 1: Configure a domain name.

Enter global configuration mode and set the domain name.

R1# conf t
R1(config)# ip domain-name ccnasecurity.com

Step 2: Configure a privileged user for login from the SSH client.

1. Use the username command to create the user ID with the highest possible privilege level and a secret password.

R1(config)# username admin privilege 15 algorithm-type sha secret cisco12345

2. Exit to the initial router login screen. Log in with the username admin and the associated password. What was the router prompt after you entered the password?

____________________________________________________________________________________

Step 3: Configure the incoming vty lines.

Specify a privilege level of 15 so that a user with the highest privilege level (15) will default to privileged EXEC mode when accessing the vty lines. Other users will default to user EXEC mode. Use the local user accounts for mandatory login and validation, and accept only SSH connections.

R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit

Note: The login local command should already be configured in a previous step. It is included here to provide all commands if you were doing this for the first time.

Note: If you add the keyword telnet to the transport input command, users can log in using Telnet as well as SSH, however, the router will be less secure. If only SSH is specified, the connecting host must have an SSH client installed.

Step 4: Erase existing key pairs on the router.

R1(config)# crypto key zeroize rsa

Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 5: Generate the RSA encryption key pair for the router.

The router uses the RSA key pair for authentication and encryption of transmitted SSH data.

Configure the RSA keys with 2048 for the number of modulus bits. The default is 512, and the range is from 360 to 4096.

R1(config)# crypto key generate rsa general-keys modulus 2048

The name for the keys will be: R1.ccnasecurity.com

R1(config)# exit

Note: The details of encryption methods are covered in Chapter 7.

Step 6: Verify the SSH configuration.

1. Use the show ip ssh command to see the current settings.

R1# show ip ssh

2. Fill in the following information based on the output of the show ip ssh command.

SSH version enabled: ________________________________________

Authentication timeout: ________________________________________

Authentication retries: ________________________________________

Step 7: Configure SSH timeouts and authentication parameters.

1. The default SSH timeouts and authentication parameters can be altered to be more restrictive using the following commands.

R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2

2. Generate an RSA key on Router R3. From router R3 verify that SSH is working on router R1 by using the following command.

R3# ssh -c 3des -l admin 192.168.1.1
Password: cisco12345

Test1

Contents

Network Topology

Learning Objectives

Part 1: Initial Setup

Part 2: Control Administrative Access for Routers

Task 1: Configure and Encrypt Passwords on Routers R1

Step 1: Configure a minimum password length for all router passwords.

Step 2: Configure the enable secret password.

Step 3: Configure basic console, auxiliary port, and virtual access lines.

Step 4: Encrypt clear text passwords.

Task 2: Configure a Login Warning Banner on Routers R1.

Step 1: Configure a warning message to display prior to login.

Task 3: Configure Enhanced Username Password Security on Routers R1.

Step 1: Investigate the options for the username command.

Step 2: Create a new user account using the username command.

Step 3: Create a new user account with a secret password.

Step 4: Test the new account by logging in to the console.

Step 5: Test the new account by logging in from a Telnet session.

Task 4: Configure Enhanced Virtual Login Security on Routers R1.

Step 1: Configure the router to protect against login attacks.

Step 2: Configure the router to log login activity.

Step 3: Test the enhanced login security login configuration.

Step 4: Allow Admin access to router R1 during quite-mode

Task 5: Configure the SSH Server on Router R1 Using the CLI.

Step 1: Configure a domain name.

Step 2: Configure a privileged user for login from the SSH client.

Step 3: Configure the incoming vty lines.

Step 4: Erase existing key pairs on the router.

Step 5: Generate the RSA encryption key pair for the router.

Step 6: Verify the SSH configuration.

Step 7: Configure SSH timeouts and authentication parameters.

Navigation menu

Search