Setting Minimum Password Length:
The minimum password length serves as a foundational security measure. Longer passwords with a minimum length of 4 or more characters significantly enhance the complexity and strength of the password, making it more resistant to brute-force attacks.
Router(config)#security passwords min-length 4Setting Passwords for Privilege Mode Access:
For this purpose, the ‘enable password’ and ‘enable secret’ are used. When a user types the ‘enable’ command to access Privilege Mode from User Mode, they must enter this password.
Router(config)#enable password hossein
Router(config)#enable secret amirSetting Passwords for Console, AUX, Telnet Access on Cisco Devices:
Enabling passwords for various access modes (such as console, AUX, Telnet) ensures secure access to different interfaces of Cisco devices. Each access mode requires its own password setup to prevent unauthorized entry.
- Console:
Router(config)#line console 0
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0- AUX:
Router(config)#line Aux 0
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0- Telnet:
Router(config)#line vty 0 4
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0Note: To activate Telnet, the ‘enable password’ must also be active on our Cisco device.
Applying Encryption to Passwords:
Applying encryption to passwords ensures that even if someone gains access to the configuration, the passwords remain encrypted, enhancing overall security and preventing easy readability of sensitive credentials.
Router(config)#service password-encryptionConfiguring Security Login Warning Banners:
Configuring warning banners serves as a legal notice or warning to unauthorized users attempting to access the system. It’s a legal requirement in many cases and helps establish a clear boundary of authorized access.
Router(config)#banner motd $Unauthorized access$User Account Defination and Privilages
Defining user accounts, both with standard and secret passwords, allows for better user management. Assigning different privilege levels to users ensures restricted access based on their roles and responsibilities within the network.
Defining User Accounts:
Router(config)#username amir password passwdDefining User Accounts with Secret Password:
Router(config)#username amir2 secret passwdUsing Local User Accounts for Device Access:
- Console
Router(config)#line console 0
Router(config-line)#login local- AUX:
Router(config)#line aux 0
Router(config-line)#login local- Telnet:
Router(config)#line vty 0 4
Router(config-line)#login localProtecting Telnet, SSH, and HTTP Sessions Against DoS Attacks:
Blocking login attempts after a specified number of failed login attempts within a certain timeframe is crucial to protect against Denial-of-Service (DoS) attacks, where an attacker tries to overload the system with repeated failed login attempts.
Router(config)#login block-for 120 attempts 5 within 30To disable this capability:
Router(config)#no login block-forConfiguring Login Message Display for Success and Failed Logins:
Regularly reviewing and updating security configurations is essential. Monitoring login attempts, reviewing logs for successful and failed logins, and adapting security protocols to evolving threats ensures ongoing network safety.
Router(config)#login on-success log
Router(config)#login on-failure logSSH Configuration and Versioning
Enabling SSH and specifying different versions enhance security by offering encrypted communication between devices. It’s crucial to specify SSH versions for compatibility and security reasons, considering vulnerabilities associated with older versions.
Enabling SSH:
Router(config)#ip domain-name home.local
Router(config)#hostname Router1
Router1(config)#crypto key generate rsa general-keys modulus 1024Creating a user with Privilege 15 on the device:
Router1(config)#username amir privilege 15 secret passwdEnabling SSH on VTY port:
Router1(config)#line vty 0 4
Router1(config-line)#login local
Router1(config-line)#transport input sshSpecifying SSH protocol versions:
Router1(config)#ip ssh version 1
Router1(config)#ip ssh version 2Setting timeout and authentication retries:
Setting timeout intervals and authentication retries adds an additional layer of security. For instance, setting a timeout ensures that inactive SSH sessions are automatically terminated after a defined period, and limiting authentication retries prevents brute-force attacks.
Router1(config)#ip ssh time-out 100
Router1(config)#ip ssh authentication-retries 2