Setting Minimum Password Length:
The minimum password length is a foundational control: ‘security passwords min-length’ makes the device reject any user, enable or line password configured afterwards that is shorter than the configured value (the command accepts 0 to 16 characters). The value 4 in the example below is only a demonstration; four-character passwords fall to brute force almost immediately, so a real policy should use a value of 10 or more. Note that the command does not retroactively check passwords that were set before it.
Router(config)#security passwords min-length 4
Setting Passwords for Privilege Mode Access:
Both ‘enable password’ and ‘enable secret’ set the password a user must enter when typing the ‘enable’ command to move from User Mode to Privilege Mode. The difference is how the credential is stored: ‘enable password’ is written to the configuration in cleartext (or as a reversible type 7 string once service password-encryption is on), while ‘enable secret’ is stored as a one-way hash. When both are configured, IOS uses the secret and ignores the password, so on a production device configure only ‘enable secret’; both commands are shown below for completeness.
Router(config)#enable password hossein
Router(config)#enable secret amir
Setting Passwords for Console, AUX, Telnet Access on Cisco Devices:
Each access path (console, AUX, Telnet) has its own line configuration and needs its own password, otherwise that path is open to anyone who can reach it. ‘login’ turns password checking on for the line (without it the configured password is never asked for), and ‘exec-timeout 4 0’ closes an idle session after 4 minutes and 0 seconds (‘exec-timeout 0 0’ disables the idle timeout entirely).
- Console:
Router(config)#line console 0
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0
- AUX:
Router(config)#line aux 0
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0
- Telnet:
Router(config)#line vty 0 4
Router(config-line)#password passwd
Router(config-line)#login
Router(config-line)#exec-timeout 4 0
Note: a user who logs in over Telnet (or SSH) lands in User Mode; to reach Privilege Mode the device must have an ‘enable secret’ (or ‘enable password’) configured, otherwise the ‘enable’ command fails with ‘% No password set’. Telnet itself transmits the password in cleartext, so it should be replaced by SSH (see below) as soon as SSH is configured.
Applying Encryption to Passwords:
‘service password-encryption’ rewrites every cleartext (type 0) password in the configuration, including line passwords and ‘username ... password’ entries, as a type 7 string. This is obfuscation rather than encryption: type 7 is a fixed-key XOR that anyone who obtains the configuration can reverse instantly. It only stops a password from being read over someone's shoulder during ‘show running-config’; credentials that matter should be stored with ‘secret’, which uses a one-way hash.
Router(config)#service password-encryption
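As an added example (not code from the original page), the following Python script reverses type 7 strings to show how little ‘service password-encryption’ protects. The constructed sample config below holds the type 7 encoding of the word ‘cisco’ under two different seeds; the key table is the publicly known constant IOS uses, and the helper names are this example's own.

```python
"""Cisco IOS type 7 ("service password-encryption") encoder and decoder.

Added example; not code from the original page. A type 7 string is a
fixed-key XOR that anyone holding the configuration can reverse, which
is why 'enable secret' and 'username ... secret' (one-way hashes) are
preferred for anything that matters.
"""
import re

# Static key IOS uses for type 7 storage; widely published, not a secret.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the representation IOS writes to the config (seed is 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    body = bytes(ord(c) ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def recover_type7_passwords(config: str) -> dict:
    """Map every 'password 7 <hex>' line in a config to its cleartext value."""
    found = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            found[line] = type7_decode(m.group(1))
    return found


# Constructed sample, not output from a real device: this is what the
# passwords on this page look like after 'service password-encryption'.
SAMPLE_CONFIG = """\
enable password 7 0822455D0A16
username amir password 7 094F471A1A0A
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, clear in recover_type7_passwords(SAMPLE_CONFIG).items():
        print(f"{line:45} -> {clear}")
```

Paste the output of ‘show running-config’ in place of SAMPLE_CONFIG to recover every type 7 value on a device in one pass; this is exactly what an attacker does with a leaked backup, which is why ‘enable password’ and ‘username ... password’ should be replaced with their ‘secret’ forms.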
Configuring Security Login Warning Banners:
A warning banner is displayed to every connection before the login prompt and serves as a legal notice to anyone attempting to access the device. Many organisational policies, and some jurisdictions, require such a notice before access can be treated as unauthorized, and it removes any claim that a connection was made innocently. The first character after ‘banner motd’ is the delimiter that ends the message ($ below), so it must not appear inside the text itself.
Router(config)#banner motd $Unauthorized access$
User Account Definition and Privileges:
Local user accounts replace a single shared line password with per-user credentials, so logins can be attributed to a person and individual accounts can be revoked without changing a shared secret. ‘username ... password’ stores the credential in cleartext (type 7 once service password-encryption is on); ‘username ... secret’ stores a one-way hash and is the form to use. Adding ‘privilege <0-15>’ to the username sets the level the user lands in after login (1 is User Mode, 15 is full Privilege Mode), so access can be restricted according to the user's role.
Defining User Accounts:
Router(config)#username amir password passwd
Defining User Accounts with Secret Password:
Router(config)#username amir2 secret passwd
Using Local User Accounts for Device Access:
- Console
Router(config)#line console 0
Router(config-line)#login local
- AUX:
Router(config)#line aux 0
Router(config-line)#login local
- Telnet:
Router(config)#line vty 0 4
Router(config-line)#login local
Protecting Telnet, SSH, and HTTP Logins Against Brute-Force and DoS Attacks:
‘login block-for’ puts the device into a quiet mode for 120 seconds once 5 login attempts have failed within 30 seconds. During quiet mode all login attempts over Telnet, SSH and HTTP are refused, which stops dictionary and brute-force password guessing and blunts login-flood Denial-of-Service (DoS) attempts that try to exhaust the device with repeated failed logins. Because a quiet period also locks out administrators, pair it with ‘login quiet-mode access-class <acl>’ so that connections from management hosts are still accepted.
Router(config)#login block-for 120 attempts 5 within 30
To disable this capability:
Router(config)#no login block-for
Configuring Login Message Display for Success and Failed Logins:
‘login on-success log’ and ‘login on-failure log’ make the device emit a syslog message for every successful and every failed login, which is the record needed to spot password guessing and to attribute configuration changes to a person. Appending ‘every <n>’ to either command rate-limits the message to every nth event. The messages are only useful if they leave the device: send them to a central syslog server and review them regularly.
Router(config)#login on-success log
Router(config)#login on-failure log
SSH Configuration and Versioning
SSH replaces Telnet with an encrypted channel between the administrator and the device, so passwords and commands are no longer readable on the wire. Version 1 of the protocol has known design weaknesses, so the version should be pinned to 2 rather than left at the default, which accepts both.
Enabling SSH (the domain name and hostname must be set first, because the RSA key pair is named after them):
Router(config)#ip domain-name home.local
Router(config)#hostname Router1
Router1(config)#crypto key generate rsa general-keys modulus 2048
A 2048-bit modulus is the smallest size worth using today; 1024-bit RSA keys are widely regarded as too weak, and SSH version 2 requires a modulus of at least 768 bits.
Creating a user with Privilege 15 on the device:
Router1(config)#username amir privilege 15 secret passwd
Enabling SSH on VTY port:
Router1(config)#line vty 0 4
Router1(config-line)#login local
Router1(config-line)#transport input ssh
Specifying the SSH protocol version:
Router1(config)#ip ssh version 2
Without this command the device accepts both versions (‘show ip ssh’ reports version 1.99). The CLI also accepts ‘ip ssh version 1’, but SSH version 1 has known protocol weaknesses and should not be enabled.
Setting timeout and authentication retries:
‘ip ssh time-out’ limits how long the SSH negotiation and authentication phase may take (1 to 120 seconds, default 120); it does not terminate idle sessions, which is the job of ‘exec-timeout’ on the line. ‘ip ssh authentication-retries’ caps the number of password attempts per connection (0 to 5, default 3), so with the value below a brute-force client has to reconnect after every two failures, and each reconnect counts towards ‘login block-for’.
Router1(config)#ip ssh time-out 100
Router1(config)#ip ssh authentication-retries 2
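To check that a device actually carries the settings covered on this page, the following Python script (an added example, not code from the page) audits ‘show running-config’ text for each control: minimum length, enable secret versus enable password, secret versus password on usernames, service password-encryption, ip ssh version 2, login block-for, the banner, and per-line login, exec-timeout and transport input ssh. The policy thresholds, both sample configurations and the placeholder hash strings in the hardened sample are constructed for this example.

```python
"""Audit a Cisco IOS running-config for the hardening settings on this page.

Added example, not from the original page. MIN_LEN and MAX_IDLE_MIN are
this example's assumed policy values, not IOS defaults.
"""
import re

MIN_LEN = 10       # required 'security passwords min-length' (IOS accepts 0-16)
MAX_IDLE_MIN = 10  # longest acceptable exec-timeout, in minutes


def parse_sections(config: str):
    """Split a config into top-level lines and the indented children of each."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit_config(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []

    def has(pattern):
        return any(re.match(pattern, line) for line in top)

    if not has(r"service password-encryption$"):
        findings.append("service password-encryption not enabled")
    if not has(r"enable secret "):
        findings.append("no enable secret configured")
    if has(r"enable password "):
        findings.append("enable password present (cleartext/type 7); use enable secret only")
    min_len = 0
    for line in top:
        m = re.match(r"security passwords min-length (\d+)$", line)
        if m:
            min_len = int(m.group(1))
    if min_len < MIN_LEN:
        findings.append(f"password min-length is {min_len}, policy requires >= {MIN_LEN}")
    for line in top:
        if re.match(r"username \S+ (privilege \d+ )?password ", line):
            findings.append(f"'{line.split(' password ')[0]}' uses password instead of secret")
    if not has(r"ip ssh version 2$"):
        findings.append("ip ssh version 2 not enforced")
    if not has(r"login block-for \d+ attempts \d+ within \d+$"):
        findings.append("login block-for not configured")
    if not has(r"banner motd "):
        findings.append("no banner motd configured")

    for header, children in sections.items():
        if not header.startswith("line "):
            continue
        if not any(c.startswith("login") for c in children):
            findings.append(f"{header}: no login / login local, so the password is never checked")
        timeout = next((c for c in children if c.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(f"{header}: exec-timeout not set")
        else:
            parts = timeout.split()[1:]  # exec-timeout MINUTES [SECONDS]
            mins = int(parts[0])
            secs = int(parts[1]) if len(parts) > 1 else 0
            if mins == 0 and secs == 0:
                findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
            elif mins > MAX_IDLE_MIN:
                findings.append(f"{header}: exec-timeout {mins} min exceeds policy")
        if header.startswith("line vty") and "transport input ssh" not in children:
            findings.append(f"{header}: transport input ssh missing, Telnet may be accepted")
    return findings


# Constructed samples, not real device output; the hashes are placeholders.
WEAK_CONFIG = """\
enable password hossein
username amir password passwd
line vty 0 4
 password passwd
 login
 exec-timeout 0 0
"""

HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 12
enable secret 5 $1$PLACEHOLDER$notarealhash
username amir privilege 15 secret 5 $1$PLACEHOLDER$notarealhash
ip ssh version 2
login block-for 120 attempts 5 within 30
banner motd ^CUnauthorized access^C
line con 0
 login local
 exec-timeout 4 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 4 0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for finding in audit_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Feed the script a saved ‘show running-config’ in place of the samples to get a finding list per device; the parser keys on IOS's one-space indentation, and a banner that spans several lines would need the banner check extended, since the sample uses a single-line banner. The RSA modulus cannot be audited this way because the key is not shown in the configuration; use ‘show crypto key mypubkey rsa’ for that.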