- August 20, 2017
- Posted by: Syed Shujaat
- Category: Uncategorized
Cisco Base Configuration Best Practices
Everyone has different views on hardening IOS, and while I do not claim to be an expert, these are the practices that I commonly use when bringing up a new device. If you see something I missed, please leave a comment and I’ll update the blog. I’ve also included general best practices that I follow that fall outside of the security realm.
Base Config + Line Console Password
hostname Router
line console 0
 password <mypassword>
 login                ! require the line password before the user reaches EXEC (and from there privileged / config mode)
 exec-timeout 0 0     ! <minutes 0-35791> [<seconds>]; 0 0 disables the idle timeout, as does "no exec-timeout"
 logging synchronous  ! keeps log messages from splitting the command you are typing
enable password Cisco ! stored in clear text and visible in the running config
service password-encryption ! obscures all line and enable passwords as type 7 ("password 7 <obscured string>"); type 7 is reversible, not a hash, and is trivially decoded with readily available tools
Telnet
enable secret Cisco ! stored as a hash (type 5), not as clear text, so it is not exposed in the running config
service password-encryption ! obscures line and enable passwords as type 7 (reversible, see above)
line vty 0 4
OR
username admin privilege 15 secret 0 cisco ! "0" means the password is typed in clear text and is then stored hashed
Login Banner
banner login ^
************************************************************************
You have logged on to a COMPANY proprietary device. This device may be used only for the authorized business purposes of COMPANY. Anyone found using this device or its information for any unauthorized purpose may be subject to disciplinary action and/or prosecution. Have a nice day! 🙂
************************************************************************
^
!
Base SSH and AAA
In order to enable SSH, we need to set a hostname and a domain suffix, and generate an RSA key. Unlike the type 7 strings above, credentials sent over SSH are not exposed in clear text; an attacker is left with brute-forcing the login.
hostname Rooter
ip domain-name routerjockey.com
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
ip scp server enable
Next, we block logins for 5 minutes if there are 4 unsuccessful attempts within 2 minutes. After an unsuccessful attempt we delay for 2 seconds, and every failure and success is logged.
!
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
Basic configuration for AAA. First we define a privilege level 15 user named admin with a password of cisco. In global configuration, define the security protocol used with AAA (RADIUS or TACACS+). If you do not want to use either of these protocols, you can use the local database on the router. If you are using TACACS+, use the tacacs-server host <IP address of the AAA server> <key> command.
!
username admin privilege 15 secret 0 cisco
!
Then we define our login and exec policies to use the local login methods. This is just a baseline AAA configuration; once the device moves to production you will point it at your TACACS+/ACS server.
!
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local if-authenticated
!
The most important part is securing your VTY lines. The ACL VTY-in permits only the devices that absolutely need access, and it is then applied to the vty lines with the access-class command. Again, logging synchronous, escape-character 3, and transport preferred none are used. I also disable telnet access by only allowing input via SSH.
!
ip access-list extended VTY-in
 remark == Network Engineering VPNs
 permit ip 10.255.200.0 0.3.0.31 any
 remark == Network Management Servers
 permit ip 192.168.42.0 0.0.0.255 any
!
line con 0
 logging synchronous
 transport preferred none
 escape-character 3
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 15
 access-class VTY-in in
 logging synchronous
 transport preferred none
 transport input ssh
 escape-character 3
!
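A quick way to check that a device actually carries the hardening above is to audit its running-config text for the weak settings this post replaces. The script below is an added example, not part of the original post; the config it scans is a constructed sample, and the checks (clear-text enable password, type 7 strings, missing login block-for, VTY lines without access-class or transport input ssh) mirror the points made above.

```python
import re

# Constructed sample running-config (not from the post) that carries the
# weak settings the post replaces: a clear-text enable password, type 7
# strings, telnet on the VTY lines, and no login throttling or access-class.
WEAK_CONFIG = """\
hostname Router
enable password Cisco
username admin privilege 15 password 7 0822455D0A16
service password-encryption
!
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet ssh
"""


def audit_ios_config(text):
    """Return (line_no, message) findings for the hardening points discussed
    in the post. line_no 0 marks a global setting that is missing entirely."""
    findings = []
    section = None  # the 'line ...' block the current command belongs to
    saw_vty = saw_block_for = vty_access_class = vty_ssh_only = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("line "):
            section = line
        in_vty = section is not None and section.startswith("line vty")
        saw_vty = saw_vty or in_vty
        if re.match(r"enable password\s", line):
            findings.append((no, "enable password is clear text; use enable secret"))
        if re.search(r"\bpassword 7 ", line):
            findings.append((no, "type 7 string is reversible, not a real hash"))
        if line.startswith("login block-for "):
            saw_block_for = True
        if in_vty and line.startswith("access-class "):
            vty_access_class = True
        if in_vty and line == "transport input ssh":
            vty_ssh_only = True
    if not saw_block_for:
        findings.append((0, "no login block-for: failed logins are not throttled"))
    if saw_vty and not vty_access_class:
        findings.append((0, "VTY lines have no access-class limiting source hosts"))
    if saw_vty and not vty_ssh_only:
        findings.append((0, "VTY lines are not restricted to transport input ssh"))
    return findings
```

Running `audit_ios_config(WEAK_CONFIG)` reports the four offending lines plus the three missing global protections; feeding it the post's final VTY configuration returns no findings.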