Cisco Base Configuration Best Practices

Everyone has different views on hardening IOS, and while I do not claim to be an expert, these are the practices that I commonly use when bringing up a new device. If you see something I missed, please leave a comment and I’ll update the blog. I’ve also included general best practices that I follow that fall outside of the security realm.

Base Config + Line Console Password

hostname Router
!
line console 0
 password [mypassword]
 ! login requires the line password before you can proceed to privileged / config mode
 login
 ! exec-timeout <minutes> <seconds>; 0 0 disables the idle timeout (same as no exec-timeout)
 exec-timeout 0 0
 ! logging synchronous stops console messages from cutting into the command you are typing
 logging synchronous
!
! enable password is stored in clear text and is visible in the running config
enable password Cisco
!
! service password-encryption hides the enable and VTY line passwords as "password 7 ..." (e.g. 7 $$%%092343424234@@##).
! Type 7 is not strong and can be decoded by tools such as Cracker Jack.
service password-encryption

 

Telnet

line vty 0 4
!
! enable secret is stored as a hash, not in clear text, so it cannot be read back from the running config
enable secret [Cisco]
!
! service password-encryption hides the enable and VTY line passwords as "password 7 ..." (e.g. 7 $$%%092343424234@@##)
service password-encryption

OR

! secret 0 means the password that follows is typed in clear text; IOS stores it as a hash
username admin privilege 15 secret 0 cisco

Login Banner

banner login ^
************************************************************************
You have logged on to a COMPANY proprietary device. This device may be used only for the authorized business purposes of COMPANY. Anyone found using this device or its information for any unauthorized purpose may be subject to disciplinary action and/or prosecution. Have a nice day! 🙂
************************************************************************
^
!

Base SSH and AAA

In order to enable SSH, we need to set a hostname and a domain suffix and generate an RSA key. Unlike type 7 strings, the hashed secrets above can only be broken by brute force.

hostname Rooter
ip domain-name routerjockey.com
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
ip scp server enable


Next we block logins for 5 minutes if we see 4 unsuccessful attempts inside of 2 minutes. After an unsuccessful attempt, we delay for 2 seconds, and on any failure or success we log.
!
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!

Basic configuration for AAA. First we define a level 15 user named admin with a password of cisco. In global configuration, define the security protocol used with AAA (RADIUS, TACACS+). If you do not want to use either of these two protocols, you can use the local database on the router. If you are using TACACS+, use the tacacs-server host <IP address of the AAA server> <key> command.
!
username admin privilege 15 secret 0 cisco
!
Then, we define our login and exec policies to use the local login methods. This is just a baseline AAA configuration; once the device moves to production you will point it at your TACACS/ACS server.
!
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local if-authenticated
!

The most important part is securing your VTY lines. The ACL VTY-in is defined to allow only the devices that absolutely need access. It is then applied to the VTY lines with the access-class command. Again, logging synchronous, escape-character 3, and transport preferred none are used. I also disable telnet access by only allowing SSH as the input transport.
!
ip access-list extended VTY-in
 remark == Network Engineering VPNs
 permit ip 10.255.200.0 0.3.0.31 any
 remark == Network Management Servers
 permit ip 192.168.42.0 0.0.0.255 any
!
line con 0
 logging synchronous
 transport preferred none
 escape-character 3
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 15
 access-class VTY-in in
 logging synchronous
 transport preferred none
 transport input ssh
 escape-character 3
!
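As an added example that is not part of the original post: a small Python script that audits a saved running-config against the checks above (enable secret rather than enable password, service password-encryption, SSH version 2, login block-for, and SSH-only VTY lines with an inbound access-class). The sample config it ships with is constructed and deliberately weak; the parser and check names are my own.

```python
# Added example, not from the post; SAMPLE_CONFIG is a constructed, deliberately weak config.
SAMPLE_CONFIG = """\
hostname Rooter
enable password Cisco
ip ssh version 2
aaa new-model
line vty 0 15
 transport input telnet ssh
"""

def parse_sections(config):
    """Split a config into global commands and per-'line' sub-mode blocks."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blanks and IOS comments
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())  # indented line belongs to current line block
        elif raw.startswith("line "):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections

def audit(config):
    """Return deviations from the baseline; an empty list means every check passed."""
    g, sections = parse_sections(config)
    has = lambda prefix: any(l.startswith(prefix) for l in g)
    findings = []
    if has("enable password "):
        findings.append("enable password present; use enable secret (hashed) instead")
    if not has("enable secret "):
        findings.append("no enable secret configured")
    if "service password-encryption" not in g:
        findings.append("service password-encryption missing")
    if "ip ssh version 2" not in g:
        findings.append("ip ssh version 2 missing")
    if not has("login block-for "):
        findings.append("login block-for missing (no brute-force throttling)")
    for name, lines in sections.items():
        if not name.startswith("line vty"):
            continue
        if "transport input ssh" not in lines:
            findings.append(f"{name}: transport input is not SSH-only")
        if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
            findings.append(f"{name}: no inbound access-class applied")
    return findings
```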
