Cisco Street Commands Pt 3

User Acess and Privilege

1. Everyone knows that cisco password 7 encryption is cryptographically weak and can be easily reversed within seconds. A good website to reverse the cisco password 7 would be

http://www.securitystats.com/tools/ciscocrack.php

To configure a strong nonreversible encryption of the priviledge password use the enable secret command in config t mode.

cisco#config t
cisco(config)#username cisco secret cisco
cisco(config)#end

Issue show running-config | grep secret to see the scramble alpha-numeric numbers.
You will see something like enable secret 5 hfnfTfgcni@#4$mf


2. To see all active users, issue the following commands
cisco#show users all
cisco#show users
cisco#who

If you see an asterisk * on the ultra left, it indicates that it is the current session. Of course there is finger command too, but its good to disable it.


3. Sending messages

Sending message to all active users:
cisco#send *


Sending a private message to a user logged onto a specific line, to check which line this user belong to, use the show users command.
cisco#send 12


Sending a private message to a user on the AUX port:
cisco#send aux 0


Sending a private message to a user on the console port, use the following command:
cisco#send console 0


Sending private message to a user on a specific VTY port:
Router1#send vty 4

Example would be:
cisco#send 12

hi, this is a test

Press enter upon confirmation and the message is sent.


4. Prevent your session from time outs.

cisco#config t
cisco(config)#line vty 0 7
cisco(config-line)#exec-timeout 0 0
cisco(config)#end

The exec-timeout 0 0 means do not expire at all. First 0 is min and second 0 is seconds.


5. You want to restrict access to which protocol can be used to access the cisco router VTY ports.

cisco#config t
cisco(config)#line vty 0 8
cisco(config-line)#transport input telnet
cisco(config-line)#exit
cisco(config)#end

What this command does is it disables unused protocol such as rlogin, ssh, nasi and some others and only restrict it to telnet. So only telnet into the VTY ports is possible.


6. Banners, banners, banners

Everyone knows what a banner is. Implementing a banner is one of the important step in good security practice. For instance, if someone manages to break into your router and gain root access, a strict banner would actually repel the hacker from doing anything malicious because legal action.

cisco#config t
cisco(config)#banner exec
cisco(config)#banner login
cisco(config)#banner motd
cisco(config)#end


7. Prevent all the VTY lines from being used up. This is especially useful in large environments where there are a lot of network administrators and all of them are using the VTY lines.

cisco#config t
cisco(config)#access-list 21 permit 192.168.1.1
cisco(config)#line vty 7
cisco(config-line)#access-class 21 in
cisco(config-line)#exit
cisco(config)#end

you can then issue show line vty 7 to see the vty stats.

8. Configuring ssh for the router. This is a must if you are doing remote configurations and monitoring. Disable telnet. Its bad..

cisco#config t
cisco(config)#hostname cisco
cisco(config)#ip domain-name cisco.com
cisco(config)#crypto key generate rsa

Enter 1024 for the rsa bits

cisco(config)#ip ssh time-out 60
cisco(config)#ip ssh authentication-retries 3
cisco(config)#end

This is the command to basically implement ssh on cisco routers. However, only IOS version 12.1(1)T onwards support this. So implement SSH now and disable telnet.

Issue show ssh and show ip ssh to see sessions ans stats.


9. Those who knows cisco priviledge level, yall know that level 15 is the highest for any user. With this level, you are a super user and can execute any commands. For a router that has many users, you would often want to limit certain commands to certain users. Only the senior engineers can have all the root priviledge and juniors are only restricted to some commands. Its like Unix, where only root can execute most of the commands, normal users would need to use the sudo command to actually execute as root.

cisco#config t
cisco(config)#aaa new-model
cisco(config)#aaa authentication login default local
cisco(config)#aaa authorization exec default local
cisco(config)#username cisco privilege 15 password cisco
cisco(config)#privilege exec level 11 show ssh
cisco(config)#privilege exec level 1 show users
cisco(config)#privilege exec level 1 show ver
cisco(config)#end

What this command actually does is it assigns privilege level 15(admin) access to user cisco. All user level below 11 cannot execute show ssh but can issue show users and show ver. You can determine your user level by issuing show privilege command.