Secure Administrative Access Part 2 of 2

Table of Contents
Disable Unattended Connections ... 3
Disable Unattended Connections ... 4
Encrypt All Passwords ... 5
Secure Virtual Logins ... 6
Disable Login for Excessive Attempts ... 7
Verify Login Security When in Quiet Mode ... 11
Verify Login Security When in Quiet Mode ... 12
Provide Legal Notification ... 13
Configuring Banner Messages ... 14
Protecting vty Line Access #1 ... 15
Protecting vty Line Access #2 ... 16
Protecting vty Line Access #3 ... 17
Configuring SSH ... 18
Optional SSH Features ... 21
Optional SSH Features ... 22
Optional SSH Commands ... 23
Configuring SSH Using CCP ... 24
Configuring SSH Using CCP ... 26
Privilege Levels ... 27
Privilege Levels ... 28
Router Privilege Levels Example ... 29
Page 1 of 37
• By default, an administrative interface stays active and logged in for 10 minutes after the last session activity.
– After that, the interface times out and logs out of the session.
• The timer can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used.
– exec-timeout minutes seconds
• Note:
– exec-timeout 0 0 means that there will be no timeout and the session will stay active for an unlimited time.
• Great for Labs …
• Bad in production networks!
• Never set the value to 0!
**013 By default, administrative interfaces stay active and logged in for 10 minutes. After 10 minutes they log out and you have to log back in again. And by adjusting the exec-timeout command you can change that. And exec-timeout goes per interface. In other words, it goes for the console port, and it goes separately for the VTY or the telnet ports. So if you want to you can have a different value for the console port than you have for SSH sessions. And if you do zero-zero, no minutes, no seconds, essentially all zeros is eternity. So if you do zero-zero then it never times out.
• Terminates an unattended connection (console or vty).
• Provides additional level of security if an administrator walks away from an active console session.
Router(config-line)# exec-timeout minutes [seconds]
– To terminate an unattended console connection after 3 minutes and 30 seconds:
Sudbury(config)# line console 0
Sudbury(config-line)# exec-timeout 3 30
– To disable the exec process on the line:
Sudbury(config)# line aux 0
Sudbury(config-line)# no exec-timeout
**014 So here they are applying it to line console zero, which is the console interface. Exec-timeout 3:30, or if you want to take it back, just say no exec-timeout.
• Encrypt all passwords in the router configuration file.
Router(config)# service password-encryption
R1(config)# service password-encryption
R1(config)# exit
R1# show running-config
enable password 7 06020026144A061E
!
line con 0
password 7 094F471A1A0A
login
!
line aux 0
password 7 01100F175804575D72
login
line vty 0 4
password 7 03095A0F034F38435B49150A1819
login
**015 Here's service password-encryption. If you see a password 7, 7 is the service password-encryption type, and that's the one that's not very secure.
• In this sample config, if more than 5 login failures occur within 60 seconds, then all logins will be disabled for 120 seconds.
– This command must be issued before any other login command can be used.
– The command also helps provide DoS detection and prevention.
• The PERMIT-ADMIN commands exempt administrative stations from the disabled login.
– If not configured, all login requests will be denied during the Quiet-Mode.
**018 VTY is the virtual terminal. So if I do VTY zero space 4, what's the zero space 4 mean? Student: Is it the range? Instructor: Yeah, it's the range. It means there are-- in a router there are five possible telnet sessions. In a switch there are 16 possible telnet sessions. So zero-four covers all five of the possible telnet sessions in a router. Login local means use the local database. If I don't put login local, it won't ask to use those user accounts we just created.
And then here's "login block-for 120 attempts 5 within 60." Anybody want to decipher that? Block-for 120 would mean what? Hundred and twenty minutes, two hours. Block for two hours if you have five bad attempts within a 60-minute interval. So you can make those numbers any numbers you want them to be. But there's a block-for which says, "How long do you want it to lock out?" And the attempts in this case is five. You can make it any number of attempts, and within any number of minutes. Then down here, right near the bottom, you see where it says login quiet mode? Login quiet mode access. Is it a good idea to have lockouts for when a system's getting-- someone's trying to compromise your system? Student: Yeah. Instructor: Let's turn that around. If I intentionally put five bad passwords in every 30 minutes, what happens? Student: I lock you out. Instructor: Right. Student: So if I run a DDOS and then I attack you that way, I can keep you from resetting your router. Instructor: Yep. Or if I just want to harass you and make it not possible for you to ever get into your router, I don't even have to change the configuration. All I would have to do is try every 30 minutes and I get you locked out forever. So what they did was they created this login quiet mode. Login quiet mode says you can log in during the quiet period or during the lockout. But when you log in during the lockout period, you can only log in from whatever this is, right? Access class permit admin. So, where did we set up permit admin? See, four lines up, when it says access list standard permit admin? What did we list below that? Student: Specific IP addresses. Instructor: Yep, two specific IP addresses: 192.168.10.10, 192.168.11.10. So the concept here is nobody can totally lock you out because once you throw this in, the login block for some period for some number of bad logins within some interval, even someone who tries to lock you out can't lock you out from whatever addresses you put in on the quiet mode. Sounds like you've used this already. Student: I've just seen it in practice. Someone's kind of-- it's not that unheard of a technique to go after someone's routers. Instructor: Mm-hmm. Go ahead. Student: Question: line vty 0 4. If you were to use that on a switch, if you're copying configs from somewhere, you don't entirely understand what you're doing, what would that do instead of putting in line vty 0 15? Instructor: It would apply all these rules to just the first five lines, first five attempts. If someone could make more than five concurrent attempts, and so I have more than concurrent sessions-- Student: If you have more than five open sessions and the fifth one-- Instructor: Then they get up to session six-- Student: It goes straight through, or would it not work at all? Instructor: It would depend on how you had the rest of them set. The default is that they would be looking for the local enable secret account, or enable account, to get logged on. So login delay 10, so if you make a bad password you have to wait seconds before you can log in again, or attempt to log in again. And login success and failure into your static logs for the system, or event logs.
• In this example, a 6th failed attempt at logging in has occurred.
– A log message is initiated at the console stating that the router is in Quiet-Mode.
– All login attempts made using Telnet, SSH, and HTTP are denied except as specified by the PERMIT-ADMIN ACL.
R1#
*Dec 10 15:38:54.455: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 12 secs, [user: admin] [Source: 10.10.10.10] [localport: 23] [Reason: Login Authentication Failed - BadUser] [ACL: PERMIT-ADMIN] at 15:38:54 UTC Wed Dec 10 2008
R1# show login
A login delay of 10 seconds is applied.
Quiet-Mode access list PERMIT-ADMIN is applied.
Router enabled to watch for login Attacks.
If more than 5 login failures occur in 60 seconds or less,
logins will be disabled for 120 seconds.
Router presently in Quiet-Mode.
Will remain in Quiet-Mode for 105 seconds.
Restricted logins filtered by applied ACL PERMIT-ADMIN.
R1#
**020 And this is what it looks like, right? That's an actual login tree up there. Still time left for watching 12 seconds, and authentication failed, etcetera.
• In this example, the command identifies the number of failures, usernames tried, and offending IP addresses with a timestamp added to each unsuccessful attempt.
R1# show login failures
Total failed logins: 22
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
admin 1.1.2.1 23 5 15:38:54 UTC Wed Dec 10 2011
Admin 10.10.10.10 23 13 15:58:43 UTC Wed Dec 10 2011
admin 10.10.10.10 23 3 15:57:14 UTC Wed Dec 10 2011
cisco 10.10.10.10 23 1 15:57:21 UTC Wed Dec 10 2011
R1#
**021 Show login failures. If you look at that, it says where they came from, what port they were working on, and the count of failures. L port 23, login port 23. What would that be? Student: Telnet. Student: Telnet. Instructor: Telnet, right. So they were trying to log in with telnet. If it said L port 22, then they'd be trying to log in with--? Student: SSH. Instructor: SSH. Yep.
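The lockout and quiet-mode behaviour the slides and discussion describe, as an added Python model (not Cisco code and not part of the course material): it applies "login block-for 120 attempts 5 within 60" with a PERMIT-ADMIN exemption for 192.168.10.10 and 192.168.11.10 to a constructed sequence of login attempts, so the sliding window, the sixth-failure trigger, the refusal of a correct password during quiet mode and the exempt administrative host can all be seen. The timestamps, hosts and attempt sequence are constructed; the trigger follows the slide's "more than 5 failures" wording.

```python
"""Model of the 'login block-for' / quiet-mode behaviour described above.

Constructed example for this page, not Cisco code.  Parameters follow the
slide and transcript: 'login block-for 120 attempts 5 within 60' and a
PERMIT-ADMIN quiet-mode ACL permitting 192.168.10.10 and 192.168.11.10.
Per the slide, quiet mode starts when MORE than 'attempts' failures fall
inside the window, i.e. on the 6th failure.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginWatcher:
    block_for: int = 120            # seconds spent in quiet mode
    attempts: int = 5               # failures tolerated inside the window
    within: int = 60                # sliding window, seconds
    permit_admin: frozenset = frozenset({"192.168.10.10", "192.168.11.10"})
    quiet_until: float = float("-inf")
    failures: deque = field(default_factory=deque)   # failure timestamps inside the window
    per_source: dict = field(default_factory=dict)   # (user, src) -> count, as in 'show login failures'

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def allowed(self, now, src):
        """During quiet mode only hosts matched by the quiet-mode ACL reach the login prompt."""
        return not self.in_quiet_mode(now) or src in self.permit_admin

    def record_failure(self, now, src, user):
        """Count a bad login; return True when this failure switches quiet mode on."""
        self.per_source[(user, src)] = self.per_source.get((user, src), 0) + 1
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()                  # drop failures older than the window
        if len(self.failures) > self.attempts:
            self.quiet_until = now + self.block_for  # where %SEC_LOGIN-1-QUIET_MODE_ON is logged
            self.failures.clear()
            return True
        return False


def replay(events, watcher=None):
    """Feed constructed (time, src, user, password_ok) attempts through the watcher."""
    w = watcher if watcher is not None else LoginWatcher()
    outcomes = []
    for t, src, user, ok in events:
        if not w.allowed(t, src):
            outcomes.append("denied-quiet-mode")   # refused before authentication
        elif ok:
            outcomes.append("success")
        elif w.record_failure(t, src, user):
            outcomes.append("quiet-mode-on")
        else:
            outcomes.append("failed")
    return outcomes


# Constructed sample: six bad passwords in 50 s from 10.10.10.10, after which
# even the correct password is refused from that host, while an exempted
# administrative station still gets in, and the lockout ends after 120 s.
SAMPLE = [(t, "10.10.10.10", "admin", False) for t in range(0, 60, 10)] + [
    (60, "10.10.10.10", "admin", True),     # locked out although the password is right
    (70, "192.168.10.10", "admin", True),   # PERMIT-ADMIN host bypasses quiet mode
    (180, "10.10.10.10", "admin", True),    # quiet mode ended at 50 + 120 = 170
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(event[0], event[1], outcome)
```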
• Specify that privacy should not be expected when using this system.
• Do not use the word “welcome.”
• Have legal department review the content of the message.
Router(config)# banner {exec | incoming | login | motd | slip-ppp} d message d
**023 So configuring banner messages. If you look, banner has all these possible messages in it. MOTD? Student: Message of the day. Instructor: Message of the day. Yep. Back when we thought this was a great place to put jokes or "Hi," but banner message of the day is always going to be there when you log in. It's the message of the day.
• By default, Cisco routers do NOT have any line-level passwords configured for vty lines.
– Passwords must be configured for all of the vty lines on the router.
– Remember that more vty lines can be added to the router.
• If password checking is enabled (i.e., the login command), a vty password must also be configured before attempting to access the router using Telnet.
– If a vty password is NOT configured and password checking is enabled for vty, an error message similar to the following will be produced:
Telnet 10.0.1.2
Trying 10.0.1.2 ….. open
Password required, but none set
[Connection to 10.0.1.2 closed by foreign host]
**024 So in this case-- when do you get this? Trying to open and it says password required or password not set, or password required but none set. Passwords have to be-- to make any kind of an SSH session or a telnet session work takes a couple of things. First you have to have it configured to work. Second is you have to have-- if you wanted to do enable mode, you have to have an enable password. You can go into the console and go into enable mode without a password. You cannot go in via telnet and go enable with no password.
• Telnet access should be limited only to specified administrative hosts using ACLs:
– Allows Telnet access from specific hosts only.
– Implicitly or explicitly blocks access from untrusted hosts.
– Tie the ACL to the vty lines using the access-class command.
• For example:
R1(config)# access-list 30 permit 10.0.1.1 0.0.0.0
R1(config)# line vty 0 4
R1(config-line)# access-class 30 in
**026 And you can make this up. Access list 30 permit 10.0.1.1 0.0.0.0. It says you can limit where people can log in from, where people can telnet in from or SSH in from. If you apply it to the VTY lines here, access class 30 in, and this was access list 30 and permitted addresses, then only people from those permitted addresses can attempt to do a VTY login. Because at the end of every access list, what's the last line of an access list? Deny any. So if I let in 10.0.1.1, and everything else is deny any, then I'm done with.
R1# conf t
R1(config)# ip domain-name span.com
R1(config)# crypto key generate rsa general-keys modulus 1024
The name for the keys will be: R1.span.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
*Dec 13 16:19:12.079: %SSH-5-ENABLED: SSH 1.99 has been enabled
R1(config)# username Bob secret cisco
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
**027 So, to do SSH you also have to have the domain name. So IP domain name, cisco.com, span.com. You can actually import certificates or you can generate the certificate locally. If you import the certificate then you won't get the warning banner saying this is a locally generated certificate, and you can actually make it part of your PKI. If you generate a local certificate, "crypto key generate rsa general-keys is mod" and then the mod length. Mod is modulus, which is how big is the key. This is a 1024-bit key.
Down here: username Bob secret cisco, vty 0 4, login local, transport input ssh means now I can-- I've got a username, I'm allowing VTYs to use the local database using SSH. What's the security flaw here? Is there a security flaw here? Student: Yeah, the password is too short. Because it's set for secret passwords, it can be cracked if it's under 10. Instructor: Okay, I'll take that. Another one is: What's the default SSH version that came up? Student: One nine-nine. Instructor: Right, so you have to do SSH version 2 to get it to SSH version 2. And one more that's a little harder to find. Student: 1024 is awfully small. You can do 2048. Instructor: Yeah, you could do 2048. You can also do 4096. There's one more. What level of account did we create? Username Bob. Doesn't have a privilege level, correct? Without a privilege level, what privilege level do they come in with? Students: Zero. Instructor: Zero. Which means if you're really using this to run the router system, not only does everybody have to know their own username, what else do they have to know? Student: Enable secret. Instructor: Enable secret. If you gave them privilege 15, they would automatically come in with a privileged account. They wouldn't have to know the enable secret password. They'd automatically come in at whatever level you told them to. That way the enable secret account doesn't have to be known by everybody. Because here, even if everybody logs in individually, everybody's sharing one enable secret account and one enable secret password.
• SSH Versions:
– Cisco IOS Release 12.1(1)T and later supports SSHv1.
– Cisco IOS Release 12.3(4)T and later supports both SSHv1 and SSHv2 (compatibility mode).
– To change versions, use the ip ssh version {1 | 2} global command.
• Number of authentication retries:
– By default, a user logging in has 3 attempts before being disconnected.
– To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command in global configuration mode.
• SSH Timeouts:
– The default time interval that the router will wait for an SSH client to respond during SSH negotiation phase is 120 seconds.
– Change the time using ip ssh time-out seconds.
**029 So you know, current versions of Cisco IOSs are versions 15.x, right? Which is interesting because what version was before 15? Student: Twelve? Instructor: Version 12. They actually skipped versions 13 and 14 because in different societies both 13 and 14 are unlucky. So it wasn't for a programming reason, it was for cultural reasons. Student: It was for sales. Instructor: For cultural reasons they skipped both 13 and 14. So when you see somebody going from 12 to 15, yes, that is the progression. There are no 13s, there are no 14s. Just for fun, right? Down here at the bottom, SSH timeouts, SSH timeout, timeout, then seconds. And here, IP SSH version 1 or 2. IP SSH authentication retries.
R1# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
R1#
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# ip ssh version 2
R1(config)# ip ssh authentication-retries 2
R1(config)# ip ssh time-out 60
R1(config)# ^Z
R1#
R1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 2
R1#
**030 And if you want to see, the show command is the universal command in Cisco for show, or seeing existing configuration. So if I do show ip ssh, it's going to show me everything about SSH. Version 1.99, 2-minute timeout, three retries. Go into config mode, SSH version 2, authentication retries 2, timeout 60 seconds.
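A small audit of a running-config for the settings covered so far (idle timeout, type 7 passwords, vty access-class and transport, SSH version, login block-for), as an added Python example rather than anything from the course or from Cisco. Both sample configs are constructed, with placeholders in place of real secrets, and the checks reflect only what the slides above describe; the "vty without transport input" default is treated as not SSH-only, which is an assumption.

```python
"""Audit a Cisco IOS running-config for the administrative-access settings
discussed above.  Added example for this page, not a Cisco tool; the two
configs below are constructed and use placeholders instead of real secrets.
"""
import re

WEAK_CONFIG = """\
enable password 7 06020026144A061E
username Bob secret cisco
!
line con 0
 exec-timeout 0 0
 password 7 094F471A1A0A
 login
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 <hash-placeholder>
username Bob privilege 15 secret <strong-secret-placeholder>
ip domain-name span.com
ip ssh version 2
login block-for 120 attempts 5 within 60
access-list 30 permit 10.0.1.1 0.0.0.0
!
line con 0
 exec-timeout 3 30
 login local
line vty 0 4
 exec-timeout 3 30
 access-class 30 in
 login local
 transport input ssh
"""


def parse(config):
    """Split into global statements and per-'line' blocks ({'vty 0 4': [...]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            current = None
        elif raw.startswith("line "):
            current = text[5:]
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(text)        # indented child of the current line block
        else:
            current = None
            globals_.append(text)
    return globals_, blocks


def audit(config):
    """Return a list of findings; an empty list means every check on this page passes."""
    g, blocks = parse(config)
    findings = []
    for stmt in g + [s for body in blocks.values() for s in body]:
        if re.search(r"\bpassword 7 ", stmt):   # type 7 is reversible, not a hash
            findings.append(f"'{stmt}': type 7 password, use 'secret' instead")
    if "ip ssh version 2" not in g:
        findings.append("no 'ip ssh version 2': router stays in SSH 1.99 compatibility mode")
    if not any(s.startswith("login block-for ") for s in g):
        findings.append("no 'login block-for': repeated failures never trigger quiet mode")
    for name, body in blocks.items():
        if "exec-timeout 0 0" in body:
            findings.append(f"line {name}: exec-timeout 0 0 disables the idle timeout")
        if name.startswith("vty"):
            if not any(s.startswith("access-class ") and s.endswith(" in") for s in body):
                findings.append(f"line {name}: no inbound access-class, any host may try to log in")
            transport = next((s for s in body if s.startswith("transport input ")), None)
            if transport != "transport input ssh":   # absent (assumed not SSH-only) or wider than SSH
                findings.append(f"line {name}: transport input not restricted to ssh ({transport})")
    return findings
```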
**031 What's this? It's a pretty GUI, right? You can actually download this, and if you download this you can configure your router using the GUI. There are some things where the GUI might actually be preferred. Relatively few. Some of the firewall settings are easier to do in-- or easier to understand and easier to generate through a GUI than they are through the command line because you may want the dashboard afterwards to see the results. If you use this, what are you doing? You're leaving HTTP or HTTPS-- hopefully HTTPS, right?-- open on the router. So if you're trying to enhance security and you're going to open up one more service, then you have to weigh that difference and say, "What do I do?" Right? You can take the HTTPS and limit it the same way we limited the telnet sessions. So you can write an access list that says, "Okay, I can use this, but only from certain IP addresses, or certain subnets." So this is just showing you the GUI way to do this, if you want to do it via GUI. So what they did was they went into router, access, SSH, and said "Generate RSA key."
• The needs of a network security operator may not be the same as those of a WAN engineer.
• Cisco routers allow configuration at various privilege levels for administrators.
– Different passwords can be configured to control who has access to the various privilege levels.
• There are 16 privilege levels.
– Levels 2 to 14 can be configured using the privilege global configuration command.
**033 Privilege levels, zero to 15. Two to 14 are non-defaults, because the defaults are zero and 15.
• Level 0:
– Predefined for user-level access privileges.
– Seldom used, but includes five commands: disable, enable, exit, help, and logout.
• Level 1 (User EXEC mode):
– The default level for login with the router prompt Router>.
– A user cannot make any changes or view the running configuration file.
• Levels 2–14:
– May be customized for user-level privileges.
– Commands from lower levels may be moved up to a higher level, or commands from higher levels may be moved down to a lower level.
• Level 15 (Privileged EXEC mode):
– Reserved for the enable mode privileges (enable command).
– Users can view and change all aspects of the configuration.
**034 So level 1 is user exec mode. Level zero is actually a predefined mode where all we can use is disable, enable, exit, help, logout. Two to 14 can be custom privileges. Fifteen is full exec. And what happens is mode commands have a privilege level tied to the command-- or for the five commands, privilege level zero, or privilege level 15. They're either at this end or that end. But what you can do--
• In this example, four user accounts were created.
– A USER account with normal Level 1 access.
– A SUPPORT account with Level 1 and ping command access.
– A JR-ADMIN account with the same privileges as the SUPPORT account plus access to the reload command.
– An ADMIN account which has all of the regular privileged EXEC commands.
**035 Or one of the things you can do, is you can go into here and say privilege execute level 5 for the ping command. That way if you create a user account with a privilege level of 5 or higher they can ping. People with privilege levels below 5 can't ping. Privilege level 10 and higher can hit the reload command. And then you create a user account. Here's an enable secret level 10. You can actually set multiple enable secrets at different levels. Or you can make a username with a privilege 10. If you get into that part of it and do it this way, then you can control it like this. This is not a scalable solution. This is a solution that works well for a small office. It's not going to work for somebody with 250 devices. There's a different solution for lots of devices. Because you don't want to have to manually set this for every place, and you don't want to have to manually create these usernames on 250 different devices. Even if you put them in a file and just cut and paste them in, you're still going to have to cut and paste 250 times. Not what you want to do. So when we get to triple-A we'll talk about another way to do this.
• The administrator tests the accounts and logs in as the Level 1 user.
– Usernames are not case-sensitive by default.
– Notice the prompt indicates Level 1 (R1>).
– The ping command which is typically available from Level 1 is no longer available.
User Access Verification
Username: user
Password: <cisco>
R1> show privilege
Current privilege level is 1
R1> ping 10.10.10.1
    ^
% Invalid input detected at '^' marker.
R1>
**036 So, user, show privilege, and it'll show you your privilege level.
• No access control to specific interfaces, ports, logical interfaces, and slots on a router.
• Commands available at lower privilege levels are always executable at higher levels.
• Commands specifically set on a higher privilege level are not available for lower privileged users.
• Assigning a command with multiple keywords to a specific privilege level also assigns all commands associated with the first keywords to the same privilege level.
– An example is the show ip route command.
• If an administrator needs to create a user account that has access to most but not all commands, privilege exec statements must be configured for every command that must be executed at a privilege level lower than 15.
– This can be a tedious process.
**040 Privilege level limitations. No access control to specific interfaces, ports, logical interfaces and slots. So I can't tell you that you can have privileges on the inside interface but not on the outside interface. Doesn't work. And I can't tell you if-- if I give you privilege level 5, I can't tell you that you get 5 but not levels 4, 3, 2 and 1. Once you get 5, you get 5 and below. So there's no skipping numbers in there. What you can do is the reverse. You can take privilege levels and just raise them up above 5 so that the guy that has 5 doesn't get the ones you don't want him to have that are below 5.
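The four-account example and the limitations above, as an added Python model (not Cisco code and not part of the course): it implements the privilege-level rules as the slides state them, including the first-keyword side effect of assigning show ip route, and shows why "once you get 5, you get 5 and below". The level-5 ping and level-10 reload assignments follow the instructor's description; the level-15 defaults for configure and show running-config are assumed from the Level 1 and Level 15 descriptions.

```python
"""Model of IOS privilege-level command resolution, as described above.

Added example, not Cisco code.  It implements the rules the slides state:
a command runs at its assigned level or higher, unassigned commands are
user EXEC (level 1), and assigning a multi-keyword command also assigns its
leading keywords ('show', 'show ip') to the same level.
"""

# Level 0 holds only the five predefined commands; configuration and the
# running-config view are privileged EXEC (level 15) by default (assumed).
DEFAULT_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "configure": 15, "show running-config": 15,
}


class PrivilegeModel:
    def __init__(self):
        self.cmd_level = dict(DEFAULT_LEVELS)   # command prefix -> minimum level
        self.users = {}                          # username (lower-case) -> level

    def privilege_exec_level(self, level, command):
        """'privilege exec level <level> <command>' in global configuration."""
        words = command.split()
        for n in range(1, len(words) + 1):       # 'show ip route' also sets 'show', 'show ip'
            self.cmd_level[" ".join(words[:n])] = level

    def username(self, name, privilege=1):
        """'username <name> privilege <n> secret ...'; names are not case-sensitive."""
        self.users[name.lower()] = privilege

    def required_level(self, command):
        """Longest explicitly assigned prefix decides; otherwise level 1."""
        words = command.split()
        for n in range(len(words), 0, -1):
            level = self.cmd_level.get(" ".join(words[:n]))
            if level is not None:
                return level
        return 1

    def can_run(self, user, command):
        """Commands at lower levels are always executable at higher levels (no skipping)."""
        return self.users[user.lower()] >= self.required_level(command)


def build_example():
    """The four-account example from the slide: USER, SUPPORT (ping),
    JR-ADMIN (ping + reload) and ADMIN (all privileged EXEC commands)."""
    m = PrivilegeModel()
    m.privilege_exec_level(5, "ping")       # per the transcript: level 5 and up can ping
    m.privilege_exec_level(10, "reload")    # level 10 and up can reload
    m.username("USER", 1)
    m.username("SUPPORT", 5)
    m.username("JR-ADMIN", 10)
    m.username("ADMIN", 15)
    return m


if __name__ == "__main__":
    model = build_example()
    for who in ("user", "support", "jr-admin", "admin"):
        allowed = [c for c in ("ping 10.10.10.1", "reload", "configure terminal")
                   if model.can_run(who, c)]
        print(f"{who:9s} -> {allowed}")
```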
• Privilege levels and enable mode passwords do not provide the necessary level of detail needed when working with Cisco IOS routers and switches.
• The Role-Based CLI Access feature allows the administrator to define “views”.
– Views are a set of operational commands and configuration capabilities that provide selective or partial access to Cisco IOS EXEC and configuration mode commands.
– Views restrict user access to Cisco IOS CLI and configuration information; that is, a view can define what commands are accepted and what configuration information is visible.
**041 Privilege levels and enable mode passwords don't provide the necessary level of detail. You can also do something called views. So we'll talk about views in a minute.