Cisco Security Basics

Hi,

Here are the basics for setting up a Cisco router:

Thanks to Neuromancer & Data Plumber for pointing out the initial commands and helping me with this blog. To get into configuration mode, these are the initial commands to enter on the router:

Router>enable
Router#configure terminal
Router(config)#

You are now ready to start entering commands to configure the system. The following are probably the most common, and those necessary to configure a working router.
Enable password encryption (so that passwords in the config are obscured rather than sitting in clear text for any chancer to read):

Router(config)#service password-encryption

Set the enable secret (the privileged-mode password, stored as a one-way hash and therefore the stronger option):

Router(config)#enable secret password

Set the enable password (the older, weaker form of privileged-mode authentication; only used when no enable secret is configured):

Router(config)#enable password password

Enable console password authentication:

Router(config)#line console 0
Router(config-line)#password password
Router(config-line)#login
Router(config-line)#exit

Enable virtual terminal password authentication (for the five available virtual terminal lines, vty 0 to 4):

Router(config)#line vty 0 4
Router(config-line)#password password
Router(config-line)#login
Router(config-line)#exit

Set the hostname of your Router:

Router(config)#hostname Cisco1
Cisco1(config)#

Set the banner displayed when someone connects to the router:

Cisco1(config)#banner motd # Authorised access only #

If, like me, your router has too little memory to hold a newer IOS image, you can do one of two things: a) buy a memory upgrade (from eBay), as I have now done, or b) store your newly purchased IOS image on a TFTP server and load it from there at boot time.

Cisco1(config)#boot system tftp 2500-io-l.122-5.bin 192.168.0.100

Breaking that last command down: the first word tells the router to treat this as a boot directive, the second says we are booting a system image, and the third says the image comes from a remote TFTP server (which must sit on a network reachable through one of the configured interfaces). Note that this is the IOS image, not the configuration file; the configuration is stored separately in NVRAM and is loaded into RAM during the bootstrap. Next comes the image filename, which depends entirely on your hardware and the version you bought, and last is the address of the TFTP server. That's it, and it just saved £30 on a memory upgrade.

So now you have your system quite nice and customised to your liking – you better save it!

Cisco1(config)#end // you can also hit CTRL-Z
Cisco1#copy running-config startup-config

Hmm, I wonder which version of software I am running and how much memory I have.

Cisco1#show version
Cisco1#show flash

Configuring the RIP routing protocol, so that the router can route between two networks. In this example we are connecting networks 192.168.0.0 and 172.16.0.0.

Cisco1#conf t
Cisco1(config)#router rip
Cisco1(config-router)#network 192.168.0.0
Cisco1(config-router)#network 172.16.0.0
Cisco1(config-router)#end
Cisco1#copy run start
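As an added example (not from the original post), here is a small Python audit that reads a saved running-config and flags the weak spots the commands above can leave behind: no enable secret, a legacy enable password, type 7 line passwords (which are reversible, as the comments below note), lines with no login, and an IOS image pulled over unauthenticated TFTP. The sample config is constructed and the type 7 hex values are placeholders.

```python
# Constructed sample running-config (not from the original post); it mirrors the
# commands above. "password 7 ..." is the form service password-encryption stores;
# the hex value here is a placeholder, not a real encoded password.
SAMPLE_CONFIG = """\
service password-encryption
hostname Cisco1
enable password 7 0123456789ABCDEF
boot system tftp 2500-io-l.122-5.bin 192.168.0.100
line con 0
 password 7 0123456789ABCDEF
 login
line vty 0 4
 password 7 0123456789ABCDEF
"""

def parse_blocks(config):
    # Group indented sub-commands under their parent "line ..." command.
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if raw.startswith(" "):
            if current:
                blocks[current].append(cmd)
        elif cmd:
            top.append(cmd)
            current = cmd if cmd.startswith("line ") else None
            if current:
                blocks[current] = []
    return top, blocks

def audit(config):
    # Findings for the weak settings the commands in this post can leave behind.
    top, blocks = parse_blocks(config)
    findings = []
    if "service password-encryption" not in top:
        findings.append("service password-encryption off: line passwords stored in clear text")
    if not any(c.startswith("enable secret ") for c in top):
        findings.append("no enable secret: privileged mode not protected by a one-way hash")
    if any(c.startswith("enable password ") for c in top):
        findings.append("enable password set: type 7 or clear text, reversible by anyone holding the config")
    if any(c.startswith("boot system tftp ") for c in top):
        findings.append("boot system tftp: IOS image fetched over unauthenticated TFTP at every boot")
    for name, subs in blocks.items():
        if not any(s == "login" or s.startswith("login ") for s in subs):
            findings.append(f"{name}: no login, so the line prompts for no password")
        if any(s.startswith("password 7 ") for s in subs):
            findings.append(f"{name}: type 7 password, reversible with public tools")
    return findings
```

Run audit(SAMPLE_CONFIG) and the sample above yields six findings; a config with service password-encryption, an enable secret and vty lines using login comes back clean.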


3 thoughts on “Cisco Security Basics”

  1. Useful stuff – if I remember when I get into work tomorrow, I’ll post some of my favourite standard config statements up too.

    Just a couple of comments:

    To turn on password encryption, the command (in config mode) is “service password-encryption”

    You don’t want to rely on password-encryption though, because if someone gets hold of your running or startup config they can easily decrypt the password using one of the commonly available tools on the net. Have a look at the following website:

    http://users.skynet.be/glu/ciscopw.htm

    When you get there, paste in this encrypted password and hit the “Decrypt” button to reveal all:

    14341B180F0B187875212766

    Instead, you’re better off using “enable secret”. I’ve no idea what the cryptographic algorithm used with this is, but it is apparently non-reversible (so they tell me…)


  2. Just remembered something I wrote up last year:

    Imagine: You type “conf t” hundreds of times a day, but how many times does it come out as “cofn t”? Frustrating huh?

    How about when you type “itn fa0/1”? (Or is it just me whose right hand is out of sync with his left?)

    To side-step these things, use Cisco IOS aliases. Instead of typing “conf t” you’ll be able to type just “c” – aliases remove the potential for error.

    Have a look at this posting for more info – I paste some of these into every router I configure:
    http://dataplumber.wordpress.com/2006/11/10/cisco-ios-aliases/

