Friday, April 2, 2010


Before a switch or router will allow Telnet access, you have to set up some passwords. For a Telnet session to enter Privileged Mode at all, an enable password must be configured (IOS refuses with "% No password set" otherwise), and the one to use is enable secret.
The first thing you want to protect is Privileged Mode. To do that, turn on enable secret from Global Configuration Mode:
enable secret cisco

To move back to User Mode from Privileged Mode, type:
disable
There are two kinds of enable passwords. The first is enable secret, shown above. The second is:
enable password cisco

Enable password is legacy and should not be used anymore; it is only kept for backward compatibility with old configurations, and it is stored in the configuration either in clear text or as a reversible Type 7 string. Enable secret stores a salted one-way hash of the password instead (Type 5, MD5-based; newer IOS releases, 15.3 and later, also offer the stronger Type 8 and Type 9 hashes through enable algorithm-type).

The enable secret supersedes the enable password if both are in the configuration. If you copy a configuration from "show run", paste it in from Global Configuration Mode; the secret appears there as its hash, so it pastes back correctly. To remove the enable password, use:
no enable password

Remember that if you hit a space after typing your password, the space counts as part of the password. This is a common mistake made by people who use context-sensitive help (?) after typing the password: IOS redisplays the command with the trailing space, and pressing Enter then stores "cisco " rather than "cisco".

To protect User Mode on the console port, set a password on the console line and turn on password checking with login:
line con 0
password cisco
login

The login line is what actually makes the line ask for a password; the password command by itself only stores one. A common misconception is that "no login" would prevent any login. Instead, it disables password checking, so a user is dropped straight into User Mode without logging in at all.

To set a password for Telnet, do the same on the virtual terminal lines:
line vty 0 4
password cisco
login

Many platforms have more than five VTY lines (0 to 15 is common); check with show line and protect every one of them, because an unprotected VTY line is still reachable.

VTY historically stands for Virtual Teletype. In Linux, a console is known as a TTY, which simply means Teletype; the same root appears in names like getty and PuTTY. VTY is short for VTTY, Virtual Teletype. "Teletype" is a legacy term, though, and today VTY is usually expanded as Virtual Terminal. Both are correct.

By default, enable passwords and line (vty and con) passwords are shown in clear text in the running configuration. To hide them, enable the password encryption service:
service password-encryption

This service protects against shoulder surfing and nothing more. It obfuscates the passwords with what Cisco calls "Type 7 encryption": a fixed XOR key stream that is publicly known, so any "password 7" string can be reversed instantly, including by the many web-based Cisco password crackers a search for "Cisco Password Cracker" will turn up. Treat Type 7 strings in a configuration as plaintext. Enable secret (Type 5) is a real one-way hash and is not affected by this setting.

Do not put "Welcome" in a login banner: a banner that reads as an invitation can undermine an unauthorized-access case against an intruder, so banners should state that access is restricted and monitored. There are several banners you can create, all set from Global Configuration. The two most common are motd and login. The motd banner is displayed first, on every connection (console or VTY), and the login banner is displayed right after it, before the password prompt; the exec banner is shown only after a successful login.

To set a message-of-the-day banner from Global Configuration, type banner motd followed by a delimiter character that does not appear in the message, then the text, then the delimiter again:
banner motd $
Unauthorized access to this device is prohibited and monitored.
$

SSH stands for Secure Shell and is meant to replace Telnet. Everything in a Telnet session, including passwords, is sent in clear text, so anyone sniffing the network can read it. SSH uses asymmetric (public-key) cryptography to authenticate the device and set up an encrypted session, so you need to generate an RSA key pair on the device (a key pair, not a certificate). The key is named after the device's hostname and domain name, so set the domain name from Global Configuration first:
ip domain-name syraxius.ath.cx

Then create the RSA key pair:
crypto key generate rsa modulus 2048

If you leave the modulus off, IOS prompts for the size. Do not pick a small one: SSH version 2 requires at least 768 bits, and anything under 2048 is weak today. Next, force SSH version 2, since version 1 has known protocol weaknesses:
ip ssh version 2

Go into your VTY lines, make them authenticate against the local user database, and allow only SSH as the transport (this also shuts off Telnet on those lines):
line vty 0 4
login local
transport input ssh

Finally, create the user accounts that the VTY lines will check. Use secret rather than password so the credential is stored as a hash:
username cisco secret cisco
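Two points above matter most in practice: a "password 7" string is plaintext for all intents and purposes, and a configuration is only hardened if every line has login and the VTY lines accept SSH only. Both can be checked mechanically. The following Python script is an added example for this post, not Cisco code and not part of the original: it implements the Type 7 reversal using Cisco's publicly known fixed key stream and audits a show-run text for the weak settings discussed on this page. The two configurations inside it are constructed for the example, the hash in the hardened one is a placeholder, the function names are mine, and the domain name is the one used above.

```python
import re

# Cisco's fixed Type 7 key stream. It is publicly known, which is why
# "service password-encryption" only protects against shoulder surfing.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """Reverse a 'password 7' string: the first two decimal digits are an
    offset into the key stream, the rest is the password XORed with the
    key stream byte by byte, written in hex."""
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain, seed=9):
    """Produce a 'password 7' string; XOR is symmetric, so the loop is the same."""
    if not 0 <= seed <= 99:
        raise ValueError("seed must fit in two decimal digits")
    data = plain.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return "%02d%s" % (seed, out.hex().upper())


def parse_sections(config):
    """Split show-run text into global commands and per-'line' sub-commands
    (sub-commands are the indented lines following a 'line ...' command)."""
    global_cmds, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
            continue
        cmd = raw.strip()
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            sections[current] = []
        else:
            global_cmds.append(cmd)
    return global_cmds, sections


TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})$")


def audit_config(config):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    global_cmds, sections = parse_sections(config)
    if not any(c.startswith("enable secret ") for c in global_cmds):
        findings.append("no 'enable secret': Privileged Mode is not protected by a hash")
    if "ip ssh version 2" not in global_cmds:
        findings.append("'ip ssh version 2' not set: SSHv1 may be accepted")
    for c in global_cmds:
        if c.startswith("enable password "):
            findings.append("legacy 'enable password' is configured")
        if c.startswith("username ") and " password " in c:
            findings.append("username %s uses 'password' instead of 'secret'" % c.split()[1])
        if c.startswith("banner ") and "welcome" in c.lower():
            findings.append("banner contains 'Welcome'")
    for name, body in sections.items():
        if not any(b == "login" or b.startswith("login ") for b in body):
            findings.append("%s: no 'login', so no password is ever asked for" % name)
        if name.startswith("line vty"):
            transport = [b for b in body if b.startswith("transport input ")]
            if not transport or transport[-1] != "transport input ssh":
                findings.append("%s: transport input is not restricted to ssh" % name)
    all_cmds = global_cmds + [b for body in sections.values() for b in body]
    for c in all_cmds:
        m = TYPE7_RE.search(c)
        if m:  # Type 7 is reversible, so report the recovered password itself
            findings.append("Type 7 string %s decodes to %r"
                            % (m.group(1), type7_decode(m.group(1))))
    return findings


# Constructed sample: every weak setting from the post in one config.
WEAK_CONFIG = """\
service password-encryption
hostname r1
enable password 7 094F471A1A0A
username admin password 7 094F471A1A0A
banner motd $Welcome to r1$
line con 0
 password 7 094F471A1A0A
 login
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet ssh
"""

# Constructed sample of the hardened result; the Type 5 hashes are placeholders.
HARDENED_CONFIG = """\
hostname r1
ip domain-name syraxius.ath.cx
ip ssh version 2
enable secret 5 $1$XXXX$placeholder.hash.for.example
username admin secret 5 $1$XXXX$placeholder.hash.for.example
banner motd $Unauthorized access is prohibited and monitored$
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Running the script prints eleven findings for the weak configuration (including the recovered password "cisco" for all four Type 7 strings) and an empty list for the hardened one. The parser only understands the "line" sections and flat global commands, which is all these checks need; a real show-run also contains interface and AAA sections that it simply ignores.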
