Mark Yeates Fri, 09/19/2008 - 10:54

Amin,


Here is a guide to help you harden your router by disabling some unneeded services and locking down access. You can prevent password recovery by issuing the "no service password-recovery" command. You can also use SDM or the AutoSecure feature in IOS to assist with device hardening.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


HTH,

Mark

Istvan_Rabai Sat, 09/20/2008 - 00:18

Hi Mark,


Though what you are suggesting may be right, generally (and hopefully) no unauthorized personnel can get physical access to the routers, so there is no way for them to get into ROMMON mode and recover the password.


The "no service password-recovery" command effectively disables access to ROMMON mode.


The drawback of this is that if you really forgot the router password, there is no way for you to recover it. In addition, you will not have the possibility to recover corrupted IOS images on flash without access to ROMMON mode.


So I would suggest taking exceptional care when using this command.


I suppose Amin is asking for a way to avoid password recovery by unauthorized persons.


Another solution for this may be using "service password-encryption" and "enable secret" commands.


"enable secret" creates an MD5 hash of the secret in which case the original secret is deemed unrecoverable.


Though the "service password-encryption" command applies a Vigenère cipher to the other passwords, which is not very hard to break, it protects against someone reading a password over your shoulder.


To have access to these passwords encrypted by the "service password-encryption" command, someone must first have the appropriate privilege-level access to the router. And that can be hardened very well.


So I would recommend this solution prior to using the "no service password-recovery" command.


Cheers:

Istvan
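As an added example that is not part of Istvan's post: the following Python decodes and encodes Cisco IOS "type 7" strings, the reversible scheme that "service password-encryption" produces, and classifies credential lines from a running-config so the difference from a type 5 "enable secret" hash is visible. The sample config lines are constructed; the type 5 string is a placeholder of the right shape, not a real hash.

```python
# Added example (not from the original thread). Cisco IOS "type 7" strings are
# what `service password-encryption` produces: a fixed-key XOR (Vigenere-style)
# that reverses in a few lines, unlike the one-way MD5 hash that `enable secret`
# and `username ... secret` store as type 5.
from typing import Optional, Tuple

# Fixed 53-byte key IOS uses for type 7 encoding.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext of a type 7 string, e.g. '094F471A1A0A' -> 'cisco'.

    The first two characters are a decimal offset (00..15) into the key; each
    following hex byte is XORed with successive key bytes from that offset.
    """
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("type 7 string must be a 2-digit seed plus hex byte pairs")
    seed = int(encoded[:2], 10)
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00..15")
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 9) -> str:
    """Encode a password the way IOS does; IOS picks the seed, here the caller does."""
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 0..15")
    data = plain.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def classify_credential(config_line: str) -> Tuple[str, Optional[str]]:
    """Classify one running-config line carrying a credential.

    Returns (kind, recovered_plaintext). Type 7 and plaintext credentials are
    recovered; a type 5 (MD5-crypt) secret yields None because it is one-way.
    """
    tokens = config_line.split()
    if "secret" in tokens:
        rest = tokens[tokens.index("secret") + 1:]
        if len(rest) >= 2 and rest[0] == "5":
            return ("type5-md5-hash", None)
        # 'secret 0 <plain>' or 'secret <plain>' is hashed on commit; show as entered.
        return ("secret-plain-input", rest[-1] if rest else None)
    if "password" in tokens:
        rest = tokens[tokens.index("password") + 1:]
        if len(rest) >= 2 and rest[0] == "7":
            return ("type7-reversible", type7_decode(rest[1]))
        if len(rest) >= 2 and rest[0] == "0":
            return ("plaintext", rest[1])
        if rest:
            return ("plaintext", rest[0])
    return ("no-credential", None)


# Constructed sample lines in `show running-config` style. The type 5 string is
# a placeholder of the right shape, not a real hash of any password.
SAMPLE_LINES = [
    "enable secret 5 $1$ab12$placeholderplaceholder",
    "enable password 7 094F471A1A0A",
    "username ops password 7 0822455D0A16",
    " password cisco",
    "ip address 192.0.2.1 255.255.255.0",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        kind, recovered = classify_credential(line)
        print(f"{line.strip():45} -> {kind}" + (f" ({recovered!r})" if recovered else ""))
```

Running it shows both type 7 samples decoding to "cisco" while the type 5 line yields nothing, which is the practical gap between the two commands Istvan describes: "service password-encryption" stops shoulder-surfing, "enable secret" stops offline recovery from a copied config.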




Danilo Dy Sat, 09/20/2008 - 04:23

I agree with Istvan regarding "no service password-recovery". We can harden Cisco IOS as much as we can, but we have to assess the impact; some of the commands could be dangerous :)


For user account and enable password, I recommend the following commands.



!
service password-encryption
!
username <name> secret <password>
!
no enable password
enable secret <password>
!
service tcp-keepalives-in
service tcp-keepalives-out


The above user and enable passwords will be hard to decrypt (or not at all), as they use MD5. One of the IOS improvements is the use of MD5 to encrypt the user password, which traditionally used a Vigenère cipher that is easy to decrypt.


Access to the router should be limited to a few source IP addresses from the internal network. Also use SSH.

paul.matthews Sat, 09/20/2008 - 06:51

They have a point. I would avoid the "no service password-recovery" command if I could. If someone has physical access to your network kit so that they could perform a password recovery, I would rather expect that instead of doing that, they may well just eBay it!


SSH should be the norm on newly installed kit rather than Telnet, and SSH and SNMP should be protected by access lists.


Anything that can be passworded should be - HSRP, GLBP, VTP, OSPF etc.


I like the use of TACACS/RADIUS to secure access. It centralises passwords, so regular password changes are simpler than having to log into (or script) every device to change the passwords. Either also makes it easier to enforce stronger passwords.


Shoot anyone that types:

line con 0

exec-timeout 0 0


into a router - that means no timeout on the console, and thus the risk of the console being left in enable mode.


If you have multiple levels of support, consider adjusting the privilege levels of commands; that way first line can shut/no shut an interface, for example, but not configure OSPF.
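Pulling the thread's recommendations together, here is an added Python example (not code posted by any of the participants) that audits a running-config for the settings discussed: "enable secret" versus "enable password", "service password-encryption", "username ... secret", "exec-timeout 0 0", telnet on the vty lines, and access-lists on the vty lines and SNMP communities. Both configs are constructed samples; the type 5 strings are placeholders, and the check treats a vty with no explicit "transport input" as still accepting telnet, which is an assumption about the platform default.

```python
# Added example, not posted by any participant in the thread. Audits a Cisco
# IOS running-config (plain text) for the hardening items discussed above and
# returns one finding string per weakness found.
from typing import Dict, List

# Constructed sample: a config with the weak settings the thread warns about.
WEAK_CONFIG = """\
version 12.4
no service password-encryption
enable password letmein
username ops password 7 0822455D0A16
snmp-server community public RO
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
 password cisco
 login
"""

# Constructed sample: the same device after applying the thread's advice.
# The type 5 strings are placeholders of the right shape, not real hashes.
HARDENED_CONFIG = """\
version 12.4
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no enable password
enable secret 5 $1$ab12$placeholderplaceholder
username ops secret 5 $1$cd34$placeholderplaceholder
access-list 10 permit 10.0.0.0 0.0.0.255
snmp-server community s3cr3t RO 10
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
 login local
"""


def _sections(config: str) -> Dict[str, List[str]]:
    """Group indented child commands under their parent; key '' holds every top-level line."""
    sections: Dict[str, List[str]] = {"": []}
    parent = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " ":
            sections.setdefault(parent, []).append(raw.strip())
        else:
            parent = raw.strip()
            sections[""].append(parent)
    return sections


def audit_config(config: str) -> List[str]:
    """Return findings for the weaknesses discussed in the thread (empty list = clean)."""
    sections = _sections(config)
    top = sections[""]
    findings: List[str] = []

    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in top):
        findings.append("'enable password' present: replace with 'enable secret' and 'no enable password'")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' not enabled: line and username passwords stored in clear")
    for l in top:
        if l.startswith("username ") and " password " in l:
            findings.append(f"'{l.split()[1]}' uses 'username ... password'; use 'username ... secret' (MD5)")
        if l.startswith("snmp-server community ") and l.split()[-1].upper() in ("RO", "RW"):
            # The mode is the last token, so no access-list number/name follows it.
            findings.append(f"SNMP community '{l.split()[2]}' has no access-list")
    for parent, children in sections.items():
        if not parent.startswith("line "):
            continue
        if "exec-timeout 0 0" in children:
            findings.append(f"{parent}: 'exec-timeout 0 0' disables the idle timeout")
        if parent.startswith("line vty"):
            transports = [c for c in children if c.startswith("transport input")]
            # Assumption: a vty with no explicit 'transport input' still accepts telnet.
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{parent}: telnet accepted; set 'transport input ssh'")
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"{parent}: no 'access-class' limiting source addresses")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak sample produces eight findings and the hardened one none. Feed it the output of "show running-config" from a real device to get the same list; the routing-protocol and HSRP/GLBP/VTP authentication Paul mentions is not covered here and would need per-protocol checks.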
