How to disable recovery procedure on a router for security reasons

Answered Question
Oct 29th, 2002

I want to disable the password recovery procedure on a Cisco router (i.e., if I leave a router "alone", the users can't do the recovery procedure with the break character at startup). Is there a rommon configuration or a jumper?


Thanks in advance.


Correct Answer
deilert Tue, 10/29/2002 - 08:14

There is an undocumented command 'no service password-recovery'
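As an added example (not part of the thread and not Cisco's code), this Python script audits saved running-config text for the `no service password-recovery` line named in the answer above. It assumes the command appears as an unindented global line when set and is absent when the default applies; the function names and sample configs are constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread).
SAMPLE_CONFIGS = {
    "R1": "hostname R1\n!\nno service password-recovery\n!\nline con 0\n exec-timeout 5 0\n",
    # R2 only mentions the command inside a banner body, which must not count.
    "R2": "hostname R2\n!\nbanner motd ^C\nTODO for admins:\n"
          "no service password-recovery\nis not applied yet\n^C\n!\nline con 0\n",
    # R3 has the command commented out.
    "R3": "hostname R3\n! no service password-recovery\nline con 0\n",
}

def global_commands(config_text):
    """Yield unindented commands, skipping comments, sub-mode lines and banner bodies."""
    delim = None
    for line in config_text.splitlines():
        if delim is not None:                  # inside a multi-line banner
            if delim in line:                  # closing delimiter reached
                delim = None
            continue
        m = re.match(r"banner\s+\S+\s+(\^C|\S)(.*)", line)
        if m:
            if m.group(1) not in m.group(2):   # banner continues on later lines
                delim = m.group(1)
            continue
        if not line.strip() or line.startswith("!") or line[0].isspace():
            continue
        yield line.rstrip()

def recovery_disabled(config_text):
    """True if the config contains the global 'no service password-recovery' line."""
    return any(re.fullmatch(r"no\s+service\s+password-recovery", cmd)
               for cmd in global_commands(config_text))

def audit(configs):
    """Return device names whose config lacks the command.

    Assumption: absence of the line means the default behaviour is in effect.
    """
    return sorted(name for name, text in configs.items()
                  if not recovery_disabled(text))

if __name__ == "__main__":
    for name in audit(SAMPLE_CONFIGS):
        print(f"{name}: 'no service password-recovery' not set")
```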

kosterbrink Fri, 11/14/2003 - 02:13

Since IOS 12.3 the 'no service password-recovery' command is no longer undocumented. It's official now.


Does someone know in which IOS the undocumented 'no service password-recovery' command was integrated first?


Thanks,

Kai

I do not believe that there is any way to do this. The best that you can try is to change the console baud rate in rom-monitor, but this is just obfuscation. The only way that I can see to accomplish this is to fill the console port with epoxy or unsolder the console and aux ports from the board. NB: I strongly recommend against any of the above procedures. If people have physical access to the router, you will always be at risk. If someone has physical access, they can sniff traffic off the Ethernet, install a V.35 / FDDI / whatever splitter and sniff WAN traffic, or they could just walk off with the whole device. Your time and effort would be better served securing access to the space where the device is.

scottmac Tue, 10/29/2002 - 12:43

Warran has nailed it.


Without physical security, anything else is just part of the delay loop.


(IMHO)


Scott


omar598 Wed, 12/10/2003 - 11:51

I totally agree,

We have started locking all of our gear in secure cabinets. Until recently only about half of our gear was secure, so any kid/person who knew enough to read a few PDFs could have access to our entire network. Lock them down...
