Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4827
Views
0
Helpful
0
Comments

Securing Terminal Line

athukral
Level 1
Level 1

‎12-06-2011 12:33 AM - edited ‎03-08-2019 06:43 PM

[toc:faq]

Introduction

This document explains the way of Securing Terminal Line.

Prerequisites

Router running Security Feature set.

Description:

One biggest security risk on Cisco-based network is the VTY lines of routers and switches. These lines are used for remote access (via telnet, by default) and are suseptible to brute force password attacks. Below mentioned are few simple steps you can follow to ensure your security at VTV lines.

1.) Enabling username / password based authentication: There are many solutions for authentication ranging from the incredibly complicated to the exceptionally simple. Here you can see the easiest way to enable username / password authentication.

First, you will enable username / password authentication. For this example, we'll use the local user database and only create one user, tiger.

aaa.png

The first line turns on the new authentication model. The second line sets the default authentication mechanism to the "local" database — that's the list of users you are going to be entering by hand. The final line adds a user called 'tiger' with password '11ercghu!#nj045'. The password is hashed inside the configuration.

2.) Restricting VTY line access with an access-list: Once you've defined a list of management addresses, you should apply the list to your VTY lines in order to prevent requests from unwanted IP addresses for connection.

Brute force password attacks attempts happen on network devices all day every day. All it takes is one weak password for your device to be compromised. If we lock out all machines that should not be attempting to access the system, we've done a great deal to prevent maliciousness.

We'll use an access-list to define a block of IPs that should be allowed to access our Cisco router (or IOS-based Catalyst switch) and then apply it to our virtual terminal (VTY) lines.

acl.png

We are using a standard access-list rather than an extended access-list because we are not concerned with matching sources and destinations. We have allowed the first 16 consecutive IPs from 172.16.9.0 through 172.16.9.15. By way of example, we'll assume these are the IP addresses of the hosts used by our network administrators. A single host at 172.16.9.99 is also permitted to access the system. A monitoring server, perhaps. Finally, we deny access by all other hosts.

acl 1.png

3.)  Use SSH-enabled version of IOS: telnet traffic is sent clear text or unencrypted and represents a major security risk on the network. Even if your devices are behind a firewall, you are still exposing your telnet and enable passwords to your internal network. Using telnet should be avoided.

Once we've installed an SSH-enabled version of IOS, the SSH server will start automatically once you generate the encryption keys with the command mentioned below:

crypto key generate rsa

You need to apply the access-list to the VTY lines and force users to use SSH as shown below:

ssh.png

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents