
MOP RC (Maintenance Operation Protocol -Remote Console) function enabled

So I just had a white hat security finding on my external router. It appeared to be low in the findings and I am unsure if this protocol is even used any more. My router is a Cisco 3825 running IOS 12.3(11r)T2. This is what they reported:

One or more Cisco routers have the MOP RC (Maintenance Operation Protocol -Remote Console) function enabled, which is a poor security practice. MOP enables personnel on the local network, or a remote network that is bridged to the local network, to obtain access to a remote console on the router if they possess credentials for the device. This is significant because access to router management is usually protected by IP-based ACLs. As a Layer 2 protocol, MOP allows for the circumvention of this type of ACL, making brute force login attempts possible if account lockout is not enabled. If account lockout is enabled, such attempts could result in a denial of service due to user accounts being locked out.

 

Is fixing this as easy as just running the no mop enabled command in the interface like this article suggests? http://blogs.cisco.com/security/router_spring_cleaning_-_no_mop_required/

2 REPLIES


Hello

Nice article

FYI - I do apply no mop enabled to all my L3 interfaces, learned from my CCIE studies, but I wasn't aware this is still an open protocol in the IOS 15 train though!

 

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.

Ya, it was a great, easy-to-read article on a feature you should turn off. Still, I wonder how many master hackers try to hack that. DECnet, who knew, right?

 

Do you apply no mop enabled on the interface or the subinterface? Also, I should only need to apply it to the interface facing the "internet", right?
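
Added example, not part of the thread or any Cisco tooling: a small Python audit that reads saved "show running-config" text and lists the physical Ethernet interfaces that do not carry no mop enabled. It assumes MOP is on by default for Ethernet interfaces, so a stanza without that line counts as a finding; the sample config and the function names are constructed for illustration, and subinterfaces are skipped because the thread does not settle whether the command applies there.

```python
import re

# Constructed sample of "show running-config" output (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
!
interface FastEthernet0/2
 shutdown
!
interface Serial0/0/0
!
"""

ETHERNET = re.compile(r"^(?:TenGigabit|Gigabit|Fast)?Ethernet", re.IGNORECASE)

def parse_interfaces(config):
    """Return {interface name: [stripped stanza lines]} from IOS config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def mop_findings(config):
    """List (name, is_shutdown) for physical Ethernet ports lacking 'no mop enabled'."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not ETHERNET.match(name) or "." in name:
            continue  # assumption: non-Ethernet ports and subinterfaces are skipped
        if "no mop enabled" not in lines:
            findings.append((name, "shutdown" in lines))
    return findings

if __name__ == "__main__":
    for name, is_shut in mop_findings(SAMPLE_CONFIG):
        print(f"{name}: MOP not disabled ({'admin down' if is_shut else 'active'})")
```

The check is not limited to the Internet-facing port, since the reported finding concerns anyone on the local or a bridged Layer 2 segment.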
