First you should define some RULES for password definitions. For example - Minimal Password Length:
(config)#security passwords min-length 7
Make users wait for 1 minute if they fail to log in 3 times within a minute, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <- BLOCK LOGINS FOR 60 s AFTER 3 FAILED ATTEMPTS WITHIN 60 s
(config)#security authentication failure rate 3 log <- LOG FAILED ATTEMPTS
To set up a PRIVILEGED EXEC mode password that uses MD5 hashing:
(config)#enable secret level 15 0 Cisco07
*TIP: If your password contains "?", press "ESC+Q" before you type the "?" sign, otherwise IOS treats it as the help key.
To define a USERNAME and assign it an MD5-hashed password:
(config)#username cisqueros secret 0 Cisco07
(config)#do sh run | i username
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/
The "no service password-recovery" feature is a security enhancement that prevents anyone with console access from getting into the router configuration and clearing the password. If you want to use it, make sure the configuration register is 0x2102:
#sh ver | i register
Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default)
More about Configuration Register Values:
Then apply the command. *This command is HIDDEN, so "?" will not display it! IOS will also WARN you:
(config)#no service password-recovery
WARNING: Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:
!!! Don't forget to configure both the CONSOLE port (line con 0) and, as a backup solution, the AUXILIARY port (line aux 0).
You should automatically DISCONNECT these sessions (CON & AUX) after a period of inactivity:
(config-line)#session-timeout 5 <- DISCONNECT OUTGOING SESSION IF NO INPUT FOR 5 MINUTES (VALUE IS IN MINUTES)
(config-line)#exec-timeout 5 0 <- TERMINATE CONSOLE EXEC SESSION IF NO INPUT FOR 5 MINUTES 0 SECONDS
If you have more than one administrator and you want to limit them to certain commands, use "privilege exec" and define the Privilege Level 9 commands:
(config)#privilege exec level 9 show interfaces <- BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute
Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local <- AUTHENTICATE CONSOLE LOGINS AGAINST THE LOCAL "username ... secret" DATABASE
To disable showing WHO IS CURRENTLY LOGGED INTO the device:
(config)#no ip finger
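To check that a box actually carries the settings above, here is an added example (my own audit script, not something from the post or from Cisco) that runs over constructed "show running-config" and "show version" text. It checks the global commands (min-length, login block-for, failure-rate logging, MD5 enable secret, no service password-recovery, no ip finger), goes one step beyond the post by checking exec-timeout and login local on every line block (con, aux and vty), and decodes the configuration register bits that matter before disabling password recovery (boot field, 0x40 ignore-NVRAM, 0x100 ignore-break, 0x2000 boot-ROM-on-failure). The sample config text, SAMPLE_RUN and SAMPLE_VER, is constructed for the demo, and the function names are mine.

```python
import re

# Constructed sample output (NOT captured from a real device). The username and hash are the
# post's own example; the line blocks are filled in so every audit branch is exercised.
SAMPLE_RUN = """\
security passwords min-length 7
security authentication failure rate 3 log
login block-for 60 attempts 3 within 60
no service password-recovery
enable secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/
privilege exec level 9 show interfaces
no ip finger
line con 0
 session-timeout 5
 exec-timeout 5 0
 login local
line aux 0
 login local
line vty 0 4
 exec-timeout 0 0
 login local
end
"""
SAMPLE_VER = "Configuration register is 0x2102\n"  # constructed 'show version' fragment


def parse_line_blocks(cfg):
    """Map each 'line ...' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command (or 'end') closes the block
    return blocks


def audit_global(cfg, min_length=7):
    """Check the global hardening commands from the post; return a list of findings."""
    findings = []
    m = re.search(r"^security passwords min-length (\d+)$", cfg, re.M)
    if not m or int(m.group(1)) < min_length:
        findings.append(f"password min-length not set or below {min_length}")
    if not re.search(r"^login block-for \d+ attempts \d+ within \d+$", cfg, re.M):
        findings.append("login block-for (brute-force throttling) not configured")
    if not re.search(r"^security authentication failure rate \d+ log$", cfg, re.M):
        findings.append("authentication failure rate logging not configured")
    # A hashed enable secret shows up as type 5 (MD5, $1$...) in the running-config
    if not re.search(r"^enable secret (?:level \d+ )?5 \$1\$", cfg, re.M):
        findings.append("enable secret (MD5) not set")
    for m in re.finditer(r"^username (\S+) password ", cfg, re.M):
        findings.append(f"user {m.group(1)} uses 'password' (reversible) instead of 'secret'")
    if not re.search(r"^no service password-recovery$", cfg, re.M):
        findings.append("service password-recovery still enabled")
    if not re.search(r"^no ip finger$", cfg, re.M):
        findings.append("ip finger not disabled")
    return findings


def audit_lines(cfg, idle_minutes=5):
    """Check every line block (con, aux, vty) for local login and a sane exec-timeout."""
    findings = []
    for name, cmds in parse_line_blocks(cfg).items():
        if "login local" not in cmds:
            findings.append(f"{name}: not using the local user database (login local)")
        timeout = None  # exec-timeout is 'minutes [seconds]'; normalise to seconds
        for c in cmds:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
            if m:
                timeout = int(m.group(1)) * 60 + int(m.group(2) or 0)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set (IOS default is 10 minutes)")
        elif timeout == 0:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
        elif timeout > idle_minutes * 60:
            findings.append(f"{name}: exec-timeout of {timeout}s exceeds {idle_minutes} minutes")
    return findings


def decode_config_register(show_ver):
    """Decode the configuration register bits relevant to password recovery."""
    m = re.search(r"Configuration register (?:is )?0x([0-9A-Fa-f]+)", show_ver)
    if not m:
        return None
    value = int(m.group(1), 16)
    return {
        "value": value,
        "boot_field": value & 0xF,              # 0x2..0xF: autoboot from flash/NVRAM
        "ignore_nvram": bool(value & 0x0040),   # set in 0x2142, the password-recovery register
        "ignore_break": bool(value & 0x0100),
        "boot_rom_if_netboot_fails": bool(value & 0x2000),
    }


def audit_config_register(show_ver):
    """'no service password-recovery' assumes the router autoboots and reads NVRAM."""
    reg = decode_config_register(show_ver)
    if reg is None:
        return ["configuration register not found in show version output"]
    findings = []
    if reg["boot_field"] < 2:
        findings.append(f"config register 0x{reg['value']:04X}: boot field {reg['boot_field']} does not autoboot")
    if reg["ignore_nvram"]:
        findings.append(f"config register 0x{reg['value']:04X}: ignore-NVRAM bit set (0x40)")
    return findings


if __name__ == "__main__":
    for f in audit_global(SAMPLE_RUN) + audit_lines(SAMPLE_RUN) + audit_config_register(SAMPLE_VER):
        print("FINDING:", f)
```

On the sample above the global checks pass, line con 0 is clean, line aux 0 is flagged for relying on the 10-minute default, and line vty 0 4 is flagged because "exec-timeout 0 0" switches the idle timeout off entirely. Feeding it the 0x2142 register used during password recovery flags the ignore-NVRAM bit, which is exactly the state you do not want when you turn off password recovery.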