Router Security - Best Practices

First you should define some RULES for the password definitions. For example - Minimal Password Lenght:
(config)#security passwords min-length 7

Permit users to have to wait for 1 minute if they attempt to log in for 3 times, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <- ALLOW 3 ATTEMPTS WITHIN 1 MINUTE
(config)#security authentication failure rate 3 log <- LOG FAILED ATTEMPTS

To set up a PRIVILEGE mode password, that used an MD5 hashing:
(config)#enable secret level 15 0 Cisco07
*TIP: If your password contains "?", you need to press "ESC+Q" before you enter the "?" sign.

To define the USERNAME and assign it a MD5 Hash Password:
(config)#username cisqueros secret 0 Cisco07
(config)#do sh run | i username
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/

No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:
#sh ver | i register
Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default)
More about Configuration Register Values:

The apply the command. *This command is HIDDEN, so the "?" will not display it! You will also be WARNED by IOS:
(config)#no service password-recovery
WARNING: Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:

!!!Don´t forget to configure both - CONSOLE Port (line con 0) and AUXILIARY Port as a backup solution (line aux 0)
You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity:
(config-line)#session-timeout 300 <-DISCONNECT IF NO INPUT FOR 5 MINUTES

If you have more then one administrator, and you want to limit them to a certain commands, use "privilege EXEC", and define the Privilege Level 9 commands:
(config)#privilege exec level 9 show interfaces <- BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute

Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local

To disable showing WHO IS CURRENTLU LOGGED INTO the device:
(config)#no ip finger

Most Popular Posts