First you should define some RULES for the password definitions. For example - Minimal Password Lenght:
(config)#security passwords min-length 7
Permit users to have to wait for 1 minute if they attempt to log in for 3 times, and LOG it:
(config)#login block-for 60 attempts 3 within 60 <- ALLOW 3 ATTEMPTS WITHIN 1 MINUTE
(config)#security authentication failure rate 3 log <- LOG FAILED ATTEMPTS
To set up a PRIVILEGE mode password, that used an MD5 hashing:
(config)#enable secret level 15 0 Cisco07
*TIP: If your password contains "?", you need to press "ESC+Q" before you enter the "?" sign.
To define the USERNAME and assign it a MD5 Hash Password:
(config)#username cisqueros secret 0 Cisco07
(config)#do sh run | i username
username cisqueros secret 5 $1$YyRE$V60bOcwZ7ZK0LMusIVnhs/
No Service Password-Recovery feature is a security enhancement to prevent anyone with console access from accessing the router configuration and clearing the password. If you want to do this, make sure the Conf.Register is 0x2102:
#sh ver | i register
Configuration register 0x2102 (Ignores break, Boots into ROM if initial boot fails, 9600 console baud rate default)
More about Configuration Register Values:
http://www.cisco.com/en/US/products/hw/routers/ps133/products_tech_note09186a008022493f.shtml
The apply the command. *This command is HIDDEN, so the "?" will not display it! You will also be WARNED by IOS:
(config)#no service password-recovery
WARNING: Executing this command will disable password recovery mechanism.
Do not execute this command without another plan for password recovery.
Are you sure you want to continue? [yes/no]:
!!!Don´t forget to configure both - CONSOLE Port (line con 0) and AUXILIARY Port as a backup solution (line aux 0)
You should automatically DISCONNECT these sessions (CON & AUX) after some time of inactivity:
(config-line)#session-timeout 300 <-DISCONNECT IF NO INPUT FOR 5 MINUTES
(config-line)#exit-timeout 300 <-TERMINATE CONSOLE CONNECTION IF NO INPUT FOR 5 MINUTES
If you have more then one administrator, and you want to limit them to a certain commands, use "privilege EXEC", and define the Privilege Level 9 commands:
(config)#privilege exec level 9 show interfaces <- BOTH "SHOW" AND "SHOW INT" WILL APPEAR IN "SHOW RUN"
(config)#privilege exec level 9 ping
(config)#privilege exec level 9 traceroute
Be sure to apply the usage of the local user database on the CONSOLE PORT:
(config)#line con 0
(config-line)#login local
To disable showing WHO IS CURRENTLU LOGGED INTO the device:
(config)#no ip finger
Subscribe to:
Post Comments (Atom)
Most Popular Posts
-
Before we start, lets once again make sure we fully understand what Bridge Domain is. The bridge domain can be compared to a giant distribut...
-
Ever since Cisco bought Insieme and created Cisco ACI, and VMware bought Nicira and created NSX, I've been intensively deep-diving and b...
-
[In collaboration with the guest blogger, Marc Espinosa ] Let's start with the messaging protocols, MQTT and CoAP, and consider which ...
-
By know you should know the following facts about ACI: Cisco Nexus 9k Switches make the ACI Fabric, which is the Control and the Data pla...
-
Get ready to have your mind blown. One of the easiest procedures I've encountered. You just need to follow these 3 steps, to migrate the...
-
The VM-Series firewall for VMware NSX is jointly developed by Palo Alto Networks and VMware. NetX APIs are used to integrate the Palo Alto N...
-
Google has made their Cloud Platform (GCP) so that you can host your application any way your business requires. When we talk about the ...
-
First time we “unpack” ACI, we will find a certain number of potential Spine and potential Leaf switches, and hopefully 3 (or 5) APIC Contro...
-
Narbik Topology for web-iou Disclaimer: I DON’T OWN NOR HAVE AN ACCESS TO THE TOPOLOGY, INITIAL CONFIGS, IOU/IOL BINARIES OR ANY OTHER ...
-
Before I get into the Python for NX-OS, let me explain a few concepts that I've seen Network Engineers have been struggling with. Dev...
No comments:
Post a Comment