Administrative Configurations
Even though the following sections aren’t critical to making a router or
switch work on a network, they’re still really important. I’m going to
guide you through configuring specific commands that are particularly
helpful when administering your network.
You can configure the following administrative functions on a router and
switch:
Hostnames
Banners
Passwords
Interface descriptions
Remember, none of these will make your routers or switches work better
or faster, but trust me, your life will be a whole lot better if you just take
the time to set these configurations on each of your network devices. This
is because doing so makes troubleshooting and maintaining your network
a great deal easier—seriously! In this next section, I’ll be demonstrating
commands on a Cisco switch, but understand that these commands are
used in the exact same way on a Cisco router.
Hostnames
We use the hostname command to set the identity of the router and switch. This is only locally significant, meaning it doesn’t affect how the router or switch performs name lookups or how the device actually works on the internetwork. But the hostname is still important in routers because it’s often used for authentication in many wide area networks (WANs). Here’s an example:
Switch#config t
Switch(config)#hostname Todd
Todd(config)#hostname Chicago
Chicago(config)#hostname Todd
Todd(config)#
I know it’s pretty tempting to configure the hostname after your own
name, but it’s usually a much better idea to name the device something
that relates to its physical location. A name that maps to where the device
lives will make finding it a whole lot easier, which among other things,
confirms that you’re actually configuring the correct device. Even though
it seems like I’m completely ditching my own advice by naming mine
Todd, I’m not, because this particular device really does live in “Todd’s”
office. Its name perfectly maps to where it is, so it won’t be confused with
those in the other networks I work with!
Banners
A very good reason for having a banner is to give any and all who dare
attempt to telnet or sneak into your internetwork a little security notice.
And they’re very cool because you can create and customize them so that
they’ll greet anyone who shows up on the router with exactly the
information you want them to have!
Here are the three types of banners you need to be sure you’re familiar
with:
Exec process creation banner
Login banner
Message of the day banner
And you can see them all illustrated in the following code:
Todd(config)#banner ?
LINE c banner-text c, where 'c' is a delimiting character
exec Set EXEC process creation banner
incoming Set incoming terminal line banner
login Set login banner
motd Set Message of the Day banner
prompt-timeout Set Message for login authentication timeout
slip-ppp Set Message for SLIP/PPP
Message of the day (MOTD) banners are the most widely used banners
because they give a message to anyone connecting to the router via Telnet
or an auxiliary port or even through a console port as seen here:
Todd(config)#banner motd ?
LINE c banner-text c, where 'c' is a delimiting character
Todd(config)#banner motd #
Enter TEXT message. End with the character '#'.
$ Acme.com network, then you must disconnect immediately.
#
Todd(config)#^Z (Press the control key + z keys to return to privileged mode)
Todd#exit
con0 is now available
Press RETURN to get started.
If you are not authorized to be in Acme.com network, then you must disconnect immediately.
Todd#
This MOTD banner essentially tells anyone connecting to the device to
get lost if they’re not on the guest list. The part to focus upon here is the
delimiting character, which is what informs the router the message is
done. Clearly, you can use any character you want for it except for the
delimiting character in the message itself. Once the message is complete,
press Enter, then the delimiting character, and then press Enter again.
Everything will still work if you don’t follow this routine unless you have
more than one banner. If that’s the case, make sure you do follow it or
your banners will all be combined into one message and put on a single
line!
You can set a banner on one line like this:
Todd(config)#banner motd x Unauthorized access prohibited! x
Let’s take a minute to go into more detail about the other two types of
banners I mentioned:
Exec banner You can configure a line-activation (exec) banner to be
displayed when EXEC processes such as a line activation or an incoming
connection to a VTY line have been created. Simply initiating a user exec
session through a console port will activate the exec banner.
Login banner You can configure a login banner for display on all connected terminals. It will show up after the MOTD banner but before the login prompts. This login banner can’t be disabled on a per-line basis, so to globally disable it you’ve got to delete it with the no banner login command.
Here’s what a login banner output looks like:
!
banner login ^C
———————————————————————————————————————————————————————————————————————————
Cisco Router and Security Device Manager (SDM) is installed on this
device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password
have a privilege level of 15.
Please change these publicly known initial credentials using
SDM or the IOS CLI.
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and
password you want to use.
For more information about SDM please follow the instructions
in the QUICK START GUIDE for your router or go to
www.cisco.com/go/sdm
————————————————————————————————————————————————————————————————————————————–
^C
!
The previous login banner should look pretty familiar to anyone who’s
ever logged into an ISR router because it’s the banner Cisco has in the
default configuration for its ISR routers.
Remember that the login banner is displayed before the login
prompts and after the MOTD banner.
Setting Passwords
There are five passwords you’ll need to secure your Cisco routers:
console, auxiliary, telnet/SSH (VTY), enable password, and enable secret.
The enable secret and enable password are the ones used to set the password for securing privileged mode. Once the enable commands are set, users will be prompted for a password. The other three are used to configure a password when user mode is accessed through the console port, through the auxiliary port, or via Telnet.
Let’s take a look at each of these now.
Enable Passwords
You set the enable passwords from global configuration mode like this:
Todd(config)#enable ?
last-resort Define enable action if no TACACS servers respond
password Assign the privileged level password
secret Assign the privileged level secret
use-tacacs Use TACACS to check enable passwords
The following list describes the enable password parameters:
last-resort This allows you to still enter the device if you set up authentication through a TACACS server and it’s not available. It won’t be used if the TACACS server is working.
password This sets the enable password on older, pre-10.3 systems and isn’t ever used if an enable secret is set.
secret The newer, encrypted password that overrides the enable password if it has been set.
use-tacacs This tells the router or switch to authenticate through a TACACS server. It comes in really handy when you have lots of routers because changing the password on a multitude of them can be insanely tedious. It’s much easier to simply go through the TACACS server and change the password only once!
Here’s an example that shows how to set the enable passwords:
Todd(config)#enable secret todd
Todd(config)#enable password todd
The enable password you have chosen is the same as your enable secret. This is not recommended. Re-enter the enable password.
If you try to set the enable secret and enable passwords the same, the device will give you a polite warning to change the second password. Make a note to yourself that if there aren’t any old legacy routers involved, don’t even bother to use the enable password!
User-mode passwords are assigned via the line command like this:
Todd(config)#line ?
<0-16> First Line number
console Primary terminal line
vty Virtual terminal
And these two lines are especially important for the exam objectives:
console Sets a console user-mode password.
vty Sets a Telnet password on the device. If this password isn’t set, then by default, Telnet can’t be used.
To configure user-mode passwords, choose the line you want and configure it using the login command to make the switch prompt for authentication. Let’s focus in on the configuration of individual lines now.
Console Password
We set the console password with the line console 0 command, but look at what happened when I tried to type line console ? from the (config-line)# prompt—I received an error! Here’s the example:
Todd(config-line)#line console ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line console ?
<0-0> First Line number
Todd(config)#line console 0
Todd(config-line)#password console
Todd(config-line)#login
You can still type line console 0 and that will be accepted, but the help screens just don’t work from that prompt. Type exit to go back one level, and you’ll find that your help screens now work. This is a “feature.” Really.
Because there’s only one console port, I can only choose line console 0.
You can set all your line passwords to the same password, but doing this
isn’t exactly a brilliant security move!
And it’s also important to remember to apply the login command or the console port won’t prompt for authentication. The way Cisco has this process set up means you can’t set the login command before a password is set on a line because if you set it but don’t then set a password, that line won’t be usable. You’ll actually get prompted for a password that doesn’t exist, so Cisco’s method isn’t just a hassle; it makes sense and is a feature after all!
Definitely remember that although Cisco has this “password
feature” on its routers starting with IOS 12.2 and above, it’s not
included in older IOSs.
Okay, there are a few other important commands you need to know
regarding the console port.
For one, the exec-timeout 0 0 command sets the time-out for the console EXEC session to zero, ensuring that it never times out. The default time-out is 10 minutes.
If you’re feeling mischievous, try this on people at work: Set the exec-timeout command to 0 1. This will make the console time out in 1 second, and to fix it, you have to continually press the down arrow key while changing the time-out time with your free hand!
Logging synchronous is such a cool command that it should be a default, but it’s not. It’s great because it’s the antidote for those annoying console messages that disrupt the input you’re trying to type. The messages will still pop up, but at least you get returned to your device prompt without your input being interrupted! This makes your input messages oh-so-much easier to read!
Here’s an example of how to configure both commands:
Todd(config-line)#line con 0
Todd(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Todd(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Todd(config-line)#exec-timeout 0 0
Todd(config-line)#logging synchronous
You can set the console to go from never timing out (0 0) to
timing out in 35,791 minutes and 2,147,483 seconds. Remember that
the default is 10 minutes.
Telnet Password
To set the user-mode password for Telnet access into the router or switch, use the line vty command. IOS switches typically have 16 lines, but routers running the Enterprise edition have considerably more. The best way to find out how many lines you have is to use that handy question mark like this:
Todd(config-line)#line vty 0 ?
% Unrecognized command
Todd(config-line)#exit
Todd(config)#line vty 0 ?
<1-15> Last Line number
Todd(config)#line vty 0 15
Todd(config-line)#password telnet
Todd(config-line)#login
This output clearly shows that you cannot get help from your (config-line)# prompt. You must go back to global config mode in order to use the question mark (?).
So what will happen if you try to telnet into a device that doesn’t have a
VTY password set? You’ll receive an error saying the connection has been
refused because the password isn’t set. So, if you telnet into a switch and
receive a message like this one that I got from Switch B
Todd#telnet SwitchB
Trying SwitchB (10.0.0.1)…Open
Password required, but none set
[Connection to SwitchB closed by foreign host]
Todd#
it means the switch doesn’t have the VTY password set. But you can still get around this and tell the switch to allow Telnet connections without a password by using the no login command:
SwitchB(config-line)#line vty 0 15
SwitchB(config-line)#no login
I definitely do not recommend using the no login command to allow Telnet connections without a password, unless you’re in a testing or classroom environment. In a production network, always set your VTY password!
After your IOS devices are configured with an IP address, you can use the Telnet program to configure and check your routers instead of having to use a console cable. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco). I’ll cover all things Telnet more thoroughly in Chapter 7, “Managing a Cisco Internetwork.”
Auxiliary Password
To configure the auxiliary password on a router, go into global configuration mode and type line aux ?. And by the way, you won’t find these ports on a switch. This output shows that you only get a choice of 0–0, which is because there’s only one port:
Todd#config t
Todd(config)#line aux ?
<0-0> First Line number
Todd(config)#line aux 0
Todd(config-line)#login
% Login disabled on line 1, until 'password' is set
Todd(config-line)#password aux
Todd(config-line)#login
Setting Up Secure Shell (SSH)
I strongly recommend using Secure Shell (SSH) instead of Telnet because
it creates a more secure session. The Telnet application uses an
unencrypted data stream, but SSH uses encryption keys to send data so
your username and password aren’t sent in the clear, vulnerable to
anyone lurking around!
Here are the steps for setting up SSH:
1. Set your hostname:
Router(config)#hostname Todd
2. Set the domain name—both the hostname and domain name are required for the encryption keys to be generated:
Todd(config)#ip domain-name Lammle.com
3. Set the username to allow SSH client access:
Todd(config)#username Todd password Lammle
4. Generate the encryption keys for securing the session:
Todd(config)#crypto key generate rsa
The name for the keys will be: Todd.Lammle.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus Greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 6 seconds)
Todd(config)#
1d14h: %SSH-5-ENABLED: SSH 1.99 has been enabled*June 24 19:25:30.035: %SSH-5-ENABLED: SSH 1.99 has been enabled
5. Enable SSH version 2 on the device—not mandatory, but strongly suggested:
Todd(config)#ip ssh version 2
6. Connect to the VTY lines of the switch or router:
Todd(config)#line vty 0 15
7. Tell the lines to use the local database for password:
Todd(config-line)#login local
8. Configure your access protocols:
Todd(config-line)#transport input ?
all All protocols
none No protocols
ssh TCP/IP SSH protocol
telnet TCP/IP Telnet protocol
Beware of this next line, and make sure you never use it in production
because it’s a horrendous security risk:
Todd(config-line)#transport input all
I recommend using the next line to secure your VTY lines with SSH:
Todd(config-line)#transport input ssh ?
telnet TCP/IP Telnet protocol
I actually do use Telnet once in a while when a situation arises that
specifically calls for it. It just doesn’t happen very often. But if you want
to go with Telnet, here’s how you do that:
Todd(config-line)#transport input ssh telnet
Know that if you don’t use the keyword telnet at the end of the command string, then only SSH will work on the device. You can go with either, just so long as you understand that SSH is way more secure than Telnet.
Encrypting Your Passwords
Because only the enable secret password is encrypted by default, you’ll
need to manually configure the user-mode and enable passwords for
encryption.
Notice that you can see all the passwords except the enable secret when performing a show running-config on a switch:
Todd#sh running-config
Building configuration...
Current configuration : 1020 bytes
!
! Last configuration change at 00:03:11 UTC Mon Mar 1 1993
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Todd
!
enable secret 4 ykw.3/tgsOuy9.6qmgG/EeYOYgBvfX4v.S8UNA9Rddg
enable password todd
!
[output cut]
!
line con 0
password console
login
line vty 0 4
password telnet
login
line vty 5 15
password telnet
login
!
end
To manually encrypt your passwords, use the service password-encryption command. Here’s how:
Todd#config t
Todd(config)#service password-encryption
Todd(config)#exit
Todd#show run
Building configuration...
!
!
enable secret 4 ykw.3/tgsOuy9.6qmgG/EeYOYgBvfX4v.S8UNA9Rddg
enable password 7 1506040800
!
[output cut]
!
!
line con 0
password 7 050809013243420C
login
line vty 0 4
password 7 06120A2D424B1D
login
line vty 5 15
password 7 06120A2D424B1D
login
!
end
Todd#config t
Todd(config)#no service password-encryption
Todd(config)#^Z
Todd#
Nicely done—the passwords will now be encrypted. All you need to do is encrypt the passwords, perform a show run, then turn off the command if you want. This output clearly shows us that the enable password and the line passwords are all encrypted.
Before we move on to find out how to set descriptions on your interfaces, I want to stress some points about password encryption. As I said, if you set your passwords and then turn on the service password-encryption command, you have to perform a show running-config before you turn off the encryption service or your passwords won’t be encrypted. You don’t have to turn off the encryption service at all—you’d only do that if your switch is running low on processes. And if you turn on the service before you set your passwords, then you don’t even have to view them to have them encrypted.
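The settings this chapter warns about (no login on a line, transport input all or telnet, a cleartext enable password, service password-encryption left off, exec-timeout 0 0) are easy to audit from a saved running-config. The following script is an added example, not from the book or from Cisco; it parses a constructed running-config modelled on the listings above (the enable secret hash is a placeholder) and reports each weak setting it finds. Note that the type 7 encoding produced by service password-encryption is reversible obfuscation, so the audit flags it too.

```python
import re

# Constructed sample running-config, modelled on the listings in this section;
# the enable secret hash is a placeholder, not a real device value.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 PLACEHOLDER_HASH
enable password todd
line con 0
 password console
 exec-timeout 0 0
 login
line aux 0
 no login
line vty 0 4
 password telnet
 login
 transport input all
line vty 5 15
 password 7 06120A2D424B1D
 login local
 transport input ssh
"""

def audit_config(config: str) -> list:
    """Flag the weak settings this section warns about; returns a list of findings."""
    findings, sections, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):                 # start of a line (con/aux/vty) block
            current, sections[cmd] = cmd, []
        elif raw.startswith(" ") and current:       # indented sub-command of that block
            sections[current].append(cmd)
        else:                                       # global command
            current = None
            if cmd == "no service password-encryption":
                findings.append("global: line passwords stored in clear text")
            elif cmd.startswith("enable password "):
                findings.append("global: legacy enable password present")
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("global: no enable secret configured")
    for name, cmds in sections.items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"{name}: no login (no authentication)")
        elif "login" in cmds and not has_pw:
            findings.append(f"{name}: login set but no password (line disabled)")
        if any(c.startswith("password 7 ") for c in cmds):
            findings.append(f"{name}: type 7 password (reversible obfuscation)")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 (session never expires)")
        for c in cmds:
            if c.startswith("transport input") and {"all", "telnet"} & set(c.split()):
                findings.append(f"{name}: {c} (cleartext Telnet allowed)")
    return findings
```

Feed it the output of show running-config saved to a file and compare the findings against the recommendations above (enable secret only, login local with transport input ssh on the VTY lines, a password and login on con 0 and aux 0).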