Friday, 3 January 2014

Secure Your Cisco: Enable Secret

Enable Secret


This is the most basic step for securing the management plane on your Cisco router and possibly the most simple. Out of the box, you can type "enable" at an exec prompt and you will be elevated to the all powerful priveliged exec shell. Unfortunately, so will anybody else who logs in. What you need to do is put a password on there. It's not a great idea to use the "enable password" command, because it doesn't encrypt it for you. Using "enable secret" uses MD5, which isn't the most secure but it's better than plain test in your running config.

To put the enable secret, you'll need to type "enable" to enter privileged exec mode, and type "config t" (short for configure terminal). Then type "enable secret 15 0 yourpassword" as below:

 Router>enable   
 Router#config t  
 Enter configuration commands, one per line. End with CNTL/Z.  
 Router(config)#enable secret level 15 0 Cisco2014  
 Router(config)#  

The 15 means you are entering an enable secret for privilege level 15 while the 0 means you are typing in plain text. Should you already have an MD5 hashed password that you want to enter, in case somebody is looking over your shoulder perhaps, you would type "enable secret 15 5 yourpassword".

We can see in the running config that it is encrypted:

 enable secret level 15 5 $1$mERr$p2OmsMs3HNDyiBPyIT0m20  

We could type the above as mentioned should you not want to type the unencrypted password on your screen, we are doing this with security in mind after all!

No comments:

Post a Comment