Monday, 6 January 2014

Secure Your Cisco: Local Users

I've covered how to add an enable secret to your router/switch but if you want to further improve your security posture you should consider adding local user accounts so that you are able to track who is logging in.

Adding a user is easy stuff, but first we need to make sure we've got passwords set on our console, auxiliary and VTY lines:

 Router#conf t   
 Router(config)#line console 0  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#line vty 0 4  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#line aux 0  
 Router(config-line)#password cisco123  
 Router(config-line)#login  
 Router(config-line)#  

Try to choose a different password for each of the lines, not like in my example here! These will be saved in plain text in the running config, so let's make them a little less exposed:

 Router(config)#service password-encryption   

This won't make them difficult to crack should somebody be so inclined, but it will prevent those looking over your shoulder at your running-config from seeing what your passwords are.

Let's now set up the local users so that logins will check the local database when somebody tries to connect. Set up a couple of sample users, staying in configuration mode to do so:

 Router(config)#username root privilege 15 secret 0 cisco123  
 Router(config)#username user privilege 5 secret 0 userpass  

We can take a look in our running config and see that using "secret" has scrambled the passwords that were entered as plain text:

 Router(config)#do show run | inc username  
 username user privilege 5 secret 5 $1$HdVg$.GMFfsfjIrtdNIQ75IZfZ/  
 username root privilege 15 secret 5 $1$/OAi$uSE6rzk.3gN026rQTulKv.  

Next step is to enforce the use of the local database for all logins:

 Router(config)#line console 0   
 Router(config-line)#login local   
 Router(config-line)#line aux 0  
 Router(config-line)#login local  
 Router(config-line)#line vty 0 4   
 Router(config-line)#login local  

We're all set now: anybody who tries to connect via SSH or Telnet, via the console port or via the auxiliary port will be prompted for a username as well as a password. Furthermore, we've got a privilege level 15 user and a privilege level 5 user, so we can hand the level 5 username and password to someone who only needs a restricted set of commands.
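To check that a device actually ended up in the state described above, here is a small audit script (added here as an example; it is not from the original post and not a Cisco tool). It assumes the input is `show running-config` text in the usual IOS layout, with line sub-commands indented by one space, and it flags exactly the weaknesses the post walks through: no `service password-encryption`, clear-text or type 7 line passwords, users defined with `password` rather than `secret`, and lines still using plain `login` instead of `login local`. The config fragment is constructed for the example and the type 7 strings are placeholders.

```python
# Constructed sample running-config fragment (not captured from a real device). It
# mixes hardened and unhardened settings so that each check below has something to report.
SAMPLE_RUN = """\
service password-encryption
username root privilege 15 secret 5 $1$HdVg$.GMFfsfjIrtdNIQ75IZfZ/
username backup privilege 15 password 7 094F471A1A0A
line con 0
 password 7 070C285F4D06
 login
line aux 0
 password 7 070C285F4D06
 login local
line vty 0 4
 login local
 transport input ssh
"""


def audit_config(text):
    """Return a list of (where, finding) for the weaknesses the post walks through."""
    findings = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if "service password-encryption" not in [ln.strip() for ln in lines]:
        findings.append(("global", "service password-encryption missing: line passwords are clear text"))
    section, has_login_local = "global", {}
    for raw in lines:
        cmd = raw.strip()
        if not raw[0].isspace():                 # column 0: top-level command
            section = cmd
            if cmd.startswith("line "):
                has_login_local[cmd] = False     # flipped once 'login local' is seen
            elif cmd.startswith("username ") and " secret " not in cmd:
                findings.append(("username " + cmd.split()[1],
                                 "uses 'password' not 'secret': stored reversibly (type 0/7), not hashed"))
        elif section in has_login_local:         # indented sub-command of a line section
            if cmd == "login local":
                has_login_local[section] = True
            elif cmd.startswith("password "):
                kind = cmd.split()[1]
                if kind == "7":
                    findings.append((section, "type 7 line password: reversible encoding, not a hash"))
                elif kind == "0" or not kind.isdigit():
                    findings.append((section, "clear-text line password"))
    for name, ok in has_login_local.items():
        if not ok:
            findings.append((name, "no 'login local': line does not authenticate against the user database"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_config(SAMPLE_RUN):
        print(f"{where:16} {finding}")
```

Feed it the output of `show running-config` (for example, pasted into a file) and an empty result means every line uses the local user database and no user is stored with a reversible password.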
