To raise the security level of our router we can use passwords, but also the so-called Privilege Levels.
Passwords
There are two kinds of password: the Enable Password and the Line Password. The Enable password is the one required to enter Privileged Mode, while Line Passwords protect against unauthorized access through the console port, the auxiliary port and telnet.
The Enable Password
We can set the Enable password in two ways, one secure and one not. Both are worth looking at:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# enable password test
Router(config)#
This method is insecure because the password is stored in clear text in the configuration, where anyone who can read it will see it. Indeed:
Router# sh run
..
..
enable password test
!
..
..
To remedy this we use the enable secret command, which does not store the password itself but a salted hash of it (type 5, MD5-based):
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# enable secret test2
Router(config)#
Now the password in the configuration is no longer visible in the clear; only its hash is stored, in the form 5 $1$<salt>$<hash>. Note that if an enable password is still configured alongside the secret, the secret takes precedence but the old one remains in the configuration in clear text, so it should be removed with no enable password:
Router# sh run
..
..
!
enable secret 5 $1$AWfn$JnM/50S9kiJoDEcUuFd4/.
..
..
The Line Password
The Line Password, as mentioned above, protects the router from unauthorized access through the console port, the auxiliary port (AUX) and telnet.
We can see which types of line the router lets us configure with the command line ?:
Router(config)# line ?
  <0-70>   First Line number
  aux      Auxiliary line
  console  Primary terminal line
  tty      Terminal controller
  vty      Virtual terminal
  x/y      Slot/Port for Modems
Router(config)#
We can also see how many lines of a given type exist. Example:
Router(config)# line tty ?
  <1-64>  First Line number
Router(config)#
or, another example:
Router(config)# line aux ?
  <0-0>  First Line number
Router(config)#
Note: here <0-0> does not mean that we have no AUX port. 0-0 is the range of valid line numbers, from which we infer that there is exactly one AUX port, number 0. If there were none, line ? would not have listed aux Auxiliary line at all.
The procedure for assigning a password to these three types of line (or access) is the same. The login command enables password checking on the line, and IOS warns us that logins stay disabled until a password is actually set:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line aux ?
  <0-0>  First Line number
Router(config)# line aux 0
Router(config-line)# login
% Login disabled on line 65, until 'password' is set
Router(config-line)# password prova3
Router(config-line)# end
Router#
And likewise for the console port:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line con ?
  <0-0>  First Line number
Router(config)# line con 0
Router(config-line)# login
Router(config-line)# password prova4
Router(config-line)# end
Router#
That was the console port; now the vty lines, which are the ones used by telnet:
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line vty ?
  <0-181>  First Line number
Router(config)# line vty 1
Router(config-line)# password prova5
Router(config-line)# end
Router#
All these passwords are visible with a sh run. Note that we configured only vty 1: the other vty lines (0 and 2 to 4) keep the password they already had, cisco. In practice all the vty lines should be configured together (line vty 0 4) so that none is left with a weak or missing password:
Router# sh run
..
..
!
line con 0
password prova4
login
line aux 0
password prova3
login
line vty 0
password cisco
login
line vty 1
password prova5
login
line vty 2 4
password cisco
login
!
!
end
At this point we ask: fine, for the Enable password we have enable secret to hash it. And the Line Password? There is no dedicated command for the latter, but there is a service that obfuscates every password in the configuration: service password-encryption.
Router# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# service password-encryption
Router(config)# end
Router#
We have activated the service. Checking sh run again shows that service password-encryption is active and that all the passwords entered earlier are now stored as type 7 strings. Be aware that type 7 is not real encryption: it is a reversible XOR-based obfuscation with a fixed, publicly known key, so it only protects against someone glancing over your shoulder, not against anyone who obtains a copy of the configuration:
Router# sh run
..
..
service password-encryption
!
..
..
!
line con 0
password 7 15021903122B7F
login
line aux 0
password 7 03144904100E72
login
line vty 0
password 7 121A0C041104
login
line vty 1
password 7 140700041A057F
login
line vty 2 4
password 7 045802150C2E
login
!
!
end
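To see concretely why type 7 is only obfuscation, here is an added example written for this article (it is not Cisco code and not part of the original page). It decodes the type 7 strings from the sh run above, shows the matching encoder, and audits a configuration for clear-text (type 0), type 7 and type 5 entries. The sample configuration is constructed from the output shown on this page, with the clear-text enable password left in next to the secret; the key constant is the publicly known IOS type 7 key; the function names are this example's own.

```python
"""Audit a saved IOS configuration for weak password storage.

Added example for this article; it is not Cisco code or anything from the
original page. It recovers the clear text behind the reversible "type 7"
strings that service password-encryption produces, flags clear-text
(type 0) entries and merely reports type 5 hashes. Standard library only.
"""
from __future__ import annotations

import re

# Fixed XOR key that IOS uses for type 7 obfuscation; it is publicly known,
# which is exactly why type 7 offers no real protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches "enable password test", "enable secret 5 $1$...", "password 7 ..."
# and "password prova4" (type 0 with the leading 0 omitted).
_PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable password|enable secret|password)\s+"
    r"(?:(?P<type>\d+)\s+)?(?P<value>\S+)\s*$"
)

# Constructed sample: the sh run output shown in this article, plus the
# clear-text enable password still sitting next to the secret.
SAMPLE_CONFIG = """\
service password-encryption
!
enable secret 5 $1$AWfn$JnM/50S9kiJoDEcUuFd4/.
enable password test
!
line con 0
 password 7 15021903122B7F
 login
line aux 0
 password 7 03144904100E72
 login
line vty 0
 password 7 121A0C041104
 login
line vty 1
 password 7 140700041A057F
 login
line vty 2 4
 password 7 045802150C2E
 login
!
end
"""


def decode_type7(encoded: str) -> str:
    """Recover the clear text from a type 7 string such as 15021903122B7F.

    The first two characters are a decimal offset into TYPE7_KEY; each
    following pair of hex digits is one password byte XORed with the key
    byte at (offset + position) mod len(TYPE7_KEY).
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError(f"offset {offset} out of range")
    payload = bytes.fromhex(encoded[2:])
    clear = bytes(
        b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(payload)
    )
    return clear.decode("ascii")


def encode_type7(clear: str, offset: int = 15) -> str:
    """Produce a type 7 string (same XOR, so it also proves the decoder round-trips)."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError(f"offset {offset} out of range")
    obfuscated = bytes(
        c ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
        for i, c in enumerate(clear.encode("ascii"))
    )
    return f"{offset:02d}{obfuscated.hex().upper()}"


def audit_config(config: str) -> list[dict]:
    """Walk a configuration and classify every password statement it finds."""
    findings: list[dict] = []
    where = "global"
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("line "):
            where = stripped  # remember which line section we are in
            continue
        match = _PASSWORD_LINE.match(line)
        if not match:
            continue
        ptype = int(match.group("type") or 0)
        value = match.group("value")
        if ptype == 0:
            clear, verdict = value, "clear text"
        elif ptype == 7:
            clear, verdict = decode_type7(value), "reversible obfuscation, recovered"
        elif ptype == 5:
            clear, verdict = None, "MD5-crypt hash, not reversible (but crackable offline)"
        else:
            clear, verdict = None, f"unrecognised type {ptype}"
        findings.append({"where": where, "cmd": match.group("cmd"),
                         "type": ptype, "clear": clear, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["clear"] if f["clear"] is not None else "-"
        print(f"{f['where']:<12} {f['cmd']:<16} type {f['type']}  {shown:<8} {f['verdict']}")
```

Run it and every line password from the sh run above comes back in clear text (prova4, prova3, cisco, prova5, cisco); only the enable secret resists, and even that is an MD5-based hash that should be treated as crackable if the configuration leaks. Type 7 strings therefore belong in the same category as clear text when you decide who may read backups of the configuration.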
The Privilege Level
Privilege levels are simply sixteen levels (0 to 15) that allow or deny the execution of certain commands. By default Cisco routers use three of them:
- Level 0: very rarely used. Allows only the commands disable, enable, exit, help and logout.
- Level 1: user EXEC mode. This is the level we land in after logging in; the prompt is Router>.
- Level 15: privileged EXEC mode. This is the level we reach after entering the enable password; the prompt is Router#.
Besides these three default levels, we can use all the others (2 to 14) to specify exactly which commands are available at each level.
First, we assign a password to the level we are going to enable:
Router(config)# enable password level 10 test
% Converting to a secret. Please use "enable secret" in the future.
Router(config)#
(Note that, as with the ordinary enable password, this one can also be stored hashed with enable secret level 10 test.) Then we specify the commands we intend to make available at that level:
Router(config)# privilege exec level 10 command_1
Router(config)# privilege exec level 10 command_2
Router(config)# privilege exec level 10 command_3
(and so on)
Then, back at the privileged prompt, we save the configuration:
Router# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Router#
To switch to that level we use the enable command followed by the level number:
Router> enable 10
Password:
Router#
We can verify which level we are using with show privilege:
Router# show privilege
Current privilege level is 10
Router#
Let's take an example: we want to make only the command debug cdp ip available at a lower level. First let's look at what is available at level 15, so that we can see the difference afterwards:
Router# debug ?
..
..
  cca        CCA activity
  cdapi      CDAPI information
  cdp        CDP information
  chat       Chat scripts activity
  cls        CLS Information
..
..
Router# debug cdp ?
  adjacency  CDP neighbor info
  events     CDP events
  ip         CDP ip Info
  packets    CDP packet-related information
Router#
These are the available commands. Now let's set up a privilege level (here level 3) that makes only debug cdp ip available:
Router(config)# enable password level 3 password
% Converting to a secret. Please use "enable secret" in the future.
Router(config)#
Router(config)# privilege exec level 3 debug cdp ip
Now we enter this privilege level (enable 3) and check that only the debug cdp ip command is available. IOS automatically makes the parent keywords debug and debug cdp available at that level as well, otherwise the full command could not be typed:
Router# debug ?
  cdp   CDP information
  conn  Connection Manager information
Router# debug cdp ?
  ip  CDP ip Info
Router#