[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1509
  • Last Modified:

Good Config for a Cisco SOHO 91 Router


Hey all,

I am having an issue with my new router and would GREATLY appreciate any help I can get! First off, I seem to have user accounts created in my router by CRWS that I did not create. Would it appear that I have been hacked?

Next, I would like to get a good config that I can use to secure my router. The current config has the 10.10.10.0 network as allowed, but I do not what that allowed...  I am a newbie, so forgive any lack of info.... Here is my config, I have removed some info pertaining to my IP... notice the CRWS users that I did not create...

Router>#show running-config
Building configuration...

Current configuration : 4021 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
logging buffered informational
!
username CRWS_Venky privilege 15 password 7 03400A4F315E276D0A06480A24371B0D557F
79777C6461774A51
username CRWS_Gayatri privilege 15 password 7 15565A48337B2D056C3C642D2022060250
00080003045E564F41
username CRWS_Giri privilege 15 password 7 015757406C5A002E65431F062A2007135A5F5
57B7D7D7C61657A
username CRWS_Bijoy privilege 15 password 7 00404242330A0D274B2E1D413A3C15164652
5B5279727570
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.16.30.1
!
ip dhcp pool CLIENT
   import all
   network 172.16.30.0 255.255.255.248
   default-router 172.16.30.1
   domain-name ph.cox.net
   lease 0 2
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:172.16.30.1-255.255.
255.248
 ip address 172.16.30.1 255.255.255.248 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 23 permit 172.16.30.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 139
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 deny   ip any any log
access-list 102 permit ip 172.16.30.0 0.0.0.7 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any log
no cdp run
route-map icmp deny 10
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

Thank you!
0
zargoth3
Asked:
zargoth3
  • 3
  • 2
1 Solution
 
MarkDozierCommented:
The good news is you have not been hacked. The bad news is you are closing the CRWS sessions incorrectly.

This article does not specifically mention your router but it does apply.

http://www.cisco.com/en/US/products/hw/routers/ps380/products_field_notice09186a00800e9476.shtml

I would also turn off the web server on the router and either console ot telnet into the router.
You can safely delete thos users without fear.
0
 
zargoth3Author Commented:
Great! That worked. If there are any "Best Practices" ACL's out there, I would appreciate help with that too.

Thanks for your help!
0
 
zargoth3Author Commented:
Sorry... How do I go about turning off the web server?

Thanks
0
 
MarkDozierCommented:
Rtr# config t
Rtr#(config) no http server
Rtr#(config)cntl Z
0
 
zargoth3Author Commented:
I had just figured out the HTTP server thing when I logged back into the site. My router actually wanted NO IP HTTP SERVER instead of NO HTTP SERVER. Thanks for the info again!
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now