londonbjk
asked on
Telnet user privilege
Dear Users,
We have just bought a new Cisco router which has all the default configuration. I have given it a hostname and configured some of the interfaces. What I would like to do is configure two new users with admin rights and give Telnet access to the router just from a specific subnet. In addition, I would really appreciate it if somebody could give me a link or some kind of documentation and template with important security configuration for a router and hardening it.
Best Regards
ASKER
Hi,
The first link is really useful and can help me create the admin accounts. What is the difference between typing login local or login privilege 15 under the vty line? Do both commands do the same job? In addition, I would still appreciate it if someone has any security config template.
Thanks
login local would look for a valid username and password configured on the router to allow access
login privilege 15 would give you enable mode access once the user authenticates successfully
As for security, there is no specific template; it all depends on what you require for the network, but as basic guidelines:
1- Telnet is only permitted from specific users (using an access class under the vty lines)
2- Moreover, it's preferable to use a specified username and password, so not just anybody can guess the password (use login local in that case and configure usernames; much better is to use a TACACS server with AAA configured)
3- Console and AUX passwords should be strong ones and only known to a few
4- You should try to block known ports that are usually attacked by viruses, using access lists on interfaces, to prevent denial of service attacks
good point, logic2,
and here is an example of a very basic config just in case:
----------
! user admin (15 - administrator/super-user)
! user cisco (7 - moderate user access)
username admin priv 15 password cisco
username cisco priv 7 password cisco
!
enable password cisco
!
line vty 0 4
login local
!
---------
http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfpass.html
---------------
-specific config:
http://www.petri.co.il/csc_how_to_configure_passwords_to_secure_your_cisco_router.htm
http://www.debianadmin.com/howto-setup-cisco-router-auxiliaryconsole-and-telnet-passwords.html
cisco official guide:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
---------------
hope it helps.
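
The guidelines from the answers above, combined for the asker's case (two privilege-15 users, Telnet allowed only from one subnet), as an added example that is not part of the original thread. The usernames `admin1`/`admin2`, ACL number 10, the 192.0.2.0/24 management subnet and the password placeholders are assumptions to replace with your own values.

```cisco
! Added example, not from the thread; names, ACL number and subnet are assumed.
!
! Two local administrators. "secret" stores a hash instead of the plaintext
! that "password" stores. With "login local", a user defined at privilege 15
! lands in privileged EXEC straight after logging in.
username admin1 privilege 15 secret <STRONG-PASSWORD-1>
username admin2 privilege 15 secret <STRONG-PASSWORD-2>
!
! Hashed enable password for users who log in at a lower privilege level.
enable secret <STRONG-ENABLE-PASSWORD>
! Obscures any remaining plaintext "password" entries in the config.
service password-encryption
!
! Guideline 1: only the management subnet may open vty sessions.
! 192.0.2.0/24 is a constructed value; the wildcard mask 0.0.0.255 matches /24.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 ! Source-address filter for inbound sessions on these lines.
 access-class 10 in
 ! Guideline 2: authenticate against the local username database.
 login local
 ! Telnet as the asker requested; credentials cross the network in cleartext.
 transport input telnet
 ! Drop idle sessions after 10 minutes.
 exec-timeout 10 0
!
! Guideline 3: console and AUX also require a named local account.
line con 0
 login local
 exec-timeout 10 0
!
! Present only on routers that have an AUX port.
line aux 0
 login local
 exec-timeout 10 0
!
```

After applying it, `show access-lists 10` shows the match counters for permitted and denied sources, and `show users` lists who is connected on which line.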