Solved

CISCO 1921 Port 22 and 53 PCI Compliance

Posted on 2014-01-02
Last Modified: 2014-02-08
I am working with a customer who has recently gone through a PCI compliance audit and it was found that ports 22 and 53 are open. I have tried several attempts to disable Ver1 SSH and still I am unable to close these ports. I have included a running config of the router. I am open to any suggestions and thoughts.

Thanks Justin

Current configuration : 6661 bytes
!
! Last configuration change at 19:42:45 UTC Thu Jan 2 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname troplanc
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.0.1.1 10.0.1.99
ip dhcp excluded-address 192.168.0.1
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool ADMIN
 import all
 network 10.0.1.0 255.255.255.0
 dns-server 75.75.75.75 76.76.76.76
 default-router 10.0.1.1
!
ip dhcp pool GUEST
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 75.75.75.75 76.76.76.76
 default-router 192.168.0.1
 lease 0 12
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1999770955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1999770955
 revocation-check none
 rsakeypair TP-self-signed-1999770955
!
!
crypto pki certificate chain TP-self-signed-1999770955
 certificate self-signed 01
        quit
license udi pid CISCO1921/K9 sn FGL172021BG
!
!
object-group network net-local
 10.0.1.0 255.255.255.0
!
object-group network net-remote
 10.0.5.0 255.255.255.0
!
username admin privilege 15 secret 4 9Rm7ZxlTUuYCINH6WJRoXb79cZlK6hwDCM0mu3OzG2g

!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 2
 authentication pre-share
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Nancy8088! address 50.76.118.222
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 50.76.118.222
 set transform-set ASA-IPSEC
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description outside
 ip address 50.241.184.25 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ADMIN
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description GUEST LAN
 encapsulation dot1Q 2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
 description VoIP
 encapsulation dot1Q 3
 ip address 10.0.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
 description CCTV
 encapsulation dot1Q 4
 ip address 10.0.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.4
 encapsulation dot1Q 10
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.1.10 910 50.241.184.25 910 extendable
ip nat inside source static udp 10.0.1.10 910 50.241.184.25 910 extendable
ip nat inside source static tcp 10.0.1.10 3389 50.241.184.25 3389 extendable
ip nat inside source static udp 10.0.1.10 3389 50.241.184.25 3389 extendable
ip nat inside source static tcp 10.0.4.5 8080 50.241.184.25 8080 extendable
ip nat inside source static udp 10.0.4.5 8080 50.241.184.25 8080 extendable
ip nat inside source static tcp 10.0.4.5 8081 50.241.184.25 8081 extendable
ip nat inside source static udp 10.0.4.5 8081 50.241.184.25 8081 extendable
ip route 0.0.0.0 0.0.0.0 50.241.184.30
ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1.4
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
banner exec ^Cine TROP ELITE EQUIPMENT
***************************TROP ELITE EQUIPMENT****************************
RESTRICTED ACCESS - AUTHORIZED PERSONEL ONLY - VIOLATORS WILL BE SHOT
1
RESTRICTED ACCESS - AUTHORIZED PERSONEL ONLY - VIOLATORS WILL BE SHOT
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output none
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input none
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input none
!
scheduler allocate 20000 1000
!
end

troplanc#
Question by:JustinBrian
5 Comments

Assisted Solution

by:Jordan Medlen
Jordan Medlen earned 250 total points
ID: 39752217
And it is your router that has SSH and DNS open?

First looking at the config, looks like you're defining ACL 23 as what to use for determining access to your vty interfaces. You have none specified as your input transport method. I would change this to ssh for starters. Secondly, I would configure ACL 23 to allow only the specific hosts or subnets that you want to have access to the management of the device.

As for port 53, didn't see where that applies here, not even in your NAT statements, unless I missed something.

Expert Comment

by:Jordan Medlen
ID: 39752224
Also, SSH is not bad for PCI compliance, but letting anyone access it can be. Also, noticed that you'll want to change your isakmp key now that you published it on the Internet, along with the peer IP address.

Author Comment

by:JustinBrian
ID: 39752265
I realized that after the fact..... too quick with the copy and paste. Thanks

Expert Comment

by:Jordan Medlen
ID: 39752272
No problem. Just making sure you knew about it. Rather fix it now than to post another question on why you got smacked online. :)

Accepted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39757671
The ip dns server command is where the port 53 issue is coming from.  I can't see why you're running DNS server on the router as none of your DHCP scopes are giving the address of the router as a DNS server.

Just disable it...

conf t
 no ip dns server
end



SSH is only enabled on line 2.  This is for communication between the router and the service module which is installed in the router.  Also, access-list 23 isn't defined so anyone trying to access your vty lines would be denied anyway.
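The checks the two answers walk through (the global ip dns server command, SSH version, and whether each vty line's access-class points at an ACL that actually exists and what transport input it allows) can be run over a saved running config. The script below is an added example, not code from the thread; the function names are mine, and the config text is a constructed excerpt of the posted config limited to the lines the answers reason about.

```python
import re
# Constructed excerpt of the running config posted in the question (not the
# full file): only the lines the answers reason about.
SAMPLE_CONFIG = """\
ip dns server
access-list 100 permit ip any any
line vty 0 4
 access-class 23 in
 login local
 transport input none
line vty 5 15
 access-class 23 in
 login local
 transport input none
"""

def parse_ios(text):
    """Split a running config into top-level commands and 'line ...' sub-blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:  # indented: inside a line block
            blocks[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):    # skip blanks and '!' separators
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                blocks[current] = []
            top.append(raw.strip())
    return top, blocks

def audit_remote_access(text):
    """Findings behind the 'ports 22 and 53 open' result: DNS service, SSH version, vty access."""
    top, blocks = parse_ios(text)
    acls = {m.group(1) for m in (re.match(r"access-list (\S+) ", c) for c in top) if m}  # ACLs that exist
    findings = []
    if "ip dns server" in top:
        findings.append("global: 'ip dns server' answers port 53 on every interface, outside included")
    if not any(c.startswith("ip ssh version 2") for c in top):
        findings.append("global: 'ip ssh version 2' is not set, so SSHv1 can still be negotiated")
    for name, cmds in ((n, c) for n, c in blocks.items() if n.startswith("line vty")):
        ac = next((c.split()[1] for c in cmds if c.startswith("access-class ")), None)
        if ac is None:
            findings.append(f"{name}: no access-class, so any source address may reach the CLI")
        elif ac not in acls:
            findings.append(f"{name}: access-class {ac} references an ACL that is not defined")
        ti = next((c.split(maxsplit=2)[2] for c in cmds if c.startswith("transport input ")), None)
        if ti is None or {"all", "telnet"} & set(ti.split()):
            findings.append(f"{name}: transport input is '{ti or 'default'}'; use 'transport input ssh'")
        elif ti == "none":
            findings.append(f"{name}: 'transport input none' blocks SSH and Telnet on this line entirely")
    return findings
```

Run it against the full `show running-config` output saved to a file; a clean result is a config with no ip dns server line, ip ssh version 2 set, and every vty line carrying an access-class whose ACL is defined plus transport input ssh.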
