Auto Secure Command on Cisco Routers – Part 2

In the previous post we discussed the benefits of the auto secure command and what it does on Cisco devices.

In this post we walk through the interactive configuration dialogue and its output.

Router#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]:

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet1/0            unassigned      YES unset  administratively down down
FastEthernet1/1            unassigned      YES unset  administratively down down
FastEthernet2/0            unassigned      YES unset  administratively down down
FastEthernet2/1            unassigned      YES unset  administratively down down
Serial3/0                  unassigned      YES unset  administratively down down
Serial3/1                  unassigned      YES unset  administratively down down
Serial3/2                  unassigned      YES unset  administratively down down
Serial3/3                  unassigned      YES unset  administratively down down

Enter the interface name that is facing the internet: FastEthernet0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action. k

Enable secret is either not configured or
is the same as the enable password
Enter the new enable secret:cisco
% Invalid Password length - must contain 6 to 25 characters. Password configuration failed
Enter the new enable secret: In@nE^bL121
Confirm the enable secret : In@nE^bL121
Enter the new enable password: In@nE^bL199
Confirm the enable password: In@nE^bL199

Configuration of local user database
Enter the username: admin
Enter the password: In@nE^bL199
Confirm the password: In@nE^bL199

Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport

Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 3
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 3

Configure SSH server? [yes]:
Enter the domain-name: internetworksblog.com

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action. ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$0RYA$SW1b9aQREOBwKWbGJcCsN/
enable password 7 02050D4808092F701E1D
username admin password 7 060506324F41584B56
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 3 attempts 3 within 3
ip domain-name internetworksblog.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet2/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet2/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial3/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial3/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial3/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial3/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface FastEthernet0/0
 ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config
The name for the keys will be: R1.internetworksblog.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

"ip tcp intercept max-incomplete low " is deprecated
Please use "ip tcp intercept max-incomplete low high "
"ip tcp intercept max-incomplete high " is deprecated
Please use "ip tcp intercept max-incomplete low high "
Router#
000045: *May 9 19:39:14.343 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
Router#
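As an added example that is not part of the original post: a small Python audit that parses an IOS configuration text and checks it, globally and per interface, for the hardening commands AutoSecure generated above. It also flags a vty line that still lists telnet under `transport input`, which the generated configuration above leaves in place (`transport input ssh telnet`). SAMPLE_CONFIG is constructed for the demonstration and deliberately omits several items.

```python
# Added example (not from the original post): audit an IOS config text for the
# hardening commands AutoSecure generated above. SAMPLE_CONFIG is constructed.
GLOBAL_EXPECTED = ["no service finger", "no service pad", "service password-encryption",
                   "no cdp run", "no ip http server", "aaa new-model"]   # subset of the output above
IFACE_EXPECTED = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                  "no ip directed-broadcast", "no ip mask-reply"]         # emitted per interface above

def parse_sections(config):
    """Split an IOS config into top-level lines and {stanza header: [subcommands]}."""
    top, stanzas, current = [], {}, None
    for line in (l.rstrip() for l in config.splitlines()):
        if line.startswith(" ") and current is not None:   # indented: subcommand of open stanza
            stanzas[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):    # stanza header
            current = line
            stanzas.setdefault(current, [])                # repeated headers merge, as IOS does
        else:                                              # global command or '!' separator
            current = None
            if line and not line.startswith(("!", " ")):
                top.append(line)
    return top, stanzas

def audit(config):
    """Return findings as strings; an empty list means every checked item is present."""
    top, stanzas = parse_sections(config)
    findings = [f"missing global: {c}" for c in GLOBAL_EXPECTED if c not in top]
    for name, sub in stanzas.items():
        if name.startswith("interface "):
            findings += [f"{name}: missing {c}" for c in IFACE_EXPECTED if c not in sub]
        elif name.startswith("line vty"):   # the output above leaves 'transport input ssh telnet'
            findings += [f"{name}: telnet still allowed ({s})" for s in sub
                         if s.startswith("transport input") and "telnet" in s.split()]
    return findings

SAMPLE_CONFIG = """no service finger
service password-encryption
no cdp run
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface Serial3/0
 no ip redirects
!
line vty 0 4
 transport input ssh telnet
"""
```

Running `audit(SAMPLE_CONFIG)` reports three missing global commands, four missing per-interface commands on Serial3/0, and the telnet finding on the vty line; FastEthernet0/0 passes.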

#DV
