Cisco Router Fortification

Clarence Subia
Dec 7, 2018

This is a tutorial on how to harden the security of your Cisco routers.

(image from conceptdraw.com)

1. Default Privilege

By default, the privilege level is 15.

2. Setting the Enable Password. Take note that only the Enable Secret should be used in a production network: the Enable Password is stored in clear text, while the Enable Secret is stored in encrypted (hashed) form.

Creating a secret for privilege level 15.
Creating a secret for privilege level 5.

3. To enter Enable privilege 15, just enter the command enable in user exec mode. But if you wish to enter privilege 4, you must specify the privilege number. Example: "R1>enable 4"

Since privilege level 4 has not been given any authorization to enter global configuration mode, the user is unable to run configure terminal.
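The privilege-level configuration and the check described in steps 1 to 3, as an added example (these are not the article's screenshots); the hostname R1, the level 4 secret and the placeholder passwords are assumptions:

```cisco
! Added example. Hostname and passwords are placeholders.
! Secrets for level 15 (the default) and for the lower levels 5 and 4.
R1(config)# enable secret level 15 Lvl15-Secret-Placeholder
R1(config)# enable secret level 5 Lvl5-Secret-Placeholder
R1(config)# enable secret level 4 Lvl4-Secret-Placeholder
! Grant level 4 only the exec commands it needs; "configure terminal"
! stays at level 15 because nothing moves it down.
R1(config)# privilege exec level 4 ping
R1(config)# privilege exec level 4 show ip interface brief
R1(config)# end
! Check: "enable" alone enters level 15, "enable 4" enters level 4.
R1> enable 4
Password:
R1# show privilege
Current privilege level is 4
R1# ping 192.0.2.1
R1# configure terminal
                ^
% Invalid input detected at '^' marker.
```

Commands that are not assigned to the current level are not even parsed, which is why the level 4 user sees an "Invalid input" error rather than a permission error. Use `show privilege` and `show running-config | include privilege` to confirm what each level can do before handing out the lower-level secrets.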

4. Securing VTY Lines and AUX Port

Securing the router using its local user database.
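One way to lock down the VTY lines and the AUX port against the local database, as an added example that is not part of the original post; the domain name, usernames, passwords and the 192.0.2.0/24 management network are assumptions:

```cisco
! Added example. Names, addresses and passwords are placeholders.
! SSH needs a hostname, a domain name and an RSA key pair.
R1(config)# hostname R1
R1(config)# ip domain-name lab.example
R1(config)# crypto key generate rsa modulus 2048
R1(config)# ip ssh version 2
! Local accounts: one full administrator, one limited to privilege 4.
R1(config)# username netadmin privilege 15 secret Admin-Secret-Placeholder
R1(config)# username helpdesk privilege 4 secret Helpdesk-Secret-Placeholder
! Only the management network may open a VTY session.
R1(config)# ip access-list standard MGMT-HOSTS
R1(config-std-nacl)# permit 192.0.2.0 0.0.0.255
R1(config-std-nacl)# exit
! VTY lines: local login, SSH only (no telnet), idle timeout, source filter.
R1(config)# line vty 0 4
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exec-timeout 5 0
R1(config-line)# access-class MGMT-HOSTS in
R1(config-line)# exit
! AUX port: require a local login and time out, or disable it outright
! with "no exec" / "transport input none" when no modem is attached.
R1(config)# line aux 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input none
R1(config-line)# exit
! Console: same local login so a physical attacker still needs a password.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# exec-timeout 5 0
```

Verify with `show ip ssh` (version 2 enabled) and `show users` while a session is open; a telnet attempt from the management network should now be refused because `transport input ssh` excludes it.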

5. AAA Framework (Authentication, Authorization, and Accounting)

This is a sample topology in Packet Tracer. Please take note that some commands here do not behave exactly as they do on real Cisco appliances.

6. Default Authentication Method List

Privilege level 4 was given access to the "ping" command.
Before proceeding with your AAA configuration, the first step is to enter the "aaa new-model" command, or else nothing else will work.
This command specifies which server provides the authentication method, as well as the shared secret key.
This is a good way to test whether your authentication works. Although telnet is used here, the best practice is to use ssh.

7. Custom Method List

In this command, we use tacacs+ as the authentication method and the "enable" password as a fallback in case the tacacs+ server fails.
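The AAA setup from steps 5 to 7 carried through end to end, as an added example (not the article's own Packet Tracer configuration); the server address 192.0.2.10, the shared key, the list name VTY-AUTH and the local account names are assumptions. The server definition uses the IOS 15 `tacacs server` form; Packet Tracer only accepts the older `tacacs-server host` syntax, which is one of the differences the article warns about:

```cisco
! Added example. Address, key, list and user names are placeholders.
! Nothing below takes effect until AAA is switched on.
R1(config)# aaa new-model
! TACACS+ server and shared secret (older form: tacacs-server host 192.0.2.10 key ...)
R1(config)# tacacs server TACACS-SRV
R1(config-server-tacacs)# address ipv4 192.0.2.10
R1(config-server-tacacs)# key TacacsKey-Placeholder
R1(config-server-tacacs)# exit
! Local account that remains usable if the server is unreachable.
R1(config)# username netadmin privilege 15 secret Admin-Secret-Placeholder
! Default method list: ask TACACS+ first, fall back to the local database.
R1(config)# aaa authentication login default group tacacs+ local
! Custom method list: ask TACACS+ first, fall back to the enable secret.
R1(config)# aaa authentication login VTY-AUTH group tacacs+ enable
! Authorization and accounting so the server decides the exec level and
! records every session and every privileged command.
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting commands 15 default start-stop group tacacs+
! Apply the custom list to the VTY lines; the console keeps the default list.
R1(config)# line vty 0 4
R1(config-line)# login authentication VTY-AUTH
R1(config-line)# transport input ssh
R1(config-line)# end
! Verify from the router before testing from a client.
R1# test aaa group tacacs+ netadmin Admin-Secret-Placeholder legacy
R1# show tacacs
```

A fallback method is only consulted when the server does not answer (error), not when it rejects the credentials (fail), so a wrong password at the TACACS+ server does not silently drop you to the local database. Test the fallback deliberately by shutting the server link and logging in again while `debug aaa authentication` is running.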

8. Additional Security commands

These commands can mitigate password brute-forcing.
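The login-attack mitigation commands, as an added example that is not taken from the article's screenshot; the thresholds, the delay and the 192.0.2.0/24 management network are assumed values to be tuned for your environment:

```cisco
! Added example. Thresholds and the management network are placeholders.
! Reject short passwords and stop storing line passwords in clear text
! (type 7 "encryption" only obscures them; keep using secrets where possible).
R1(config)# security passwords min-length 10
R1(config)# service password-encryption
! After 3 failed logins within 60 s, refuse new logins for 120 s ...
R1(config)# login block-for 120 attempts 3 within 60
! ... except from the management hosts, so an attacker cannot lock you out.
R1(config)# ip access-list standard MGMT-HOSTS
R1(config-std-nacl)# permit 192.0.2.0 0.0.0.255
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class MGMT-HOSTS
! Add a fixed delay between attempts and log both outcomes for detection.
R1(config)# login delay 2
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# end
! Verify the policy and watch failures as they happen.
R1# show login
R1# show login failures
```

Pair this with a syslog destination (`logging host`) so the on-failure and on-success messages leave the box and can be alerted on; the quiet-mode ACL is what keeps an attacker's flood of bad passwords from becoming a denial of service against your own administrators.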
