Below is a diagram that illustrates the network layout for this series of posts.
- Lab Network - 10.0.1.0/24
- Test Network - 10.0.2.0/24
Part 1 - Initial Configuration
In this part I will configure my ports and apply some security to the router.
I name the router, apply an enable password and create a banner.
Router#configure terminal
Router(config)#hostname Router1
Router1(config)#enable secret cisco123
Router1(config)#banner motd % No Unauthorised Access %
I create a local user.
Router1(config)#username bob secret cisco123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
I set the domain, create SSH keys and apply some SSH settings.
Router1(config)#ip domain-name walliford.local
Router1(config)#crypto key generate rsa general-keys modulus 1024
The name for the keys will be: Router1.walliford.local
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh version 2
Router1(config)#ip ssh authentication-retries 2
I create an ACL which I will be applying to my telnet ports
Router1(config)#ip access-list standard ADMIN_ACCESS
Router1(config-std-nacl)#permit 10.0.1.0 0.0.0.255 log
Router1(config-std-nacl)#deny any log
Router1(config-std-nacl)#exit
I configure the console port to use the local user account and apply some timeout values.
Router1(config)#line console 0
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#exit
I apply several settings to the Aux port so it cannot be used.
Router1(config)#line aux 0
Router1(config-line)#no password
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 0
Router1(config-line)#transport input none
Router1(config-line)#exit
I configure my telnet ports to use SSH and telnet only and the local user account. I apply some timeout values and apply the ACL so only hosts from the Lab network can access the router.
Router1(config)#line vty 0 4
Router1(config-line)#logging synchronous
Router1(config-line)#login authentication local_auth
Router1(config-line)#transport input ssh telnet
Router1(config-line)#exec-timeout 30 0
Router1(config-line)#access-class ADMIN_ACCESS in
Router1(config-line)#end
I prevent 3 of the 5 telnet ports from being used.
Router1(config)#line vty 2 4
Router1(config-line)#transport input none
Router1(config-line)#exit
I set the clock, timezone and daylight saving settings.
Router1(config)#clock timezone GMT 0
Router1(config)#clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
Router1(config)#end
Router1#clock set 21:24:00 12 May 2010
I apply timeout values to login attempts to prevent brute-force attacks.
Router1(config)#login block-for 20 attempts 3 within 20
Router1(config)#login delay 2
No comments:
Post a Comment