With these simple, easy-to-follow commands, secure how you connect to your remote Cisco device in less than 3 minutes.
In my last post, I shared the list of commands I have used over the years to set up new Cisco devices (routers and switches) straight out of the box. That list covers device hostnames, local user accounts, etc.
An important part of initial device configuration is adding some security, so that the device is protected from intruders. One weak point in your network, or your organisation's network, can prove costly.
One security feature that must be at the front of your mind is securing remote access to the device. Once you finish the initial configuration (while connected directly to the console) you will want to manage it remotely, either from within your network or from outside.
On most IOS images the vty (virtual terminal) lines accept Telnet by default as soon as they are configured. The problem is that Telnet is not secure and is vulnerable to attack.
Telnet sends everything, including the username and password you type to log in, across the network in clear text. Anyone who can plug into your network or join your Wi-Fi and sniff the traffic between your computer and the device can read those credentials. The fix is to use Secure Shell (SSH) for remote management instead. SSH encrypts the whole session, so a sniffer sees only ciphertext, and the device's host key lets your SSH client detect an attacker impersonating the device.
The commands below will help you quickly configure SSH on your router or switch and lock down remote access to it.
Username, Password & Domain Name
R1(config)# username nexadmin privilege 15 secret strongpass
~Creates a local user account called "nexadmin" with full administrative privileges (level 15). The secret keyword stores the password as a hash in the configuration rather than in clear text, so prefer it over the older password keyword. Replace "strongpass" with a genuinely strong password.
R1(config)# ip domain-name mynetworknexus.com
~Sets the DNS domain name to "mynetworknexus.com". SSH needs both a hostname and a domain name, because the RSA key pair generated in the next step is named hostname.domain. Newer IOS releases spell the command ip domain name (no hyphen) and accept either form.
SSH Key Generation
R1(config)# crypto key generate rsa
~Generates an RSA key pair that the device uses to identify itself to SSH clients and to set up the encrypted session. You will get output like the following (the key name is hostname.domain, so here R1.mynetworknexus.com):
The name for the keys will be: R1.mynetworknexus.com Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
~You must choose a key size. SSH version 2 requires a modulus of at least 768 bits, but 768 bits (and the 512-bit default) are far too small to resist factoring today, so choose 2048. Newer IOS releases allow up to 4096 bits; the 360 to 2048 range shown above is from an older release. Generation can take a minute or two on older hardware.
R1(config)# ip ssh time-out 60
~Sets the SSH negotiation timeout to 60 seconds: a client that connects but has not completed authentication within that time is disconnected (the maximum is 120 seconds). This is not an idle timeout for established sessions; idle sessions are governed by exec-timeout on the vty lines, which defaults to 10 minutes.
R1(config)# ip ssh authentication-retries 3
~Allows 3 failed authentication attempts per connection before the device drops it (3 is the default; the maximum is 5).
Specify Login Protocol
R1(config)# ip ssh version 2
~Explicitly tells the device to accept only SSH version 2. Without this, many IOS images run in compatibility mode (reported as version 1.99 by show ip ssh), which also accepts the weaker SSH version 1.
R1(config)# line vty 0 4
~Enters line configuration mode for the first five virtual terminal (vty) lines. Many switches and newer routers have 16 (vty 0 15); apply the settings below to all of them, otherwise any line you miss will keep accepting Telnet.
R1(config-line)# transport input SSH
~Restricts these lines to SSH instead of the default, which permits Telnet. Telnet connections to them are refused from now on, so confirm SSH works before you close your console session.
R1(config-line)# login local
~Authenticates remote logins against the local user database (e.g. the "nexadmin" account created above) instead of a line password.
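To check that a device actually ended up in this state, here is an added example in Python (not from the original post): it parses the text of show running-config and reports any of the settings above that are missing, including vty lines that would still accept Telnet. The two configs embedded in it are constructed, one with out-of-the-box vty settings and one with the commands above applied to every vty line; the secret hash in the second is a placeholder, and the assumption that a vty line without an explicit transport input accepts Telnet is marked in the code.

```python
"""Audit a Cisco IOS running-config for the SSH hardening described above.

Added example (not from the original post): given the text of
'show running-config', it checks for the settings the post configures
(a local user with a hashed secret, a domain name, ip ssh version 2,
and vty lines restricted to 'transport input ssh' with 'login local')
and reports any vty line that would still accept Telnet.  Both config
snippets below are constructed for illustration, not captured from a
real device.  The RSA key pair is not in the running-config, so its
modulus must be checked separately with 'show crypto key mypubkey rsa'.
"""

import re
from typing import Dict, List

# Constructed "before" config: vty lines left at their out-of-the-box
# settings, with a line password and Telnet still accepted.
BEFORE_CONFIG = """\
hostname R1
!
line vty 0 4
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
line vty 5 15
 login
!
"""

# Constructed "after" config: the post's commands applied to every vty line.
# The secret hash is a placeholder, not a real type-5 digest.
AFTER_CONFIG = """\
hostname R1
!
username nexadmin privilege 15 secret 5 $1$placeholder$hash
ip domain-name mynetworknexus.com
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
!
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
line vty 5 15
 exec-timeout 10 0
 login local
 transport input ssh
!
"""


def parse_vty_lines(config: str) -> Dict[str, List[str]]:
    """Map each 'line vty A B' block to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line vty "):
            current = raw[len("line "):].strip()   # e.g. "vty 0 4"
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None   # any non-indented line ends the block
    return blocks


def audit_remote_access(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    if not re.search(r"^username \S+ .*\bsecret\b", config, re.M):
        findings.append("no local user configured with a hashed 'secret' password")
    # Newer IOS spells the command 'ip domain name' (no hyphen); accept both.
    if not re.search(r"^ip domain[- ]name \S+", config, re.M):
        findings.append("no domain name set (needed before 'crypto key generate rsa')")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("'ip ssh version 2' not set; device may still accept SSHv1")

    vty = parse_vty_lines(config)
    if not vty:
        findings.append("no 'line vty' configuration found")
    for name, cmds in vty.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None:
            # Defaults are not shown in the running-config.  On most IOS images
            # the default transport input permits Telnet (assumption: confirm
            # with 'show line' on your platform).
            findings.append(f"line {name}: transport input at default, Telnet likely accepted")
        elif set(transport.split()[2:]) not in ({"ssh"}, {"none"}):
            findings.append(f"line {name}: '{transport}' still accepts Telnet")
        if "login local" not in cmds:
            findings.append(f"line {name}: no 'login local', so local accounts are not used")
        if "exec-timeout 0 0" in cmds:
            # exec-timeout, not 'ip ssh time-out', is the idle timer for sessions.
            findings.append(f"line {name}: 'exec-timeout 0 0' disables the idle timeout")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        result = audit_remote_access(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against the saved output of show running-config from a real device and work through any findings it prints; the "before" config produces eight, the "after" config none. Defaults never appear in a running-config, which is why a vty line with no transport input at all is flagged rather than assumed safe.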
Concluding
The commands above give you a quick, easy way to secure remote connections to your device. In a few minutes you replace clear-text Telnet, which the vty lines on Cisco devices accept by default, with encrypted SSH logins authenticated against a local account. That closes one common way into your network, and it is a step every initial configuration should include.
Need more detail? Check out this article from firewallcx, which walks through configuring SSH on your Cisco device in more depth.
P.S. If you liked this article, you can grab the ebook and enjoy the same content in Kindle format. Every ebook you get helps us maintain the website and keep adding new, up-to-date content for you to enjoy.
