CCNA Security Guide v4

Contents
Router Security
Privilege Level
CLI Views
SSH
Setup AAA
AAA Local Database
Scenario 1
Scenario 2
Scenario 3
Banner Messages
Auto Secure
Router Security
On R1, configure the router so that only passwords of at least 5 characters are accepted. Passwords must not be readable in the output of show running-config. Create the user admin with password cisco. Console access must log in against the local database.
R1:
security passwords min-length 5

R1(config)#enable password nico
% Invalid Password length - must contain 5 to 25 characters. Password configuration failed
R1(config)#enable password cisco

R1:
service password-encryption

R1#show running-config | include enable
enable password 7 094F471A1A0A

R1:
username admin password cisco
line con 0
 login local

R1#exit
R1 con0 is now available
Press RETURN to get started.
User Access Verification
Username: admin
Password: cisco
R1>enable
R1#
On R1, enable a console timeout of 2 hours and 30 seconds.
Normally I leave the expiry timeout at infinite (exec-timeout 0 0) so that I do not have to log in again every time it expires; since this exercise requires specific values, we use a large time window.
R1:
line con 0
 exec-timeout 120 30

R1#show line console 0 | section Timeouts
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
               02:00:30        never         none       not set
                            Idle Session Disconnect Warning
                              never
                            Login-sequence User Response
                             00:00:30
                            Autoselect Initial Wait
                              not set
Privilege Level
On R1, create two users with the following characteristics. Define the privileged-mode password using the keyword cisco.

User    Password   Available commands (EXEC)
admin   cisco      All commands (high privilege)
noc     network    show, ping, traceroute
R1:
username noc privilege 2 password network
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 show
username admin privilege 15 password cisco
[Comment by Nicolas Montero: Consider the denial case: privilege exec level 2 traceroute, ping.]

To force users to identify themselves (login) against the local database we use:
R1:
line con 0
 login local

Alternatively we can use local AAA:
aaa new-model
[Comment by Nicolas Montero: Do not use this command if we already enabled login local on the console.]
aaa authentication login default local none
R1#exit
R1 con0 is now available
Press RETURN to get started.
%SYS-5-CONFIG_I: Configured from console by console
User Access Verification
Username: noc
Password: network
R1#show privilege
Current privilege level is 2
R1#conf t
        ^
% Invalid input detected at '^' marker.
R1#ping 10.2.2.2
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/72/100 ms
Now we check the privilege level of the admin user (level 15).
R1#exit
R2 con0 is now available
Press RETURN to get started.
User Access Verification
Username: admin
Password: cisco
R1#show privilege
Current privilege level is 15
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#router bgp 20.20
CLI Views
Configure CLI views on R2. Create two profiles with the following characteristics:

User    View password   Commands
ADMIN   admin           All show commands except show version; ping, configure.
NOC     noc             ping
R2:
aaa new-model
enable secret cisco

R2#enable view
Password: cisco
R2#
%PARSER-6-VIEW_SWITCH: successfully set to view 'root'.

R2:
configure terminal
parser view ADMIN
 secret admin
 commands exec include configure
 commands exec exclude show version
 commands exec include all show
parser view NOC
 secret noc
 commands exec include-exclusive ping

R2#disable
R2>enable view ADMIN
Password: admin
R2#show ?
  aaa                Show AAA values
  access-expression  List access expression
  access-lists       List access lists
  acircuit           Access circuit info
  adjacency          Adjacent nodes
  aliases            Display alias commands
  alignment          Show alignment information
  ancp               ANCP information
  aps                APS information
  archive            Archive functions
  ...
R2#show version
           ^
% Invalid input detected at '^' marker.
R2#configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#?
Configure commands:
  do-exec  To run exec commands in config mode
  exit     Exit from configure mode
R2(config)#end
             ^
% Invalid input detected at '^' marker.
R2(config)#exit
We log in with the NOC profile and confirm that only the ping option is available.
R2#exit
R2>enable view NOC
Password: noc
R2#?
Exec commands:
  do-exec  Mode-independent "do-exec" prefix support
  enable   Turn on privileged commands
  exit     Exit from the EXEC
  ping     Send echo messages
  show     Show running system information
R2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/42/52 ms
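The view behaviour shown above (exclude beats include all; include-exclusive reserves a command for one view; bare include grants the keyword but not its sub-keywords, which is why "configure" prompted for the source instead of accepting "configure terminal") can be captured in a small model. The following Python is an added example written for this guide, not IOS code or the author's configuration; it is a simplified model of parser view matching (the DEFAULT_COMMANDS set and the "arguments are tokens starting with a digit" rule are assumptions) and reproduces the ADMIN and NOC views of R2.

```python
from dataclasses import dataclass, field

# Commands IOS keeps available in every view regardless of the rules (assumed minimal set)
DEFAULT_COMMANDS = {"enable", "exit", "do-exec"}


@dataclass
class Rule:
    action: str            # "include", "exclude" or "include-exclusive"
    words: tuple           # command keywords, e.g. ("show", "version")
    all_sub: bool = False  # True for "include all <cmd>": every sub-command is covered

    def matches(self, cmd):
        if cmd[:len(self.words)] != self.words:
            return False
        if self.action == "exclude" or self.all_sub:
            return True                    # a prefix match is enough
        # plain include: only arguments (addresses, numbers) may follow, no further keywords
        return all(tok[0].isdigit() for tok in cmd[len(self.words):])


@dataclass
class View:
    name: str
    secret: str
    rules: list = field(default_factory=list)


class ViewTable:
    def __init__(self):
        self.views = {}

    def parser_view(self, name, secret):
        self.views[name] = View(name, secret)

    def commands_exec(self, view, action, command):
        """Mirror of 'commands exec <include|exclude|include-exclusive> [all] <cmd>'."""
        words = tuple(command.split())
        all_sub = words[:1] == ("all",)
        if all_sub:
            words = words[1:]
        self.views[view].rules.append(Rule(action, words, all_sub))

    def is_allowed(self, view_name, command_line):
        cmd = tuple(command_line.split())
        if cmd and cmd[0] in DEFAULT_COMMANDS:
            return True
        view = self.views[view_name]
        # 1. an exclude in this view beats any include, even "include all"
        if any(r.action == "exclude" and r.matches(cmd) for r in view.rules):
            return False
        # 2. include-exclusive in another view reserves the command for that view alone
        for other in self.views.values():
            if other is not view and any(
                    r.action == "include-exclusive" and r.matches(cmd) for r in other.rules):
                return False
        # 3. otherwise the command must be granted by an include in this view
        return any(r.action != "exclude" and r.matches(cmd) for r in view.rules)


def build_r2_views():
    """The two views the lab configures on R2."""
    table = ViewTable()
    table.parser_view("ADMIN", "admin")
    table.commands_exec("ADMIN", "include", "configure")
    table.commands_exec("ADMIN", "exclude", "show version")
    table.commands_exec("ADMIN", "include", "all show")
    table.parser_view("NOC", "noc")
    table.commands_exec("NOC", "include-exclusive", "ping")
    return table


if __name__ == "__main__":
    r2 = build_r2_views()
    for view, cmd in [("ADMIN", "show version"), ("ADMIN", "show ip route"),
                      ("ADMIN", "ping 10.1.12.1"), ("NOC", "ping 10.1.12.1")]:
        print(f"{view:5} {cmd:16} -> {'allowed' if r2.is_allowed(view, cmd) else 'denied'}")
```

The model makes the ordering point explicit: the exclude for show version is applied before include all show in the lab, yet still wins, so exclusions must be treated as taking precedence rather than as "last rule wins".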
SSH
Configure static or dynamic routing so that there is full connectivity between all routers, including their loopback0 interfaces. Configure Telnet on R1 using the password r111. Configure Telnet on R2 for incoming sessions and SSH for outgoing sessions; SSH sessions may only be established with the router IDs (loopback0) of each router. Use the following policies:
- Domain name: duoc.cl
- Use SSH version 2.0 (1.9)
- Authenticate against the local database using AAA
- Authentication must be applied only on the VTY lines
- Show SSH events on the console of R1, both successful and failed sessions
The SSH user is:

User     Password
jadmin   cisco123

R1 can reach R2 via Telnet, but from R2 R3 can only be reached using SSH. Configure SSH on R3 for incoming sessions; SSH sessions may only be established with the router IDs (loopback0) of each router. Use the following policies:
- Domain name: duoc.cl
- Use SSH version 2.0 (1.9)
- Authenticate against the local database using AAA
- Authentication must be applied only on the VTY lines
- Show SSH events on the console of R1, both successful and failed sessions
The SSH user is:

User    Password
admin   cisco

Configure the password cisco for access to privileged mode on all routers.
R1:
router eigrp 1
 network 10.0.0.0
 no auto-summary

R2:
router eigrp 1
 network 10.0.0.0
 no auto-summary

R3:
router eigrp 1
 network 10.0.0.0
 no auto-summary

R2#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(1)
H   Address         Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
1   10.1.23.3       Fa0/1       10    00:00:11  159    954   0    3
0   10.1.12.1       Fa0/0       13    00:00:13  1571   5000  0    4

R1#sh ip route eigrp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D        10.1.23.0/24 [90/30720] via 10.1.12.2, 00:01:12, FastEthernet0/0
D        10.2.2.2/32 [90/156160] via 10.1.12.2, 00:01:12, FastEthernet0/0
D        10.3.3.3/32 [90/158720] via 10.1.12.2, 00:00:06, FastEthernet0/0
VTY line configuration
R1:
line vty 0 4
 password cisco
 login
enable secret cisco

R2:
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024
%SSH-5-ENABLED: SSH 1.99 has been enabled
ip ssh logging events
aaa new-model
username jadmin password cisco123
aaa authentication login VTY-LOCAL local
line vty 0 4
 login authentication VTY-LOCAL
 transport input telnet
 transport output ssh

R3:
ip domain-name duoc.cl
crypto key generate rsa usage-keys
How many bits in the modulus [512]: 1024
%SSH-5-ENABLED: SSH 1.99 has been enabled
ip ssh logging events
aaa new-model
username admin password cisco
aaa authentication login VTY-LOCAL local
line vty 0 4
 login authentication VTY-LOCAL
 transport input ssh
R1 reaches R2 via Telnet, but from R2 R3 can only be reached via SSH, that is, the security perimeter.
R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Username: jadmin
Password: cisco123
R2>enable
Password: cisco
R2#telnet 10.3.3.3
% telnet connections not permitted from this terminal
R2#ssh -l admin -c 3des 10.3.3.3
Password: cisco
R3>en
Password: cisco
R3#
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
R3#
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
R3#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:00
   2 vty 0     admin      idle                 00:01:00 10.1.23.2

  Interface    User               Mode         Idle     Peer Address
Setup AAA
Configure AAA on R1 with the following authentication characteristics:
- Create the user U4 with password cisco.
- The AAA process must prompt for username and password using "Usuario: " and "Password: ".
- The user may only access the router with case-sensitive matching.
- Create a banner with the message: $ Autentificación AAA $
- The maximum number of attempts is 3 before authentication is requested again; after that the user's access is locked.
- If the user cannot authenticate, display the message: Autentificación invalida, intentelo nuevamente
- The user must authenticate against the local database.
To test what we have configured right away, we can enable login on the console.
R1:
username U4 password cisco
aaa new-model
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case
R1:
User Access Verification
Usuario: u4
Password: cisco
% Authentication failed
Usuario: U4
Password: cisco

R1:
aaa authentication banner $ Autentificacion AAA $

R1>exit
Press RETURN to get started.
Autentificacion AAA
Usuario: U4
Password: cisco
To test whether this configuration works we must create a superuser in case we lock out user U4. After the tests we must unlock user U4.
R1:
username admin privilege 15 password cisco
aaa authentication attempts login 3
aaa local authentication attempts max-fail 3

Usuario: U4
Password: 111
Usuario: U4
Password: 222
Usuario: U4
Password: 333
%AAA-5-USER_LOCKED: User U4 locked out on authentication failure
% Authentication failed
Usuario: admin
Password:
R1#show aaa local user lockout
       Local-user             Lock time
       U4                     15:20:39 UTC Wed Sep 14 2011
R1#clear aaa local user lockout username U4
R1#
%AAA-5-USER_UNLOCKED: User U4 unlocked by admin on console
Now we can try again as user U4. Homework.
R1:
aaa authentication fail-message $ AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE $

Usuario: U4
Password: 1111
AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE
Usuario: U4
Password: cisco
R1>
The resulting configuration is:
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication banner ^C Autentificacion AAA ^C
aaa authentication fail-message ^C AUTENTIFICACION INVALIDA, INTENTELO NUEVAMENTE ^C
aaa authentication password-prompt Password:
aaa authentication username-prompt Usuario:
aaa authentication login CONS local-case
username U4 password 0 cisco
username admin privilege 15 password 0 cisco
line con 0
 login authentication CONS
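The SSH exercise asks for successful and failed SSH sessions to be visible on the console, and the AAA exercise produces %AAA-5-USER_LOCKED / USER_UNLOCKED messages when the max-fail 3 limit is hit. The following Python is an added example for this guide, not code from the original or from Cisco: it parses those syslog messages and reports failures per user and source, users that reached the lockout threshold, and SSH sessions negotiated with a weak cipher (3des-cbc, as in the lab's "-c 3des" session). The SAMPLE_LOG is constructed: the two %SSH-5 lines and the %AAA-5 lines follow the message formats shown above, while the timestamps and the three failed attempts from 10.1.23.9 are assumed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the %SSH-5 / %AAA-5 messages shown in the lab output.
# Timestamps and the failed attempts from 10.1.23.9 are assumed, not taken from the lab.
SAMPLE_LOG = """\
*Aug 17 10:41:11.059: %SSH-5-SSH2_SESSION: SSH2 Session request from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
*Aug 17 10:41:14.523: %SSH-5-SSH2_USERAUTH: User 'admin' authentication for SSH2 Session from 10.1.23.2 (tty = 0) using crypto cipher '3des-cbc', hmac 'hmac-sha1' Succeeded
*Aug 17 10:52:01.100: %SSH-5-SSH2_USERAUTH: User 'U4' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
*Aug 17 10:52:05.311: %SSH-5-SSH2_USERAUTH: User 'U4' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
*Aug 17 10:52:09.742: %SSH-5-SSH2_USERAUTH: User 'U4' authentication for SSH2 Session from 10.1.23.9 (tty = 1) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Failed
*Aug 17 10:52:09.750: %AAA-5-USER_LOCKED: User U4 locked out on authentication failure
*Aug 17 11:03:20.004: %AAA-5-USER_UNLOCKED: User U4 unlocked by admin on console
"""

USERAUTH = re.compile(
    r"%SSH-5-SSH2_USERAUTH: User '(?P<user>[^']+)' authentication for SSH2 Session "
    r"from (?P<src>[\d.]+) \(tty = \d+\) using crypto cipher '(?P<cipher>[^']+)', "
    r"hmac '[^']+' (?P<result>Succeeded|Failed)$")
SESSION = re.compile(
    r"%SSH-5-SSH2_SESSION: SSH2 Session request from (?P<src>[\d.]+) \(tty = \d+\) "
    r"using crypto cipher '(?P<cipher>[^']+)'")
LOCKOUT = re.compile(r"%AAA-5-USER_(?P<state>LOCKED|UNLOCKED): User (?P<user>\S+) ")


def parse_line(line):
    """Classify one syslog line; returns a dict with an 'event' key, or None if untracked."""
    m = USERAUTH.search(line)
    if m:
        return {"event": "userauth", **m.groupdict()}
    m = SESSION.search(line)
    if m:
        return {"event": "session", **m.groupdict()}
    m = LOCKOUT.search(line)
    if m:
        return {"event": m.group("state").lower(), "user": m.group("user")}
    return None


def summarize(log_text, max_fail=3, weak_ciphers=("3des-cbc",)):
    """Aggregate SSH/AAA events: failures per (user, source), users that reached the
    max-fail threshold, lockouts, and session sources that negotiated a weak cipher."""
    failures = Counter()
    report = {"successes": [], "locked": [], "unlocked": [], "weak_cipher": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "userauth":
            key = (ev["user"], ev["src"])
            if ev["result"] == "Failed":
                failures[key] += 1
            else:
                report["successes"].append(key)
        elif ev["event"] == "session" and ev["cipher"] in weak_ciphers:
            report["weak_cipher"].append(ev["src"])      # one entry per session request
        elif ev["event"] in ("locked", "unlocked"):
            report[ev["event"]].append(ev["user"])
    report["failures"] = dict(failures)
    report["max_fail_reached"] = [k for k, n in failures.items() if n >= max_fail]
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:16} {value}")
```

The max_fail parameter mirrors "aaa local authentication attempts max-fail 3", so the report flags the same (user, source) pair the router locks out; the weak_cipher list is what you would watch after raising the SSH cipher policy, since the lab session was deliberately negotiated with 3DES.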
AAA Local Database
R1:
interface GigabitEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 no shut

R2:
interface GigabitEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 no shut

Rx:
router eigrp 1
 network 10.0.0.0
Scenario 1. We access R2 via Telnet using the enable password (EXEC mode).
R2:
aaa new-model
aaa authentication login TELNET enable
enable secret cisco
line vty 0 4
 login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Password: cisco
This is the same password we configured with enable secret (cisco).
R2>
R2>enable
Password: cisco
Scenario 2. We access R2 via Telnet using the local database. We must create a user and its password. Note: remove the previous configuration. If aaa new-model is configured we cannot use the local database directly on line vty.
R2:
username admin password admin
line vty 0 4
 login local

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
User Access Verification
Username: admin
Password: admin
R2>en
Password: cisco
Scenario 3. We access R2 via Telnet without using a password. As we will see, we do not have to authenticate, except to enter privileged mode.
R2:
aaa new-model
aaa authentication login TELNET none
line vty 0 4
 login authentication TELNET

R1#telnet 10.2.2.2
Trying 10.2.2.2 ... Open
R2>
Banner Messages
Configure R1 with the message of the day (motd) shown below:
-------------------------------------------------------------------------
Te has conectado al router R1 en el puerto de consola 0.
XXXXXXXX /| XXXXXXXX|\XXXXXXXXX /*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX |**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX |***\ X_/ \_ /***|___XXXXXXXXXXXX \******* *******/ XXXXX \\XXXXXXX \**** / \ *****/ XXXXX \\XXXXXXX XXXX| 0 0 | XXXXX \XXXXXXX XXXXX | | XXXXX \XXXXXXX XXXXXX \ / XXXXX |________// XXXXXX \ / XXXXX |XXXXXX XXXXXX | O_O | XXXXX ||XXXXX XXXXX \ _ / XXXXX \XXX XXXX| : |XXXX /\ \ _ XXX\_/XXX |\__\ _____/ \ \ ) |_| XXXXXX< | | | XX| |X\_ | _ XXX/ |X XXXX/ | | | |_| |___|XXXX| |XXXXXXXXX|___| | \ XXXXXX/ \XXXXXXXX |____|
Empresas Red Bull Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200
In global configuration mode we add:
banner motd ^C
-------------------------------------------------------------------------
Te has conectado al router $(hostname) en el puerto de consola $(line).
XXXXXXXX /| XXXXXXXX|\XXXXXXXXX /*/ XXXXXXXXXXXXXX\*\XXXXXXXXXXXX |**\ X _____XXXXXXXXX/**|XXXXXXXXXXXXX |***\ X_/ \_ /***|___XXXXXXXXXXXX \******* *******/ XXXXX \\XXXXXXX \**** / \ *****/ XXXXX \\XXXXXXX XXXX| 0 0 | XXXXX \XXXXXXX XXXXX | | XXXXX \XXXXXXX XXXXXX \ / XXXXX |________// XXXXXX \ / XXXXX |XXXXXX XXXXXX | O_O | XXXXX ||XXXXX XXXXX \ _ / XXXXX \XXX XXXX| : |XXXX /\ \ _ XXX\_/XXX |\__\ _____/ \ \ ) |_| XXXXXX< | | | XX| |X\_ | _ XXX/ |X XXXX/ | | | |_| |___|XXXX| |XXXXXXXXX|___| | \ XXXXXX/ \XXXXXXXX |____|
Empresas Red Bull Gerencia Informatica
Ubicacion: Av. Bernardo Prat # 1559, Piso 2
!!!! Atencion !!!!
Notificar al Area Administracion de Redes cualquier modificacion.
------------------------------------------------------------------------
Cisco Router 7200
^C
Auto Secure
R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: no

Securing Management plane services..

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k cisco k

Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: nico
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected:
Device not secured against 'login attacks'.

Configure SSH server? [yes]: no

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services..

Enabling unicast rpf on all interfaces connected
to internet
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed

Enable tcp intercept feature? [yes/no]: yes

This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C cisco ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 05050F0C2E404F1A
username nico password 7 05050F0C2E404F1A
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip access-list extended 100
 permit udp any any eq bootpc
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Give a brief definition of each of the services shown in the output above.
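Two points from this guide are worth checking mechanically: the Router Security exercise requires passwords to be unreadable in show running-config, and the AutoSecure output above lists the services a hardened router should have disabled. The following Python is an added example for this guide, not Cisco code or the author's: it audits a running-config for credentials stored as type 0 or type 7 (service password-encryption is obfuscation, not encryption, and the audit proves it by recovering the page's own sample value 094F471A1A0A), for a missing enable secret or min-length policy, for the AutoSecure management-plane and per-interface lines, and for VTY lines that still accept cleartext Telnet or have no exec-timeout. The REQUIRED_* lists are taken from the generated configuration above; SAMPLE_CONFIG is constructed from it, with FastEthernet0/1 deliberately missing one line so that the interface check has something to report.

```python
import re

# Fixed key IOS uses for type 7 obfuscation (publicly documented; the scheme is reversible)
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Global hardening lines an AutoSecure run leaves behind (from the generated config above)
REQUIRED_GLOBAL = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
    "no ip gratuitous-arps", "no ip identd",
]
# Per-interface lines AutoSecure applies to every interface
REQUIRED_INTERFACE = [
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply",
]
CREDENTIAL = re.compile(r"^(enable password|username \S+(?: privilege \d+)? password)\s+(?:(\d)\s+)?(\S+)$")

# Constructed sample config derived from the AutoSecure output; Fa0/1 lacks 'no ip mask-reply' on purpose
SAMPLE_CONFIG = """\
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
enable password 7 094F471A1A0A
username nico password 7 094F471A1A0A
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
line vty 0 4
 login authentication local_auth
 transport input telnet
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
"""


def decode_type7(encoded):
    """Reverse 'service password-encryption' (type 7): a two-digit seed index,
    then one hex byte per character, each XOR-ed with a character of TYPE7_KEY."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(body))


def parse_blocks(text):
    """Split a running-config into global lines, interface blocks and line blocks."""
    global_lines, interfaces, lines = [], {}, {}
    block = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if raw.startswith(" "):                 # sub-command of the current block
            if block is not None:
                block.append(stripped)
            continue
        block = None
        if stripped.startswith(("interface ", "int ")):
            block = interfaces.setdefault(stripped.split(None, 1)[1], [])
        elif stripped.startswith("line "):
            block = lines.setdefault(stripped, [])
        else:
            global_lines.append(stripped)
    return global_lines, interfaces, lines


def audit_config(text):
    """Return a list of findings for a running-config (an empty list means nothing to report)."""
    findings = []
    global_lines, interfaces, lines = parse_blocks(text)
    present = set(global_lines)

    # 1. credential storage: type 0 and type 7 are both recoverable from the config text itself
    for line in global_lines:
        m = CREDENTIAL.match(line)
        if m and (m.group(2) or "0") in ("0", "7"):
            kind = m.group(2) or "0"
            shown = decode_type7(m.group(3)) if kind == "7" else m.group(3)
            findings.append(f"reversible credential in '{m.group(1)}': type {kind} "
                            f"recovers to {shown!r}; store it with 'secret' instead")
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("no 'enable secret' configured; 'enable password' alone is reversible")
    if not any(l.startswith("security passwords min-length") for l in global_lines):
        findings.append("no 'security passwords min-length' policy")

    # 2. management-plane services AutoSecure disables
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"missing global hardening line '{cmd}'")

    # 3. per-interface ICMP/ARP services
    for name, sub in interfaces.items():
        missing = [c for c in REQUIRED_INTERFACE if c not in sub]
        if missing:
            findings.append(f"interface {name}: missing {', '.join(missing)}")

    # 4. remote-access lines: cleartext transport and sessions that never time out
    for name, sub in lines.items():
        if not name.startswith("line vty"):
            continue
        if any(s.startswith("transport input") and "telnet" in s for s in sub):
            findings.append(f"{name}: accepts cleartext telnet ('transport input telnet'); prefer 'transport input ssh'")
        if not any(s.startswith("exec-timeout") for s in sub):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit passes every AutoSecure service check and reports six items: both type 7 credentials (shown as cisco, the value the Router Security exercise set), the missing enable secret, the interface that lost no ip mask-reply, and the two VTY findings. AutoSecure itself left transport input telnet on the VTY lines because the SSH server question was answered "no", which is exactly the kind of leftover this check is meant to catch.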
@ NMT 2013