Telnet to the Cisco router for remote management is the choice of many network management, but the data transmitted through Telnet is in plain text, so this login method has a great security risk. A malicious user may use a Sniffer tool like Sniffer to perform local monitoring on the Administrator host or an appropriate interface to obtain the Administrator's password for logging on to the Cisoc router.
1. Security Testing
I installed sniffer locally and used Telnet to log on to the Cisco router. Stop sniffing and decode it. 1 shows that the user logs on to the vro in user mode and global mode. The entered passwords are displayed in plain text. Although the password is split into two parts, an experienced attacker may combine them to obtain the logon password of the Cisco router. In fact, more than that, all the commands entered on the router by the sniffer tool administrator will be sniffed. In this way, even if the administrator changes the vro password and encrypts it, it can be sniffed. (Figure 1)
2. SSH Security
SSH is called Secure Shell in English, and its default connection port is 22. By using SSH, all transmitted data can be encrypted, which is not possible in the "man-in-the-middle" attack mode above, and can also prevent DNS and IP spoofing. In addition, it also has an additional advantage that the transmitted data is compressed, so it can speed up transmission.
3. SSH deployment
Based on the above tests and SSH security features, it is necessary to use SSH instead of Telnet for security management of Cisco routers. Of course, to implement security management of CISOC over SSH, you also need to set up on the vro. The following describes how to deploy and connect SSH in a virtual environment.
(1). Cisco Configuration
The following are commands and instructions for configuring SSH on Cisco:
Ra # config terminalra (config) # ip domain-name ctocio.com.cn//configure a domain name ra (config) # crypto key generate rsa general-keys modulus 1024 // generate an rsa algorithm key with a key of 1024 bits |
(Note: In Cisoc, rsa supports 360-2048 bits. The principle of this algorithm is that the host distributes its own public key to the relevant client, when the client accesses the host, it uses the public key of the host to encrypt the data. The host uses its own private key to decrypt the data, so as to implement host key authentication and determine the reliable identity of the client.
Ra (config) # ip ssh time 120 // set the ssh time to 120 seconds ra (config) # ip ssh authentication 4 // set the number of ssh authentication retries to 4, you can select ra (config) # line vty 0 4 between 0 and 5 // enter vty mode ra (config-line) # transport input ssh // set the logon mode of vty to ssh, by default, all is allowed to log on to ra (config-line) # login |
After the configuration is complete, you cannot telnet to the Cisoc router. (Figure 3)
Ra (config-line) # exitra (config) # aaa authentication login default local // enable aaa authentication and set ra (config-line) authentication on the local server) # username ctocio password ctocio // create a user ctocio and set its password to ctocio for SSH client login |
In this way, the CISCO configuration for SSH is complete.