Cisco router security configuration command

Which command standard do you want Cisco to use on each vro? Each administrator configures the commands of each vro correctly. The ten commands in this article are what I think you should configure on each vro, with no special order.

1. configure a Logon account on the vro

I strongly recommend that you configure a real user name and password account on the vro and vswitch. This means that you need a user and a password to gain access.

In addition, we recommend that you use a secret password for your username, instead of a common password. It uses MD5 encryption to encrypt passwords, and greatly improves security. Example:

Router (config) # user name root secret My $ Password

After the user name is configured, you must enable the port using the user name. Example:

Router (config) # line con 0

Router (config-line) # login local

Router (config) # line aux 0

Router (config-line) # login local

Router (config) # line vty 0 4

Router (config-line) # login local

2. Set a host name on the vro

I guess the default host name on the router is router. You can keep this default value and the vro can run normally. However, it makes sense to rename a vro and uniquely identify it. Example:

Router (config) # hostname Router-Branch-23

In addition, you can configure a domain name on the router so that it knows which DNS domain it is in. Example:

Router-Branch-23 (config) # ip domain name TechRepublic.com

3. Set a password for privileged Mode

When talking about setting a password to enter the privileged mode, many people think of using the enablepassword command. However, instead of using this command, I strongly recommend using the enablesecret command.

This command uses the MD5 encryption method to encrypt the password, so the prompt is not displayed in plaintext. Example:

Router (config) # enable secret My $ Password

4. encrypt the vro Password

By default, the password is not encrypted in the configuration of the Cisco router. However, you can easily change this point. Example:

Router (config) # service password-encryption

5. Disable Web Services

The Cisco router also enables Web services by default, which is a security risk. If you don't want to use it, you 'd better disable it. Example:

Router (config) # no ip http server

6. Configure DNS or disable DNS Lookup

Let's discuss a small problem I personally think of as a Cisco router: by default, if a command is mistakenly entered in privileged mode, the router thinks you are trying to Telnet to a remote host. However, it performs DNS lookup on the content you enter.

If you do not configure dns on the vro, the command prompt will be suspended until the DNS search fails. For this reason, we recommend that you use one of the following two methods.

One option is to disable DNS. The practice is:

Router (config) # no ip domain-lookup

Alternatively, you can correctly configure DNS to point to a real DNS server.

Router (config) # ip name-server

7. Configure command alias

Many network administrators know the abbreviation (alias) for configuring commands on routers ). Example:

Router (config) # alias exec s sh run

This means that you can enter s instead of the complete showrunning-configuration command.

8. Set the router clock or configure the NTP server.

Most Cisco devices do not have an internal clock. When they are started, they do not know the time. Even if you set the time, If you disable or restart the vro, it does not retain this information.

First, set your time zone and daylight saving time. Example:

Router (config) # clock timezone CST-6

Router (config) # clock summer-time CDT recurring

Then, to ensure that the router event message displays the correct time, set the router clock or configure an NTP server. An example of clock setting is as follows:

Router # clock set 10:54:00 Oct 5 2005

If you already have an NTP server (or a vro that can access the Internet) in the network, you can use it as the time source. This is your best choice. When the router is started, it will set the clock through the NTP server. Example:

Router (config) # ntp server 13.03.4.101

9. Prevent log messages from disturbing your configuration process

Another small problem I think in CiscoIOS is that when I configure a vro, log messages (maybe the Console port, AUX port, or VTY port) are continuously displayed on the console interface ). To prevent this, you can do so.

Therefore, I use the log synchronization command on each port. Example:

Router (config) # line con 0

Router (config-line) # logging synchronous

Router (config) # line aux 0

Router (config-line) # logging synchronous

Router (config) # line vty 0 4

Router (config-line) # logging synchronous

In addition, you can modify the execution timeout of these ports on the port. For example, suppose you want to disable the default 10-minute timeout on the VTY line. Use the exec-timeout00 command in line configuration mode so that the router never exits.

10. Record System messages in the vro buffer or System Log Server

Capturing router errors and events and monitoring the console are the key to solving the problem. By default, the router does not send buffered event records to the router memory.

However, you can configure a router to send buffered event records to the memory. Example:

The Router (config) # logging buffered 16384

You can also send a router event to a system log server. Because the server is outside the vro, there is an additional advantage: even if the vro is powered off, the event records are retained.