Difference between revisions of "Netband Project - Device hardening"
From Teknologisk videncenter
(→No Service Password-Recovery) |
m |
||
(41 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | + | =Device hardening= | |
This page is part of the [[Netband_Project|Netband Project]]<br/> | This page is part of the [[Netband_Project|Netband Project]]<br/> | ||
− | |||
− | |||
− | |||
− | |||
==Exclusive Configuration Change Access== | ==Exclusive Configuration Change Access== | ||
*ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time. | *ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time. | ||
− | < | + | <source lang=cli> |
+ | B1rt1(config)#<input>configuration mode exclusive auto</input> | ||
! | ! | ||
− | B1rt1(config)#interface fa0/0 | + | B1rt1#<input>conf t</input> |
+ | Enter configuration commands, one per line. End with CNTL/Z. | ||
+ | B1rt1(config)# | ||
+ | Apr 16 13:02:58.746: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit | ||
+ | </source> | ||
+ | |||
+ | <source lang=cli>B1rt1(config)#<input>interface fa0/0</input> | ||
Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later. | Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later. | ||
− | </ | + | </source> |
For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_exclu.html Exclusive Configuration Change Access] | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_exclu.html Exclusive Configuration Change Access] | ||
Line 21: | Line 24: | ||
secure boot-config | secure boot-config | ||
</pre> | </pre> | ||
− | < | + | <source lang=cli>B1rt1#<input>sh secure bootset</input> |
IOS resilience router id FCZ111910E5 | IOS resilience router id FCZ111910E5 | ||
Line 32: | Line 35: | ||
Secure archive flash:.runcfg-20090416-110611.ar type is config | Secure archive flash:.runcfg-20090416-110611.ar type is config | ||
configuration archive size 4555 bytes | configuration archive size 4555 bytes | ||
− | </ | + | </source> |
− | < | + | <source lang=cli>B1rt1(config)#<input>no secure boot-config</input> |
%You must be logged on the console to apply this command | %You must be logged on the console to apply this command | ||
− | </ | + | </source> |
− | < | + | <source lang=cli>B1rt1(config)#<input>secure boot-config restore flash:rescueconf</input> |
ios resilience:configuration successfully restored as flash:rescueconf | ios resilience:configuration successfully restored as flash:rescueconf | ||
− | </ | + | </source> |
For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtrescfg.html Cisco IOS Resilient Configuration] | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtrescfg.html Cisco IOS Resilient Configuration] | ||
==Reserve Memory for Console Access== | ==Reserve Memory for Console Access== | ||
*used in order to reserve enough memory to ensure console access to a Cisco IOS device | *used in order to reserve enough memory to ensure console access to a Cisco IOS device | ||
− | < | + | <source lang=cli>memory reserve console 4096 |
− | </ | + | </source> |
For more information see: [http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ftresmem.html Reserve Memory for Console Access] | For more information see: [http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ftresmem.html Reserve Memory for Console Access] | ||
==Memory Leak Detector== | ==Memory Leak Detector== | ||
*used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks. | *used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks. | ||
− | < | + | <source lang=cli> |
scheduler heapcheck process memory | scheduler heapcheck process memory | ||
− | </ | + | </source> |
+ | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtmleakd.html Memory Leak Detector] | ||
+ | |||
==Buffer Overflow: Detection and Correction of Redzone Corruption== | ==Buffer Overflow: Detection and Correction of Redzone Corruption== | ||
*A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked | *A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked | ||
*When a memory block overflow problem is detected in packet memory, software will change the memory block header data back to its correct value. | *When a memory block overflow problem is detected in packet memory, software will change the memory block header data back to its correct value. | ||
− | < | + | <source lang=cli>exception memory ignore overflow io |
exception memory ignore overflow processor | exception memory ignore overflow processor | ||
− | </ | + | </source> |
− | < | + | <source lang=cli> |
show memory overflow | show memory overflow | ||
− | </ | + | </source> |
+ | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtbufflo.html Buffer Overflow: Detection and Correction of Redzone Corruption] | ||
+ | |||
==EXEC Timeout== | ==EXEC Timeout== | ||
*logs out sessions on vty or tty lines that are left idle. | *logs out sessions on vty or tty lines that are left idle. | ||
*Default is 10 minutes | *Default is 10 minutes | ||
− | < | + | <source lang=cli> |
line con 0 | line con 0 | ||
exec-timeout 5 | exec-timeout 5 | ||
line vty 0 4 | line vty 0 4 | ||
exec-timeout 5 | exec-timeout 5 | ||
− | </ | + | </source> |
+ | *on some older IOS versions the default is, no timeout | ||
+ | *when all lines are occupied, no one can log in until the device is restarted or the sessions are cleared through the console | ||
+ | <source lang=cli>B1rt1#<input>sh users</input> | ||
+ | Line User Host(s) Idle Location | ||
+ | * vty 194 admin idle 00:00:00 10.1.2.50 | ||
+ | vty 195 admin2 idle 00:00:03 10.1.2.50 | ||
+ | |||
+ | B1rt1#<input>clear line 195</input> | ||
+ | [confirm] | ||
+ | [OK] | ||
+ | B1rt1# | ||
+ | </source> | ||
+ | |||
==Disable Unused Services== | ==Disable Unused Services== | ||
− | < | + | <source lang=cli>no ip finger |
ip dhcp bootp ignore | ip dhcp bootp ignore | ||
no service pad | no service pad | ||
Line 81: | Line 101: | ||
no service udp-small-servers | no service udp-small-servers | ||
no service tcp-small-servers | no service tcp-small-servers | ||
− | </ | + | </source> |
==No Service Password-Recovery== | ==No Service Password-Recovery== | ||
*Disables password recovery through ROMMON | *Disables password recovery through ROMMON | ||
*The router can be reset to factory default configuration, but the stored configuration is lost | *The router can be reset to factory default configuration, but the stored configuration is lost | ||
− | < | + | <source lang=cli>no service password-recovery |
− | </ | + | </source> |
For more information see: [http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html#wp1056707 No Service Password-Recovery] | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gtnsvpwd.html#wp1056707 No Service Password-Recovery] | ||
==Password Management== | ==Password Management== | ||
− | < | + | *Uses Message Digest 5 (MD5) for password hashing |
− | enable secret cisco | + | <source lang=cli>enable secret cisco |
− | </ | + | </source> |
− | * prevents casual observers from reading passwords | + | *prevents casual observers from reading passwords |
− | < | + | *weak password encryption |
+ | <source lang=cli> | ||
service password-encryption | service password-encryption | ||
− | </ | + | </source> |
+ | |||
+ | ==Login Password Retry Lockout== | ||
+ | *locks an user account after a configured number of failed attempts | ||
+ | *must be manually unlocked again | ||
+ | *A user with privilege level 15 cannot be locked out | ||
+ | <source lang=cli> | ||
+ | aaa new-model | ||
+ | aaa local authentication attempts max-fail 3 | ||
+ | aaa authentication login default local | ||
+ | ! | ||
+ | username admin2 privilege 14 secret cisco | ||
+ | </source> | ||
+ | <source lang=cli>Apr 16 12:36:41.257: %AAA-5-USER_LOCKED: User admin2 locked out on authentication failure | ||
+ | |||
+ | B1rt1#<input>clear aaa local user lockout username admin2</input> | ||
+ | |||
+ | Apr 16 12:39:57.474: %AAA-5-USER_UNLOCKED: User admin2 unlocked by admin on vty0 (192.168.0.11) | ||
+ | </source> | ||
+ | For more information see: [http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_cilprl.html Login Password Retry Lockout] | ||
+ | |||
+ | ==Cisco IOS Login Enhancements== | ||
+ | *adds a delay between successive logins | ||
+ | *login shutdown(quiet mode) for a specified period of time | ||
+ | *Allows for speficied hosts or subnets to login in during quiet mode | ||
+ | <source lang=cli>login block-for 120 attempts 2 within 30 | ||
+ | login delay 2 | ||
+ | login on-failure log | ||
+ | login quiet-mode access-class 2 | ||
+ | access-list 2 permit 10.0.0.0 0.255.255.255 | ||
+ | </source> | ||
+ | |||
+ | <source lang=cli>Apr 16 15:30:29.249: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ] [Source: 192.168.3.12] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 15:30:29 UTC Thu Apr 16 2009 | ||
+ | |||
+ | Note: The sl_def_acl is created by the system and cannot be removed or modified | ||
+ | Extended IP access list sl_def_acl | ||
+ | 10 deny tcp any any eq telnet log | ||
+ | 20 deny tcp any any eq www log | ||
+ | 30 deny tcp any any eq 22 log | ||
+ | 40 permit tcp any any eq 22 log | ||
+ | |||
+ | Apr 16 15:32:29.252: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 15:32:29 UTC Thu Apr 16 2009 | ||
+ | </source> | ||
+ | <source lang=cli>B1rt1#<input>sh login failures</input> | ||
+ | Total failed logins: 7 | ||
+ | Detailed information about last 50 failures | ||
+ | |||
+ | Username SourceIPAddr lPort Count TimeStamp | ||
+ | 10.248.10.98 22 2 07:30:17 UTC Sun Dec 14 2008 | ||
+ | 10.1.0.53 22 1 21:27:15 UTC Mon Dec 22 2008 | ||
+ | 192.168.3.10 22 2 15:02:23 UTC Thu Jan 8 2009 | ||
+ | 192.168.3.12 22 2 15:30:17 UTC Thu Apr 16 2009 | ||
+ | </source> | ||
+ | <source lang=cli>B1rt1#<input>sh login</input> | ||
+ | A login delay of 2 seconds is applied. | ||
+ | Quiet-Mode access list 2 is applied. | ||
+ | |||
+ | Router enabled to watch for login Attacks. | ||
+ | If more than 2 login failures occur in 30 seconds or less, | ||
+ | logins will be disabled for 120 seconds. | ||
+ | |||
+ | Router presently in Normal-Mode. | ||
+ | Current Watch Window | ||
+ | Time remaining: 8 seconds. | ||
+ | Login failures for current window: 0. | ||
+ | Total login failures: 7. | ||
+ | </source> | ||
+ | |||
+ | ==Encrypting Management Sessions== | ||
+ | *use SSH instead of telnet | ||
+ | *use HTTPS instead of HTTP | ||
+ | <source lang=cli> | ||
+ | ip domain-name netband.dk | ||
+ | ! | ||
+ | B1rt1(config)#<input>crypto key generate rsa</input> | ||
+ | Choose the size of the key modulus in the range of 360 to 2048 for your | ||
+ | General Purpose Keys. Choosing a key modulus greater than 512 may take | ||
+ | a few minutes. | ||
+ | |||
+ | How many bits in the modulus [512]:2048 | ||
+ | % Generating 2048 bit RSA keys, keys will be non-exportable...[OK] | ||
+ | |||
+ | B1rt1(config)# | ||
+ | Apr 16 12:50:47.916: %SSH-5-ENABLED: SSH 2.0 has been enabled | ||
+ | |||
+ | B1rt1(config)#<input>ip ssh time-out 60</input> | ||
+ | B1rt1(config)#<input>ip ssh authentication-retries 3</input> | ||
+ | |||
+ | B1rt1#<input>sh ip ssh</input> | ||
+ | SSH Enabled - version 2.0 | ||
+ | Authentication timeout: 60 secs; Authentication retries: 3 | ||
+ | </source> | ||
+ | |||
+ | <source lang=cli>B1rt1(config)#<input>no ip http server</input> | ||
+ | B1rt1(config)#<input>ip http secure-server</input> | ||
+ | % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] | ||
+ | </source> | ||
+ | |||
+ | == Control vty and tty Lines == | ||
+ | |||
+ | *Disable unwanted access methods to and from the virtual lines | ||
+ | *Use access-lists to control access to the virtual lines | ||
+ | <source lang=cli>line vty 0 4 | ||
+ | transport input ssh | ||
+ | transport output ssh | ||
+ | access-class 2 in | ||
+ | line vty 5 | ||
+ | transport input ssh | ||
+ | transport output ssh | ||
+ | access-class 2 in | ||
+ | ! | ||
+ | access-list 2 permit 10.0.0.0 0.255.255.255 | ||
+ | </source> | ||
+ | |||
+ | ==Mangement Plane Protection== | ||
+ | *restricts management to one or more logical or physical interfaces | ||
+ | *Can be used as an alternative to vty access-list and interface access-lists | ||
+ | *Works with ftp, http, https, ssh, telnet, tftp and snmp | ||
+ | <source lang=cli>control-plane host | ||
+ | management-interface FastEthernet0/0 allow ssh | ||
+ | |||
+ | Apr 16 20:04:32.067: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path | ||
+ | </source> | ||
+ | <source lang=cli>B1rt1#<input>show management-interface</input> | ||
+ | Management interface FastEthernet0/0 | ||
+ | Protocol Packets processed | ||
+ | ssh 223981 | ||
+ | </source> | ||
+ | For more information see: [http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html#wp1049489 Management Plane Protection] | ||
==External links== | ==External links== | ||
[http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml Cisco Guide to Harden Cisco IOS Devices] | [http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml Cisco Guide to Harden Cisco IOS Devices] | ||
+ | {{Source cli}} | ||
+ | [[Category:network]][[Category:CCNP]][[category:students]][[Category:CCNP4]] |
Latest revision as of 19:54, 30 June 2010
Contents
- 1 Device hardening
- 1.1 Exclusive Configuration Change Access
- 1.2 Cisco IOS Software Resilient Configuration
- 1.3 Reserve Memory for Console Access
- 1.4 Memory Leak Detector
- 1.5 Buffer Overflow: Detection and Correction of Redzone Corruption
- 1.6 EXEC Timeout
- 1.7 Disable Unused Services
- 1.8 No Service Password-Recovery
- 1.9 Password Management
- 1.10 Login Password Retry Lockout
- 1.11 Cisco IOS Login Enhancements
- 1.12 Encrypting Management Sessions
- 1.13 Control vty and tty Lines
- 1.14 Mangement Plane Protection
- 1.15 External links
Device hardening
This page is part of the Netband Project
Exclusive Configuration Change Access
- ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.
B1rt1(config)#<input>configuration mode exclusive auto</input>
!
B1rt1#<input>conf t</input>
Enter configuration commands, one per line. End with CNTL/Z.
B1rt1(config)#
Apr 16 13:02:58.746: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
B1rt1(config)#<input>interface fa0/0</input>
Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later.
For more information see: Exclusive Configuration Change Access
Cisco IOS Software Resilient Configuration
- stores a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device.
- Can only be disabled through console access
secure boot-image secure boot-config
B1rt1#<input>sh secure bootset</input>
IOS resilience router id FCZ111910E5
IOS image resilience version 12.4 activated at 11:05:51 UTC Thu Apr 16 2009
Secure archive flash:c2801-advipservicesk9-mz.124-9.T.bin type is image (elf) []
file size is 30588892 bytes, run size is 30754576 bytes
Runnable image, entry point 0x8000F000, run from ram
IOS configuration resilience version 12.4 activated at 11:06:11 UTC Thu Apr 16 2009
Secure archive flash:.runcfg-20090416-110611.ar type is config
configuration archive size 4555 bytes
B1rt1(config)#<input>no secure boot-config</input>
%You must be logged on the console to apply this command
B1rt1(config)#<input>secure boot-config restore flash:rescueconf</input>
ios resilience:configuration successfully restored as flash:rescueconf
For more information see: Cisco IOS Resilient Configuration
Reserve Memory for Console Access
- used in order to reserve enough memory to ensure console access to a Cisco IOS device
memory reserve console 4096
For more information see: Reserve Memory for Console Access
Memory Leak Detector
- used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks.
scheduler heapcheck process memory
For more information see: Memory Leak Detector
Buffer Overflow: Detection and Correction of Redzone Corruption
- A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked
- When a memory block overflow problem is detected in packet memory, software will change the memory block header data back to its correct value.
exception memory ignore overflow io
exception memory ignore overflow processor
show memory overflow
For more information see: Buffer Overflow: Detection and Correction of Redzone Corruption
EXEC Timeout
- logs out sessions on vty or tty lines that are left idle.
- Default is 10 minutes
line con 0
exec-timeout 5
line vty 0 4
exec-timeout 5
- on some older IOS versions the default is, no timeout
- when all lines are occupied, no one can log in until the device is restarted or the sessions are cleared through the console
B1rt1#<input>sh users</input>
Line User Host(s) Idle Location
* vty 194 admin idle 00:00:00 10.1.2.50
vty 195 admin2 idle 00:00:03 10.1.2.50
B1rt1#<input>clear line 195</input>
[confirm]
[OK]
B1rt1#
Disable Unused Services
no ip finger
ip dhcp bootp ignore
no service pad
no ip http server
no service config
On versions prior to 12.0, also do:
no service udp-small-servers
no service tcp-small-servers
No Service Password-Recovery
- Disables password recovery through ROMMON
- The router can be reset to factory default configuration, but the stored configuration is lost
no service password-recovery
For more information see: No Service Password-Recovery
Password Management
- Uses Message Digest 5 (MD5) for password hashing
enable secret cisco
- prevents casual observers from reading passwords
- weak password encryption
service password-encryption
Login Password Retry Lockout
- locks an user account after a configured number of failed attempts
- must be manually unlocked again
- A user with privilege level 15 cannot be locked out
aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
!
username admin2 privilege 14 secret cisco
Apr 16 12:36:41.257: %AAA-5-USER_LOCKED: User admin2 locked out on authentication failure
B1rt1#<input>clear aaa local user lockout username admin2</input>
Apr 16 12:39:57.474: %AAA-5-USER_UNLOCKED: User admin2 unlocked by admin on vty0 (192.168.0.11)
For more information see: Login Password Retry Lockout
Cisco IOS Login Enhancements
- adds a delay between successive logins
- login shutdown(quiet mode) for a specified period of time
- Allows for speficied hosts or subnets to login in during quiet mode
login block-for 120 attempts 2 within 30
login delay 2
login on-failure log
login quiet-mode access-class 2
access-list 2 permit 10.0.0.0 0.255.255.255
Apr 16 15:30:29.249: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ] [Source: 192.168.3.12] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 15:30:29 UTC Thu Apr 16 2009
Note: The sl_def_acl is created by the system and cannot be removed or modified
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log
40 permit tcp any any eq 22 log
Apr 16 15:32:29.252: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 15:32:29 UTC Thu Apr 16 2009
B1rt1#<input>sh login failures</input>
Total failed logins: 7
Detailed information about last 50 failures
Username SourceIPAddr lPort Count TimeStamp
10.248.10.98 22 2 07:30:17 UTC Sun Dec 14 2008
10.1.0.53 22 1 21:27:15 UTC Mon Dec 22 2008
192.168.3.10 22 2 15:02:23 UTC Thu Jan 8 2009
192.168.3.12 22 2 15:30:17 UTC Thu Apr 16 2009
B1rt1#<input>sh login</input>
A login delay of 2 seconds is applied.
Quiet-Mode access list 2 is applied.
Router enabled to watch for login Attacks.
If more than 2 login failures occur in 30 seconds or less,
logins will be disabled for 120 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 8 seconds.
Login failures for current window: 0.
Total login failures: 7.
Encrypting Management Sessions
- use SSH instead of telnet
- use HTTPS instead of HTTP
ip domain-name netband.dk
!
B1rt1(config)#<input>crypto key generate rsa</input>
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
B1rt1(config)#
Apr 16 12:50:47.916: %SSH-5-ENABLED: SSH 2.0 has been enabled
B1rt1(config)#<input>ip ssh time-out 60</input>
B1rt1(config)#<input>ip ssh authentication-retries 3</input>
B1rt1#<input>sh ip ssh</input>
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3
B1rt1(config)#<input>no ip http server</input>
B1rt1(config)#<input>ip http secure-server</input>
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Control vty and tty Lines
- Disable unwanted access methods to and from the virtual lines
- Use access-lists to control access to the virtual lines
line vty 0 4
transport input ssh
transport output ssh
access-class 2 in
line vty 5
transport input ssh
transport output ssh
access-class 2 in
!
access-list 2 permit 10.0.0.0 0.255.255.255
Mangement Plane Protection
- restricts management to one or more logical or physical interfaces
- Can be used as an alternative to vty access-list and interface access-lists
- Works with ftp, http, https, ssh, telnet, tftp and snmp
control-plane host
management-interface FastEthernet0/0 allow ssh
Apr 16 20:04:32.067: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path
B1rt1#<input>show management-interface</input>
Management interface FastEthernet0/0
Protocol Packets processed
ssh 223981
For more information see: Management Plane Protection