Netband Project - Device hardening
From Teknologisk videncenter
<accesscontrol>NetBand</accesscontrol>
This page is part of the Netband Project
Contents
- 1 Exclusive Configuration Change Access
- 2 Cisco IOS Software Resilient Configuration
- 3 Reserve Memory for Console Access
- 4 Memory Leak Detector
- 5 Buffer Overflow: Detection and Correction of Redzone Corruption
- 6 EXEC Timeout
- 7 Disable Unused Services
- 8 No Service Password-Recovery
- 9 Password Management
- 10 Login Password Retry Lockout
- 11 Encrypting Management Sessions
- 12 Control vty and tty Lines
- 13 External links
Exclusive Configuration Change Access
- ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.
B1rt1(config)#configuration mode exclusive auto ! B1rt1#conf t Enter configuration commands, one per line. End with CNTL/Z. B1rt1(config)# Apr 16 13:02:58.746: Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
B1rt1(config)#interface fa0/0 Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later.
For more information see: Exclusive Configuration Change Access
Cisco IOS Software Resilient Configuration
- stores a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device.
- Can only be disabled through console access
secure boot-image secure boot-config
B1rt1#sh secure bootset IOS resilience router id FCZ111910E5 IOS image resilience version 12.4 activated at 11:05:51 UTC Thu Apr 16 2009 Secure archive flash:c2801-advipservicesk9-mz.124-9.T.bin type is image (elf) [] file size is 30588892 bytes, run size is 30754576 bytes Runnable image, entry point 0x8000F000, run from ram IOS configuration resilience version 12.4 activated at 11:06:11 UTC Thu Apr 16 2009 Secure archive flash:.runcfg-20090416-110611.ar type is config configuration archive size 4555 bytes
B1rt1(config)#no secure boot-config %You must be logged on the console to apply this command
B1rt1(config)#secure boot-config restore flash:rescueconf ios resilience:configuration successfully restored as flash:rescueconf
For more information see: Cisco IOS Resilient Configuration
Reserve Memory for Console Access
- used in order to reserve enough memory to ensure console access to a Cisco IOS device
memory reserve console 4096
For more information see: Reserve Memory for Console Access
Memory Leak Detector
- used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks.
scheduler heapcheck process memory
For more information see: Memory Leak Detector
Buffer Overflow: Detection and Correction of Redzone Corruption
- A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked
- When a memory block overflow problem is detected in packet memory, software will change the memory block header data back to its correct value.
exception memory ignore overflow io exception memory ignore overflow processor
show memory overflow
For more information see: Buffer Overflow: Detection and Correction of Redzone Corruption
EXEC Timeout
- logs out sessions on vty or tty lines that are left idle.
- Default is 10 minutes
line con 0 exec-timeout 5 line vty 0 4 exec-timeout 5
Disable Unused Services
no ip finger ip dhcp bootp ignore no service pad no ip http server no service config On versions prior to 12.0, also do: no service udp-small-servers no service tcp-small-servers
No Service Password-Recovery
- Disables password recovery through ROMMON
- The router can be reset to factory default configuration, but the stored configuration is lost
no service password-recovery
For more information see: No Service Password-Recovery
Password Management
- Uses Message Digest 5 (MD5) for password hashing
enable secret cisco
- prevents casual observers from reading passwords
- weak password encryption
service password-encryption
Login Password Retry Lockout
- locks an user account after a configured number of failed attempts
- A user with privilege level 15 cannot be locked out
aaa new-model aaa local authentication attempts max-fail 3 aaa authentication login default local ! username admin2 privilege 14 secret cisco
Apr 16 12:36:41.257: %AAA-5-USER_LOCKED: User admin2 locked out on authentication failure B1rt1#clear aaa local user lockout username admin2 Apr 16 12:39:57.474: %AAA-5-USER_UNLOCKED: User admin2 unlocked by admin on vty0 (192.168.0.11)
For more information see: Login Password Retry Lockout
Encrypting Management Sessions
- use SSH instead of telnet
- use HTTPS instead of HTTP
ip domain-name netband.dk ! B1rt1(config)#crypto key generate rsa Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]:2048 % Generating 2048 bit RSA keys, keys will be non-exportable...[OK] B1rt1(config)# Apr 16 12:50:47.916: %SSH-5-ENABLED: SSH 2.0 has been enabled B1rt1(config)#ip ssh time-out 60 B1rt1(config)#ip ssh authentication-retries 3 B1rt1#sh ip ssh SSH Enabled - version 2.0 Authentication timeout: 60 secs; Authentication retries: 3
B1rt1(config)#no ip http server B1rt1(config)#ip http secure-server % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Control vty and tty Lines
- Disable uwanted access methods to the virtual lines
line vty 0 4 logging synchronous transport input ssh line vty 5 transport input ssh