Netband Project - Device hardening

<accesscontrol>NetBand</accesscontrol> This page is part of the Netband Project

Exclusive Configuration Change Access

• ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.

B1rt1(config)#configuration mode exclusive auto
!
B1rt1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
B1rt1(config)#
Apr 16 13:02:58.746:  Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit

B1rt1(config)#interface fa0/0
Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later.

For more information see: Exclusive Configuration Change Access

Cisco IOS Software Resilient Configuration

• stores a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device.
• Can only be disabled through console access

secure boot-image
secure boot-config

B1rt1#sh secure bootset
IOS resilience router id FCZ111910E5

IOS image resilience version 12.4 activated at 11:05:51 UTC Thu Apr 16 2009
Secure archive flash:c2801-advipservicesk9-mz.124-9.T.bin type is image (elf) []
  file size is 30588892 bytes, run size is 30754576 bytes
  Runnable image, entry point 0x8000F000, run from ram

IOS configuration resilience version 12.4 activated at 11:06:11 UTC Thu Apr 16 2009
Secure archive flash:.runcfg-20090416-110611.ar type is config
configuration archive size 4555 bytes

B1rt1(config)#no secure boot-config
%You must be logged on the console to apply this command

B1rt1(config)#secure boot-config restore flash:rescueconf
ios resilience:configuration successfully restored as flash:rescueconf

For more information see: Cisco IOS Resilient Configuration

Reserve Memory for Console Access

• used in order to reserve enough memory to ensure console access to a Cisco IOS device

memory reserve console 4096

For more information see: Reserve Memory for Console Access

Memory Leak Detector

• used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks.

scheduler heapcheck process memory

For more information see: Memory Leak Detector

Buffer Overflow: Detection and Correction of Redzone Corruption

• A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked
• When a memory block overflow problem is detected in packet memory, software will change the memory block header data back to its correct value.

exception memory ignore overflow io
exception memory ignore overflow processor

show memory overflow

For more information see: Buffer Overflow: Detection and Correction of Redzone Corruption

EXEC Timeout

• logs out sessions on vty or tty lines that are left idle.
• Default is 10 minutes

line con 0
 exec-timeout 5
line vty 0 4
 exec-timeout 5

Disable Unused Services

no ip finger
ip dhcp bootp ignore
no service pad
no ip http server 
no service config

On versions prior to 12.0, also do:
no service udp-small-servers
no service tcp-small-servers

No Service Password-Recovery

• Disables password recovery through ROMMON
• The router can be reset to factory default configuration, but the stored configuration is lost

no service password-recovery

For more information see: No Service Password-Recovery

Password Management

• Uses Message Digest 5 (MD5) for password hashing

enable secret cisco

• prevents casual observers from reading passwords
• weak password encryption

service password-encryption

Login Password Retry Lockout

• locks an user account after a configured number of failed attempts
• A user with privilege level 15 cannot be locked out

aaa new-model
aaa local authentication attempts max-fail 3
aaa authentication login default local
!
username admin2 privilege 14 secret cisco

Apr 16 12:36:41.257: %AAA-5-USER_LOCKED: User admin2 locked out on authentication failure

B1rt1#clear aaa local user lockout username admin2

Apr 16 12:39:57.474: %AAA-5-USER_UNLOCKED: User admin2 unlocked by admin on vty0 (192.168.0.11)

For more information see: Login Password Retry Lockout

Cisco IOS Login Enhancements

• adds a delay between successive logins
• login shutdown(quiet mode) for a specified period of time
• Allows for speficied hosts or subnets to login in during quiet mode

login block-for 120 attempts 2 within 30
login delay 2
login on-failure log
login quiet-mode access-class 2
access-list 2 permit 10.0.0.0 0.255.255.255

Apr 16 15:30:29.249: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: ] [Source: 192.168.3.12] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 15:30:29 UTC Thu Apr 16 2009

Note: The sl_def_acl is created by the system and cannot be removed or modified
Extended IP access list sl_def_acl
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit tcp any any eq 22 log

Apr 16 15:32:29.252: %SEC_LOGIN-5-QUIET_MODE_OFF: Quiet Mode is OFF, because block period timed out at 15:32:29 UTC Thu Apr 16 2009

B1rt1#sh login failures
Total failed logins: 7
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
                10.248.10.98    22    2     07:30:17 UTC Sun Dec 14 2008
                10.1.0.53       22    1     21:27:15 UTC Mon Dec 22 2008
                192.168.3.10    22    2     15:02:23 UTC Thu Jan 8 2009
                192.168.3.12    22    2     15:30:17 UTC Thu Apr 16 2009

B1rt1#sh login
     A login delay of 2 seconds is applied.
     Quiet-Mode access list 2 is applied.

     Router enabled to watch for login Attacks.
     If more than 2 login failures occur in 30 seconds or less,
     logins will be disabled for 120 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 8 seconds.
         Login failures for current window: 0.
     Total login failures: 7.

Encrypting Management Sessions

• use SSH instead of telnet
• use HTTPS instead of HTTP

ip domain-name netband.dk
!
B1rt1(config)#crypto key generate rsa
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:2048
% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

B1rt1(config)#
Apr 16 12:50:47.916: %SSH-5-ENABLED: SSH 2.0 has been enabled

B1rt1(config)#ip ssh time-out 60
B1rt1(config)#ip ssh authentication-retries 3

B1rt1#sh ip ssh
SSH Enabled - version 2.0
Authentication timeout: 60 secs; Authentication retries: 3

B1rt1(config)#no ip http server
B1rt1(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Control vty and tty Lines

• Disable unwanted access methods to and from the virtual lines
• Use access-lists to control access to the virtual lines

line vty 0 4
 transport input ssh
 transport output ssh
 access-class 2 in
line vty 5
 transport input ssh
 transport input ssh
 access-class 2 in
!
access-list 2 permit 10.0.0.0 0.255.255.255

External links

Cisco Guide to Harden Cisco IOS Devices