home       basis       advanced       routing       switching       testen       overig      

secure switch config

We want a console password that is not visible in the running-config.
We want an enable secret
We want to use ssh from far and wide

secure-switch-config
  1. switch configuration
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Compiled Wed 18-May-05 22:31 by jharirba
     
      Press RETURN to get started!
     
      %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
      %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
     
    Switch> enable
    Switch# configure terminal
      Enter configuration commands, one per line.  End with CNTL/Z.
     
    Switch(config)#  hostname S1
     
    S1(config)#      enable secret en12345
    S1(config)#      line console 0
    S1(config-line)# password con12345
    S1(config-line)# login
    S1(config-line)# exit
    S1(config)#      service password-encryption
     
    S1(config)#      interface vlan 1
    S1(config-if)#   ip address 192.168.1.201 255.255.255.0
    S1(config-if)#   no shutdown
    S1(config-if)#   exit
     
      %LINK-5-CHANGED: Interface Vlan1, changed state to up
      %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
     
    S1(config)#      ip domain-name thisdomain.net
    S1(config)#      crypto key generate rsa
     
      The name for the keys will be: S1.thisdomain.net
      Choose the size of the key modulus in the range of 360 to 2048 for your
      General Purpose Keys. Choosing a key modulus greater than 512 may take
      a few minutes.
     
    How many bits in the modulus [512]:     2048
      % Generating 2048 bit RSA keys, keys will be non-exportable...[OK]
     
    S1(config)#     user weareroot secret ssh12345
      *Mar 1 0:3:32.920:  %SSH-5-ENABLED: SSH 1.99 has been enabled 
     
    S1(config)#      line vty 0 15
    S1(config-line)# login local
    S1(config-line)# transport input ssh
    S1(config-line)# exec-timeout 5
    S1(config-line)# end
    S1#
     
      %SYS-5-CONFIG_I: Configured from console by console
     
    S1#              copy run start
    Destination filename [startup-config]? 
      Building configuration...
      [OK]
    S1#

     

  2. login from packettracer CLI-tab
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1)
    Copyright (c) 1986-2005 by cisco Systems, Inc.
    Press RETURN to get started!
      User Access Verification
    Password:  con12345     ! this is what we type but do not see
     
    S1> enable
    Password:  en12345     ! this is what we type but do not see
    S1#

     

  3. running-config
    show running-config
    Building configuration...
     
    Current configuration : 1279 bytes
    !
    version 12.1
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    !
    hostname S1
    !
    enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
    !
    ip domain-name thisdomain.net
    !
    username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
    !
    !
    spanning-tree mode pvst
    !
    interface FastEthernet0/1
    !
    ( snipped )
    !
    interface FastEthernet0/24
    !
    interface GigabitEthernet0/1
    !
    interface GigabitEthernet0/2
    !
    interface Vlan1
    ip address 192.168.1.201 255.255.255.0
    !
    line con 0
    password 7 08224340584B564347
    login
    !
    line vty 0 4
    login local
    transport input ssh
    line vty 5 15
    login local
    transport input ssh
    !
    !
    end

     

  4. WARNINGS
    Notice that the console password uses service 7 encryption, which can be reversed immediately ...
    Decrypt Cisco Type 7 Passwords
    iBeast Business Solutions
     
    Password to Decrypt: 08224340584B564347
     
    Your Password is con12345

    For enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
    and for username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
    a brute force attack will yield your password sooner or later depending on the length of this password.
     
    DO NOT USE THE SAME PASSWORD for CONSOLE as for SSH
    DO NOT USE OUR CONSOLE PASSWORD FOR ANYTHING ELSE ...
    DO NOT USE YOUR SSH-PASSWORD anywhere else
     

  5. login from PC-1
    PC-1> ssh -l  weareroot 192.168.1.201
    Open
    Password:  ssh12345
    S1>enable
    Password:  en12345
    S1#