secure switch config
We want a console password that is not visible in the running-config.
We want an enable secret
We want to use ssh from far and wide
- switch configuration
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1) Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Wed 18-May-05 22:31 by jharirba Press RETURN to get started! %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up Switch> enable Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# hostname S1 S1(config)# enable secret en12345 S1(config)# line console 0 S1(config-line)# password con12345 S1(config-line)# login S1(config-line)# exit S1(config)# service password-encryption S1(config)# interface vlan 1 S1(config-if)# ip address 192.168.1.201 255.255.255.0 S1(config-if)# no shutdown S1(config-if)# exit %LINK-5-CHANGED: Interface Vlan1, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up S1(config)# ip domain-name thisdomain.net S1(config)# crypto key generate rsa The name for the keys will be: S1.thisdomain.net Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 2048 % Generating 2048 bit RSA keys, keys will be non-exportable...[OK] S1(config)# user weareroot secret ssh12345 *Mar 1 0:3:32.920: %SSH-5-ENABLED: SSH 1.99 has been enabled S1(config)# line vty 0 15 S1(config-line)# login local S1(config-line)# transport input ssh S1(config-line)# exec-timeout 5 S1(config-line)# end S1# %SYS-5-CONFIG_I: Configured from console by console S1# copy run start Destination filename [startup-config]? Building configuration... [OK] S1# - login from packettracer CLI-tab
Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA4, RELEASE SOFTWARE(fc1) Copyright (c) 1986-2005 by cisco Systems, Inc. Press RETURN to get started! User Access Verification Password: con12345 ! this is what we type but do not see S1> enable Password: en12345 ! this is what we type but do not see S1# - running-config
show running-config Building configuration... Current configuration : 1279 bytes ! version 12.1 no service timestamps log datetime msec no service timestamps debug datetime msec service password-encryption ! hostname S1 ! enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1 ! ip domain-name thisdomain.net ! username weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1 ! ! spanning-tree mode pvst ! interface FastEthernet0/1 ! ( snipped ) ! interface FastEthernet0/24 ! interface GigabitEthernet0/1 ! interface GigabitEthernet0/2 ! interface Vlan1 ip address 192.168.1.201 255.255.255.0 ! line con 0 password 7 08224340584B564347 login ! line vty 0 4 login local transport input ssh line vty 5 15 login local transport input ssh ! ! end - WARNINGS
Notice that the console password uses service 7 encryption, which can be reversed immediately ...Decrypt Cisco Type 7 Passwords iBeast Business Solutions Password to Decrypt: 08224340584B564347 Your Password is con12345For
enable secret 5 $1$mERr$z5rrmPNmDri/9pcNOiP4X1
and forusername weareroot secret 5 $1$mERr$z3NR48hOwWrawIvgupWtn1
a brute force attack will yield your password sooner or later depending on the length of this password.
DO NOT USE THE SAME PASSWORD for CONSOLE as for SSH
DO NOT USE OUR CONSOLE PASSWORD FOR ANYTHING ELSE ...
DO NOT USE YOUR SSH-PASSWORD anywhere else
- login from PC-1
PC-1> ssh -l weareroot 192.168.1.201 Open Password: ssh12345 S1>enable Password: en12345 S1#