Disabling Router Lines

Problem

You want to disable your router's AUX port to help prevent unauthorized access.

Solution

To completely disable access via the router's AUX port, use the following set of commands:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#line aux 0 Router1(config-line)#transport input none Router1(config-line)#no exec Router1(config-line)#exec-timeout 0 1 Router1(config-line)#no password Router1(config-line)#exit Router1(config)#end Router1#

You can disable access to the router through the VTY lines as follows:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#access-list 98 deny any log Router1(config)#line vty 0 4 Router1(config-line)#transport input none Router1(config-line)#exec-timeout 0 1 Router1(config-line)#no exec Router1(config-line)#access-class 98 in Router1(config-line)#exit Router1(config)#end Router1#

 

Discussion

It is extremely important to secure access to your routers. The most effective way to secure router ports is to simply disable them if they aren't needed. Of course, it isn't always feasible to disable all router ports, but you can improve security by disabling any unused ones. For instance, network administrators rarely use the router's AUX port, so they should consider disabling it. If your routers are physically close to the administrators so that remote access is not necessary, you might want to disable the VTY ports as well to provide greater security.

Our first example shows a somewhat paranoid method of disabling a router's AUX port. We say paranoid because it involves using several different techniques, each of which should be sufficient alone, strung together for added protection. The transport i nput none command prevents reverse TELNET access from the network (see Recipe 3.10). The no exec command prevents the AUX port from running an EXEC session. Without an EXEC process, you will get no response when you connect a terminal to the port. Further, the exec-timeout command sets the EXEC timeout to one second (see Recipe 3.9). This effectively limits the ability to submit commands in case an attacker somehow manages to start an EXEC process. Finally, no password forces the router to clear its line password, so there is no way to authenticate if somebody is able to connect.

The example of disabling VTY ports is also paranoid but effective. This example also illustrates several different methods to disable connectivity in a single example. In reality, any one of these methods would work, but we recommend including at least one secondary method as a safety measure. It is important to note that these extra precautions don't cost anything. They don't increase the router's CPU load or memory consumption appreciably. So for the extra level of safety, you might as well string together several methods as we have shown.

To disable the VTY interfaces, we first set the transport input to none (see Recipe 3.10) to disable all inbound transport methods. We also set the exec-timeout to one second (see Recipe 3.9). Then we disable the EXEC process on this line, which renders the VTY port useless. Finally, we implement an input access-class that prevents all IP addresses from accessing the VTY ports (see Recipe 3.16).

If you try to connect to a VTY line that is disabled, as shown in this recipe, the router will refuse the connection:

Freebsd% telnet Router1 Trying 172.22.1.4... telnet: connect to address 172.22.1.4: Connection refused telnet: Unable to connect to remote host Freebsd%

The console port is the most important access line your router has. It is the last place you can still connect to when everything else goes wrong, so we do not recommend disabling it. However, we do recommend increasing the security of your console port to provide maximum protection. By default, the console port will not prompt for a login or password. This means that unauthorized users can easily gain access to your router's EXEC without effort. Of course, the router is always vulnerable to console access via the password recovery process, which highlights why physical security is important. You should always house routers in restricted rooms or closets to ensure physical security.

To increase the security of a router's console port, use the following set of configuration commands:

Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#line con 0 Router1(config-line)#exec-timeout 5 0 Router1(config-line)#password ora22bkz Router1(config-line)#login Router1(config-line)#exit Router1(config)#end Router1#

This example enables a login prompt by configuring the login and password commands, and reduces the exec-timeout to five minutes to ensure that console sessions will disconnect themselves if somebody walks away from the terminal. Note however, that login and password commands become unnecessary if you configure your router to use local authentication or AAA. The stronger authentication method overrides the configurations of all of the lines, including the console port.

See Also

Recipe 3.1; Recipe 3.9; Recipe 3.10; Recipe 3.16; Chapter 4

Категории