Config Autosecure

The document describes securing a router named R1 using AutoSecure. It involves: 1) Configuring Serial0/0/0 as the internet-facing interface. 2) Creating a login banner with text "Unauthorized Access is Prohibited!". 3) Configuring a local user "Admin01" with password "Admin01pa55". 4) Applying the AutoSecure configuration to enhance the router's security.

Uploaded by

erojas

In this Syntax Checker, you will use AutoSecure to secure R1.

Configure Serial0/0/0 as the interface facing the Internet.

Create a motd banner using #Unauthorized Access is Prohibited!#.
Create a local username Admin01 and password Admin01pa55 to access the router.
Configure a 60 second login shutdown if two failed login attempts are made within
30 seconds.
Use ccnasecurity.com as the domain name for the SSH server.
Do not configure CBAC firewall.
Apply the configuration from AutoSecure to the running-config.

Use AutoSecure to lock down the router.


R1# auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
AutoSecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]# yes
Enter the number of interfaces facing the internet [1]# 1
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES unset administratively down down
GigabitEthernet0/0 unassigned YES unset administratively down down
GigabitEthernet0/1 192.168.1.1 YES manual up up
Serial0/0/0 10.1.1.1 YES manual up up
Serial0/0/1 unassigned YES unset administratively down down
Enter the interface name that is facing the internet# serial0/0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
# #Unauthorized Access is Prohibited!#

Configuration of local user database

Enter the username# Admin01
Enter the password# Admin01pa55
Confirm the password# Admin01pa55
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected# 60
Maximum Login failures with the device# 2
Maximum time period for crossing the failed login attempts# 30
Configure SSH server? [yes]# yes
Enter the domain-name# ccnasecurity.com

Configuring interface specific AutoSecure services

Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]# no
This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^CUnauthorized Access is PROHIBITED^C
security passwords min-length 6
security authentication failure rate 10 log
username Admin01 password 7 15330F010D247B7538326077
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1 2
login authentication local_auth
exec-timeout 15 0
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface Embedded-Service-Engine0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
access-list 100 permit udp any any eq bootpc
interface Serial0/0/0
ip verify unicast source reachable-via rx allow-default 100
!
end
Apply this configuration to running-config? [yes]# yes

Applying the config generated to running-config

The name for the keys will be: R1.ccnasecurity.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

R1#
000046: *Dec 30 22:44:35.503 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
You successfully secured R1 using AutoSecure.
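As an added check (example code, not part of the Syntax Checker or of Cisco's tooling), the Python below parses a constructed excerpt of the configuration AutoSecure generated above, verifies the settings the exercise asked for, and also flags two things the transcript shows AutoSecure leaving in place: `transport input ssh telnet` on the vty lines (Telnet still permitted next to SSH) and a reversible type 7 password for Admin01. The function names and the indentation of the sample (restored to match `show running-config` output) are my assumptions.

```python
import re
# Constructed excerpt of the config AutoSecure generated for R1 above,
# indented the way `show running-config` prints it.
SAMPLE_CONFIG = """\
no cdp run
username Admin01 password 7 15330F010D247B7538326077
line vty 0 4
 transport input telnet
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
line vty 0 4
 transport input ssh telnet
interface GigabitEthernet0/1
 no ip redirects
interface Serial0/0/0
 ip verify unicast source reachable-via rx allow-default 100
"""

def parse_sections(config):
    # Group indented lines under their 'interface'/'line' header; a repeated
    # header (AutoSecure emits 'line vty 0 4' twice) merges, as IOS would.
    sections, current = {"global": []}, "global"
    for line in config.splitlines():
        if line.startswith(" "):
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line.strip()
            sections.setdefault(current, [])
        elif line.strip():
            current = "global"
            sections["global"].append(line.strip())
    return sections

def audit(config, wan="Serial0/0/0"):
    # Lab settings, plus two leftovers: Telnet still allowed on vty, reversible type 7 passwords.
    s = parse_sections(config)
    g = s["global"]
    block = [tuple(map(int, m.groups())) for l in g
             if (m := re.match(r"login block-for (\d+) attempts (\d+) within (\d+)", l))]
    vty_in = [l.split()[2:] for l in s.get("line vty 0 4", []) if l.startswith("transport input")]
    urpf = sorted(n.split(" ", 1)[1] for n, ls in s.items() if n.startswith("interface ")
                  and any(l.startswith("ip verify unicast") for l in ls))
    return {
        "login_block_ok": block[-1:] == [(60, 2, 30)],
        "ssh_domain_ok": "ip domain-name ccnasecurity.com" in g,
        "cdp_disabled": "no cdp run" in g,
        "urpf_only_on_wan": urpf == [wan],
        "telnet_still_allowed": bool(vty_in) and "telnet" in vty_in[-1],  # last one wins in IOS
        "type7_passwords": [l.split()[1] for l in g if " password 7 " in l],
    }
```

Replacing `transport input ssh telnet` with `transport input ssh` and the `password 7` entry with a `secret` entry clears the two findings while keeping the requested settings.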
