need some advice on our cisco routers..

Mark Jayson Alvarez jay2xra at yahoo.com
Wed Feb 8 22:07:06 PST 2006


Hi,
 
 We have a couple of Cisco routers. There was one time when suddenly we could not log in remotely via telnet. I investigated further and was shocked when I found out that there were 16 telnet connections coming from outsiders' IP addresses. I immediately called our Director (the only Cisco-certified guy in the office) and he began kicking each of the telnet connections one by one. He then replaced every "secret/password" and deleted all unnecessary local accounts. However, we're still wondering how those hackers got into the system. Now this Cisco's AAA defaults to a RADIUS server. Since then, the outsiders have gone away. Perhaps the hackers got one of the router's local accounts and were trying to brute-force their way to enable mode.
 
 Now, I have few questions:
 1. Is it possible that they still haven't cracked the enable password yet, or do they already know it and have just silently been playing with our router? What for? If you were a hacker, what would you do if you got access to an ISP's router? :-)
 2. What would you do if the same thing happened to you?
 3. How do you secure the Cisco routers in your office? Our director said that we should look for best practices in securing our routers.
 
 Our company is an ISP providing broadband Internet for R&D institutions. We offer no dial-up connections, only E1's etc. We have two STM-1 (155 Mbps) outgoing pipes, one Cisco 7206 and one Cisco 7304.
 We have a RADIUS server running some old version of FreeBSD (4.6, I guess), but the accounting is not working anymore. Only authentication, and RADIUS uses the accounts listed in /etc/passwd.
 
 Now, I am trying to configure a new RADIUS server (to replace the old server configured by the former net/sys admins), only I'm not sure if it is really what we need. My initial idea of RADIUS is that it ties together authentication, authorization and accounting; however, as I have said, I guess we don't need any accounting since we don't offer dial-up services. Authentication: I tried once to make our router work with our Kerberos setup so that the telnet password doesn't have to be sent, but unfortunately I failed to make it work with our Heimdal installation (seems like they are having incompatibility issues with encryption, though I haven't tried it with MIT yet). Authorization: we currently have an LDAP directory used only for email services; I don't know if it is still needed. We also have remote logging through that RADIUS server, and guess what, it's not working anymore. I compared the config of that compromised router with the other one and found out that the logging lines are gone (hmmm..).
 
 I need some tips here: the tools you are currently using, and also some of the best practices you are implementing in your NOC. I'm the new admin and the services are poorly documented. Now I am trying to start everything from scratch, this time documenting everything I am doing: load balancer, proxy server, email, DNS, web, LDAP, Kerberos, etc. Unfortunately I don't have any Cisco training yet, and I'm glad that my supervisor is kind enough to lend me the enable password (for the rest, Google and Google).
 
 Thanks for your time.
 
 Sincerely 
 -jay
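The post asks for router hardening best practices and describes the two symptoms that let the intrusion happen unnoticed: VTY lines reachable by anyone on the Internet over Telnet, and the `logging` lines having disappeared from the compromised router's configuration. The following Cisco IOS fragment is an added example (not the poster's configuration and not taken from the thread) showing a weak VTY setup beside a hardened one. All addresses (192.0.2.0/24 as the management network, 192.0.2.10 as the RADIUS server, 192.0.2.20 as the syslog/NTP host), the hostname, domain name, ACL name and the `<...>` secrets are assumptions chosen for illustration; substitute your own.

```cisco
! ---- Weak: the kind of VTY setup that lets outsiders open 16 Telnet sessions ----
! Cleartext Telnet from any source address, a shared line password, nothing logged off-box.
line vty 0 4
 password cisco
 login
 transport input telnet

! ---- Hardened (example values; replace every <...> and the 192.0.2.x addresses) ----
hostname rtr-border1
ip domain-name example.net
! SSH needs an RSA key pair. Generate it once from privileged EXEC, not config mode:
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3

! Keep line passwords hashed in the saved config and use a real enable secret (MD5 hash).
service password-encryption
enable secret <strong-enable-secret>

! AAA against RADIUS; the single local account is only used if RADIUS is unreachable.
! Note: IOS does per-command accounting only with TACACS+, so RADIUS gets exec accounting.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa accounting exec default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <radius-shared-secret>
radius-server timeout 3
username netadmin privilege 15 secret <strong-local-secret>

! Only the management subnet may reach the VTYs; every rejected attempt is logged.
ip access-list standard MGMT-IN
 permit 192.0.2.0 0.0.0.255
 deny   any log

line con 0
 exec-timeout 5 0
 login authentication default
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 5 0
 login authentication default
 logging synchronous

! Off-box logging with timestamps, so that sessions survive a config wipe and a deleted
! "logging host" line shows up as a sudden silence on the syslog server.
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging host 192.0.2.20
logging trap informational
ntp server 192.0.2.20

! Record configuration changes (who, when, which command). Needs IOS 12.3(4)T or later.
archive
 log config
  logging enable
  notify syslog
  hidekeys

! Services a border router does not need to offer.
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no cdp run
```

Two checks worth doing before trusting the hardened config on a router that outsiders already had exec access to: compare `show running-config` and `show startup-config` line by line against the sibling router (the missing `logging` lines were found exactly this way), and verify the IOS image on flash with `verify /md5 flash:<image-name>` against the checksum published by Cisco for that image, since an attacker with enable access could have replaced it.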


More information about the freebsd-questions mailing list