need some advice on our cisco routers..
derek at computinginnovations.com
Thu Feb 9 02:47:13 PST 2006
The best practice I follow for securing routers is to disable any remote
access unless remote access is really necessary. If remote access is
required, I always limit the access to a small number, usually 1-3 remote IPs.
It is also a good idea to enable remote logging to keep a record of events
and access, as all routers have limited logging space internally.
Cisco, among other brands, has had a number of exploits found and
reported on the web. I expect that is how your telnet users got into your
router. So it is also in your best interest, and good practice, to regularly
check and update any firmware on your routers.
Hope this helps.
At 12:07 AM 2/9/2006, Mark Jayson Alvarez wrote:
> We have a couple of Cisco routers. There was one time when suddenly we
> could not log in remotely via telnet. I investigated further and was shocked
> when I found out that there were 16 telnet connections coming from
> outside IP addresses. I immediately called our Director (the only Cisco
> certified guy in the office) and he began kicking each of the telnet
> connections one by one. He then replaced every "secret/password" and
> deleted all unnecessary local accounts. However, we're still wondering
> how those hackers got into the system. Now this Cisco's AAA defaults to
> a RADIUS server. Since then, the outsiders have gone away.. Perhaps the
> hackers got one of the router's local accounts and are trying to brute-force
> their way into enable mode.
> Now, I have a few questions:
> 1. Is it possible that they still haven't cracked the enable
> password yet, or that they already know it and have just silently been
> playing with our router? What for? If you are a hacker, what would you do
> if you got access to an ISP's router? :-)
> 2. What would you do if the same thing happened to you?
> 3. How do you secure the Cisco routers in your office? Our director
> said that we should look for best practices in securing our routers.
> Our company is an ISP for broadband internet for R&D institutions. We
> offer no dial-up connections, only E1s etc. We have 2 STM-1 (155 Mbps)
> outgoing pipes. One Cisco 7206 and one Cisco 7304.
> We have a RADIUS server running some old version of FreeBSD (4.6, I guess),
> but the accounting is not working anymore. Only authentication, and
> RADIUS uses the accounts listed in /etc/passwd.
> Now, I am trying to configure a new RADIUS server (to replace the old
> server configured by the former net/sys admins), only I'm not sure if it is
> really what we need.. My initial idea of RADIUS is that it ties together
> authentication, authorization and accounting.. However, as I have said, I
> guess we don't need any accounting since we don't offer dial-up services.
> For authentication, I tried once to make our router work with our
> Kerberos setup so that the telnet password doesn't have to be sent, but
> unfortunately I failed to make it work with our Heimdal
> installation (seems like they are having incompatibility issues with
> encryption, though I haven't tried it with MIT yet). Authorization: We
> currently have an LDAP directory used only for email services; don't know
> if it is still needed. We also have remote logging through that RADIUS
> server, and guess what, it's not working anymore. I compared the
> config of that compromised router with the other one and found out that
> the logging lines are
> I need some tips here. The tools you are currently using. Also some of
> the best practices you are implementing in your NOC.. I'm the new admin
> and the services are poorly documented.. Now I am trying to start
> everything from scratch, this time documenting everything I am doing..
> Load balancer, proxy server, email, DNS, web, LDAP, Kerberos, etc.
> Unfortunately I don't have any Cisco training yet and I'm glad that my
> supervisor is kind enough to lend me the enable password (the rest,
> Google and Google).
> Thanks for your time.
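The controls Derek lists (remote access only from a few source IPs, logs shipped off-box, no cleartext telnet, reversible passwords replaced by hashed secrets) each map to one or two IOS configuration lines. The script below is an added example and is not part of the thread or of any Cisco tooling: it embeds a constructed "before" config of the kind the compromised router may have had, a hardened version of the same router, and a small audit that flags what is missing. The addresses are RFC 5737 documentation ranges and the hash in `enable secret` is a placeholder, not a real value.

```python
"""Audit a Cisco IOS config for the hardening points raised in the thread:
VTY access limited by access-class, SSH instead of telnet, a remote syslog
host, 'enable secret' instead of 'enable password', and AAA (RADIUS) enabled.

Added example for illustration; the two configs are constructed, not taken
from a real router. Addresses are RFC 5737 documentation ranges.
"""
import re

# Constructed: roughly what a router open to 16 outside telnet sessions looks like.
WEAK_CONFIG = """\
hostname edge-7206
enable password cisco123
username admin password 0 letmein
!
line vty 0 4
 login local
 transport input telnet
!
end
"""

# Constructed: the same router with the controls from the reply applied.
# 203.0.113.10/11 stand in for the two admin hosts, 192.0.2.20 for the syslog server.
HARDENED_CONFIG = """\
hostname edge-7206
service password-encryption
aaa new-model
aaa authentication login default group radius local
enable secret 5 $1$example$placeholderhashXXXXXXXXXX
ip ssh version 2
!
access-list 10 permit host 203.0.113.10
access-list 10 permit host 203.0.113.11
access-list 10 deny   any log
!
logging buffered 16384
logging trap informational
logging host 192.0.2.20
!
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
!
end
"""


def parse_sections(config):
    """Split an IOS config into top-level lines and {section header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None          # '!' separates sections
            continue
        if raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            line = raw.strip()
            top.append(line)
            current = line
            sections.setdefault(line, [])
    return top, sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []

    # Remote access: each 'line vty' block needs an inbound access-class and
    # must not accept telnet, which sends the password in cleartext.
    vty_blocks = {h: b for h, b in sections.items() if h.startswith("line vty")}
    if not vty_blocks:
        findings.append("no 'line vty' block found; remote access state unknown")
    for header, body in vty_blocks.items():
        if not any(l.startswith("access-class") and l.endswith(" in") for l in body):
            findings.append(f"{header}: no inbound access-class, any source IP may connect")
        transport = [l for l in body if l.startswith("transport input")]
        if not transport:
            findings.append(f"{header}: transport input not set (default may allow telnet)")
        elif any("telnet" in l or l.endswith(" all") for l in transport):
            findings.append(f"{header}: telnet permitted; use 'transport input ssh'")
        if not any(l.startswith("exec-timeout") for l in body):
            findings.append(f"{header}: no exec-timeout, idle sessions never expire")

    # Remote logging: the on-box buffer is small and lost on reload.
    if not any(l.startswith("logging host") for l in top):
        findings.append("no 'logging host': events only kept in the local buffer")

    # 'enable password' is reversibly encoded at best; 'enable secret' is hashed.
    if any(l.startswith("enable password") for l in top):
        findings.append("'enable password' in use; replace with 'enable secret'")
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no 'enable secret' configured")

    # Local accounts defined with 'password' rather than 'secret' are reversible.
    for l in top:
        m = re.match(r"username (\S+) password", l)
        if m:
            findings.append(f"local user '{m.group(1)}' uses reversible 'password'; use 'secret'")

    # Without 'aaa new-model' the RADIUS authentication lines are not in effect.
    if "aaa new-model" not in top:
        findings.append("'aaa new-model' absent; RADIUS authentication is not in effect")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Running it against a real `show running-config` output is a matter of reading the file into `audit()`; the checks are string-based, so a stray `transport input all` or a vty block without `access-class` is reported the same way as in the constructed configs. The `aaa authentication login default group radius local` line keeps a local fallback so a dead RADIUS server (like the one in the thread) does not lock everyone out.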