
blocking password recovery

farshid_sh
Level 1

Hi

I want to block the password recovery procedure. What confreg do I use?

Best Regards

farshid


Marvin Rhoads
Hall of Fame

You can't. If a knowledgeable person has physical access to your network device, they can recover the passwords and 'own' it. The best you can do is log accesses and events remotely so you will know if the system has been compromised.

spremkumar
Level 9

Hi

You might want to check this link for disabling the same.

http://www.cisco.com/en/US/partner/products/hw/routers/ps274/products_configuration_example09186a00801d8113.shtml

You can do it with the no service password-recovery command in the global config mode.

But I don't suggest doing something in line with that.

regds

Hi

Thank you for your recommendations.

No knowledgeable person is going to have access to the router,

and I think they only know basic key combinations for entering ROMMON. The only thing I need to do is to disable the Break and Ctrl+Break key combinations.

By the way, the link you offered requires a privileged CCO account, and unfortunately I don't have one.

Best Wishes

Farshid

Hi

I have just been checking the link you offered.

When I tried to test the command (no service password-encryption), I found out that the router does not support it.

The router that I am testing the command on is a 3620 router, but the router on which I want to disable password recovery is a 3745 router with its default IOS. I want to know whether the 3745 router supports the command or not.

Thank you

Hi

It's well mentioned in the link sent by me...

Cisco 2691, 3631, 3725, and 3745 Routers—no minimum ROMMON or Cisco IOS® software requirements

Cisco 3600 Series Routers—minimum ROMMON version 11.1(17)AA (orderable as BOOT-3600=) Minimum Cisco IOS Software Release 11.2(12)P or 11.3(3)T

Cisco 2600 Series Routers—all ROMMON and Cisco IOS software versions

Cisco 1700 Series Routers—requires minimum ROMMON 12.1(5r)T1. This is not orderable as a spare, so you cannot upgrade an existing 1720 or 1750. All 1710, and 1751 routers have this ROMMON.

Again, it's no service password-recovery, not password-encryption...

regd

Thank you very much.

I really do appreciate your help.

I have got one more question: is it possible to disable the console port so it does not respond to any connection, even during startup?

Hi

Console access is very much required to troubleshoot or diagnose booting issues or issues during startup.

AFAIK I don't think it's possible to disable it during startup, and it's not a wise decision to do so.

Better, I would suggest configuring non-guessable passwords to secure the access.

regds

Hi

The reason that makes me do such a thing is not to let anybody have access to the router's ROMMON.

If there is any other solution preventing users from accessing ROMMON and changing the config register, I would prefer that way.

Thanks

Hi

Do check this link for more info on securing your router.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

regds

Thank you for your time, Kumar. I hope you're grateful in your life.

Best Wishes

farshid.sh

Hi

Good to hear that my post helped your process out...

regds