Buy or Renew
Buy or Renew
Notice: The file download function is disabled. We apologize for the inconvenience.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2023
Views
5
Helpful
6
Replies

Cisco router C1101-4P

Go to solution
zeljkosan
Level 1
Level 1

‎08-21-2025 05:45 AM

Hello team,

I have temporary solution at client place in which we had to put router on open static public IP instead of firewall.

So, I need to put complex password encryption, but so far I have these lines:

username some_user privilege 0 secret 9

and

enable password 7

 

What can I do more to secure connection to router (access list for certain public IP does is not recommended since there are larger number of public IP which must connect to it)

 

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
M02@rt37
VIP
VIP

‎08-21-2025 07:02 AM - edited ‎08-21-2025 07:04 AM

Hello @zeljkosan 

use enable secret insteaf of enable password. Secret type 5 or 9 are much stronger , never use type 7...

Also, restric SSH connection on VTYs:

line vty 0 4

transport input ssh

ip ssh autehtication-retries 3

access-class 1 in

-> add standard acl (1) if possible that match IP sources authorized to SSH that routeur. 

Disable also protocols not needed, as an example:

no ip http server

no ip http secrue-server

no ip bootp server

-> you could find others commands...

Send log to syslog server so you can see login attemps !

Prefer using TACACS+ than radius or local username _ if you can... in that way you can centralized logging, per user accountability, command authorization and fallback for resilience...

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to M02@rt37

‎08-22-2025 07:27 AM

Note MD5 hash is not considered to be secure anymore M02@rt37 - it can be cracked very easily by modern cracking tools with current CPU capabilities - doesn't even require advanced hardware.

Some reference material to read ...

Harden IOS Devices

Cisco IOS XE Software Hardening Guide

Understanding the differences between the Cisco password \ secret Types

Cisco Password Types: Best Practices

And remember IOS-XE has zone based firewall built in as long as you have the right license.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

6 Replies 6

Go to solution
M02@rt37
VIP
VIP

‎08-21-2025 07:02 AM - edited ‎08-21-2025 07:04 AM

Hello @zeljkosan 

use enable secret insteaf of enable password. Secret type 5 or 9 are much stronger , never use type 7...

Also, restric SSH connection on VTYs:

line vty 0 4

transport input ssh

ip ssh autehtication-retries 3

access-class 1 in

-> add standard acl (1) if possible that match IP sources authorized to SSH that routeur. 

Disable also protocols not needed, as an example:

no ip http server

no ip http secrue-server

no ip bootp server

-> you could find others commands...

Send log to syslog server so you can see login attemps !

Prefer using TACACS+ than radius or local username _ if you can... in that way you can centralized logging, per user accountability, command authorization and fallback for resilience...

 

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
0 Helpful

Go to solution
Rich R
VIP
VIP
In response to M02@rt37

‎08-22-2025 07:27 AM

Note MD5 hash is not considered to be secure anymore M02@rt37 - it can be cracked very easily by modern cracking tools with current CPU capabilities - doesn't even require advanced hardware.

Some reference material to read ...

Harden IOS Devices

Cisco IOS XE Software Hardening Guide

Understanding the differences between the Cisco password \ secret Types

Cisco Password Types: Best Practices

And remember IOS-XE has zone based firewall built in as long as you have the right license.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
M02@rt37
VIP
VIP
In response to Rich R

‎08-22-2025 07:56 AM

Hello @Rich R 

Exactly! Thanks to notice this. Modern CPU and GPU can compute billions of MD5 hashes per second... making brute-force and dictionnary attacks trivial !

Thanks again.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Go to solution
David Ruess
VIP
VIP

‎08-21-2025 07:45 AM

IN addition to the already suggested methods you could also place an ACL on the interface itself restricting traffic further from reaching the device. You could start with an ACL defining the Private IP spaces as you shouldn't see private IPs as a source coming from a public facing internet. As you identify more traffic you can either block or permit as needed.

 

-David

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎08-21-2025 07:50 AM

Be evil LOL

Use rotary under vty this prevents any any hacker to try telnet/ssh to router because he dont know this new port

And then block port 22/23 

MHM

Go to solution
zeljkosan
Level 1
Level 1

‎08-27-2025 02:39 AM

Hello team, thank you for help. We will install some smaller firewall there in near future

0 Helpful
Customers Also Viewed These Support Documents