07-03-2012 04:31 AM - edited 03-04-2019 04:51 PM
Hi
Got some security questions, looking for some kind input.
thanks all
SJ
07-03-2012 05:52 AM
A lot of your snmp questions can be addressed with configuring snmp v3:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
1. You would go under the interface and enter "no cdp enable". You'd do this for every interface that you'd want to disable it on.
5. For encryption of your isakmp key, depending on the IOS version I believe, you could do the following:
password encryption aes
key config-key password-encrypt testing123
6. SSH is configured by creating a domain-name, setting the hostname of the router, and creating an rsa key:
ip domain-name
hostname R1
crypto key generate rsa modulus 768 (768 minimum is required for ssh v2)
Enable aaa:
aaa new-model
aaa authentication login SSH local
username cisco password cisco
enable secret cisco
line vty 0 4
login authentication SSH
transport input ssh
transport output ssh
When enabling aaa, be careful not to get locked out of the router. I always test my aaa configuration first by opening another ssh session to make sure that the configuration works before I exit out of my first session. Otherwise, you'll need to do a password reset on the router and that's never fun.
HTH,
John
07-03-2012 06:09 AM
Hello Joseph,
1) how to disable cdp on specific interface on a router
Get onto the interface & issue the command no cdp enable
2) how to tighten the snmp security for RW access ( not only with password )
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml <-- this section will explain the SNMP security
3) how to check if SNMP is a dictionary based string
Requires clarification, do you mean if SNMP string is a dictionary word? Is your question more aligned towards dictionary attacks?
4) how to encrypt snmp password - normally its clear text
Using SNMP v3 would provide you an option to encrypt your pwd using AES or 3DES
5) how to encrypt isakmp key - normally its clear text
You need to setup an AES Master key
R1(config)#key config-key password-encrypt 1LoVenCrypti0N <--- This is the master key
R1(config)#password encryption aes
R1(config)#crypto isakmp key 0 c1sc0 address 192.168.1.100 0.0.0.0
By doing the above, when you do a show run, you would see your crypto isakmp key to be in encrypted format. Remember most important, if you deleted your master key, then you need to recreate your ISAKMP keys as well.
6) correct steps to configure SSH on router and switch
Firstly, you must have an image which supports SSH. Below is a link you can visit to get details:
https://supportforums.cisco.com/docs/DOC-4662
Thanks
Vivek
07-03-2012 06:19 AM
Hi,
1) no cdp enable on the interface
2)http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html
3) use some external tools for snmp attack
4)http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/snmpv3ae.html
5) http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml
6)http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
Regards.
Alain.
Don't forget to rate helpful posts.
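As an added example (not from any of the replies above), a small Python audit that reads a router running-config and flags the weak spots John and Vivek describe: CDP still on per interface, SNMPv1/v2c community strings, a v3 group without privacy, an ISAKMP key that is not stored as type 6, and vty lines that still accept telnet. The sample config is constructed; the finding names and the assumption that only a "key 6" ISAKMP line counts as encrypted at rest are mine.

```python
import re

# Constructed sample running-config (not from the thread) with several of the weaknesses discussed above.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW 10
snmp-server group NETMON v3 auth
crypto isakmp key 0 c1sc0 address 192.168.1.100 0.0.0.0
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 no cdp enable
line vty 0 4
 transport input telnet ssh
"""

def parse_sections(text):
    """Group an IOS config into (header, indented sub-lines) pairs."""
    sections = []
    for raw in text.splitlines():
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith(("!", " ")):
            sections.append((raw.strip(), []))
    return sections

def audit_ios_config(text):
    """Return (check, detail) findings for the points raised in the thread."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    findings = []
    if "password encryption aes" not in headers:   # point 5: no type-6 key encryption at rest
        findings.append(("aes-password-encryption-missing", ""))
    for header, body in sections:
        if header.startswith("interface ") and "no cdp run" not in headers and "no cdp enable" not in body:
            findings.append(("cdp-enabled", header.split()[1]))   # point 1
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", header)
        if m:                                      # points 2 and 4: v1/v2c strings travel in clear text
            findings.append(("snmp-v1v2c-community", f"{m.group(1)} {m.group(2)}"))
        m = re.match(r"snmp-server group (\S+) v3 (noauth|auth)\b", header)
        if m:                                      # v3 group without the priv (encryption) level
            findings.append(("snmpv3-without-privacy", m.group(1)))
        m = re.match(r"crypto isakmp key (?:0 )?(?!6 )\S+ address (\S+)", header)
        if m:                                      # point 5; assumption: only "key 6 ..." is encrypted
            findings.append(("isakmp-key-cleartext", m.group(1)))
        if header.startswith("line vty") and \
                [b for b in body if b.startswith("transport input")] != ["transport input ssh"]:
            findings.append(("vty-not-ssh-only", header))   # point 6: SSH-only management
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list means none of the thread's six points is outstanding on that box.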