Posted by The Blogging Desk on Mon, Mar 14, 2011
- by Chad, "The Dream", Weaver
It’s time once again for some simple Cisco tips. So you got that nice shiny router and or switch running an up to date version of the software. Plus you have it all configured up but you shouldn’t stop there. How about some basic security for the device itself and some logging? Why logging you ask; well if something happens, how will you know what it was if there are no logs to look at - perhaps guessing? There are very complicated ways to secure your device, but for this, the only two items I will touch on is limiting access to the terminal through an access-list and switching over to SSH for a little encryption action. This article follows the assumption that you have a syslog server all fired up somewhere and have taken care of that configuration. If you are looking for a decent syslog server the folks over at Solarwinds have the good old Kiwi syslog server, take a look if you need one.
First let’s get the logging working to the syslog server. You need to tell the device where to send messages to. From configure mode you need to enter this command to get things started.
Router(config)#logging X.X.X.X
You can also adjust what types of messages are sent to the syslog server by setting the following command.
Router(config)#logging trap 1-7
Where 1-7 is the level of logging you wish to see, with one being the lowest and 7 being probably more than you would ever need. From here it is a really good idea to turn on configuration change logging; this will record every change that was made to the configuration. This is a good idea for any device; it can prevent being in the dark about what another admin had changed. Plus if you know what commands were changed it can give you a good idea how to undo them. We use the special feature called archive logging for this.
Router(config)#archive
Router(config-archive)#log config
Router(config-archive-log-cfg)#logging enable
Router(config-archive-log-cfg)#hidekeys
Router(config-archive-log-cfg)#notify syslog
What that will give you is a syslog message of every command that was run on the device, and if you are using authentication, with usernames and passwords or RADIUS, you will see the name of the admin who entered the command. Plus you should be using usernames and passwords, keeps it clearly defined for who did what for auditing purposes. There are just a few other commands you should consider to get started with.
Router(config)#login on-success log
Router(config)#login on-failure log
This will let you know via your syslog every attempt to login to the device via any means always great information to have.
Next let’s protect that terminal, by setting up SSH and turning off telnet. SSH is much more secure because it encrypts management traffic preventing it from being sniffed out on a network, unlike telnet which is plain text. We do need to turn it on though; it is not configured by default. Most importantly you need an IOS image that supports crypto functions, so double check that. Then you need to define a domain name for the device via the ip domain-name command. Once you have completed that you need to generate your RSA keys. The command for that is crypto key generate rsa enter a number from 512 -2048 this is the size of the key modulus it can be the smaller, but in this case bigger is better, well at least stronger. The moment you create you rsa key your ssh server is turned on. From here make sure to set it to version 2 for extra security, ip ssh version 2. Now all that is left is to configure your vty lines to only accept SSH and you there you are. You can also configure your access list here to limit access to the provided access list, preventing general access to the terminal.
Router(config)line vty 0 15
Router(config-line)transport input ssh
Router(config-line)access-class (access-list name or number here) in
There you have it a couple simple ways to secure, and log changes for a Cisco device. Don't sweat the big stuff, let Trigon help you out!
