How to properly secure your Cisco router with passwords

Some of the worst security breaches occur because people neglect basic security measures. David Davis discusses the importance of maintaining proper passwords on your router, explains the three modes for the Cisco IOS, and shows you how to configure the five main passwords that protect your network.

David Davis

Why do you need to secure your router with passwords?

The question you might ask is: Doesn't the router already have default passwords? The answer is NO, it doesn't. There is no automatic password defense that comes with your router.

As a Cisco admin, you should take this very seriously: setting passwords is both critically important and easy to do.

First, let's discuss the different modes of the Cisco IOS. They are set up in a hierarchical manner, which means that the deeper the access, the more privilege you have and, hopefully, the more passwords you have set up for each level. For additional information on security for your router, please see another of my TechRepublic articles, "Fundamentals: Five Ways to Secure Your Cisco Routers and Switches."

What are the three modes of the Cisco IOS?

Before I can tell you how to secure your router with passwords, I need to first make sure you know the three modes of the Cisco IOS. They are:

  • User: In User mode, basic interface information on the router is displayed. Well-known Cisco CCNA author Todd Lammle once called the user mode "useless mode" because no configuration changes can be made, nor can you view anything important at this level. It is also called user exec mode.
  • Privileged: Sometimes called privileged exec (or just priv mode), this is the level at which the configuration is viewed and changed. In my opinion, this is the first point at which it is absolutely critical to have a password set (although you should have password access even at user mode). To move from user mode to priv mode, you just type enable while in user exec mode and press [Enter]:

Router> enable
Router#

  • Global Configuration: From privileged exec mode, we can now access global configuration mode. This is where you make changes that affect the whole router. You will need to step a little deeper into the router's command hierarchy to make changes to your configuration.

Here's an example of how to access that mode:

Router# configure terminal
Router(config)#

Note: you can also just type conf t.

How to configure the five main passwords of the Cisco IOS

The five main passwords of the Cisco IOS are:

  • Console
  • Aux
  • VTY
  • Enable password
  • Enable secret

Console

If you have no password set on the router's console, by default, you can access user mode (and then go on to the other modes if no passwords are set there either). The console port is where you would initially start to configure a new router. It is critical to set a password on the console port to prevent someone from physically walking up to the router, connecting, and gaining access to user mode (and, potentially, much more).

Because there is only one console port per router, you would use the command line console 0 in global configuration mode, and then use the login and password commands to finish up the configuration. The command, login, tells the router to look under the console line configuration for the password. The command, password, sets the actual password.

Here is what it looks like:

Router# config t
Router(config)# line console 0
Router(config-line)# password SecR3t!pass
Router(config-line)# login

Note: Complex passwords are important to keep someone from guessing your password.

Aux

This is short for auxiliary port. This is also a physical access port on the router. Not all routers have this port. As the aux port is a backup configuration port for the console, it is equally important to configure a password on it.

Router# config t
Router(config)# line aux 0
Router(config-line)# password SecR3t!pass
Router(config-line)# login

VTY

The "virtual tty" line is not a physical connection, but a virtual connection. You would use this line to Telnet or SSH into the router (for SSH configuration, see my article "Configure SSH on Your Cisco Router"). Of course, you would need to have an active LAN or WAN interface set up on your router for Telnet to work. As different routers and switches can have a different number of vty ports, you should see how many you have before you configure them. To do this, just type line ? in privileged mode.

Here's an example of configuring vty lines:

Router# config t
Router(config)# line vty 0 4
Router(config-line)# password SecR3t!pass
Router(config-line)# login

Enable password

The enable password prevents someone from getting full access to your router. The enable command is actually used to change between different privilege levels on the router (levels 0 through 15). However, it is typically used to go from user mode (level 1) to privileged mode (level 15). In fact, if you are at user mode and you just type enable, it assumes you want to go to privileged mode.

To set a password to control access from user mode to privileged mode, go to the global configuration mode and use the enable password command, like this:

Router# config t
Router(config)# enable password SecR3t!enable
Router(config)# exit

The downside of the enable password is that its stored form can easily be decrypted by anyone who obtains the configuration, which is why you should use enable secret instead.

Enable secret

The enable secret password has the same function as the enable password, but with enable secret, the password is stored in a much stronger form of encryption:

Router(config)# enable secret SecR3t!enable
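
A defender-side check that ties the five passwords together, added here as an example and not part of the original article: it parses a constructed running-config (all hostnames, passwords and hashes are made up) and flags the gaps the sections above describe, namely a line with a password but no login, a line with login but no password, a reversible type 7 line password, and a missing enable secret.

```python
import re

# Constructed sample running-config (not from the article) with the gaps the
# article warns about: console password without 'login', aux password stored as
# reversible type 7, vty 0-4 with 'login' but no password, and an 'enable
# password' with no 'enable secret'. Every value below is invented.
WEAK_CONFIG = """\
enable password 7 0822455D0A16
line con 0
 password SecR3t!pass
line aux 0
 password 7 094F471A1A0A
 login
line vty 0 4
 login
line vty 5 15
 password SecR3t!pass
 login
end
"""

def parse_line_blocks(config):
    """Map each 'line <name>' block to its password type and login setting."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = {"password": None, "login": None}
        elif raw.startswith(" ") and current is not None:
            tok = raw.split()
            if tok[0] == "password" and len(tok) >= 2:
                # 'password 7 <hex>' is type 7 (reversible); anything else is clear text
                blocks[current]["password"] = "type7" if tok[1] == "7" and len(tok) == 3 else "clear"
            elif tok[0] == "login":
                blocks[current]["login"] = " ".join(tok)  # 'login', 'login local', ...
        else:
            current = None  # any other top-level command ends the line block
    return blocks

def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no 'enable secret' configured for privileged mode")
    for name, blk in parse_line_blocks(config).items():
        if blk["login"] is None:
            findings.append(f"line {name}: no 'login' command, so the password is never asked for")
        elif blk["login"] == "login" and blk["password"] is None:
            findings.append(f"line {name}: 'login' set but no password configured on the line")
        if blk["password"] == "type7":
            findings.append(f"line {name}: type 7 password is trivially reversible")
    return findings
```

Running audit(WEAK_CONFIG) reports four findings; a config that uses enable secret and either password plus login or login local on every line comes back empty.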

Conclusion

I've introduced you to the different modes of the Cisco IOS and the five different types of passwords you need to set to ensure that your Cisco router or switch is secure. Remember that, many times, entire networks can be brought down due to the lack of simple password security. Make sure that your Cisco router and switch passwords are set properly.

David Davis has worked in the IT industry for twelve years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.

15 comments
Photogenic Memory

I've never done this; but it looks simple enough. http://www.tech-faq.com/cisco-password-recovery.shtml However, you should definitely attempt to not lose that info in the first place, LOL! It could come in handy though if you buy something from eBay. Although there's nothing you can do if it's a Chinese knock-off with "special" backdoor chips. Toodles!

PapaDuck

You should also consider using the "service password-encryption" command. The following is an excerpt from the Cisco IOS Security Command Reference documentation: The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption is applied to all passwords, including username passwords, authentication key passwords, the privileged command password, console and virtual terminal line access passwords, and Border Gateway Protocol neighbor passwords. This command is primarily useful for keeping unauthorized individuals from viewing your password in your configuration file.

glee88

How do you add passwords if you are managing over 100 switches and 50 routers? I work in a campus environment that has multiple buildings with multiple floors.

gfindlay

With the exception of enable secret, all of these passwords will be encrypted with Cisco's type 7. If someone gets hold of your config they can easily decrypt them using freeware and commercial tools. Solarwinds provide one in their engineer's toolkit, I seem to recall. I'd recommend instead doing something like the following: username admin secret Passw0rd. With the secret command we then use the type 5 passwords (md5). (username admin password Passw0rd would also use type 7, so avoid that.) Then under your aux, vty, con ports remove the "password" and "login" commands and add "login local". David, I'd be interested to hear your opinion on my comment. Regards, George

BALTHOR

They can even enter your DSL box and your TV's analog to digital converter. They're right in the BIOS.

john.jelks

Cisco has model-specific pwd recovery processes listed on their site. The premise is that since you have physical access, can connect a console cable and reset, then security is a non-issue. Or you can call Danny Ocean . . .

jason

The issue you are faced with is strictly fundamental. I don't know your situation, whether you inherited the network or if this was a project, but the fundamental issue here is that no matter who set these up, the security was an afterthought. Would you deploy a new server without a password? If you were to create a router template that had this information in it, going forward you wouldn't have to worry about security at the console level. As an alternative to AAA (which is a great option) you could modify each config - I'm sure you have those backed up somewhere - and then use a TFTP server to deploy these new configs down... Whether you use AAA or set up the security manually, you will have to touch every piece of equipment at least once. Jason

Jellimonsta

You will want to look at using Triple A (Authentication, Authorization, Accounting). You could set up a Windows Radius box and use AD credentials for login.

LJD1500

For multiple Cisco devices, I would recommend using a TACACS server and configuring your devices to look at the TACACS server for authentication. However, at a minimum use the command lines like David suggested for the Console and AUX ports on the off chance that your TACACS server goes offline. TACACS simplifies changing access levels and users without having to tap each device individually.

gfindlay

Typically on the majority of the new kit the password recovery process is dead simple. CTRL+BREAK to get to ROMMON, confreg 0x2142, reset. Then go to router# and copy start run. You've got privilege 15 and can change the passwords. Don't forget to wr me and do a config-register 0x2102 from conf t. Reload and you're all set. The entire process takes about 10 minutes.

Dumphrey

of "backdoor" passwords used by the design coders to access low-level programming of chips, OEM passwords to computer BIOS, and the fact that many exploits require a deep understanding of hardware/software interaction. If they can then install microcode in your motherboard BIOS (really any boot-time BIOS), guess what, they now call you Sally and you get to electronically walk around holding their digital pocket. Or he meant that small, evil beings live in your BIOS and make it do bad things to flightless water fowl.

Photogenic Memory

I remember the panic about hearing stories about Cisco knock-offs or other networking equipment that's had its original chips "replaced". So my question is who does this? Individuals? Competitor companies, or nations against nations? And why? If it's to control or dominate the net, then the societies who are more technologically powerful are at tremendous risk. Countries that are poorer are in even more danger considering they may buy this "pre-rooted" equipment through different channels. In any event, is it too late to find out what's genuine or not? Or are we in for one helluva ride if someone gets a mad hard-on!