Cisco Router: startup auto secure

AutoSecure

auto secure

A feature that applies Cisco's recommended security settings.
Network engineers apparently don't normally use it.

R1#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:

k
k
Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret:
Confirm the enable secret :
Enter the new enable password:
Choose a password that's different from secret
Enter the new enable password:
Choose a password that's different from secret
Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: wataru
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 1

Maximum Login failures with the device:
Device not secured against 'login attacks'.


Configure SSH server? [yes]:
Enter the domain-name:
% No defaulting allowed
Enter the domain-name:
It was getting tedious, so I aborted with ^C.
R1#

auto secure no-interact

Apparently it applies the settings to the running-config fully automatically.
Using it on a production device is reportedly something you must never do.

R1#terminal length 0
R1#sh run
Building configuration...

Current configuration : 1398 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
R1#auto secure no-interact
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial2/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial2/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
!
end


Applying the config generated to running-config

R1#sh run
Building configuration...

Current configuration : 2328 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
!
no aaa new-model
memory-size iomem 5
no ip source-route
no ip gratuitous-arps
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  logging enable
  hidekeys
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 clock rate 2000000
!
interface FastEthernet1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface Serial2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
no cdp log mismatch duplex
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
!
end
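As an added example (not code from the post), a small Python audit that reads a running-config like the two above and reports which of the AutoSecure settings visible in the second sh run are missing, plus the line settings a no-interact run leaves alone (exec-timeout, vty login without a password); the sample config and the finding strings are constructed here.

```python
"""Audit an IOS running-config for the hardening AutoSecure applies. Added
example, not from the post; it checks only commands that show in 'sh run'."""

GLOBAL_REQUIRED = {  # global commands AutoSecure wrote into running-config
    "no service pad", "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no cdp run", "no ip bootp server",
    "no ip http server", "no ip source-route", "no ip gratuitous-arps",
    "security passwords min-length 6", "security authentication failure rate 10 log"}
# directed-broadcast and mask-reply are off by default in 12.4, so not listed
IFACE_REQUIRED = {"no ip redirects", "no ip unreachables", "no ip proxy-arp"}

def parse_sections(text):
    """Map each unindented config line to the set of indented lines under it."""
    sections, current = {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line[0] == " " and current is not None:
            sections[current].add(line.strip())
        else:
            current = line
            sections.setdefault(current, set())
    return sections

def audit(text):
    """Return sorted findings; an empty list means every checked setting is present."""
    sections = parse_sections(text)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED - set(sections)]
    for header, cmds in sections.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{c}'" for c in IFACE_REQUIRED - cmds]
        elif header.startswith("line "):
            if "exec-timeout 0 0" in cmds:  # interactive AutoSecure sets a timeout
                findings.append(f"{header}: exec-timeout disabled")
            if header.startswith("line vty") and "login local" not in cmds \
                    and not any(c.startswith("password ") for c in cmds):
                findings.append(f"{header}: login enabled without a password")
    return sorted(findings)

# Constructed sample trimmed from the post's pre-AutoSecure running-config.
SAMPLE_BEFORE = """\
no service password-encryption
interface FastEthernet0/0
 no ip address
 shutdown
line con 0
 exec-timeout 0 0
line vty 0 4
 login
"""
```

Running audit() over the full "after" config on this page still reports the console and vty findings, which is the gap the no-interact run leaves.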

Diffing the two gives the following.

--- D:/junk/startup-config-a.txt    Sat Jan 06 09:58:24 2018
+++ D:/junk/startup-config-b.txt    Sat Jan 06 09:58:32 2018
@@ -1,27 +1,38 @@
 R1#sh run
 Building configuration...

-Current configuration : 1398 bytes
+Current configuration : 2328 bytes
 !
 version 12.4
-service timestamps debug datetime msec
-service timestamps log datetime msec
-no service password-encryption
+no service pad
+service tcp-keepalives-in
+service tcp-keepalives-out
+service timestamps debug datetime msec localtime show-timezone
+service timestamps log datetime msec localtime show-timezone
+service password-encryption
+service sequence-numbers
 !
 hostname R1
 !
 boot-start-marker
 boot-end-marker
 !
+security authentication failure rate 10 log
+security passwords min-length 6
+logging buffered 4096
+logging console critical
 !
 no aaa new-model
 memory-size iomem 5
+no ip source-route
+no ip gratuitous-arps
 no ip icmp rate-limit unreachable
 ip cef
 !
 !
 !
 !
+no ip bootp server
 no ip domain lookup
 !
 multilink bundle-name authenticated
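Review bot: `service password-encryption` and `security passwords min-length 6` arrive in this hunk, but the no-interact run never configured an enable secret or a local user, which the interactive run earlier on this page prompts for ("Enable secret is either not configured or is the same as enable password"); password encryption only obfuscates passwords that already exist in the config, so confirm an `enable secret` is set before counting this hunk as hardening. Also, the file headers say startup-config-a/b but the first context line is `R1#sh run`, so both sides are running-config and nothing on the page shows the result being saved.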
@@ -48,6 +59,7 @@
 !
 archive
  log config
+  logging enable
   hidekeys
 !
 !
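Review bot: keep the `logging enable` line even if other AutoSecure changes are later reverted; under `archive` / `log config` it is what records subsequent configuration changes, and with `hidekeys` already present the change log will not expose secrets.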
@@ -60,49 +72,79 @@
 !
 interface FastEthernet0/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial0/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  clock rate 2000000
 !
 interface FastEthernet0/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial0/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  clock rate 2000000
 !
 interface FastEthernet1/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  duplex auto
  speed auto
+ no mop enabled
 !
 interface Serial2/0
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/1
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/2
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
 interface Serial2/3
  no ip address
+ no ip redirects
+ no ip unreachables
+ no ip proxy-arp
  shutdown
  serial restart-delay 0
 !
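Review bot: the generated config earlier on the page lists `no ip directed-broadcast` and `no ip mask-reply` for every interface, yet neither appears in this hunk; both are default settings on this IOS and `show running-config` omits defaults, so a compliance check that expects those two lines literally will always report them missing. Every interface here is also still `shutdown` with `no ip address`, so this lab shows the syntax but not the behaviour on live links.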
@@ -112,7 +154,10 @@
 no ip http server
 no ip http secure-server
 !
+logging trap debugging
+logging facility local2
 no cdp log mismatch duplex
+no cdp run
 !
 !
 !
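Review bot: `logging trap debugging` and `logging facility local2` are added but no `logging host` appears anywhere in the resulting configuration, so nothing is sent off-box until a collector is configured, and debugging is the most verbose trap level. `no cdp run` disables CDP globally; check that no management tooling on the network depends on it before leaving this in place.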
@@ -143,3 +188,4 @@
 !
 !
 end
+
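Review bot: this hunk only adds a trailing blank line, but the absence of any hunk for the `line con 0`, `line aux 0` and `line vty 0 4` stanzas is the notable finding: no-interact mode left `exec-timeout 0 0` on console and aux and the bare `login` on the vty lines untouched, whereas the interactive run on this page prompts to configure the console, aux and VTY lines for local authentication, exec-timeout and transport. Those lines still need manual attention after a no-interact run.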
