
CCNA Security section

Router(config)#security passwords min-length length
! It is strongly recommended that the minimum password length be set to at least 10 characters.
Router(config)#security authentication failure rate threshold-rate log
! Generates a log message when the login failure rate is exceeded.
Router(config-line)#no exec
! It is also possible to turn off the exec process for a specific line, such as the auxiliary port, using the no exec command in line configuration mode.
Router(config-line)#exec-timeout minutes
! Idle timeout in minutes.
Router(config)#service password-encryption
! Encrypts the plaintext passwords shown in the running config.
Router(config)#enable secret password
! The enable secret command is far more secure because it encrypts the password using MD5, which is a stronger algorithm.
Router(config)#username name password password
Router(config)#username name secret password
! secret is the more secure form (MD5 hash).
Router(config)#login block-for seconds attempts tries within seconds
Router(config)#login quiet-mode access-class {acl-name | acl-number}
! The ACL permits the admin host to log in while the router is in quiet mode.
Router(config)#login delay seconds
! The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, failed or successful.
Router(config)#login on-failure log [every login]
! The number of login attempts before a message is generated can be specified using the [every login] parameter. The default value is 1 attempt. The valid range is from 1 to 65,535.
Router(config)#login on-success log [every login]
! Same [every login] parameter, default and range as login on-failure log.
Router#show login
! The router is in either normal or quiet mode, depending on whether the login thresholds were exceeded.
Router#show login failures
! Displays more information about the failed attempts, such as the IP address from which they originated.
Router#show crypto key mypubkey rsa
! Show the router's public RSA key.
Router(config)#crypto key zeroize rsa
! Delete the RSA key pair. (A hostname and ip domain-name must be configured before crypto key generate rsa.)
Router(config)#ip ssh time-out seconds
! The time interval that the router waits for the SSH client to respond during the SSH negotiation phase.
Router(config)#ip ssh authentication-retries integer
! By default, a user logging in has three attempts before being disconnected. Use this command to configure a different number of consecutive SSH retries.
Use a Syslog server
Router(config)#logging host ip-address
Router(config)#logging trap level
Router(config)#logging source-interface f0/0
Router(config)#logging on
Router(config)#logging buffered, logging monitor, and logging

Config Privilege Level
Router(config)#privilege exec level 5 ping
! To assign the ping command to level 5 (it moves from level 1 to level 5).
Router(config)#enable secret level 5 cisco5
! To assign a password to level 5.
Router(config)#username support privilege 5 secret testing
! To assign a specific username (support, password testing) to privilege level 5.
Router#show privilege
! It is sometimes easy to forget which level of access a user currently has.
Role-Based CLI Access
Router(config)#aaa new-model
! Before an administrator can create a view, AAA must be enabled.
Router#enable view root
! To configure and alter views, an administrator must log in as the root view, using the enable view privileged EXEC command. The enable view root command can also be used. When prompted, enter the enable secret password (level 15).
Create CLI View
Router(config)#parser view SHOWVIEW
! This enters view configuration mode. Excluding the root view, there is a maximum of 15 views in total.
Router(config-view)#secret encrypted-password
! Assign a secret password to the view.
Router(config-view)#commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
Router(config-view)#commands exec include show
Router(config)#parser view VERIFYVIEW
Router(config-view)#commands exec include ping
Router(config)#parser view RELOADVIEW
Router(config-view)#commands exec include reload
! Assign commands to the selected view.
Create Superview
Router(config)#parser view superview-name superview
Router(config-view)#secret encrypted-password
Router(config-view)#view SHOWVIEW
Router(config-view)#view VERIFYVIEW
Router(config-view)#view RELOADVIEW
Use Superview
Router#enable view superview-name
! Switch to the superview.
Router#show parser view
! Show the current view.
Router#show parser view all
! From the root view, use this command to see a summary of all views.

IOS Resilient Configuration
Router(config)#secure boot-image
! Secures the IOS image (only available on a router that runs an image from a flash drive with an ATA interface).
Router(config)#secure boot-config
! Takes a snapshot of the router running configuration and securely archives it in persistent storage.
rommon 2 > show secure bootset
Router#show secure bootset
! Because the running image and running configuration archives are not visible in the dir command output, use this command to verify the existence of the archive.
Router(config)#config-register 0x2102
! Default.
Router(config)#config-register 0x2142
! Bypass the startup config.

Router(config)#no service password-recovery
! To reset the password after this is configured, issue the break sequence within five seconds after the image decompresses during the boot. You are prompted to confirm the break action. After the action is confirmed, the startup configuration is completely erased, the password recovery procedure is enabled,

Enable SNMP
Router(config)#snmp-server community cisco258 ro
! ro assigns a read-only community string; rw assigns a read-write community string.
NTP Master/Client
Router(config)#ntp master 2
! In an NTP configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using the ntp master global configuration command.
Router(config)#ntp server ntp-server-address
! NTP clients either contact the master or listen for messages from the master to synchronize their clocks. This command contacts the master.
Router(config-if)#ntp broadcast client
! In a LAN environment, NTP can be configured to use IP broadcast messages instead, using the ntp broadcast client interface command.
Router#show clock
Router#show ntp status
To secure NTP traffic, it is strongly recommended that NTP version 3 or later is implemented. Use the following commands on both the NTP master and the NTP client.
Router(config)#ntp authenticate
Router(config)#ntp authentication-key key-number md5 key-value
Router(config)#ntp trusted-key key-number
Router#show ntp associations detail
! Confirm that the server is an authenticated source; use on the NTP client to verify.
Router#auto secure
! The default mode of auto secure is full.
Enable AAA
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
! The default list applies to all lines.
Router(config)#aaa authentication login list-name local
Router(config-line)#login authentication list-name
! A named list (not default) must be applied to the line.
Router(config)#aaa local authentication attempts max-fail number-of-unsuccessful-attempts
! This command secures AAA user accounts by locking out accounts that have excessive failed attempts. To remove the number of unsuccessful attempts that was set, use the no form of this command.
Router#show aaa local user lockout
! To display a list of all locked-out users.
Router#clear aaa local user lockout {username username | all}
Router#show aaa user {all | unique-id}
Router#show aaa sessions
! Shows the unique id.
Router#debug aaa authentication
Router(config)#tacacs-server host ip-address single-connection
! single-connection enhances TCP performance by maintaining a single TCP connection to ACS for the life of the session.
Router(config)#tacacs-server host ip-address
Router(config)#tacacs-server host 10.0.1.1 key key-string
Router(config)#tacacs-server key key
! Global key.

Router(config)#radius-server host ip-address
! IP address of the RADIUS server. If required, multiple RADIUS servers can be identified by entering this command for each server.
Router(config)#radius-server key key
! Global key.
Router(config)#aaa authentication login default group tacacs+ group radius local-case
Router#debug tacacs
Router#debug radius
Router#debug tacacs events
Router(config)#aaa authorization {network | exec | commands level} {default | list-name} method1 ... [method4]
! commands level: authorization for exec (shell) commands at that privilege level; exec: for starting an exec (shell); network: for network services (PPP, SLIP, ARAP).
Router(config)#aaa authorization exec default group radius
Router(config)#aaa authorization commands level list-name local
Router(config)#aaa authorization network default local group radius
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting network list-name start-stop group radius
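As an added example (not part of the original cheat sheet), a small Python audit that checks a running-config for the hardening settings from the password, login, SSH, NTP and AAA sections above; the thresholds it uses (min-length 10, three SSH retries) are the ones stated on the page, and the config text, usernames and type-7 string are constructed.

```python
import re

# Constructed sample running-config (not from a real device); it mixes
# hardened settings with the weak ones this cheat sheet warns against.
SAMPLE_CONFIG = """\
enable password cisco
username admin password 7 094F471A1A0A
username ops secret 5 $1$abcd$placeholder-hash
service password-encryption
login block-for 120 attempts 3 within 60
ip ssh authentication-retries 5
ntp server 10.0.0.5
aaa new-model
"""

def _has(lines, prefix):
    return any(line.startswith(prefix) for line in lines)

def audit(config_text):
    """Return sorted hardening findings for one IOS running-config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []
    min_len = None
    for line in lines:
        if m := re.match(r"security passwords min-length (\d+)$", line):
            min_len = int(m.group(1))
        if m := re.match(r"username (\S+) password ", line):
            # type 0/7 password is reversible; 'secret' stores an MD5 hash
            findings.append(f"username {m.group(1)} uses password, not secret")
        if m := re.match(r"ip ssh authentication-retries (\d+)$", line):
            if int(m.group(1)) > 3:  # IOS default is 3 attempts
                findings.append(f"ip ssh authentication-retries {m.group(1)} exceeds the default of 3")
    if min_len is None or min_len < 10:  # page recommends at least 10
        findings.append("security passwords min-length missing or below 10")
    if _has(lines, "enable password ") and not _has(lines, "enable secret "):
        findings.append("enable password used instead of enable secret")
    if not _has(lines, "service password-encryption"):
        findings.append("service password-encryption not enabled")
    if not _has(lines, "login block-for "):
        findings.append("no login block-for (no brute-force throttling)")
    if not _has(lines, "aaa new-model"):
        findings.append("aaa new-model not enabled")
    if _has(lines, "ntp server ") and not _has(lines, "ntp authenticate"):
        findings.append("ntp server configured without ntp authenticate")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config from a lab router to see which of the page's recommendations are still missing.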
