Cisco Device Hardening
Securing Cisco Router Installations and Administrative Access

Configuring Router Passwords

A console is a terminal connected to a router console port. The terminal can be a dumb terminal or a PC with terminal emulation software, typically a PC running a program such as HyperTerminal.

Password Creation Rules

- Passwords can be 1 to 25 characters in length.
- Passwords can include alphanumeric characters, uppercase and lowercase characters (passwords are case-sensitive), symbols and spaces.
- Leading spaces are ignored, but any space after the first character, including trailing spaces, is part of the password.
- Change passwords regularly.

Initial Configuration Dialog

  Would you like to enter the initial configuration dialog? [yes/no]: y
  Configuring global parameters:
  Enter host name [Router]: Boston
  The enable secret is a password used to protect access to privileged EXEC and configuration modes. This password, after entered, becomes encrypted in the configuration.
  Enter enable secret: CantGuessMe
  The enable password is used when you do not specify an enable secret password, with some older software versions, and some boot images.
  Enter enable password: WontGuessMe
  The virtual terminal password is used to protect access to the router over a network interface.
  Enter virtual terminal password: CantGuessMeVTY

"Encrypted" here means the enable secret is stored as a salted hash (type 5, MD5, on classic IOS), not reversibly encrypted. The enable password is stored in cleartext unless service password-encryption is configured and is only consulted when no enable secret exists, so never give the two the same value: a recoverable enable password would reveal the secret.

Configure the Line-Level Password

  router(config)# line console 0
  router(config)# line aux 0
  router(config)# line vty 0 4
Enters line configuration mode (console, auxiliary, or vty).

  router(config-line)# login
Enables password checking at login.

  router(config-line)# password password
Sets the line-level password.

  Boston(config)#line con 0
  Boston(config-line)#login
  Boston(config-line)#password ConUser1

On vty lines, login with no password configured refuses every connection ("Password required, but none set"), so set the password in the same session. Platforms with more than five vty lines (for example line vty 0 15) need the same configuration on every line.

Password Minimum Length Enforcement

  router(config)# security passwords min-length length
Sets the minimum length of all Cisco IOS passwords (user, enable and line passwords). The check applies only to passwords configured after the command is entered; passwords already in the configuration are not re-checked.

  Boston(config)#security passwords min-length 10

Encrypting Passwords Using the service password-encryption Command

  router(config)# service password-encryption
Encrypts all cleartext passwords in the router configuration file (line passwords, the enable password and username passwords) with the type 7 scheme.

  Boston(config)#service password-encryption
  Boston(config)#exit
  Boston#show running-config
  enable password 7 06020026144A061E
  !
  line con 0
  password 7 0956F57A109A
  !
  line vty 0 4
  password 7 034A18F366A0
  !
  line aux 0
  password 7 7A4F5192306A

Type 7 is a reversible substitution with a fixed, publicly known key, not encryption in the cryptographic sense. It only defeats shoulder-surfing of show running-config; anyone who obtains the configuration (a backup, a TFTP copy, a pasted snippet) can recover every cleartext password instantly. Use secrets (hashes) wherever IOS supports them.

Enhanced Username Password Security

  router(config)# username name secret {0 password | 5 encrypted-secret}
Uses MD5 hashing (type 5) for strong password protection. Better than the type 7 encryption produced by the service password-encryption command. 0 means the value that follows is cleartext and will be hashed; 5 means the value is an existing hash being pasted in.

  Boston(config)#username rtradmin secret 0 Curium96
  Boston(config)#username rtradmin secret 5 $1$feb0$a104Qd9UZ./Ak007

  router(config)# username name password {0 password | 7 hidden-password}
Traditional user configuration with a cleartext password (stored as type 7 once service password-encryption is enabled).

Type 5 (salted MD5) is the legacy option. IOS 15.3(3)M and later accept the algorithm-type scrypt keyword on username secret and enable secret, which stores a type 9 (scrypt) hash; prefer it where the software supports it.

Securing ROMMON with the no service password-recovery Command

  router(config)# no service password-recovery
By default, Cisco routers are factory configured with service password-recovery set, so the standard recovery procedure (break into ROMMON during boot and change the configuration register to ignore the startup configuration) works. no service password-recovery disables the Break sequence into ROMMON and therefore that procedure.

  Boston(config)#no service password-recovery
  WARNING:
  Executing this command will disable password recovery mechanism.
  Do not execute this command without another plan for password recovery.
  Are you sure you want to continue? [yes/no]: yes
  Boston(config)#

Use this command with great caution on any device. Once it is set, a lost password can only be dealt with by resetting the router to factory defaults, which erases the startup configuration, so keep an off-box copy of the configuration before enabling it.

Setting a Login Failure Rate (Authentication Failure Rate with Login)

  router(config)# security authentication failure rate threshold-rate log
Configures the number of allowable unsuccessful login attempts. By default, the router allows 10 login failures before initiating a 15-second delay. Generates a syslog message when the rate is exceeded.

  Boston(config)#security authentication failure rate 10 log

Setting a Login Failure Blocking Period

  router(config)# login block-for seconds attempts tries within seconds
Blocks access for a quiet period after a configurable number of failed login attempts within a specified period. Must be entered before any other login command. Mitigates DoS and break-in (dictionary) attacks.

  Boston(config)#login block-for 100 attempts 2 within 100
(Enter quiet mode for 100 seconds after 2 failed logins within 100 seconds.)

Excluding Addresses from Login Blocking

  router(config)# login quiet-mode access-class {acl-name | acl-number}
Specifies an ACL that is applied to the router when it switches to quiet mode; hosts permitted by the ACL can still log in during the quiet period. If not configured, all login requests are denied during quiet mode and only the console remains available. Excludes IP addresses from failure counting for the login block-for command.

  Boston(config)#login quiet-mode access-class myacl

The referenced ACL (myacl) must already exist and permit the management stations; otherwise the administrator is locked out together with the attacker.
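The following is an added example, not part of the slide deck and not Cisco code, showing why the service password-encryption section above calls type 7 "encryption" only loosely: the scheme is a XOR against a fixed, publicly known key string, so any type 7 value in a configuration can be turned back into cleartext offline. The sample configuration is constructed here; the enable password line in it is the one printed on the slide, and the vty line is generated by the block's own encoder.

```python
import re

# Fixed key that IOS XORs against every type 7 password; it is public knowledge.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Matches "enable password 7 <hex>", "password 7 <hex>" and "username X password 7 <hex>".
TYPE7_LINE = re.compile(
    r"^\s*(?P<what>enable password|username \S+ password|password) 7 (?P<hex>[0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)


def type7_decode(encoded: str) -> str:
    """Recover the cleartext of a type 7 string: 2-digit decimal seed, then hex bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 string must be an even length of at least 4 characters")
    seed = int(encoded[:2], 10)          # starting offset into the key
    data = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    # IOS passwords are ASCII; anything else means the input was not a real type 7 string.
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 6) -> str:
    """Obfuscate clear the way IOS does; seed is the starting key offset (IOS uses 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = clear.encode("ascii")
    out = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{out.hex().upper()}"


def recover_type7_passwords(config: str) -> list:
    """Return (statement, cleartext) for every type 7 password statement in a config."""
    found = []
    for m in TYPE7_LINE.finditer(config):
        try:
            found.append((m.group("what"), type7_decode(m.group("hex"))))
        except (ValueError, UnicodeDecodeError):
            found.append((m.group("what"), "<not a valid type 7 string>"))
    return found


# Constructed sample configuration (not from a real device): the enable line is the
# value shown on the slide, the vty line is produced by type7_encode() above.
SAMPLE_CONFIG = f"""\
service password-encryption
enable password 7 06020026144A061E
!
line vty 0 4
 password 7 {type7_encode("VtyUser1", seed=9)}
 login
"""

if __name__ == "__main__":
    for statement, cleartext in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"{statement}: {cleartext}")
```

Running it recovers the cleartext of the slide's enable password line as well as the round-tripped vty password, which is the whole point: treat any configuration containing type 7 strings as containing cleartext passwords, and replace enable password with enable secret and username ... password with username ... secret.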
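To make the login block-for and login quiet-mode access-class sections above concrete, here is an added example, written for this page and not taken from Cisco, that models the quiet-mode behaviour of "login block-for 100 attempts 2 within 100" with a hypothetical quiet-mode ACL that permits 10.0.0.0/24 (standing in for myacl). The attempt sequence and the choice to treat ACL-permitted hosts as exempt from the failure count while in quiet mode are assumptions for illustration; the model is a simplification, not the IOS implementation.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class LoginBlocker:
    """Simplified model of login block-for <block_for> attempts <attempts> within <within>."""
    block_for: int                       # length of the quiet period in seconds
    attempts: int                        # failures that trigger quiet mode
    within: int                          # window in which those failures must occur
    quiet_mode_acl: List = field(default_factory=list)   # networks still allowed in quiet mode
    failures: List[int] = field(default_factory=list)    # timestamps of recent failures
    quiet_until: Optional[int] = None
    log: List[str] = field(default_factory=list)         # modeled syslog lines

    def _permitted_in_quiet(self, src: str) -> bool:
        return any(ip_address(src) in net for net in self.quiet_mode_acl)

    def attempt(self, now: int, src: str, password_ok: bool) -> str:
        """Process one login attempt; returns 'accepted', 'rejected' or 'blocked'."""
        if self.quiet_until is not None:
            if now < self.quiet_until:
                if not self._permitted_in_quiet(src):
                    return "blocked"          # quiet mode: not even evaluated
                # Assumption: ACL-permitted hosts are evaluated normally and their
                # failures are not counted toward the threshold during quiet mode.
                return "accepted" if password_ok else "rejected"
            # Quiet period is over: leave quiet mode with a clean failure counter.
            self.log.append(f"{now}: %SEC_LOGIN-5-QUIET_MODE_OFF (modeled message)")
            self.quiet_until = None
            self.failures = []
        if password_ok:
            return "accepted"
        # Keep only failures still inside the sliding window, then add this one.
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.log.append(f"{now}: %SEC_LOGIN-1-QUIET_MODE_ON for {self.block_for}s (modeled message)")
            self.failures = []
        return "rejected"


def run_scenario() -> list:
    """Replay a constructed attempt sequence against 'login block-for 100 attempts 2 within 100'."""
    blocker = LoginBlocker(block_for=100, attempts=2, within=100,
                           quiet_mode_acl=[ip_network("10.0.0.0/24")])   # hypothetical myacl
    events = [
        (0,   "192.0.2.10", False),   # first failure from an untrusted host
        (30,  "192.0.2.10", False),   # second failure within 100 s -> quiet mode until t=130
        (40,  "192.0.2.10", True),    # even the right password is blocked during quiet mode
        (50,  "10.0.0.5",   True),    # admin host permitted by the quiet-mode ACL still gets in
        (131, "192.0.2.10", True),    # quiet period has expired, normal processing resumes
    ]
    return [(t, src, blocker.attempt(t, src, ok)) for t, src, ok in events]


if __name__ == "__main__":
    for t, src, outcome in run_scenario():
        print(f"t={t:3d} {src:12s} {outcome}")
```

The fourth event is the reason the ACL matters: without login quiet-mode access-class, the admin host at 10.0.0.5 would be blocked for the whole quiet period along with the attacker, which is exactly the denial of service the feature is meant to limit.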