---
title: IOS Security Configuration
tags: Cisco IOS, networking, manual, reference, router, switch, technical
---

<header>
<h6>IOS Security Configuration</h6>

> [toc]

</header>

---

{%hackmd r8ZvM3noSwKf-NviH6Qb3Q %}

# Secure Administrative Access

## Authentication

To secure user EXEC mode access, enter line console configuration mode using the **`line console 0`** global configuration command. Specify the user EXEC mode password using the <code>**password** *password*</code> command. Finally, enable user EXEC access using the **`login`** command.

```pug
S1# configure terminal
S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)#
// Virtual terminal (VTY) lines enable remote access
// using Telnet or SSH to the device.
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# end
S1#
```

To secure privileged EXEC access, use the <code>**enable secret** *password*</code> global config command, as shown in the example.

```pug
S1# configure terminal
S1(config)# enable secret class
S1(config)# exit
S1#
```

### Password Encryption

The startup-config and running-config files display most passwords in plaintext. To encrypt all plaintext passwords, use the <code>**service password-encryption**</code> global config command.

```pug
R1(config)# service password-encryption
R1(config)# security passwords min-length 8
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# exec-timeout 5 30
R1(config-line)# transport input ssh
R1(config-line)# end
R1#
```

MD5 hashes are no longer considered secure because attackers can reconstruct valid certificates. The <code>**enable secret** *password*</code> command shown above uses an MD5 hash by default. Therefore, it is now recommended that you configure all secret passwords using either **type 8** or **type 9** passwords.
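The script below is an added example written for this note (it is not part of the original page and not a Cisco tool). It reads a running-config and reports how each `enable secret`, `enable password`, `username ... secret|password` and line-mode `password` statement is stored, so plaintext (type 0), the reversible type 7 output of `service password-encryption` and MD5 type 5 hashes stand out from the recommended type 8 and type 9. The configuration excerpt embedded in it is constructed and its hash strings are placeholders, not real digests. One caveat worth stating: `service password-encryption` only applies the reversible type 7 encoding, so it hides passwords from someone glancing at the configuration but does not protect them from anyone who obtains the configuration file.

```python
"""Report how credentials are stored in a Cisco IOS running-config.

Added example for this note (not Cisco tooling). It finds `enable secret`,
`enable password`, `username ... secret|password` and line-mode `password`
statements and classifies each by its IOS storage type, so plaintext
(type 0), reversible type 7 and MD5 type 5 entries stand out from the
recommended type 8 (PBKDF2-SHA256) and type 9 (scrypt).
"""
import re

# IOS storage types. Type 7 is what `service password-encryption` produces;
# it is a reversible encoding, not a hash, so it only hides passwords from
# casual viewing of the configuration.
TYPE_NAMES = {
    "0": "plaintext (type 0)",
    "5": "MD5 (type 5)",
    "7": "reversible encoding from service password-encryption (type 7)",
    "8": "PBKDF2-SHA256 (type 8)",
    "9": "scrypt (type 9)",
}
RECOMMENDED = {"8", "9"}

# Credential statements as they appear in a running-config. The single-digit
# type indicator is optional: IOS omits it for some plaintext entries.
_CRED_RE = re.compile(
    r"^\s*(?P<stmt>enable\s+(?:secret|password)(?:\s+level\s+\d+)?"
    r"|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?\s+(?:secret|password)"
    r"|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)

# Constructed sample excerpt; hash and type-7 strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$placeholder-md5-hash
enable secret level 5 9 $9$CONSTRUCTEDSALT$placeholder-scrypt-hash
username Bob secret 9 $9$CONSTRUCTEDSALT$placeholder-scrypt-hash
username Alice privilege 15 secret 8 $8$CONSTRUCTEDSALT$placeholder-pbkdf2-hash
username old-admin password 7 00CONSTRUCTED00
line con 0
 password 7 00CONSTRUCTED77
 login
line vty 0 15
 password cisco
 transport input ssh
"""

def storage_type(type_field, value):
    """Return the IOS storage type ("0", "5", "7", "8" or "9") for one entry."""
    if type_field is not None:
        return type_field
    # No indicator: recognise hashed forms by their prefix, else plaintext.
    if value.startswith("$1$"):  # legacy MD5 form of type 5
        return "5"
    m = re.match(r"^\$([589])\$", value)
    return m.group(1) if m else "0"

def audit_credentials(config_text):
    """Return (statement, type, description, recommended) for each credential."""
    findings = []
    for line in config_text.splitlines():
        m = _CRED_RE.match(line)
        if not m:
            continue
        t = storage_type(m.group("type"), m.group("value"))
        stmt = " ".join(m.group("stmt").split())
        if m.group("user"):
            stmt = f"username {m.group('user')}"
        findings.append((stmt, t, TYPE_NAMES.get(t, f"unknown (type {t})"), t in RECOMMENDED))
    return findings

def weak_credentials(config_text):
    """Statements stored as anything other than type 8 or type 9."""
    return [f[0] for f in audit_credentials(config_text) if not f[3]]

def has_service_password_encryption(config_text):
    """True if `service password-encryption` is set (type 7 only; still weak)."""
    return any(l.strip() == "service password-encryption" for l in config_text.splitlines())

if __name__ == "__main__":
    for stmt, t, desc, ok in audit_credentials(SAMPLE_CONFIG):
        print(f"{'ok  ' if ok else 'WEAK'} {stmt:<25} {desc}")
```

Run it against the output of `show running-config` saved to a file; anything listed as WEAK should be re-entered with `algorithm-type scrypt` (or `sha256`) and the line-mode `password` entries replaced by `login local` with per-user secrets.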
Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.

**To set an encrypted password, use the enable algorithm-type command syntax:**

```pug
// enable algorithm-type { md5 | scrypt | sha256 } secret <password>
R1(config)# enable algorithm-type scrypt secret cisco12345
```

The options for the command are described below:

| Algorithm Keyword | Description |
| ----------------- | ----------- |
| <div class='mono'>**md5**</div> | Type 5; selects the message digest algorithm 5 (MD5) as the hashing algorithm. |
| <div class='mono'>**scrypt**</div> | Type 9; selects scrypt as the hashing algorithm. *[best option]* |
| <div class='mono'>**sha256**</div> | Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm. |
| <div class='mono'>**secret**</div> | Required keyword that introduces the password; it is not an algorithm choice. The password is stored as the hash selected by the preceding keyword. |

Type 8 and type 9 encryption was also introduced in Cisco IOS 15.3(3)M for the **`username secret`** command:

```pug
// username <name> algorithm-type { md5 | scrypt | sha256 } secret <password>
R1(config)# username Bob algorithm-type scrypt secret cisco54321
```

### Additional Login Security

:::info
These login enhancements can only be enabled if the local database is used for authentication for local and remote access. If the lines are configured for password authentication only, then the enhanced login features are not enabled.
:::

```pug
R1(config)# login block-for 15 attempts 5 within 60
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10
R1(config-std-nacl)# exit
R1(config)# login quiet-mode access-class PERMIT-ADMIN
R1(config)# login delay 10
R1(config)# login on-success log
R1(config)# login on-failure log every 3
R1(config)#
```

All login enhancement features are disabled until the **`login block-for`** command is configured.
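As an added example (not from the original note and not Cisco code), the script below shows what the `login on-success log` and `login on-failure log` messages give a defender once they reach a syslog collector. It parses lines modelled on the IOS `%SEC_LOGIN-4-LOGIN_FAILED` and `%SEC_LOGIN-5-LOGIN_SUCCESS` messages, then replays the same `attempts N within M` sliding window that `login block-for` uses, to show at which failure the router would have entered quiet mode. The log lines are constructed for the example, and the function names and the per-source breakdown are my own additions.

```python
"""Analyse Cisco IOS login-attempt syslog messages.

Added example for this note (not Cisco code). Parses lines modelled on
%SEC_LOGIN-4-LOGIN_FAILED / %SEC_LOGIN-5-LOGIN_SUCCESS, then replays the
`login block-for <secs> attempts <n> within <secs>` window over the
failures to find the moment the router would enter quiet mode.
"""
import re
from collections import defaultdict, deque

# Constructed sample lines (not captured from a device); the layout follows
# the IOS message format: [user: ...] [Source: ...] ... at HH:MM:SS ...
SAMPLE_SYSLOG = [
    "*Mar  1 00:00:05.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: Bob] [Source: 192.168.10.10] [localport: 22] at 00:00:05 UTC Mon Mar 1 2021",
    "*Mar  1 00:01:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:01:00 UTC Mon Mar 1 2021",
    "*Mar  1 00:01:10.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:01:10 UTC Mon Mar 1 2021",
    "*Mar  1 00:01:20.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:01:20 UTC Mon Mar 1 2021",
    "*Mar  1 00:01:30.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:01:30 UTC Mon Mar 1 2021",
    "*Mar  1 00:01:40.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.99] [localport: 22] [Reason: Login Authentication Failed] at 00:01:40 UTC Mon Mar 1 2021",
    "*Mar  1 00:02:00.000: %SYS-5-CONFIG_I: Configured from console by Bob on vty0 (192.168.10.10)",
    "*Mar  1 00:05:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: Bob] [Source: 192.168.11.10] [localport: 22] [Reason: Login Authentication Failed] at 00:05:00 UTC Mon Mar 1 2021",
]

LOG_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].*?"
    r" at (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"
)

def parse_login_events(lines):
    """Return (seconds_since_midnight, event, user, source) per matching line."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append((t, m["event"], m["user"], m["src"]))
    return events

def quiet_mode_trigger(events, attempts, within):
    """Replay `login block-for ... attempts <attempts> within <within>`.

    IOS counts failed logins device-wide, so one sliding window is used
    regardless of source. Returns the time of the failure that would start
    quiet mode, or None if the threshold is never reached.
    """
    window = deque()
    for t, event, _user, _src in sorted(events):
        if event != "LOGIN_FAILED":
            continue
        window.append(t)
        # Drop failures older than the `within` interval.
        while t - window[0] > within:
            window.popleft()
        if len(window) >= attempts:
            return t
    return None

def failures_by_source(events):
    """Failed-login count per source address, for triage and ACL decisions."""
    counts = defaultdict(int)
    for _t, event, _user, src in events:
        if event == "LOGIN_FAILED":
            counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    evts = parse_login_events(SAMPLE_SYSLOG)
    print("quiet mode would start at t =", quiet_mode_trigger(evts, attempts=5, within=60))
    print("failures by source:", failures_by_source(evts))
```

Two things to keep in mind when reading real collector data: `login on-failure log every 3` makes the device emit one message per three failures, so counts recovered from syslog are a lower bound; and because the block-for counter is device-wide, a burst from one unknown source (as in the sample) can push the router into quiet mode for legitimate administrators too, which is exactly why `login quiet-mode access-class` should name the administrative hosts.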
The login enhancement configuration commands are described below:

| Command | Description |
| ------- | ----------- |
| <div class='mono'>**login block-for**</div> | Can defend against DoS attacks by disabling logins after a specified number of failed login attempts. When implemented, a one-second delay between login attempts is automatically invoked. |
| <div class='mono'>**login quiet-mode**</div> | Maps to an ACL that identifies the permitted hosts. This ensures that only authorized hosts can attempt to log in to the router. Reset using the **`login normal-mode`** command. |
| <div class='mono'>**login delay**</div> | Specifies a number of seconds the user must wait between unsuccessful login attempts. Defaults to **one second**. |
| <div class='mono'>**login on-[success\|failure]**</div> | Log successful and unsuccessful login attempts. The number of login attempts before a logging message is generated can be specified by appending <code>**every** *attempts*</code> to the command, where the default *attempts* value is 1 attempt. The valid range is from 1 to 65,535. |

:::danger
These login configuration commands do not apply to console connections. When dealing with console connections, it is assumed that only authorized personnel have physical access to the devices.
:::

As an alternative to the **`login on-failure log`** command, the **`security authentication failure rate`** command can be configured to generate a log message when the login failure rate is exceeded.
```pug
R1(config)# security authentication failure rate <count> log
```

## Enable SSH

<ol class='step-list'>
<li>Configure a unique device hostname.</li>
<li>Configure the IP domain.</li>
<li>Configure SSH key pairs using the RSA algorithm.</li>
<li>Verify or create an admin user with any necessary privileges.</li>
<li>Enable SSH version 2.</li>
<li>Configure desired SSH security settings.</li>
<li>Configure the VTY lines to only allow SSH connections.</li>
<li>Configure either a local or remote database for authentication.</li>
<li>Set the router to automatically disconnect an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.</li>
</ol>

```pug
Switch(config)# hostname S1
S1(config)# ip domain name example.com
S1(config)# crypto key zeroize rsa
S1(config)# crypto key generate rsa general-keys modulus 1024
S1(config)# username SSHadmin privilege 15 secret ciscosshpa55
S1(config)# ip ssh version 2
S1(config)# ip ssh timeout 90
S1(config)# ip ssh authentication-retries 2
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 30
S1(config-line)# end
S1# show crypto key mypubkey rsa
! % Key pair was generated at: 21:18:41 UTC Feb 16 2015
! Key name: S1.example.com
! Key type: RSA KEYS
!
! <...output omitted...>
```

### Inter-Router SSH Connections

A Cisco router can connect via SSH to another SSH-enabled router using the <code>**ssh -l** *username* *ip-address*</code> command:

```pug
R1# ssh -l Bob 192.168.2.101
Password:
R2> enable
R2# show ssh
! Connection Version Mode Encryption  Hmac       State            Username
! 0          2.0     IN   aes128-cbc  hmac-sha1  Session started  Bob
! 0          2.0     OUT  aes128-cbc  hmac-sha1  Session started  Bob
! %No SSHv1 server connections running.
R2#
```

## Privilege Levels

There are 16 privilege levels in total, as listed below. Commands that are available at lower privilege levels are also executable at higher levels.
* **Level 0** — Predefined for user-level access privileges. Seldom used, but includes five commands: `disable`, `enable`, `exit`, `help`, and `logout`.
* **Level 1** — The default level for login, with the router prompt **`Router>`**. A user cannot make any changes or view the running configuration file.
* **Levels 2-14** — May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
* **Level 15** — Reserved for the **`enable`** (privileged EXEC) mode privileges (`enable` command). Users can change configurations and view configuration files.

To assign commands to a custom privilege level, use the **`privilege`** global configuration command:

```pug
// privilege <mode> [level {<level>|reset} <command>]
Router(config)# privilege exec level 5 ping
```

:::warning
**The use of privilege levels has its limitations:**
<br>
<ul style="padding-left: 3.2em; text-align: justify; text-justify: inter-character;">
<li>There is no access control for interfaces, ports, logical interfaces, and slots on a router.</li>
<li>Commands available at lower privilege levels are always executable at higher levels.</li>
<li>Commands specifically set at a higher privilege level are not available to lower privileged users.</li>
<li>Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to <b><code>show ip route</code></b> allows the user access to all <b><code>show</code></b> and <b><code>show ip</code></b> commands.</li>
</ul>
:::

There are two methods to create passwords for the various privilege levels:

```pug
Router(config)# username <name> privilege <level> secret <password>
Router(config)# enable [algorithm-type <type>] secret level <level> <password>
```

:::success
Both the username secret and the enable secret commands are configured for **type 9** encryption.
:::

## Role-Based Access

This feature provides granular access to the OS by controlling which commands are available to specific roles. Each **view** defines the CLI commands that each user can access. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router.

**Role-based CLI provides three types of views that dictate which commands are available:**

* **Root View** — Has the same access privileges as a user who has level 15 privileges. Only a root view user can configure a new view and add or remove commands from the existing views.
* **CLI View** — Bundled set of available commands. Each view must be assigned all commands associated with that view. Views cannot inherit commands from other views.
* **Superview** — Consists of one or more CLI views. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once. Superviews cannot directly be assigned a command. Each superview has a password that is used to access it.

### View Configuration

Before an administrator can create a view, AAA must be enabled using the **`aaa new-model`** command. To configure and edit views, an administrator must log in as the root view using the **`enable view [root]`** command. When prompted, enter the **`enable secret`** password.

:::info
Excluding the root view, there is a maximum limit of **15 views**.
:::

There are three steps to create and manage a specific **view**:

<ol class='step-list'>
<li>Create a view using the <code><b>parser view</b> <i>view-name</i></code> global configuration command.</li>
<li>Assign a secret password to the view using the <code><b>secret</b> <i>password</i></code> view configuration command. The password must be created immediately after creating a view, otherwise, an error message will appear.
</li>
<li>Assign commands to the selected view using the <code><b>commands</b> <i>parser-mode</i></code> command.</li>
</ol>

```pug
Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]
```

The options for the command are described below:

| Parameter | Description |
| --------- | ----------- |
| <div class='mono'>*parser-mode*</div> | The mode in which the specified command exists; for example, EXEC mode. |
| <div class='mono'>**include**</div> | Adds a command or an interface to the view and allows the same command or interface to be added to other views. |
| <div class='mono'>**include-exclusive**</div> | Adds a command or an interface to the view and excludes the same command or interface from being added to all other views. |
| <div class='mono'>**exclude**</div> | Excludes a command or an interface from the view. |
| <div class='mono'>**all**</div> | A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword or every subinterface for a specified interface to be part of the view. |
| <div class='mono'>**interface** *interface-name*</div><br><div class='mono'>*command*</div> | <div>Interface that is added to the view.</div><br><div>Command that is added to the view.</div> |

### Superview Configuration

There are three steps to create and manage a **superview**:

<ol class='step-list'>
<li>Create a superview using the <code><b>parser view</b> <i>view-name</i> <b>superview</b></code> global configuration command.</li>
<li>Assign a secret password to the view using the <code><b>secret</b> <i>password</i></code> view configuration command. The password must be created immediately after creating the superview, otherwise, an error message will appear.
</li>
<li>Assign an existing view using the <code><b>view</b> <i>view-name</i></code> command.</li>
</ol>

To verify view configuration, use **`show parser view [all]`**.

# IOS Hardening

Cisco IOS **Resilient Configuration** features allow for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in NVRAM. These features maintain a secure working copy of the device's IOS image file or the running configuration file. These secure files cannot be removed by the user and are referred to as the **primary bootset**.

:::info
**IOS Image Resilience** is only available on older routers that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. Newer routers such as the ISR 4000 do not support this feature.
:::

The Cisco IOS file system prevents secured files from being listed in the output of the **`dir`** command. Use the **`show secure bootset`** command to verify the existence of a secured archive or IOS image.

## Enable IOS Image Resilience

To secure the **IOS image** and enable Cisco IOS image resilience, use the **`secure boot-image`** global configuration mode command. When enabled for the first time, the running Cisco IOS image is secured and a log entry is generated.

:::danger
**Image Resilience** can only be disabled through a console session using the **`no secure boot-image`** global configuration command.
:::

This command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. Additionally, the running image must be loaded from persistent storage to be secured as primary.

:::warning
Images that are loaded from a remote location, such as a TFTP server, cannot be secured.
:::

## Enable Running-Configuration Resilience

To copy the **running-configuration** and securely archive it in persistent storage, use the **`secure boot-config`** global configuration command.
The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt. Subsequent use of the **`secure boot-config`** command will update the archived configuration to match the latest version.

:::success
The configuration file in the primary bootset is a copy of the running configuration that was in use when the feature was first enabled.
:::

## Remote Backup of Secure Archives

Secure Copy Protocol (SCP) is used to remotely back up Resilient Configuration files. SCP provides a secure and authenticated method for copying router configuration or router image files to a remote location.

:::success
SCP requires the SSH and AAA features to be enabled.
:::

Use the following steps to configure a router or switch for server-side SCP with local AAA:

<ol class='step-list'>
<li>Use the <code><b>aaa authentication login default local</b></code> command to use the local database for authentication.</li>
<li>Use the <code><b>aaa authorization exec default local</b></code> command to configure command authorization.</li>
<li>Enable SCP server-side functionality with the <code><b>ip scp server enable</b></code> command.</li>
</ol>

```pug
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# ip scp server enable
```

To copy a file to a remote location using SCP, use the <code><b>copy</b> <i>source</i> <b>scp:</b></code> command. A series of prompts will be presented in order to configure the destination of the SCP action:

```pug
R2# copy 'flash0:R2backup.cfg' scp:
Address or name of remote host []? '10.1.1.1'
Destination username [R1]? 'Bob'
Destination filename [R2backup.cfg]?
! Writing R2backup.cfg
Password: <cisco12345>
!
! 1381 bytes copied in 8.596 secs (161 bytes/sec)
R2#
```

The most common authentication issue is an incorrect username/password combination.
There is also an authentication failure if the username/password combination was not assigned the **`privilege 15`** configuration on the SCP server. Enter the **`debug ip scp`** command to watch the transfer proceed, if verification is needed.

## Restoring the Primary Bootset

To restore the primary bootset from a secure archive:

<ol class='step-list'>
<li>Restart the router using the <code><b>reload</b></code> command. If necessary, issue the break sequence to enter <b>ROM monitor</b> (ROMmon) mode.</li>
<li>From ROMmon mode, enter the <code><b>dir</b> <i>drive</i></code> command to list the contents of the storage device that contains the secure bootset file.</li>
<li>Boot the router with the secure bootset image using the <code><b>boot</b> <i>filepath</i></code> command, pointing to the secure archive found in <b>Step 2</b>.</li>
<li>Enter <b>global configuration</b> mode and restore the secure configuration to a filepath of your choice using the <code><b>secure boot-config restore</b> <i>filepath</i></code> command.</li>
<li>Exit global configuration mode and issue the <code><b>copy</b> <i>source</i> <b>running-config</b></code> command (using the file restored in <b>Step 4</b> as the source) to copy the rescued configuration file to the running configuration.</li>
</ol>

## Recovery Mode

If a router is compromised or needs to be recovered from a misconfigured password, an administrator must follow the password recovery procedure. Depending on the device, this procedure may vary.
**Password Recovery Procedure**

<ol class='step-list'>
<li>Connect to the device's console port.</li>
<li>Use the <code><b>show version</b></code> command to display the configuration register setting and document the value (e.g., <code>0x2102</code>).</li>
<li>Power cycle the router.</li>
<li>Issue the break sequence (e.g., <b>CTRL-BREAK</b>) to enter <b>ROMmon</b> mode.</li>
<li>Change the default configuration register with the <code><b>confreg 0x2142</b></code> command.</li>
<li>Reboot the device using the <code><b>reset</b></code> command.</li>
<li>Press <code><b>CTRL-C</b></code> to skip the initial setup procedure.</li>
<li>Enter <b>privileged EXEC</b> mode.</li>
<li>Copy the startup configuration to the running configuration using the <code><b>copy startup-config running-config</b></code> command.</li>
<li>Verify the configuration.</li>
<li>Change the enable secret password.</li>
<li>Restore the <b>configuration register</b> to the previous setting that was documented in <b>Step 2</b> using the <code><b>config-register</b> <i>value</i></code> global configuration command.</li>
<li>Save the configuration changes using the <code><b>copy running-config startup-config</b></code> command. On the next reboot, the router will load the new startup configuration file that contains the changed password.</li>
</ol>

:::warning
For security reasons, password recovery requires the administrator to have physical access to the router through a console cable.
:::

If an attacker gains physical access to a router or switch, they could potentially gain control of the device through the password recovery procedure. This leaves the router configuration intact, making this type of attack difficult to detect. Administrators can mitigate this potential risk by using the **`no service password-recovery`** global configuration command. Once password recovery is disabled, all access to **ROMmon** mode is disabled.
:::danger
An attacker may use the password-recovery method to discover the device configuration and other pertinent information about the network, such as traffic flows and access control restrictions.
:::

To recover a device after the password-recovery service is disabled, initiate the break sequence within five seconds after the image decompresses during the boot. You will be prompted to confirm the break key action. After confirmation, the startup configuration is completely erased, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the password-recovery feature still disabled.

---

*[NVRAM]: Nonvolatile Random-Access Memory

---

{%hackmd 7PGmjAHeTXak2VUM3iw5Wg %}
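To tie the Enable SSH, IOS Hardening and Recovery Mode sections together, here is an added audit script (mine, not from the note and not Cisco tooling). It parses a running-config into global statements and indented `line` blocks and checks the settings those sections ask for: `ip ssh version 2`, `login block-for`, `security passwords min-length`, `no service password-recovery`, `secure boot-config`, and for every VTY range `transport input ssh`, an `exec-timeout` that is not `0 0`, and `login local` or an AAA login method. The sample configuration is constructed and deliberately leaves one VTY range weak; the check names are my own. The RSA modulus cannot be audited from the configuration because the key pair is not shown there; note separately that the 1024-bit modulus used in the Enable SSH example is below the 2048-bit minimum that current guidance expects.

```python
"""Audit remote-access and resilience hardening in a Cisco IOS running-config.

Added example for this note (not Cisco tooling). Splits the configuration
into global statements and indented `line`/`interface` blocks, then checks
the settings covered by the Enable SSH, IOS Hardening and Recovery Mode
sections. Check names are this example's own.
"""

# Constructed sample running-config; the second VTY range is deliberately weak.
HARDENING_SAMPLE = """\
hostname R1
ip domain name example.com
security passwords min-length 8
login block-for 15 attempts 5 within 60
no service password-recovery
secure boot-config
ip ssh version 2
!
line con 0
 exec-timeout 5 30
 login local
line vty 0 4
 exec-timeout 5 30
 transport input ssh
 login local
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
 login local
"""

def parse_blocks(config_text):
    """Return (global_statements, {block_header: [sub_statements]})."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank line or `!` separator
        if raw.startswith(" "):
            if current is not None:       # indented: belongs to the open block
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        current = None
        if line.startswith(("line ", "interface ")):
            current = line
            blocks.setdefault(current, [])
        else:
            global_lines.append(line)
    return global_lines, blocks

def audit_remote_access(config_text):
    """Map each check name to True (hardened) or False (needs attention)."""
    globals_, blocks = parse_blocks(config_text)
    gset = set(globals_)
    results = {
        "ssh-version-2": "ip ssh version 2" in gset,
        "login-block-for": any(s.startswith("login block-for") for s in globals_),
        "password-min-length": any(s.startswith("security passwords min-length") for s in globals_),
        "password-recovery-disabled": "no service password-recovery" in gset,
        "secure-boot-config": "secure boot-config" in gset,
    }
    for header, sub in blocks.items():
        if not header.startswith("line vty"):
            continue
        tag = header.replace(" ", "-")
        # SSH only: `transport input ssh` exactly, so telnet is not listed.
        results[f"{tag}:ssh-only"] = "transport input ssh" in sub
        # An explicit idle timeout that is not `0 0` (which disables it).
        results[f"{tag}:exec-timeout"] = any(
            s.startswith("exec-timeout") and s != "exec-timeout 0 0" for s in sub)
        # Authentication against the local database or an AAA method list.
        results[f"{tag}:login-local-or-aaa"] = any(
            s == "login local" or s.startswith("login authentication") for s in sub)
    return results

def failed_checks(config_text):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in audit_remote_access(config_text).items() if not ok)

if __name__ == "__main__":
    for name, ok in audit_remote_access(HARDENING_SAMPLE).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

An absent `exec-timeout` is reported as a failure on purpose: the running-config omits the 10-minute default, and the note's procedure asks for an explicit 5 minutes 30 seconds, so silence is treated as "not reviewed" rather than as compliant.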