Router Security Configuration Guide UNCLASSIFIED 50 UNCLASSIFIED Version 1.0g

The auxiliary port, if at all possible, should be disabled. Router Central, in the sample network diagram (Figure 4-1), has no need for the aux port. The example below shows how to disable login on the auxiliary port (login to enable mode first):

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# line aux 0
    Central(config-line)# transport input none
    Central(config-line)# login local
    Central(config-line)# exec-timeout 0 1
    Central(config-line)# no exec
    Central(config-line)# end
    Central#

Section 4.1.5 discusses configuration of the auxiliary port if it is required for a modem. If the auxiliary port is required for a second local serial connection, then configure it as shown below.

    Central# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Central(config)# line aux 0
    Central(config-line)# exec-timeout 5 0
    Central(config-line)# login local
    Central(config-line)# transport input none
    Central(config-line)# exec
    Central(config-line)# end
    Central#

The primary mechanism for remote administration of Cisco routers is logging in via Telnet; these connections are called virtual terminal lines. Login on the virtual terminal lines should be disabled if remote administration is not absolutely necessary. Remote administration is inherently dangerous because anyone with a network sniffer on the right LAN segment can acquire the router passwords and would then be able to take control of the router.

To disable network virtual terminal connections to the router, create an access list and apply it to the virtual terminal lines as shown in the example below. [Note: perform these commands only when connected to the aux or console port; do not perform them while logged into the router via Telnet.]

    South# config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    South(config)# no access-list 90
    South(config)# access-list 90 deny any log
    South(config)# line vty 0 4
    South(config-line)# access-class 90 in
    South(config-line)# transport input none
    South(config-line)# login local
    South(config-line)# exec-timeout 0 1
    South(config-line)# no exec
    South(config-line)# end
    South#

If remote administration is necessary, see Section 4.1.5 for details on configuring remote administration.
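As an added example (not part of the guide), the following script audits a saved Cisco IOS running-config for the aux and vty settings shown above: each `line aux`/`line vty` stanza must carry `transport input none`, `login local` and `no exec`, and the vty lines must be bound with `access-class` to an access list that contains a `deny any` entry. The sample configuration it parses is constructed, and the checks assume the exact command spellings the guide uses.

```python
import re

# Constructed sample running-config, modelled on the guide's aux and vty examples.
SAMPLE_CONFIG = """\
access-list 90 deny any log
line aux 0
 exec-timeout 0 1
 login local
 no exec
 transport input none
line vty 0 4
 access-class 90 in
 exec-timeout 0 1
 login local
 no exec
 transport input none
"""

def parse_config(config):
    """Return ({'aux 0': [cmds], ...}, {ACL numbers that contain a 'deny any' entry})."""
    stanzas, deny_any_acls, current = {}, set(), None
    for raw in config.splitlines():
        m = re.match(r"access-list (\d+) deny\s+any\b", raw)
        if m:
            deny_any_acls.add(m.group(1))
        if raw.startswith("line "):          # start of a 'line <type> <range>' stanza
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:                                # any other top-level command ends the stanza
            current = None
    return stanzas, deny_any_acls

def audit(config):
    """List deviations from the guide's disabled-aux/vty settings; [] means compliant."""
    stanzas, deny_any_acls = parse_config(config)
    findings = []
    for name, cmds in stanzas.items():
        if not name.startswith(("aux", "vty")):
            continue                         # console line is out of scope here
        for required in ("transport input none", "login local", "no exec"):
            if required not in cmds:
                findings.append(f"{name}: missing '{required}'")
        if name.startswith("vty"):
            # remote logins are blocked only if the bound access-class denies everything
            acls = [c.split()[1] for c in cmds if c.startswith("access-class ")]
            if not acls or acls[0] not in deny_any_acls:
                findings.append(f"{name}: no access-class bound to a deny-any ACL")
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; an empty list means the aux and vty lines match the guide's disabled configuration.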