index_62
Router Security Configuration Guide
UNCLASSIFIED
62
UNCLASSIFIED
Version 1.0g
Finger Server
The IOS finger server supports the Unix ‘finger’ protocol, which is used for querying
a host about its logged in users. On a Cisco router, the show users command may
be used to list the logged in users. Typically, users who are not authorized to log in to
the router have no need to know who is logged in. The example below shows how to
test and disable the finger server.
Central# connect 14.2.9.250 finger
Trying 14.2.9.250, 79 ... Open
Welcome to the CENTRAL router.
Line User Host(s) Idle Location
130 vty 0 14.2.9.6 00:00:00 goldfish
*131 vty 1 idle 00:00:00 central
[Connection to 14.2.9.250 closed by foreign host]
Central# config t
Enter configuration commands, one per line. End with
CNTL/Z.
Central(config)# no ip finger
Central(config)# no service finger
Central(config)# exit
Central# connect 14.2.9.250 finger
Trying 14.2.9.250, 79 ...
% Connection refused by remote host
Central#
HTTP Server
Newer Cisco IOS releases support web-based remote administration using the HTTP
protocol. While the web access features are fairly rudimentary on most Cisco router
IOS releases, they are a viable mechanism for monitoring, configuring, and attacking
a router. If web-based remote administration is not needed, then it should be disabled
as shown below.
Central# config t
Enter configuration commands, one per line. End with
CNTL/Z.
Central(config)# no ip http server
Central(config)# exit
Central# connect 14.2.9.250 www
Trying 14.2.9.250, 80 ...
% Connection refused by remote host
Central#
Web-based remote administration is useful primarily when intervening routers or
firewalls prevent use of Telnet for that purpose. However, it is important to note that
both Telnet and web-based remote administration reveal critical passwords in the
clear. Further, web-based administration imposes the requirement that users log in at
full (level 15) privilege. Therefore, web-based remote administration should be