Secure Administrative Access to the Switch
Summary
TLDR: The video demonstrates how to secure access to a network switch by configuring password protections for both console and virtual terminal (vty) access. It walks through the steps of setting up passwords in user and privilege exec modes, encrypting them to enhance security, and configuring a message of the day (MOTD) banner as a legal warning. The video emphasizes using strong, complex passwords and shows how to view and verify configurations using the command line interface (CLI) of a Cisco switch.
Takeaways
- 🔐 It's important to secure access to network devices so only administrators can make changes.
- 🖥️ The initial configuration is done using a terminal emulation program to access the command line interface of the switch.
- ⚠️ A security risk exists if no password is required for user exec mode or privilege exec mode.
- 🔑 To secure the console connection, a password must be set using the 'password' and 'login' commands in line configuration mode.
- 🛡️ Privilege exec mode should also be secured by setting an 'enable secret' password, which is encrypted in the configuration file.
- 🔍 To verify passwords, use the 'show running-config' command to check the console and vty line settings.
- 💻 Virtual terminal (vty) access should be secured by configuring a password for remote logins.
- 🔒 Password encryption can be added using the 'service password-encryption' command, providing light encryption for all passwords.
- ⚠️ Setting a banner message with 'banner motd' serves as a legal warning to unauthorized users when they attempt to log in.
- ✅ After securing the device, verifying configurations with the 'show running-config' command ensures that all settings, including encryption, are in place.
Q & A
What is the initial security risk mentioned when accessing the switch?
- The initial security risk is that no password is required to access the switch's command line interface, allowing unrestricted access to both user exec mode and privilege exec mode.
What is the purpose of securing access to the console connection?
- The purpose is to prevent unauthorized users from accessing the switch's command line interface by requiring a password before entering user exec mode.
What command is used to enter Global configuration mode?
- The command 'config T' is used to enter Global configuration mode.
How can you set a password for the console connection?
- To set a password for the console connection, enter line configuration mode using the command 'line console 0' and then set the password with the command 'password <password>'. In this example, the password 'Cisco' was used.
What is the difference between the 'enable' and 'enable secret' commands?
- The 'enable' command simply sets a password for privilege exec mode, while 'enable secret' encrypts the password to enhance security.
What command is used to view the running configuration of the switch?
- The 'show running-config' command is used to view the current running configuration of the switch.
How do you secure virtual terminal (VTY) access for remote logins?
- To secure virtual terminal access, you enter the command 'line vty 0 15' from Global configuration mode, then set a password with 'password <password>' and enable login with the 'login' command.
What command can you use to encrypt passwords in the configuration file?
- The command 'service password-encryption' is used to apply encryption to all passwords in the switch’s configuration file.
Why is it important to set a banner message on the switch, and how do you configure it?
- A banner message is important as it serves as a legal warning for unauthorized users. It can be configured using the 'banner motd' command, followed by the message framed between delimiters (e.g., '#').
How can you verify that the console password and banner message are properly configured?
- You can verify the console password by exiting the switch and re-entering to check if the password prompt appears. The banner message will be displayed immediately after pressing 'Enter' when trying to access the switch.
Outlines
🔐 Securing Console and Privileged Access
This paragraph emphasizes the importance of securing network devices to ensure only administrators can access them. It begins with establishing a console connection to a switch, where the lack of password protection presents a security risk. The steps to secure access include setting passwords for both the console connection and privileged exec mode. A password 'Cisco' is used for the console, and 'class' for the privileged exec mode. The use of 'enable secret' ensures the privileged exec mode password is encrypted, enhancing security. The verification process confirms these security measures are in place, with access now requiring passwords.
🔒 Encrypting Passwords and Setting Login Banner
This section covers additional security configurations, including encrypting passwords to prevent them from being displayed in plain text in the configuration file. The command 'service password-encryption' is used to apply a basic level of encryption to all passwords. It also describes how to set a 'message of the day' (MOTD) banner, which provides a legal warning to unauthorized users attempting to access the switch. The steps conclude with testing the configuration, where both the encrypted passwords and the banner are displayed before allowing access.
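One way to automate the 'show running-config' verification described above, as an added example that is not from the video: a Python check over saved running-config text. The sample configuration, its placeholder hash, and the function name `audit` are constructed for illustration.

```python
# Constructed sample: the state midway through the walkthrough (console and
# enable secret set, vty and encryption not yet). The hash is a placeholder.
SAMPLE = """\
enable secret 5 $1$EXAMPLE$placeholderNotARealHash
!
line con 0
 password Cisco
 login
line vty 0 4
 login
line vty 5 15
 login
"""

def audit(config: str) -> list[str]:
    """Return findings for the settings the walkthrough configures."""
    lines = config.splitlines()
    top = [l.strip() for l in lines if l and not l.startswith(" ")]
    findings = []
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no 'enable secret' for privileged EXEC")
    if "service password-encryption" not in top:
        findings.append("global: 'service password-encryption' not set")
    if not any(l.startswith("banner motd ") for l in top):
        findings.append("global: no 'banner motd' warning")
    # Collect the indented sub-commands under each 'line ...' header.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
            blocks[current] = []
        elif l.startswith(" ") and current:
            blocks[current].append(l.strip())
        else:
            current = None
    for name, cmds in blocks.items():
        if not name.startswith(("line con", "line vty")):
            continue
        pw = [c for c in cmds if c.startswith("password ")]
        # Only the line-password method from the page is checked here.
        if not pw or "login" not in cmds:
            findings.append(f"{name}: 'password' and 'login' not both set")
        if any(not c.startswith("password 7 ") for c in pw):
            findings.append(f"{name}: password stored in plain text")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A 'password 7' entry passes this check, but as the video notes it is only a light level of encryption, so the saved configuration file still needs to be protected.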
Keywords
💡Console connection
💡User EXEC mode
💡Privilege EXEC mode
💡Global configuration mode
💡Password encryption
💡Enable secret
💡VTY lines
💡Banner message
💡Running configuration file
💡Service password-encryption
Highlights
Securing access to devices is crucial to prevent unauthorized changes and maintain network security.
The process begins with configuring the device through the command line interface (CLI) of the switch.
User exec mode is accessible without a password, presenting a security risk.
Privilege exec mode can also be accessed without authentication, adding to the vulnerability.
Access to the console connection should be secured by entering Global configuration mode and setting a password.
In line configuration mode, the 'password' and 'login' commands are used to set a console connection password.
To secure access to privilege exec mode, the 'enable secret' command is used, which ensures the password is encrypted.
After setting passwords, attempting to access the switch prompts for authentication, both for user and privilege exec modes.
The 'show running-config' command verifies that the enable secret password is hashed in the configuration file.
The 'line vty' command is used to secure virtual terminal access, which allows remote login to the switch.
By configuring all 16 vty lines (0-15), multiple remote logins can be managed and secured with a password.
The 'service password-encryption' command ensures that passwords are encrypted in the configuration file.
A 'banner motd' (message of the day) command is set to display a legal warning upon login attempts.
The banner warns unauthorized users and potential hackers about legal consequences for unauthorized access.
Verifying the setup confirms that both console and virtual terminal passwords are encrypted and a banner is displayed.
Transcripts
when installing a device on a network
it's important to secure access to the
device so only an administrator will be
able to access it and make changes to do
this we'll need to perform some initial
configuration settings I'll click on
pc1 I'll click on the terminal emulation
program and now you can see that I have
a console connection into the switch
command line I'll press
enter and this takes me to the command
line interface as you can see I'm logged
into the switch and user exec mode no
password was required to access the
command line This is a security risk if
I type the enable command you can see
that I have now entered privilege exec
mode also without any type of
authentication this presents a great
security risk since from privilege exec
mode I have access to configure the
switch the first thing you'll want to do
is secure access to both the console
connection and to privilege exec mode
first I'll control access to the console
connection to do that I'll get into
Global configuration mode with the
config T command and then I'll type in
line console 0 to enter line
configuration mode I can now put in a
password for my console Connection by
typing the command password and a
password of Cisco for ease of this
demonstration I'm using simple passwords
but you'll want to use strong complex
passwords whenever possible I'll type in
the login command which will require the
password prior to entering user exec
mode next I'll secure access to
privilege exec mode to do this I'll type
exit to return to Global configuration
mode then I'll enter the command enable
secret followed by the password class
the secret parameter that I used assures
me that the password class will be
encrypted in the configuration file
let's see if our passwords have been set
correctly I'll do a Ctrl-C to get to
privilege exec mode and then I'll exit
the switch now when I press enter I
should be prompted for a password before
establishing a console connection and it
does this password should be Cisco as I
type in the password for security
purposes you won't be able to see any
characters if I type it in correctly it
should take me into user exec mode and
it does and from here I'll type enable
and you can see that now I'm prompted
for another password this time I'll type
in class and press enter and you can see
now that I'm in privilege exec mode only
those with a knowledge of the correct
passwords will be able to configure this
device let's take a look at our running
configuration file up to this point I'll
do that by typing in the command show
running config you can see at the top of
the running configuration file
that the enable secret password has been
hashed within the file to see the rest
of the configuration I'll press the
space bar on my keyboard and I'll go
down towards the bottom where you can
see the configuration for the console
line here it shows a password of Cisco
and you can see it in plain text we'll
change this a little later now that I've
secured access to the console Port I'll
also want to secure virtual terminal
access for remote logins from global
configuration
mode I'll type in the command line
vty and then how many lines I want to
allow remote access to the Cisco switch
supports 16 simultaneous remote logins
through virtual terminals to configure
all 16 I simply type in zero a space and
15 and press enter and then I'll put in
the command password Cisco and then
login let's take a look at these
passwords in our running configuration
file I'll do a Ctrl-C to get to
privilege exec mode and then I'll do a
show run which is short for show running
config I'll space bar all the way down
to the end and you can see under the
configuration for the console line is
the vty line configuration the IOS
automatically breaks this down into two
groups the first five lines 0 through 4
followed by the next 10 lines 5 through
15 as with the console password you
can see that the vty line passwords are
also seen in plain text we can add
greater security to the switch if we can
encrypt these passwords so that they are
obscured in the configuration file to do
this I'll go back to Global
configuration mode then I'll enter the
command
service
password
encryption this command will put a light
level of encryption on all passwords on
the switch to verify that password
encryption has been set I'll exit Global
configuration
mode and type show run to view the
running configuration file if I space
bar down to the end you can now see that
the console password as well as the vty
line password has been encrypted another
important initial configuration command
is setting a banner message this is a
message that will be presented to users
when they log in and serves as a legal
warning for any would-be hackers to do
this I'll go to Global configuration
mode and then I'll type in the command
banner motd that stands for message of
the day the message that I type will
need to be framed between two delimiters
or characters just make sure that
whatever character you choose is not
used within the body of your message for
instance I'll use a pound sign for my
delimiters and then in between I'll put
in the message
authorized access only
violators will be
prosecuted to the full extent of the
law and then I'll end it with another
pound sign and now the banner is set now
let's verify it I'll do a Ctrl-C and
then type exit to leave the switch and
then I'll press enter notice that I'm
presented with the Banner warning I just
typed in as well as a request for a
password just to get access to the
console I'll put in the password Cisco
and press enter and now I'm in user exec
mode and then I'll type the command
enable and I'm asked for another
password to reach privilege exec mode
I'll type in class and now I have full
access to the switch