Scribd
Upload
11 views14 pages

K036 CF Lab5

The document outlines Experiment 5 for securing routers for administrative access in a B. Tech Cybersecurity course. It includes objectives such as configuring encrypted passwords, login banners, and SSH servers, along with a detailed procedure for setting up a multi-router network and implementing various security measures. The experiment emphasizes the importance of router security in network management and provides step-by-step instructions for configuration and verification tasks.

Uploaded by

spotifyuserforphone
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
11 views14 pages

K036 CF Lab5

The document outlines Experiment 5 for securing routers for administrative access in a B. Tech Cybersecurity course. It includes objectives such as configuring encrypted passwords, login banners, and SSH servers, along with a detailed procedure for setting up a multi-router network and implementing various security measures. The experiment emphasizes the importance of router security in network management and provides step-by-step instructions for configuration and verification tasks.

Uploaded by

spotifyuserforphone
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 14

Name: Arjun Mehta Roll Number: K036 Semester: 5

Course: B. Tech Specialization: CSE Batch: K1


Cybersecurity

Date: 11-08-2025

Experiment 5: To Secure the Router for Administrative Access


Aim: To secure the router for administrative access.

Learning Outcomes:

After completion of this experiment, student should be able to


1. Configure and encrypt passwords.
2. Configure a login-warning banner.
3. Configure enhanced username password security.
4. Configure enhanced virtual login security.
5. Configure an SSH server.

Theory: The router is a critical component in any network. It controls the movement of data
into and out of the network and between devices within the network. It is particularly
important to protect network routers because the failure of a routing device could make
sections of the network, or the entire network, inaccessible. Controlling access to routers and
enabling reporting on routers is critical to network security and should be part of a
comprehensive security policy.

In this lab, you will build a multi-router network and configure the routers and hosts. Use
various CLI tools to secure local and remote access to the routers.
Topology:

MY OUTPUT SCREENSHOT:
IP Address Table:

Device Interface IP Address Subnet Mask Default Gateway

G0/1 192.168.1.1 255.255.255.0 N/A


R1
S0/0/0 (DCE) 10.1.1.1 255.255.255.252 N/A
S0/0/0 10.1.1.2 255.255.255.252 N/A
R0
S0/0/1 (DCE) 10.2.2.2 255.255.255.252 N/A
G0/1 192.168.2.1 255.255.255.0 N/A
R2
S0/0/1 10.2.2.1 255.255.255.252 N/A
PC-A NIC 192.168.1.2 255.255.255.0 192.168.1.1
PC-C NIC 192.168.2.2 255.255.255.0 192.168.2.1

MY OUTPUT SCREENSHOT OF THESE CONFIGURATIONS:


Procedure:

 Create the topology as shown above in the packet tracer.


 Allocate the IP address as per table above.
 Configure OSPF to enable routing.

 Use the router ospf command in global configuration mode to


enable OSPF on R1.
R1(config)# router ospf 1
 Configure the network statements for the networks on R1. Use
an area ID of 0.
R1(config-router)# network 192.168.1.0 0.0.0.255 area 0
R1(config-router)# network 10.1.1.0 0.0.0.3 area 0
 Configure OSPF on R2 and R3.
 Issue the passive-interface command to change the G0/1
interface on R1 and R3 to passive.
R1(config)# router ospf 1
R1(config-router)# passive-interface g0/1
R3(config)# router ospf 1
R3(config-router)# passive-interface g0/1
 Verify the OSPF neighbors and routing information using show ip ospf neighbor and
show ip route command.
 Verify connectivity between PC’s
 Perform the following task and answer questions highlighted in yellow.
Task 1: Configure and Encrypt Passwords on Routers R1 and R3.

Step 1: Configure a minimum password length for all router passwords.

Use the security passwords command to set a minimum password length of 10


characters.
R1(config)# security passwords min-length 10
Step 2: Configure the enable secret password.

Configure the enable secret encrypted password on both routers.


R1(config)# enable secret mpstme1234
How does configuring an enable secret password help protect a router from being
compromised by an attack?
ANSWER: Configuring an enable secret password protects a router by requiring a
strongly encrypted (MD5-hashed) credential to access privileged EXEC mode, preventing
unauthorized users from viewing or altering configurations, which reduces the risk of attacks
like privilege escalation or remote compromise.
Step 3: Configure basic console, auxiliary port, and virtual access lines.

a. Configure a console password and enable login for routers. For additional security,
the exec-timeout command causes the line to log out after 5 minutes of inactivity.
The logging synchronous command prevents console messages from interrupting
command entry.
R1(config)# line console 0
R1(config-line)# password mpstme
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
R1(config-line)# logging synchronous
When you configured the password for the console line, what message was displayed?
MY OUTPUT SCREENSHOT:

b. Configure a new password of mpstme1234 for the console.


c. Configure a password for the AUX port for router R1.
R1(config)# line aux 0
R1(config-line)# password mpstme1234
R1(config-line)# exec-timeout 5 0
R1(config-line)# login
MY OUTPUT SCREENSHOT:

d. Telnet from R2 to R1.


R2> telnet 10.1.1.1
Were you able to login? Explain.
What messages were displayed?

MY OUTPUT SCREENSHOT:

e. Configure the password on the vty lines for router R1.


R1(config)# line vty 0 4
R1(config-line)# password ciscovtypass
R1(config-line)# exec-timeout 5 0
R1(config-line)# transport input telnet
R1(config-line)# login
Telnet from R2 to R1 again. Were you able to login this time?
MY OUTPUT SCREENSHOT:

f. Enter privileged EXEC mode and issue the show run command. Can you read the
enable secret password? Explain.
Can you read the console, aux, and vty passwords? Explain.
g. Repeat the configuration portion of steps 3a through 3g on router R3.
Step 4: Encrypt clear text passwords.

a. Use the service password-encryption command to encrypt the console, aux, and vty
passwords.
R1(config)# service password-encryption
b. Issue the show run command. Can you read the console, aux, and vty passwords?
Explain.
At what level (number) is the default enable secret password encrypted?
______________
At what level (number) are the other passwords encrypted? ______________
Which level of encryption is harder to crack and why?
Task 2: Configure a Login Warning Banner on Routers R1 and R3.

Step 1: Configure a warning message to display prior to login.

a. Configure a warning to unauthorized users with a message-of-the-day (MOTD)


banner using the banner motd command. When a user connects to one of the routers,
the MOTD banner appears before the login prompt. In this example, the dollar sign
($) is used to start and end the message.
R1(config)# banner motd $Unauthorized access strictly prohibited!$
R1(config)# exit
b. Issue the show run command. What does the $ convert to in the output?

Task 3: Configure Enhanced Username Password Security on Routers R1 and R3.

Step 1: Investigate the options for the username command.

In global configuration mode, enter the following command:


R1(config)# username user01 ?
What options are available?

Step 2: Create a new user account with a secret password.


a. Create a new user account with encrypted password.
R1(config)# username user01 secret user01pass
b. Exit global configuration mode and save your configuration.
c. Display the running configuration. Which hashing method is used for the
password?

Step 3: Test the new account by logging in to the console.


a. Set the console line to use the locally defined login accounts.
R1(config)# line console 0
R1(config-line)# login local
R1(config-line)# end
R1# exit
a. Exit to the initial router screen which displays: R1 con0 is now available, Press
RETURN to get started.
b. Log in using the previously defined username user01 and the password
user01pass.
What is the difference between logging in at the console now and previously?
c. After logging in, issue the show run command. Were you able to issue the
command? Explain.
d. Enter privileged EXEC mode using the enable command. Were you prompted for
a password? Explain.

Step 4: Test the new account by logging in from a Telnet session.


a. From PC-O, establish a Telnet session with R1.
PC> telnet 192.168.1.1
Were you prompted for a user account? Explain.
b. Set the vty lines to use the locally defined login accounts.
R1(config)# line vty 0 4
R1(config-line)# login local
c. From PC-O, telnet to R1 again.
PC> telnet 192.168.1.1
Were you prompted for a user account? Explain.
d. Log in as user01 with a password of user01pass.
e. During the Telnet session to R1, access privileged EXEC mode with the enable
command.
What password did you use?
f. For added security, set the AUX port to use the locally defined login accounts.
R1(config)# line aux 0
R1(config-line)# login local
g. End the Telnet session with the exit command.

Task 4: Configure the SSH Server on Router R1 and R3.

In this task, use the CLI to configure the router to be managed securely using SSH instead
of Telnet. Secure Shell (SSH) is a network protocol that establishes a secure terminal
emulation connection to a router or other networking device. SSH encrypts all
information that passes over the network link and provides authentication of the remote
computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network
professionals.
Note: For a router to support SSH, it must be configured with local authentication, (AAA
services, or username) or password authentication. In this task, you configure an SSH
username and local authentication.
Step 1: Configure a domain name.

Enter global configuration mode and set the domain name.


R1# conf t
R1(config)# ip domain-name nmims.edu
Step 2: Configure a privileged user for login from the SSH client.

a. Use the username command to create the user ID with the highest possible
privilege level and a secret password.
R1(config)# username admin privilege 15 secret cisco12345
b. Exit to the initial router login screen. Log in with the username admin and the
associated password. What was the router prompt after you entered the password?

Step 3: Configure the incoming vty lines.

Specify a privilege level of 15 so that a user with the highest privilege level (15) will
default to privileged EXEC mode when accessing the vty lines. Other users will default to
user EXEC mode. Use the local user accounts for mandatory login and validation and
accept only SSH connections.
R1(config)# line vty 0 4
R1(config-line)# privilege level 15
R1(config-line)# login local
R1(config-line)# transport input ssh
R1(config-line)# exit
Note: The login local command should have been configured in a previous step. It is
included here to provide all commands, if you are doing this for the first time.
Note: If you add the keyword telnet to the transport input command, users can log in
using Telnet as well as SSH, however, the router will be less secure. If only SSH is
specified, the connecting host must have an SSH client installed.

Step 4:Erase existing key pairs on the router.

R1(config)# crypto key zeroize rsa


Note: If no keys exist, you might receive this message: % No Signature RSA Keys found
in configuration.

Step 5: Generate the RSA encryption key pair for the router.

The router uses the RSA key pair for authentication and encryption of transmitted SSH
data.
a. Configure the RSA keys with 1024 for the number of modulus bits. The default is
512, and the range is from 360 to 2048.
R1(config)# crypto key generate rsa
Step 6: Verify the SSH configuration.

b. Use the show ip ssh command to see the current settings.


R1# show ip ssh
c. Fill in the following information based on the output of the show ip ssh command.
SSH version enabled: ________________________________________
Authentication timeout: ________________________________________
Authentication retries:________________________________________

Step 7: Configure SSH timeouts and authentication parameters.

The default SSH timeouts and authentication parameters can be altered to be more
restrictive using the following commands.
R1(config)# ip ssh time-out 90
R1(config)# ip ssh authentication-retries 2

You might also like