<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Is it national hack a router day? in Cisco</title>
<link>http://www.dslreports.com/forum/r20764090</link>
<description></description>
<language>en</language>
<pubDate>Wed, 03 Dec 2008 03:00:38 EDT</pubDate>
<lastBuildDate>Wed, 03 Dec 2008 03:00:38 EDT</lastBuildDate>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20870417</link>
<description><![CDATA[<A HREF="/useremail/u/1023144"><b>Phraxos</b></A> : I appreciate the suggestion.<br><br>I see what you are saying now and it is sort of the solution I have at the moment (except I VPN into my network and access other routers/systems from there). The problem is the router that gives access to all that has to be accessible from anywhere in case I have an issue with it (I have twin connections in the event of one going down).<br><br>There isn't really a problem as such, in that I use login tracking and silent time to make sure that nobody can make a concerted attack, and my choice of username/password (which changes regularly) is certainly strong enough. However, I don't come close to the level of knowledge I would like to have with Cisco routers and thought it was just worth checking there wasn't a better way to achieve what I want.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20870417</guid>
<pubDate>Wed, 30 Jul 2008 04:02:21 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20864621</link>
<description><![CDATA[<A HREF="/useremail/u/660498"><b>TomS_</b></A> : <div class="bquote"><small>said by  Phraxos <A HREF="/useremail/u/1023144"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>  :</small><br><br>Umm I'm really not sure how this helps :)</div>It helps by allowing you to lock down your routers to only allow remote access from one or two trusted locations, rather than <b>everywhere</b>, thus reducing possible attack vectors.<br><br>If there are only two places you are able to telnet from, and both of those locations are relatively secure, you're less likely to suffer from the problem you were experiencing at the beginning of this thread - unwanted authentication attempts.<br><br>You don't have to learn everything about Linux, just enough to set it up so that you can SSH in from wherever, and then SSH or Telnet out to wherever. Linux 101 really.<br><br>But it's up to you, I just offered one such suggestion which <i>does</i> work in practice, and doesn't cost an arm, a leg, nor a finger, heck not even a pinky toe to set up - if you have an oldish box sitting around you have a perfect candidate. :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20864621</guid>
<pubDate>Tue, 29 Jul 2008 04:53:22 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20860487</link>
<description><![CDATA[<A HREF="/useremail/u/676954"><b>aryoba</b></A> : Well, you could set up something like Cisco MARS and/or IPS 4215 to detect and automatically block password scan attacks. However, this solution might not be financially feasible. :D<br><br>With a limited budget, your best bet is probably the IPSec VPN approach as mentioned. Yes, it may not set up the security perimeter you are looking for. However, it is still a good solution with (again) a limited budget. :)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20860487</guid>
<pubDate>Mon, 28 Jul 2008 11:39:10 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20860381</link>
<description><![CDATA[<A HREF="/useremail/u/1023144"><b>Phraxos</b></A> : Some interesting suggestions, and thanks for taking the time to post, but I don't think any of them really address my requirement. I would also disagree about passwords being 'simple'. Bearing in mind this is a username/password combination, a sensible choice of both will result in a combination unbreakable by dictionary/brute force methods, the main vulnerability being an insecure terminal (key loggers etc.) and that is not usually an issue for me.<br><br><div class="bquote"><small>said by  TomS_ <A HREF="/useremail/u/660498"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</small><br><br>As much as you might like to access your router from anywhere, and as handy as that may be, I would probably look at establishing some sort of central location where you initiate all of your access from. Something like a Linux/FreeBSD box would suffice.<br><br>Configure your VTY ACL to only allow access from the IP or subnet that box lives in (preferably have it on a static IP), and maybe one or two others (home, and a trusted friend's or workplace in case your box goes down).<br><br>You may not like the idea, and it may take some getting used to, but it is far far far more secure. Think about it, you wouldn't have this current issue with the implementation as per above. :-)<br> </div>Umm I'm really not sure how this helps :)<br><br>I would still have to gain access to the Linux box from anywhere, and that access will still be via a router, so I have just swapped one issue for two. Also, I think we have done this before, but there are people in the world who don't "do" Linux. No prejudice, just no commercial value to me to learn it (well, more a case of less commercial value than spending my time doing something else).<br><br>Effectively I already do what you suggest in practice - have one central system that I log into to gain access to all the remote systems I look after. But I still need access to that central site via a router, and if there is a router issue I need to be able to log into it if possible to resolve it.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20860381</guid>
<pubDate>Mon, 28 Jul 2008 11:18:46 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20801120</link>
<description><![CDATA[<A HREF="/useremail/u/1455989"><b>Euphrates</b></A> : Depending on your router, may I suggest VPN access.  You VPN into the router and then access it like it's a local device on the network.  Most Cisco VPN-enabled routers being sold have 2 free SSL VPN licenses that you can use for administration of the router.  You can even configure it to answer on some high-up non-standard port.<br><br>This way, any other connection attempts will be immediately blocked by the ACL on the router.<br><br>Another note.  In case you don't have it, I would also suggest ensuring the "no ip unreachables" command is configured on your outside interface.  When an ACL blocks access to that port, it sends an unreachable reply to the machine attempting to access it.  It's basically like someone knocking on your door and you not opening the door and saying, "I'm not home!"  My guess is that although you are blocking access, unreachables may be getting out, which is alerting people that there is something there but it's just not currently accessible.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20801120</guid>
<pubDate>Wed, 16 Jul 2008 15:26:20 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20800627</link>
<description><![CDATA[<A HREF="/useremail/u/537304"><b>PA23</b></A> : I have to agree with  TomS_ <A HREF="/useremail/u/660498"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A>; yes, it can be secure, but the way Cisco does it, it's not any more secure than a simple username/password.<br><br>What I would recommend is one step beyond  TomS <A HREF="/useremail/u/1522340"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> and have a host behind your router that accepts SSH but requires a public/private keypair.  If the "script kiddie" connects to your SSH host, the connection will get rejected immediately with no authentication methods available.  Then you allow connections from the single protected host or subnet to your router.<br><small>--<br>It's the end of the world as we know it, and I feel fine</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20800627</guid>
<pubDate>Wed, 16 Jul 2008 13:53:10 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20798732</link>
<description><![CDATA[<A HREF="/useremail/u/660498"><b>TomS_</b></A> : As much as you might like to access your router from anywhere, and as handy as that may be, I would probably look at establishing some sort of central location where you initiate all of your access from. Something like a Linux/FreeBSD box would suffice.<br><br>Configure your VTY ACL to only allow access from the IP or subnet that box lives in (preferably have it on a static IP), and maybe one or two others (home, and a trusted friend's or workplace in case your box goes down).<br><br>You may not like the idea, and it may take some getting used to, but it is far far far more secure. Think about it, you wouldn't have this current issue with the implementation as per above. :-)]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20798732</guid>
<pubDate>Wed, 16 Jul 2008 06:31:33 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20774233</link>
<description><![CDATA[<A HREF="/useremail/u/676954"><b>aryoba</b></A> : Banning IP addresses could work if there are only a handful of IP addresses to ban. Once the list grows longer (let's say to thousands or tens of thousands), the solution is no longer feasible.<br><br>If you are thinking that you could block by subnet instead of individual IP address, it would not work either, since most of the time the attacker IP addresses are too random. By banning the entire subnet, you may block legitimate IP addresses. In other words, this IP address ban solution is not scalable.<br><br>Instead of permitting direct telnet or ssh into your router, you should probably VPN in to log in. You can set your router up as an IPSec VPN concentrator that can receive any remote VPN users with proper credentials.<br><br>I believe most of the time, those attacks look for production service holes such as ssh, telnet, web, mail, and snmp. I guess I can say it is rare to find IPSec VPN credential attacks. By setting up router login only through an IPSec VPN tunnel, your router access should be more secure.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20774233</guid>
<pubDate>Fri, 11 Jul 2008 09:39:59 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20764841</link>
<description><![CDATA[<A HREF="/useremail/u/1023144"><b>Phraxos</b></A> : The problem is that I need to be able to access my router from any IP. What I ideally want is something like my FTP server software - 3 bad logins and that IP is put on a permanent ban list.<br><br>I do currently use TACACS+ for all my login validations.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20764841</guid>
<pubDate>Wed, 09 Jul 2008 14:38:22 EDT</pubDate>
</item>

<item>
<title>Re: Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20764384</link>
<description><![CDATA[<A HREF="/useremail/u/676954"><b>aryoba</b></A> : In general, an ACL that permits the authorized IP subnet only and denies others should take care of the hacking. If you want to go further, you can always set up a TACACS+ server to authenticate any login attempt to your router (in addition to setting up the ACL).]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20764384</guid>
<pubDate>Wed, 09 Jul 2008 13:15:50 EDT</pubDate>
</item>

<item>
<title>Is it national hack a router day?</title>
<link>http://www.dslreports.com/forum/remark,20764090</link>
<description><![CDATA[<A HREF="/useremail/u/1023144"><b>Phraxos</b></A> : I currently use 3 strikes and out to keep the kiddie script hackers off my router.<br><br><textarea name="code" class="text" cols=50 rows=10>
! after 3 failed logins within 120 s, enter quiet mode for 900 s
login block-for 900 attempts 3 within 120
! one-second pause between successive login attempts
login delay 1
! while in quiet mode, only hosts matched by ACL 1 may still log in
login quiet-mode access-class 1
! log every failed and every successful login
login on-failure log
login on-success log
</textarea><br>ACL 1 is my local LAN<br><br>My syslog server then emails me every attempted login. The email gets delivered to a sub-folder in Outlook. Normally I get a few attempts a day, but today it has been almost constant (bearing in mind that the router goes into 'sulk' mode for 15 minutes every time there are 3 failed attempts). And it is a variety of IPs, not just one person playing a script for a few hours.<br><br>Is there some sort of competition on today? It always amazes me why people bother, bearing in mind that they have to get a username/password combo and they don't even get a starter with the username as I don't use 'root' or 'admin'!<br><br>When I looked at this before I could find no way to automatically add an IP to an ACL in response to failed logins and I presume this is still the case?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20764090</guid>
<pubDate>Wed, 09 Jul 2008 12:19:05 EDT</pubDate>
</item>

</channel>
</rss>
