Some of the worst security breaches occur because people neglect basic security measures. David Davis discusses the importance of maintaining proper passwords on your router, explains the three modes for the Cisco IOS, and shows you how to configure the five main passwords that protect your network.
The question you might ask is: Doesn’t the router already have default passwords? The answer is NO, it doesn’t. There is no automatic password defense that comes with your router.
As a Cisco admin, this should be taken very seriously. It is so important and so easy to set up passwords.
First, let’s discuss the different modes of the Cisco IOS. They are set up in a hierarchical manner, which means that the deeper the access, the more privilege you have and, hopefully, the more passwords you have set up for each level. For additional information on security for your router.
Before I can tell you how to secure your router with passwords, I need to first make sure you know the three modes of the Cisco IOS. They are:
User: In User mode, basic interface information on the router is displayed. Well-known Cisco CCNA author, Todd Lammle, once called the user mode “useless mode” because no configuration changes can be made, nor can you view anything important at this level. It is also called user exec mode.
Privileged: Sometimes called the privileged exec (or just priv mode), configuration views and changes are made at this level. In my opinion, this is the first point at which it is absolutely critical to have a password set (although you should have password access even at user mode). To move from user mode to priv mode, you just type enable while in user exec mode and press [Enter]:
Router> enable
Router#
Global Configuration: From the exec priv mode, we can now access the global configuration mode. This is where you would make changes that would affect your whole router, including configuration changes. You will need to step in a little deeper in the router’s commands to make changes to your configuration.
Here’s an example of how to access that mode:
Router# configure terminal
Router(config)#
Note: you can also just type conf t.
The five main passwords of the Cisco IOS are:
If you have no password set on the router’s console, by default, you can access user mode (and then on to the other modes if no passwords are set there either). The console port is where you would initially start to configure a new router. It is critical to set a password on the console port of the router to protect someone from physically walking up to the router, connecting, and gaining access to user mode (and, potentially, much more).
Because there is only one console port per router, you would use the command line console 0 in global configuration mode, and then use the login and password commands to finish up the configuration. The command, login, tells the router to look under the console line configuration for the password. The command, password, sets the actual password.
Here is what it looks like:
Router# config t
Router(config)# line console 0
Router(config-line)# password SecR3t!pass
Router(config-line)# login
Note: Complex passwords are important to keep someone from guessing your password.
This is short for auxiliary port. This is also a physical access port on the router. Not all routers have this port. As the aux port is a backup configuration port for the console, it is equally important to configure a password on it.
Router# config t
Router(config)# line aux 0
Router(config-line)#password SecR3t!pass
Router(config-line)# login
The “virtual tty” line is not a physical connection, but a virtual connection. You would use this line to Telnet or SSH into the router (for SSH configuration, see my article “Configure SSH on Your Cisco Router“). Of course, you would need to have an active LAN or WAN interface set up on your router for Telnet to work. As different routers and switches can have a different number of vty ports, you should see how many you have before you configure them. To do this, just type line ? in privileged mode.
Here’s an example of configuring vty lines:
Router# config t
Router(config)# line vty 0 4
Router(config-line)# password SecR3t!pass
Router(config-line)# login
The enable password prevents someone from getting full access to your router. The enable command is actually used to change between different security levels on the router (there are 0-15 levels of security). However, it is typically used to go from user mode (level 1) to privileged mode (level 15). In fact, if you are at user mode and you just type enable, it assumes you want to go to privileged mode.
To set a password to control access from user mode to privileged mode, go to the global configuration mode and use the enable password command, like this:
Router# config t
Router(config)# enable password SecR3t!enable
Router(config)# exit
The downside of the enable password is that it can be easily unencrypted by someone, and that is why you should use enable secret instead.
The enable secret password has the same function as the enable password, but with enable secret, the password is stored in a much stronger form of encryption:
Router(config)# enable secret SecR3t!enable
Conclusion
I’ve introduced you to the different modes of the Cisco IOS and the five different types of passwords you need to set to ensure that your Cisco router or switch is secure. Remember that, many times, entire networks can be brought down due to the lack of simple password security. Make sure that your Cisco router and switch passwords are set properly.
writer: David Davis