Hi,
We have a couple of Cisco routers. There was one time when suddenly we could not
log in remotely via telnet. I investigated further and was shocked when I found
out that there were 16 telnet connections coming from outsiders' IP addresses.
I immediately called our Director (the only Cisco certified guy in the office)
and he began kicking each of the telnet connections one by one. He then
replaced every "secret/password" and deleted all unnecessary local accounts.
However, we're still wondering how those hackers got into the system. Now this
Cisco's AAA defaults to a RADIUS server. Since then, the outsiders have gone
away. Perhaps the hackers got one of the router's local accounts and were trying
to brute force their way to enable mode.
Now, I have a few questions:
1. Is it possible that they still haven't cracked the enable password yet, or do
they already know it and have just silently been playing with our router?
What for? If you were a hacker, what would you do if you got access to an
ISP's router? :-)
2. What would you do if the same thing happened to you?
3. How do you secure the Cisco routers in your office? Our director said that
we should look for best practices in securing our routers.
Our company is an ISP providing broadband internet for R&D institutions. We offer no
dial-up connections, only E1s, etc. We have 2 STM-1 (155Mbps) outgoing pipes, one
Cisco 7206 and one Cisco 7304.
We have a RADIUS server running some old version of FreeBSD (4.6, I guess), but
the accounting is not working anymore. Only authentication, and RADIUS uses the
accounts listed in /etc/passwd.
Now, I am trying to configure a new RADIUS server (to replace the old server
configured by the former net/sys admins), only I'm not sure if it is really what we
need. My initial idea of RADIUS is that it ties together authentication,
authorization and accounting. However, as I have said, I guess we don't need
any accounting since we don't offer dial-up services. For authentication, I
tried once to make our router work with our Kerberos setup so that the telnet
password doesn't have to be sent, but unfortunately I failed to make it work
with our Heimdal installation (it seems they are having incompatibility issues
with encryption, though I haven't tried it with MIT yet). Authorization: we
currently have an LDAP directory used only for email services; I don't know if it
is still needed. We also have remote logging through that RADIUS server,
and guess what, it's not working anymore. I compared the config of the
compromised router with the other one and found out that the logging lines are
gone (hmmm...).
I need some tips here: the tools you are currently using, and also some of the
best practices you are implementing in your NOC. I'm the new admin and the
services are poorly documented. Now I am trying to start everything from
scratch, this time documenting everything I am doing: load balancer, proxy
server, email, DNS, web, LDAP, Kerberos, etc. Unfortunately I don't have any
Cisco training yet, and I'm glad that my supervisor is kind enough to lend me
the enable password (for the rest, Google and Google).
Thanks for your time.
Sincerely
-jay
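The poster noticed the intrusion partly by comparing the compromised router's config with the other router's and seeing that the logging lines had vanished. The script below is an added example, not part of the original post and not a Cisco or FreeBSD tool: it makes that comparison repeatable by checking an IOS running-config against a small baseline of hardening statements (remote syslog, AAA accounting to RADIUS, SSH-only vty lines with an inbound access-class and exec-timeout) and by listing which lines of a reference config are missing from a suspect one. Both configs, the hostname, the 192.0.2.x addresses and the hash/key values are constructed placeholders.

```python
"""Audit a Cisco IOS config against a hardening baseline and diff it with a reference.

Added example, not from the mailing-list post. The two configs below are
constructed samples: SUSPECT_CONFIG mimics the compromised router (logging
gone, telnet still open on the vty lines) and REFERENCE_CONFIG is the same
router with the baseline applied. Addresses and secrets are placeholders.
"""

import re

SUSPECT_CONFIG = """\
version 12.3
service password-encryption
hostname rtr-edge-1
aaa new-model
aaa authentication login default group radius local
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
line con 0
line aux 0
line vty 0 4
 transport input telnet
line vty 5 15
 transport input telnet
end
"""

REFERENCE_CONFIG = """\
version 12.3
service password-encryption
hostname rtr-edge-1
logging buffered 16384
logging host 192.0.2.10
logging trap informational
aaa new-model
aaa authentication login default group radius local
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
line con 0
line aux 0
 no exec
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
line vty 5 15
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
end
"""

# Global statements every router should carry: (regex on one config line, description).
BASELINE = [
    (r"^logging host \S+", "remote syslog host configured"),
    (r"^logging trap ", "syslog trap level set"),
    (r"^logging buffered ", "local log buffer enabled"),
    (r"^aaa new-model$", "AAA enabled"),
    (r"^aaa authentication login default group radius", "login authentication via RADIUS"),
    (r"^aaa accounting (exec|commands \d+) default start-stop group radius",
     "AAA accounting of sessions/commands sent to RADIUS"),
    (r"^service password-encryption$", "service password-encryption"),
    (r"^enable secret ", "enable secret instead of plaintext enable password"),
]


def vty_blocks(config):
    """Return {'line vty 0 4': [child statements], ...} from an IOS config.

    IOS nests a line's settings as space-indented statements under 'line vty ...'.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level statement closes the block
    return blocks


def audit(config):
    """Return a list of human-readable findings; an empty list means the baseline is met."""
    findings = []
    for pattern, desc in BASELINE:
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {desc}")
    for name, children in vty_blocks(config).items():
        transport = [c for c in children if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            seen = transport[-1] if transport else "no transport input line (telnet allowed by default)"
            findings.append(f"{name}: not restricted to SSH ({seen})")
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{name}: no inbound access-class limiting management sources")
        if not any(c.startswith("exec-timeout") for c in children):
            findings.append(f"{name}: no exec-timeout, idle sessions never expire")
    return findings


def removed_lines(reference, suspect):
    """Statements present in the reference config but absent from the suspect one."""
    ref = {l.strip() for l in reference.splitlines() if l.strip()}
    sus = {l.strip() for l in suspect.splitlines() if l.strip()}
    return sorted(ref - sus)


if __name__ == "__main__":
    for f in audit(SUSPECT_CONFIG):
        print("FINDING:", f)
    for l in removed_lines(REFERENCE_CONFIG, SUSPECT_CONFIG):
        print("REMOVED:", l)
```

Run against the suspect config it reports the three missing logging statements, the missing AAA accounting, and telnet plus missing access-class and exec-timeout on both vty ranges; the reference config produces no findings. Pulling the running-config from each router on a schedule and feeding it through `removed_lines` against a known-good copy would have flagged the deleted logging lines the day they disappeared.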
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions