The best practice I follow for securing routers is to disable any remote
access unless remote access is really necessary. If remote access is
required, I always limit the access to a small number, usually 1-3 remote IPs.
It is also a good idea to enable remote logging to keep a record of events
and access, as all routers have limited logging space internally.
Cisco, among other brands, has had a number of exploits found and
reported on the web. I expect that is how your telnet users got into your
router. So it is also in your best interest and practice to regularly
check and update any firmware on your routers.
Hope this helps.
-Derek
At 12:07 AM 2/9/2006, Mark Jayson Alvarez wrote:
Hi,
We have a couple of Cisco routers. There was one time when suddenly we
could not log in remotely via telnet. I investigated further and was shocked
when I found out that there were 16 telnet connections coming from
outsiders' IP addresses. I immediately called our Director (the only Cisco
certified guy in the office) and he began kicking each of the telnet
connections one by one. He then replaced every "secret/password" and
deleted all unnecessary local accounts. However, we're still wondering
how those hackers got into the system. Now this Cisco's AAA defaults to
a RADIUS server. Since then, outsiders have gone away.. Perhaps the
hackers got one of the router's local accounts, and were trying to brute-force
their way to enable mode.
Now, I have a few questions:
1. Is it possible to think that they still haven't cracked the enable
password yet, or that they already know it and have just silently been playing
with our router?? What for? If you are a hacker, what would you do if you got
access to an ISP's router?? :-)
2. What would you do if the same thing happened to you??
3. How do you secure your Cisco routers in your office?? Our director
said that we should look for best practices in securing our routers.
Our company is an ISP providing broadband internet for R&D institutions. We
offer no dial-up connections, only E1's etc. We have 2 STM-1 (155Mbps)
outgoing pipes. One Cisco 7206 and one Cisco 7304.
We have a RADIUS server running some old version of FreeBSD (4.6, I guess)
but the accounting is not working anymore. Only authentication, and
RADIUS uses the accounts listed in /etc/passwd.
Now, I am trying to configure a new RADIUS server (to replace the old
server configured by the former net/sys admins), only I'm not sure if it is
really what we need.. My initial idea of RADIUS is that it ties up
authentication, authorization and accounting.. however, as I have said, I
guess we don't need any accounting since we don't offer dial-up services.
In authentication, I tried once to make our router work with our
Kerberos setup so that the telnet password doesn't have to be sent, but
unfortunately I failed to make it work with our Heimdal
installation (seems like they are having incompatibility issues with
encryption, though I haven't tried it with MIT yet). Authorization: We
currently have an LDAP directory used only for email services; I don't know
if it is still needed. We also have remote logging through that RADIUS
server, and guess what, it's not working anymore. I compared the
config of that compromised router with the other one and found out that
the logging lines are gone (hmmm..)
I need some tips here. The tools you are currently using. Also some of
the best practices you are implementing in your NOC.. I'm the new admin
and the services are poorly documented.. Now I am trying to start
everything from scratch, this time documenting everything I am doing..
Load balancer, proxy server, email, DNS, web, LDAP, Kerberos, etc.
Unfortunately I don't have any Cisco training yet, and I'm glad that my
supervisor is kind enough to lend me the enable password (the rest,
Google and Google).
Thanks for your time.
Sincerely
-jay
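Derek's checklist (restrict remote access to a handful of source addresses, keep a remote syslog destination) and Jay's observation that the "logging" lines had vanished from the compromised router's config both reduce to things you can check mechanically in a saved `show running-config`. The script below is an added example written for this thread, not code posted by either author and not a Cisco tool: it parses IOS-style config text and reports vty lines with no inbound access-class, access-classes that permit networks or "any" instead of specific hosts, more than three permitted hosts, telnet still enabled, and a missing remote syslog host. The sample config, its addresses (RFC 5737 documentation ranges) and ACL numbers are constructed for the example; treating an undefined ACL as "no restriction" and flagging a missing `transport input` as "may allow telnet" are the script's own conservative assumptions, not statements about a specific IOS version.

```python
"""Audit a Cisco IOS config for the controls discussed in this thread.

Added example, not code from the thread. The sample config, its IP
addresses (RFC 5737 ranges) and its ACL numbers are constructed.
"""
import re
from dataclasses import dataclass

MAX_REMOTE_HOSTS = 3  # Derek's rule of thumb: 1-3 management source addresses

# A single-host source in a standard ACL: "host A.B.C.D", bare "A.B.C.D",
# or "A.B.C.D 0.0.0.0" all mean exactly one address.
HOST_SRC = re.compile(r"^(?:host )?\d{1,3}(?:\.\d{1,3}){3}(?: 0\.0\.0\.0)?$")
# "logging host A.B.C.D" (or the older "logging A.B.C.D") = remote syslog.
REMOTE_SYSLOG = re.compile(r"^logging (?:host )?\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: vty 0-4 is restricted and SSH-only, vty 5-15 was left
# open to telnet, and the "logging host" line is missing, as Jay found.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
logging buffered 16384
!
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet
!
end
"""


@dataclass
class Finding:
    where: str      # config object the finding applies to
    severity: str   # HIGH or MEDIUM
    message: str


def parse_config(text):
    """Split IOS config text into top-level commands and indented sub-mode blocks."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and "!" separators
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def first_match(pattern, lines):
    """Return the first re.match of pattern over lines, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None


def acl_permit_sources(top, blocks, acl_id):
    """Permitted sources of a standard ACL (numbered or named); None if undefined."""
    sources, defined = [], False
    numbered = re.compile(rf"^access-list {re.escape(acl_id)} (permit|deny) (.+)$")
    for line in top:
        m = numbered.match(line)
        if m:
            defined = True
            if m.group(1) == "permit":
                sources.append(m.group(2))
    named = blocks.get(f"ip access-list standard {acl_id}")
    if named is not None:
        defined = True
        for line in named:
            m = re.match(r"^permit (.+)$", line)
            if m:
                sources.append(m.group(1))
    # drop a trailing "log" keyword so "host A.B.C.D log" still counts as a host
    sources = [re.sub(r"\s+log$", "", s.strip()) for s in sources]
    return sources if defined else None


def audit_vty(header, children, top, blocks):
    """Check one 'line vty' block for source restriction and cleartext transport."""
    findings = []
    acl = first_match(r"^access-class (\S+) in\b", children)
    if acl is None:
        findings.append(Finding(header, "HIGH", "no inbound access-class: any source may connect"))
    else:
        sources = acl_permit_sources(top, blocks, acl.group(1))
        if sources is None:  # assumption: an undefined ACL is treated as no restriction
            findings.append(Finding(header, "HIGH", f"access-class {acl.group(1)} references an undefined ACL"))
        elif not all(HOST_SRC.match(s) for s in sources):
            findings.append(Finding(header, "HIGH", f"ACL {acl.group(1)} permits a network or 'any', not specific hosts"))
        elif len(sources) > MAX_REMOTE_HOSTS:
            findings.append(Finding(header, "MEDIUM", f"ACL {acl.group(1)} permits {len(sources)} hosts, more than {MAX_REMOTE_HOSTS}"))
    transport = first_match(r"^transport input (.+)$", children)
    if transport is None:
        findings.append(Finding(header, "MEDIUM", "no explicit 'transport input'; the default may include telnet"))
    elif {"telnet", "all"} & set(transport.group(1).split()):
        findings.append(Finding(header, "MEDIUM", "telnet accepted: passwords cross the network in cleartext"))
    return findings


def audit(text):
    """Return all findings for a config, global checks first."""
    top, blocks = parse_config(text)
    findings = []
    if not any(REMOTE_SYSLOG.match(line) for line in top):
        findings.append(Finding("global", "HIGH",
                                "no remote syslog host; the local buffer is small and can be cleared on the box"))
    for header, children in blocks.items():
        if header.startswith("line vty"):
            findings.extend(audit_vty(header, children, top, blocks))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.where}: {f.message}")
```

Run it against a saved copy of `show running-config` from each router; it reads text only and never connects to a device. On the sample it reports the missing syslog host and both problems on `line vty 5 15`, while `line vty 0 4` (two permitted hosts, SSH only) is clean. Diffing a router's config against a known-good baseline, as Jay did by hand, remains the broader check; this automates the handful of lines whose absence matters most.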
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"