Previous section   Next section

Recipe 3.14 Disabling Router Lines

3.14.1 Problem

You want to disable your router's AUX port to help prevent unauthorized access.

3.14.2 Solution

To completely disable access via the router's AUX port, use the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#transport input none
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no password
Router1(config-line)#end
Router1#

You can also disable access to the router through the VTY lines:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 98 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#transport input none
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no exec
Router1(config-line)#access-class 98 in
Router1(config-line)#end
Router1#

3.14.3 Discussion

It is extremely important to secure access to your routers. The most effective way to secure router ports is to simply disable them if they aren't needed. For instance, network administrators rarely use the router's AUX port, so they should consider disabling it. If your routers are physically close to the administrators and remote access is not necessary, you might even want to disable the VTY ports to provide greater security.

Our first example shows a somewhat paranoid method of disabling a router's AUX port. We say paranoid because it involves using several different techniques, each of which should be sufficient alone, strung together for added protection. The transport input none command prevents reverse Telnet access from the network (see Recipe 3.10). The no exec command prevents the AUX port from running an EXEC session. Without an EXEC process, no response is given when you connect a terminal to the port. The exec-timeout command sets the EXEC timeout to one second (see Recipe 3.9). This effectively limits the ability to submit commands, just in case an attacker somehow manages to start an EXEC process. Finally, the no password clears the line password, so there is no way to authenticate if somebody is able to connect.

The way we disable the VTY ports is also paranoid but effective. The example we gave illustrates several different methods to disable connectivity. In reality, any one of these methods would work, but we recommend including at least one secondary method as a safety measure. It is important to note that these extra precautions don't cost anything. They don't increase the router's CPU load or memory consumption appreciably. So, for the extra level of safety, you might as well string together several methods as we have shown.

To disable the VTY interfaces we first set the transport input to none (see Recipe 3.10) to disable all inbound transport methods. We also set the exec-timeout to one second (see Recipe 3.9). We then disable the EXEC process on this line, rendering the VTY port useless. Finally, we implement an input access-class that prevents all IP addresses from accessing the VTY ports (see Recipe 3.16).

If you try to connect to a VTY line that is disabled (as shown in this recipe), the router refuses the connection:

Freebsd% telnet Router1
Trying 172.22.1.4...
telnet: connect to address 172.22.1.4: Connection refused
telnet: Unable to connect to remote host
Freebsd%

The console port is the most important access line your router has. It is the last place you can still connect to when everything else goes wrong, so we do not recommend disabling it. However, we do recommend increasing the security of your console port to provide maximum protection. By default, the console port will not prompt for a login or password. This means that unauthorized users can easily gain access to your router's EXEC without effort. Of course, the router is always vulnerable to console access via the password recovery process, which highlights why physical security is important. You should always house routers in restricted rooms or closets to ensure physical security.

To increase the security of a router's console port, use the following set of configuration commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line con 0
Router1(config-line)#exec-timeout 5 0
Router1(config-line)#password ora22bkz
Router1(config-line)#login
Router1(config-line)#end
Router1#

This example enables a login prompt by configuring the login and password commands, and reduces the exec-timeout to five minutes to ensure that console sessions will disconnect themselves if somebody walks away from the terminal. Note however that login and password commands become unnecessary if you configure your router to use local authentication or AAA. The stronger authentication method overrides the configurations of all of the lines, including those of the console port.

3.14.4 See Also

Recipe 3.1; Recipe 3.9; Recipe 3.10; Recipe 3.16; Chapter 4


  Previous section   Next section
Top