CCNA Video: Securing Routers with Passwords

Hi and welcome to this CertificationKits CCNA training video on securing your router with passwords. We are going to talk about the different types of passwords you can set on a router: the enable passwords to get from user mode to privilege mode, console passwords for line console 0, auxiliary port and telnet passwords, password encryption, and password recovery.

There are a few different ways people are going to go in and access your device. One is the console port. This is the console port and this is a physical access method. If they have physical access to the device, they can plug this cable in from their laptop to the console port on the back of the device and go in and configure the router. This is a basic CCNA lab skill. Now we can put a password on the console port so that if somebody does plug into it, they are going to get hit with a password. The auxiliary port is typically used as a modem access method, but the router has to be configured: initially there is an enable password or just a router name, something configured on it. People can actually plug into the auxiliary port and access the operating system as well. We don’t want people plugging into that auxiliary port, so we should put a password there. The last method that people are going to use to access your device is telnet. Network connectivity must be up, and by default there needs to be a password set, so that’s another issue. You can’t even telnet in without putting a password on the port, and that’s another way that people are going to go in and access your device. So they can access it through the console, the auxiliary port or telnet; those are three different methods people can use to access your router. Each one of those methods must have a password set. If people have physical access to your device, it doesn’t matter if there is a password set because they can easily bypass that. But let’s go in and take a look at configuring the passwords on this device so if somebody does gain access, they’re going to have to enter a password to get into any important modes.

This is the mode they are going to want to get into. I’m in privilege mode right now at the router prompt that I brought up. I know I’m in privilege mode because there is a pound sign here. So if I were to exit out, right now it shows me I’m connected through console 0. It’s available, I hit enter and I’m automatically in user mode. Now in user mode I can’t make any configuration changes to the router but I can go in and view the configuration of the router. What I need to do is set it up so that if somebody is even getting to user mode, they’ve got to enter a password.

So I enter into privilege mode, next go into global mode with the config t command, and now I need to go in and enter a password at line console 0 because console is the one I’m connecting to. There’s only one, it starts with the number 0. So I type in line console 0 and hit enter. Now I have to configure a password. I type password CCNA, so if anyone tries to enter this router and get to user mode, they’re going to have to remember that the password is CCNA when they plug into console 0. Now I’d probably use a more secure password, as CCNA is not too tough to figure out. However, let’s take a look at that password. We’ll test it. I exit all the way out and for some reason I’m thinking I am not going to get prompted for a password. I hit enter, I did not get prompted for a password. My hunch was right: the reason I didn’t get prompted for the password is I never turned on the password prompt. Even if you set a password, you have to tell the router to prompt the user for the password. So my work is not done.

I have to type in the word login. This is the key word, this is what’s going to tell the router, hey, if somebody is trying to connect into the line console, show the password prompt. So login is an important command here. If I don’t have login typed in at line console 0, you are not going to get hit with a password prompt. So I’m done, exit out. Now if I hit enter, I get hit with the password prompt because of that login word. So it takes two things to get a password set. I am typing right now but you cannot see that I’m typing right now. It’s not going to show you that you are typing. All the time I get students going in and starting to type and they will keep typing and they will think the router is not responding. It’s just not showing you that you are typing anything even though you are. I hit enter, I typed it wrong. Typed it correctly, hit enter again, it doesn’t show me any characters that I’m typing out and it takes me to user mode. Now again user mode is what I call scrub mode. You can’t do anything in it, anything worthwhile anyway. However, you can view things. To get to privilege mode, however, you just type the word enable, and once you are in privilege mode, that’s where you have control of the device, and again I know I’m in privilege mode because of the pound sign.

Now I can go in and start messing some things up. So ideally you’d also have a password to get from user mode to privilege mode, and this password would affect anyone whether they are telnetting in, using the auxiliary port or using the line console to get into the router. Now there are two different ways for me to set passwords that will prompt people for that password when they are going from user mode to privilege mode. What I’ll do first is I’ll enter the first type of password. All I do is type enable password and the password; enable matches the command that people actually use to go from user mode to privilege mode. I type enable password and I’ll use CCNA. I exit out, do a show run and I can check the password out right here: enable password CCNA.

Now this password, if I walk away from my router for a minute, somebody else sneaks in behind me and they do a show run and they are going to see this password but nobody will be able to write that password down. Again, I shouldn’t have easy access to my router, I shouldn’t have my laptop wide open with a HyperTerminal session going. But again if I do, I would like this password to be encrypted. There is an additional password I can set. If I go in and I type enable secret and this time I’ll use CiscoCCNA, enable secret CiscoCCNA, that creates an encrypted password. So I’ll do a show run and I can check it out here. Here is the enable password CCNA and here is the enable secret and then whatever the heck those characters mean. There are websites that you can go to and you can copy this, paste it into the website and it will tell you what the password is. However, it’s a lot better than just somebody looking into your prompt and seeing CiscoCCNA right here as the password. I have set both passwords, they both do the same thing, and since I’ve set both, the secret password is the one that’s going to be used.

The enable password CCNA is basically useless at this point, so all I have to do to get rid of that is go into global mode. I always like cleaning up the configuration. It doesn’t hurt for me to leave it here, but since it’s useless, why leave it in? I see a lot of router configurations that are cluttered with stuff that’s not even being used. If something is not being used, get rid of it. Enable password CCNA... actually, at this point it’s going to be no enable password, and it will go ahead and get rid of it. I can do a show run and I can verify that the only password for user mode or privilege mode is the enable secret password.

Let’s take a look at setting the auxiliary password as well as the telnet passwords. So I’m plugged into the router right now through the line console. So if I exit out and I hit enter, I get prompted for a password to get in. Watch what happens when I plug into the auxiliary port. Look at the auxiliary port and watch what happens when I hit enter. I get right to user mode; no password, magically. So I’ve got to go in and set a password on line auxiliary 0. If I do a show run, for a little help since I might have forgotten how to set the password, I see it here underneath line con 0. I’ve got to type in login and I have to type password CiscoCCNA, and I would do that underneath line auxiliary 0. Line 1 through 16 here: this is a router with a lot of modem ports on the back of it and that’s what these are. Those might not always be there and probably won’t be there. So line auxiliary 0 here is the one that we will go in and set a password on. All I have to do is go to global mode, type line auxiliary 0 and then these two lines right here can all be set. So let’s do that. Line auxiliary 0, and if I wanted to, I could even copy and paste if I’m extremely lazy or I’m a horrible typer. I could actually copy right out of the prompt and paste it in. That can be helpful when you are working with access lists and things like that. We’ll talk about what access lists are in a later CCNA video. So I’ve set a password for the auxiliary port, and so that people can telnet in, line vty 0 4 is here. Now 0 is the first telnet session and 4 is the last telnet session.

Notice by default, login is already there. Meaning if there is no password set on line vty 0 4 you cannot telnet into this device. So I’m just going to type in line vty 0 4 and password CiscoCCNA. Notice, I did not have to type in login because it’s already there. However, it can’t hurt to type it in again for no reason, and I can do a show run and verify that all my passwords are here. So there is the secret password to get from user mode to privilege mode and at the bottom here, I’ve got a password for line console, auxiliary and line vty; all my passwords were set. Problem: somebody comes along behind me, checks us out, does a show run, and all the passwords are in plain text. If I want to, I can encrypt all the passwords on the router. If I do a show run, I can see the command right here. It says no service password-encryption, meaning service password encryption is turned off. If I want to turn it on, I just remove the “no” from the statement. So I’m at the router prompt, I go to global mode, and again if I want to be really lazy, and I hate typing, I can copy and paste service password-encryption, and watch what happens. If I do a show run now, all my passwords are encrypted. Again you can go online, find a website, copy and paste them into the website and it’ll decrypt the passwords for you, but it’s a lot better than just somebody being able to open up your prompt and seeing all the passwords. Something else I might do to the router: just in case I walk away from the router and for whatever reason I’m gone, I don’t come back and I leave this setup available. So anyone that walks into the server room or wherever the heck the router is, I’ve seen them in closets, will be able to have access to the device.

So whatever method I’m using to connect to the device, I would like it to log me out. It’s kind of like a screensaver with a password lock on it. It logs me out after a certain period of time of being idle. So what I can do is, for each method of access, I can put a timeout. First method of access, line console 0. The command is exec-timeout, so exec-timeout and then it goes minutes and seconds, so the time in minutes… so I go 10 minutes and then I can specify time in seconds or I could just hit enter. So exec-timeout 10 0 means 10 minutes, 0 seconds and it’s going to lock me out. Do not do this: exec-timeout 0 10, because after 10 seconds of being idle on your keyboard, it’s going to go ahead and kick you out. I used to do this to my students quite a bit, set their exec-timeout to like five seconds; it was really funny until one got so mad he started screaming at me.

So again, be careful, it can be frustrating if you set this to too low a number. I have seen people set it to 0 1 accidentally, and so if you are idle for a second on the keyboard it’s going to kick you out. Again if done properly, very helpful: exec-timeout 10, meaning 10 minutes. Now I can go to line auxiliary 0, so if I’m connected in or dialed in and I’m idle for 10 minutes, I will get kicked out. Line vty as well; this way no matter what method of access people are using, if they are idle on the keyboard for a certain period of time, it’s going to kick them out. That’s important. That way if somebody walks along, you might have gone to the bathroom for an extended period of time, somebody walks along behind you, they cannot go in and access the device. It will kick them out and this is the prompt that would kick them out too. Now I came all the way back to the beginning. What do I do? I want to connect to the device, I get prompted for a password, and I don’t know it. I try a few standard passwords a couple of times, figuring out that I’m not going to get in. I’ve got to go ahead and initiate the password recovery procedure.
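The mistakes walked through in this part of the video (a line password without login, a leftover enable password, service password-encryption switched off, a disabled or very short exec-timeout) can be checked against saved show run output. This is an added example, not part of the original video; the sample configuration is constructed, and the function names and the 60-second threshold are assumptions.

```python
import re

# Constructed `show running-config` excerpt; the secret is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 <constructed-placeholder-hash>
enable password CCNA
line con 0
 exec-timeout 0 0
 password CCNA
line aux 0
 password CiscoCCNA
 login
line vty 0 4
 exec-timeout 10 0
 password CiscoCCNA
 login
"""

def parse(config):
    """Split a config into global commands and per-line sub-commands."""
    globals_, lines, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith("line "):
            current = raw.strip()
            lines[current] = []
        elif raw.startswith(" ") and current:
            lines[current].append(raw.strip())
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, lines

def audit(config):
    """Return findings for the password mistakes described in the video."""
    globals_, lines = parse(config)
    out = []
    if "service password-encryption" not in globals_:
        out.append("global: service password-encryption is off")
    secret = any(g.startswith("enable secret ") for g in globals_)
    if not secret:
        out.append("global: no enable secret set")
    elif any(g.startswith("enable password ") for g in globals_):
        out.append("global: enable password is unused, remove it")
    for name, cmds in lines.items():
        has_pw = any(c.startswith("password ") for c in cmds)
        if not any(c.split()[0] == "login" for c in cmds):
            why = "password set but no login" if has_pw else "no password"
            out.append(f"{name}: {why}, so no password prompt")
        for c in cmds:
            m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", c)
            if m:
                secs = int(m.group(1)) * 60 + int(m.group(2) or 0)
                if secs < 60:  # assumed threshold; 0 0 disables the timeout
                    what = "never logs out" if secs == 0 else "is too short"
                    out.append(f"{name}: {c} {what}")
    return out
```

Calling audit(SAMPLE_CONFIG) reports four findings: encryption off, the unused enable password, the console password without login, and the console timeout of 0 0.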

Let’s take a look at how we do that, but first of all I want to make sure I save my configuration, so I will remember the password for a second here. I’m going to save everything with copy running-config startup-config, because if I have to do password recovery and nothing has been saved, everything is going to be gone. So I just saved my configuration. Running config is what’s in RAM, how it’s currently configured. Startup config is in nonvolatile RAM, so if I reboot the router, whatever is in startup config is saved. So copy running-config startup-config takes my current configuration and makes a copy of it and puts it in NVRAM, so that if I reboot the router now, it will use this configuration that’s in NVRAM to configure the router. If I didn’t save anything and I reboot it, it will come up un-configured or whatever old configuration was in NVRAM would be used. Now let me forget my passwords again. So I hit enter, type the password, I don’t know it. What am I going to do? I have to go in and reboot the router. I’ll reboot the router by using the power switch, so what I’m going to do is go ahead and turn the router off and turn it back on.

By the way, you need physical access to this device, which is important. You don’t want people being able to do this from a remote location if they don’t know their passwords. So with physical access to this device, we can go in and reset the passwords. My computer is plugged into the console port and I’ve rebooted the router. So what I’m going to do is abort the operating system from loading, and I do that by holding the control button and tapping pause/break. So what I’ve just done is I see a greater-than symbol, and in later version routers it will actually say ROMMON for ROM Monitor. I see this greater-than symbol so I know I’m in this; basically it’s a safe mode for the router. Now what I want to do is change the configuration register setting. So in older routers, I type o/r 0x2142. What I’ve done is change the configuration register setting from 0x2102, which will use the configuration file in NVRAM when it boots, to the configuration register setting of 0x2142, which will ignore the configuration file when it boots. So I just hit enter and nothing happens. So that’s good and I can go ahead and reboot the router and it will come up un-configured. In a newer version router, what you would do is type confreg 0x2142 and that would go ahead and set the configuration register setting to something that would ignore what’s in NVRAM when the router booted.

You just want to be careful, you don’t want to get this number wrong; it could change the baud rate. It could do a lot of things, so you want to make sure you know what configuration register setting you are using as well as make sure you type it in appropriately. If you don’t, you can cause some problems. So all I have to do is go ahead and reboot the router and the router will come up un-configured, and I wanted it to come up un-configured because in the configuration file are a bunch of passwords. I have no clue as to what they are. So I’ve rebooted the router and it’s booted up now and it’s brought me to the initial system configuration dialogue. If I do enter the initial configuration dialogue, this is basically a wizard, Cisco’s version of a wizard, that will allow me to go in and configure the router based on a series of questions. You cannot stand this thing. It works well but it’s better if you just know what you are configuring and you go in and you configure it, because if you answer some of these questions wrong, the router will not function. So what I’ve done is I’ve used control-c to get out of that and I wait for it to do a thing here. Hit enter a few times and I am in user mode. So I type in enable to get to privilege mode.
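To show what a mistyped configuration register value actually changes, this added example (not part of the original video) decodes the fields that matter during password recovery. The bit layout follows Cisco's general documentation of the 16-bit register; the console-speed encoding can differ on some platforms, and the function names are assumptions.

```python
# Console speed is encoded in bits 5, 12 and 11 of the register
# (common layout; check the platform documentation before relying on it).
BAUD = {  # (bit 5, bit 12, bit 11) -> console speed
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 0): 1200, (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

def decode_confreg(value):
    """Decode the config-register fields relevant to password recovery."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is 16 bits")

    def bit(n):
        return (value >> n) & 1

    return {
        "boot_field": value & 0xF,               # bits 0-3: where to boot from
        "ignore_nvram_config": bool(bit(6)),     # 0x0040: skip startup config
        "break_disabled": bool(bit(8)),          # 0x0100: Break key ignored
        "console_baud": BAUD[(bit(5), bit(12), bit(11))],
    }

def compare(intended, typed):
    """Return the fields a mistyped value changes, as (intended, typed)."""
    a, b = decode_confreg(intended), decode_confreg(typed)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    print(decode_confreg(0x2102))    # normal boot, startup config is used
    print(decode_confreg(0x2142))    # recovery: startup config is ignored
    print(compare(0x2142, 0x2942))   # one wrong digit moves the console speed
```

After the passwords are reset, the register has to go back to 0x2102 (config-register 0x2102 in global mode) and the configuration has to be saved, otherwise the router ignores NVRAM again on the next reload.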

At this point, I’ve bypassed any places where there might be a password. Usually there might be a password to get into user mode and then we have another password to get from user mode to privilege mode. I’m in privilege mode now and I haven’t entered a single password, but again, the router is un-configured. If I do show running config, nothing is set up on the router. But if I do a show startup config, that’s what’s in NVRAM and I can see the configuration. Here is my host name, there are my passwords set, all that stuff, so all I need to do at this point is type in copy startup-config running-config, and what that does is copy the configuration file that’s in NVRAM to the running configuration and configure the router accordingly. So I do copy startup-config running-config. The router is now configured, and notice what happens to my prompt: it goes to CertificationKits router one, so it’s configured exactly the way it was before I went in and did the password recovery procedure, and the nice thing about this is I’m in privilege mode now without entering any passwords.

You must have physical access to do this. What good does that do me? I do a show run, I can’t see what the passwords are, but I can go in and set my own. So all I would do at this point is type enable secret CiscoCCNA, something I know, and go to line console 0, password CiscoCCNA, and I just go in and reset all the passwords to something that I know without affecting the actual configuration files. So I can have the router up and running again exactly the way it was configured before but with new passwords. You must have physical access to the device to be able to do this and you do want to be careful, and you’ve got to realize that if you do reboot the router and it comes up un-configured, if anybody is trying to get access to the LAN or out to the internet or anything like that while the router is down, they’re not going to have that access, so you’d effectively be killing a WAN link by doing this. So it’s not something you’d want to do during normal operation hours if the router is functioning appropriately.

In this video we’ve talked about setting the passwords: the enable passwords, the passwords for line vty for telnet access, the auxiliary port for modems (or again you can just plug right into that like the console port), as well as the console port passwords. Why are they important? Again, if somebody gets access to your device and accesses the operating system, they can mess everything up, so you don’t want unauthorized personnel accessing the operating system on the router. We covered how to encrypt those passwords, so if you make a mistake, leave the prompt open, you don’t have any timeout values, and you walk away, somebody can’t come in and actually see the passwords just by typing show run. And then what we do when we don’t know the passwords in the first place. I used password recovery. Maybe you buy a router used and it’s been previously configured, or somebody leaves, a disgruntled admin changes all the passwords, messes everything up so people can’t get in. Whatever the case, you need to recover the passwords or bypass the passwords, and the password recovery process will do that without messing up any of the other configuration. I hope you have enjoyed this CertificationKits CCNA training video on securing your router with passwords.