Cisco Device Security Cheat Sheet by Tamaranth

Cisco device configuration commands for security (SEC-160)

Tags: commands, cisco, networking, network, configuration, security, infosec

Login Enhancements

| Command | Function |
|---|---|
| `login block-for 120 attempts 3 within 30` | blocks login attempts for 120 secs if 3 fail within 30 secs (`login local` must be configured) |
| `login quiet-mode access-class [acl-name \| acl-number]` | applies an ACL so only the listed hosts can attempt to log in while the block is active |
| `login delay seconds` | wait time between login attempts |
| `login on-success log` | records successful logins |
| `login on-failure log` | records failed login attempts |

> Login enhancements don't apply to console connections
> `login block-for` must be configured before any of the others

Role-Based CLI Views

| Command | Mode | Function |
|---|---|---|
| `aaa new-model` | global | enables AAA |
| `parser view view-name` | global | creates a new view (must be in root view) |
| `secret password` | view | assigns view password (required) |
| `commands parser-mode [include \| exclude] [command \| interface]` | view | assigns a command or interface to the view |
| `enable view view-name` | priv. EXEC | enters the view (the root view's password is the enable secret) |
| `parser view view-name superview` | global | creates a new superview |
| `secret password` | superview | assigns superview password (required) |
| `view view-name` | superview | assigns an existing view to the superview |

IPsec VPNs (Site-to-Site)

Phase 1

| Short Command | Full Command | Mode |
|---|---|---|
| `cry is en` | `crypto isakmp enable` | global |
| `cry is pol 10` | `crypto isakmp policy 10` | global |
| `h sha` | `hash sha` | config-isakmp |
| `a p` (`auth pre`) | `authentication pre-share` | config-isakmp |
| `g 14` | `group [DH group #]` | config-isakmp |
| `l 3600` | `lifetime [secs]` | config-isakmp |
| `enc a 256` | `encryption aes 256` | config-isakmp |
| `cry is key vpnpass add 10.2.2.2` | `crypto isakmp key [key] address [peer IP]` | global |

Phase 2

| Short Command | Full Command | Mode |
|---|---|---|
| `cry ip t VPN-SET esp-a 256 esp-sha-hmac` | `crypto ipsec transform-set [tag] [encr.] [bits] [hash]` | global |
| `cry ip s l s 1800` | `crypto ipsec security-association lifetime seconds 1800` | global |
| `cry map CMAP 10 ipsec-i` | `crypto map [name] [seq #] ipsec-isakmp` | global |
| `m add 101` | `match address 101` | config-crypto-map |
| `s pe 10.2.2.2` | `set peer [peer IP]` | config-crypto-map |
| `s pfs group14` | `set pfs [group#]` | config-crypto-map |
| `s t VPN-SET` | `set transform-set [tag]` | config-crypto-map |
| `s s li s 900` | `set security-association lifetime seconds [secs]` | config-crypto-map |
| `desc [text]` | `description [text]` | config-crypto-map |
| `cry m CMAP` | `crypto map [name]` | interface |
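The Phase 1 and Phase 2 commands above assembled into one complete tunnel endpoint, as an added example that is not part of the original cheat sheet. The peer addresses (10.1.1.1 / 10.2.2.2), the LAN subnets, the outside interface name and the contents of ACL 101 (which the sheet references but never defines) are assumptions; the values VPN-SET, CMAP, vpnpass, group 14 and the lifetimes are the sheet's own.

```cisco
! R1 (outside 10.1.1.1, LAN 192.168.1.0/24) peering with R2 (outside 10.2.2.2, LAN 192.168.2.0/24).
! Addresses, the interface name and the contents of ACL 101 are assumptions for this example.
!
! --- Phase 1: ISAKMP/IKE policy; both peers must agree on every parameter ---
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
exit
crypto isakmp key vpnpass address 10.2.2.2
!
! --- Phase 2: IPsec transform set and the global SA lifetime ---
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha-hmac
exit
crypto ipsec security-association lifetime seconds 1800
!
! "Interesting traffic": only LAN-to-LAN packets are sent through the tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The crypto map ties peer, ACL, transform set and PFS together;
! the per-map SA lifetime (900) overrides the global 1800 for this map only
crypto map CMAP 10 ipsec-isakmp
 description Site-to-site tunnel to R2
 match address 101
 set peer 10.2.2.2
 set pfs group14
 set transform-set VPN-SET
 set security-association lifetime seconds 900
exit
!
! Apply the map to the outside interface; the SA is negotiated when matching traffic first appears
interface Serial0/0/0
 crypto map CMAP
exit
!
! R2 is the mirror image: same policy and transform set, key and peer address 10.1.1.1,
! and ACL 101 with source and destination swapped.
! Verify with: show crypto isakmp policy / show crypto map / show crypto ipsec sa
```

`hash sha` selects SHA-1; `hash sha256` is available on newer IOS releases and is the better choice where both peers support it.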

Line Config Mode

| Command | Line | Function |
|---|---|---|
| `no exec` | any unused | disables EXEC mode for the line (outgoing connections only) |
| `login local` | all | forces username/password authentication from the local database |
| `logging synchronous` | all | prevents logging from interrupting commands |
| `exec-timeout 5 0` | all | logs out after 5 mins inactive |

Informational/Show Commands

| Short Command | Full Command | What It Displays |
|---|---|---|
| `sh login` | `show login` | configured login settings |
| `sh login f` | `show login failures` | details about login failures (src IP, count, time/date, etc.) |
| `sh cry key mypubkey r` | `show crypto key mypubkey rsa` | current RSA keys |
| `sh ip ssh` | `show ip ssh` | SSH configuration |
| `sh ssh` | `show ssh` | current SSH connections |
| `sh p v a` | `show parser view all` | summary of all configured views (asterisk indicates superview) |
| `sh sec b` | `show secure bootset` | verification of the archive |
| `sh logg` | `show logging` | logging configuration & buffered syslog messages |
| `sh us` | `show users` | users connected to the device |
| `sh cr is po` | `show crypto isakmp policy` | ISAKMP policy configuration |
| `sh cr ip sa` | `show crypto ipsec sa` | IPsec security associations |
| `sh cr map` | `show crypto map` | crypto map configuration |

Logging & Monitoring

| Command | Mode | Function |
|---|---|---|
| `service timestamps log datetime msec` | global | stamps log messages with date and time to the millisecond |
| `logging host ip-address` | global | specifies syslog server |
| `logging trap level` | global | sets log severity level |
| `logging source-interface interface` | global | sets the interface (and so the source IP) that identifies the device sending the log info |
| `logging on` | global | turns on logging |

Secure Bootset

| Command | Mode | Function |
|---|---|---|
| `secure boot-image` | global | secures IOS image & enables Cisco IOS image resilience |
| `secure boot-config` | global | takes snapshot of running-config to save in persistent storage |

To restore the secure configuration:

| Command | Mode | Function |
|---|---|---|
| `reload` | priv. EXEC | reload into ROMmon mode |
| `dir` | ROMmon | lists contents of the device where the secure bootset is stored |
| `boot flash:filename` | ROMmon | boots the router with the secure IOS image |
| `secure boot-config restore flash:filename` | global | restores the secure config |

SSH Configuration

| Command | Function |
|---|---|
| `username Bob algorithm-type scrypt secret password` | creates user in local database |
| `ip domain-name span.com` | sets network domain name |
| `crypto key zeroize rsa` | removes any existing RSA key pairs |
| `cry key gen rsa gen mod 1024` (`crypto key generate rsa general-keys modulus 1024`) | creates RSA encryption key (max: 4096 bits) |
| `transport input ssh` | enables SSH (line config, vty) |
| `ip ssh time-out seconds` | sets SSH timeout length |
| `ip ssh authentication-retries 2` | sets number of login attempts before user is disconnected |
| `ip ssh version 2` | sets SSH version to v2 |
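The Login Enhancements, Line Config Mode, Logging & Monitoring and SSH Configuration sections combined into one management-plane hardening config, as an added example that is not part of the original cheat sheet. The hostname, interface names, ACL 10, the management subnet, the syslog host, the user name and the bracketed secrets are assumptions.

```cisco
! Hostname, interface names, ACL 10, addresses and bracketed secrets are placeholders for this example.
hostname R1
ip domain-name span.com
username Bob algorithm-type scrypt secret [StrongPassword]
!
! Fresh RSA key pair for SSH: 1024 is the sheet's example value, 2048 is the safer choice today
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
! Brute-force protection: login block-for must be configured before the other login commands
login block-for 120 attempts 3 within 30
access-list 10 permit 192.168.1.0 0.0.0.255
login quiet-mode access-class 10
login delay 2
login on-success log
login on-failure log
!
! Management lines: local auth, SSH only, idle timeout, and no EXEC on the unused aux port
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
 logging synchronous
exit
line aux 0
 no exec
exit
!
! Timestamped logs sent to a syslog server from a fixed source interface
service timestamps log datetime msec
logging source-interface GigabitEthernet0/0
logging host 192.168.1.50
logging trap informational
logging on
!
! With password recovery disabled a lost enable secret means a full reset, so set the secret
! deliberately before turning recovery off
enable algorithm-type scrypt secret [EnableSecret]
no service password-recovery
!
! Verify with: show login / show ip ssh / show logging
```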

Miscellaneous Configurations

| Command | Function |
|---|---|
| `license boot module c1900 technology-package securityk9` | adds the security technology package to 1941 routers |
| `no service password-recovery` | prevents an attacker from recovering the router password |
