
Cisco Device Security Cheat Sheet by Tamaranth

Cisco device configuration commands for security (SEC-160)
commands     cisco     networking     network     configuration     security     infosec

Login Enhancements

Command                                                Function
login block-for 120 attempts 3 within 30               blocks login attempts for 120 secs if 3 fail within 30 secs
                                                       (login local, or AAA login authentication, must be configured on the lines)
login quiet-mode access-class [acl-name | acl-number]  during the quiet period only hosts permitted by the ACL may attempt to log in
login delay seconds                                    wait-time between successive login attempts (defaults to 1 sec once block-for is set)
login on-success log                                   records successful logins (syslog)
login on-failure log                                   records failed login attempts (syslog)
> Login enhancements don't apply to console connections
> login block-for must be configured before any of the others (the router refuses them otherwise)
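As an added example (not part of the original cheat sheet), the login enhancements applied together with the syslog settings from the Logging & Monitoring section, in the order the router requires them. The management subnet 10.0.0.0/24, the ACL name ADMIN-HOSTS, the syslog host 10.0.0.50 and the admin account are assumed for illustration.

```cisco
! Added example, not from the original cheat sheet.
! Assumed for illustration: ADMIN-HOSTS ACL, mgmt subnet 10.0.0.0/24,
! syslog host 10.0.0.50, local user "admin".
!
! Where the login success/failure messages go (see Logging & Monitoring)
service timestamps log datetime msec
logging host 10.0.0.50
logging trap informational
!
! Local account the vty lines authenticate against
username admin algorithm-type scrypt secret Adm1n-Ex4mple!
!
! Hosts still allowed to attempt login while the router is in quiet mode
ip access-list standard ADMIN-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any
!
! login block-for MUST come first; the remaining login commands are rejected without it
login block-for 120 attempts 3 within 30
login quiet-mode access-class ADMIN-HOSTS
login delay 2
login on-success log
login on-failure log
!
! The enhancements cover vty (telnet/SSH) sessions only, never the console
line vty 0 4
 login local
 transport input ssh
!
! Verify with: show login, show login failures, show logging
```

After three bad passwords within 30 seconds from any source the router enters quiet mode for 120 seconds; only hosts matched by ADMIN-HOSTS can still reach the login prompt, so an attacker cannot lock administrators out by hammering the vty lines.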

Role-Based CLI Views

Command                                                                       Mode        Function
aaa new-model                                                                 global      enables AAA (required before views can be created)
enable view                                                                   priv. EXEC  enters the root view (prompts for the enable secret); views can only be created from here
parser view view-name                                                         global      creates a new view (must be in root view)
secret password                                                               view        assigns view password (required)
commands parser-mode {include | include-exclusive | exclude} [all] command    view        assigns commands to the view (parser-mode is exec, configure, interface, ...)
enable view view-name                                                         priv. EXEC  enters the named view (prompts for that view's secret)
parser view view-name superview                                               global      creates a new superview
secret password                                                               superview   assigns superview password (required)
view view-name                                                                superview   adds an existing view to the superview

IPsec VPNs (Site-to-Site)

Short                                     Full Command                                                Mode
----- Phase 1 (ISAKMP / IKE) -----
cry is en                                 crypto isakmp enable                                        global
cry is pol 10                             crypto isakmp policy 10                                     global
h sha                                     hash sha                                                    (config-isakmp)
a p (auth pre)                            authentication pre-share                                    (config-isakmp)
g 14                                      group [DH group #]                                          (config-isakmp)
l 3600                                    lifetime [secs]                                             (config-isakmp)
enc a 256                                 encryption aes 256                                          (config-isakmp)
cry is key vpnpass add 10.2.2.2           crypto isakmp key [key] address [peer IP]                   global
----- Phase 2 (IPsec) -----
cry ip t VPN-SET esp-a 256 esp-sha-hmac   crypto ipsec transform-set [tag] [encry.] [bits] [hash]     global
cry ip s l s 1800                         crypto ipsec security-association lifetime seconds 1800     global
cry map CMAP 10 ipsec-i                   crypto map [name] [seq #] ipsec-isakmp                      global
m add 101                                 match address 101                                           (config-crypto-map)
s pe 10.2.2.2                             set peer [peer IP]                                          (config-crypto-map)
s pfs group14                             set pfs [group#]                                            (config-crypto-map)
s t VPN-SET                               set transform-set [tag]                                     (config-crypto-map)
s s li s 900                              set security-association lifetime seconds [secs]            (config-crypto-map)
desc [text]                               description [text]                                          (config-crypto-map)
cry m CMAP                                crypto map [name]                                           interface
> ACL 101 (the crypto ACL) is an extended ACL that selects the traffic to be encrypted; the peer's ACL must be its mirror image
> The Phase 1 policy and pre-shared key must match on both peers
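As an added example (not part of the original cheat sheet), the complete configuration for both ends of the tunnel the table builds, including the crypto ACL the table only references. R1 (WAN 10.1.1.1, LAN 192.168.1.0/24), R2 (WAN 10.2.2.2, LAN 192.168.2.0/24), the interface GigabitEthernet0/0 and IP reachability between the two WAN addresses are assumed for illustration; SHA-256 is used where the sheet shows sha, which requires an image that supports it.

```cisco
! Added example, not from the original cheat sheet: both ends of a site-to-site tunnel.
! Assumed for illustration: R1 WAN 10.1.1.1 / LAN 192.168.1.0/24,
! R2 WAN 10.2.2.2 / LAN 192.168.2.0/24, GigabitEthernet0/0 on both,
! routes already in place between the WAN addresses.
!
!===== R1 =====
crypto isakmp enable
! Phase 1: the peer needs an identical policy (cheat sheet uses "hash sha";
! fall back to that and esp-sha-hmac below on images without SHA-256)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key vpnpass address 10.2.2.2
!
! Phase 2
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
crypto ipsec security-association lifetime seconds 1800
!
! Crypto ACL: what gets encrypted. R2's ACL is the mirror image.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 description Tunnel to R2
 match address 101
 set peer 10.2.2.2
 set pfs group14
 set transform-set VPN-SET
 set security-association lifetime seconds 900
!
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map CMAP
!
!===== R2 =====
crypto isakmp enable
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key vpnpass address 10.1.1.1
!
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
crypto ipsec security-association lifetime seconds 1800
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CMAP 10 ipsec-isakmp
 description Tunnel to R1
 match address 101
 set peer 10.1.1.1
 set pfs group14
 set transform-set VPN-SET
 set security-association lifetime seconds 900
!
interface GigabitEthernet0/0
 ip address 10.2.2.2 255.255.255.0
 crypto map CMAP
!
! SAs are negotiated on demand: send traffic that matches ACL 101 (e.g. ping a
! 192.168.2.x host from 192.168.1.x), then check
!   show crypto isakmp sa   (Phase 1 SA, state QM_IDLE)
!   show crypto ipsec sa    (Phase 2 SAs, pkts encaps/decaps counters increasing)
```

The pre-shared key "vpnpass" is the sheet's placeholder; in production use a long random key per peer, and keep the crypto ACL narrow so only the intended subnets are carried in the tunnel.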

Line Config Mode

Command               Line         Function
no exec               any unused   disables EXEC on the line (outgoing connections only)
login local           all          forces username/password authentication against the local database
logging synchronous   all          prevents logging output from interrupting command entry
exec-timeout 5 0      all          logs the session out after 5 mins 0 secs of inactivity

Informational/Show Commands

Short Command           Full Command                   What It Displays
sh login                show login                     configured login settings (block-for, quiet-mode ACL, delay)
sh login f              show login failures            details about login failures (src IP, username, count, time/date)
sh cry key mypubkey r   show crypto key mypubkey rsa   current RSA keys
sh ip ssh               show ip ssh                    SSH configuration (version, timeout, retries)
sh ssh                  show ssh                       current SSH connections
sh p v a                show parser view all           summary of all configured views (asterisk indicates superview)
sh sec b                show secure bootset            status of the secure bootset archive (image & config)
sh logg                 show logging                   logging configuration & buffered syslog messages
sh us                   show users                     users connected to the device
sh cr is po             show crypto isakmp policy      ISAKMP policy configuration
sh cr is sa             show crypto isakmp sa          active ISAKMP (Phase 1) security associations
sh cr ip sa             show crypto ipsec sa           IPsec (Phase 2) security associations, with encrypt/decrypt counters
sh cr map               show crypto map                crypto map configuration

Logging & Monitoring

Command                                    Mode     Function
service timestamps log datetime msec       global   timestamps each log message with date, time and milliseconds
logging host ip-address                    global   specifies the syslog server
logging trap level                         global   sets the maximum severity level sent to the syslog server (0-7 or name, e.g. informational)
logging source-interface interface         global   sets the source address of syslog packets (e.g. Loopback0), identifying the sending device
logging on                                 global   turns on logging (on by default)

Secure Bootset

Command                                      Mode     Function
secure boot-image                            global   secures the IOS image & enables Cisco IOS image resilience (the secured image no longer shows in dir)
secure boot-config                           global   takes a snapshot of the running-config and saves it in persistent storage
--- To Restore Secure Configuration ---
reload, then send Break during boot          ROMmon   enters ROMmon mode
dir                                          ROMmon   lists contents of the device where the secure bootset is stored
boot flash:filename                          ROMmon   boots the router with the secure IOS image
secure boot-config restore flash:filename    global   writes the archived config to the given file (then copy it to running-config)
> Re-run secure boot-config after configuration changes to refresh the archive
> no secure boot-image / no secure boot-config are accepted only from a console session

SSH Configuration

Command                                               Function
username Bob algorithm-type scrypt secret password    creates user in local database (scrypt-hashed secret)
ip domain-name span.com                               sets the domain name (hostname + domain name form the RSA key name)
crypto key zeroize rsa                                removes any existing RSA key pairs
crypto key generate rsa general-keys modulus 1024     creates RSA key pair (max 4096 bits; use 2048 or larger, 1024 is weak)
transport input ssh                                   allows only SSH on the line, no telnet (line config, vty)
ip ssh time-out seconds                               sets SSH negotiation timeout (max 120 secs)
ip ssh authentication-retries 2                       sets number of login attempts before the user is disconnected (max 5)
ip ssh version 2                                      forces SSH version 2 only
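As an added example (not part of the original cheat sheet), the SSH commands above combined with the settings from the Line Config Mode section into one SSH-only management configuration. The domain span.com and the user Bob come from the sheet; the hostname R1, Bob's secret and the 60-second timeout are assumed, and the key size is raised to 2048 bits.

```cisco
! Added example, not from the original cheat sheet: SSH-only management with the
! line settings from Line Config Mode. Assumed: hostname R1, Bob's secret,
! ip ssh time-out 60. Domain span.com and user Bob are from the sheet.
hostname R1
ip domain-name span.com
username Bob algorithm-type scrypt secret B0b-Ex4mple!
!
! Replace any old key pair (zeroize asks for confirmation); the key is named
! from hostname + domain, so set both before generating it
crypto key zeroize rsa
crypto key generate rsa general-keys modulus 2048
!
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
!
line con 0
 login local
 logging synchronous
 exec-timeout 5 0
!
! Unused line: no shell at all
line aux 0
 no exec
!
line vty 0 4
 login local
 transport input ssh
 logging synchronous
 exec-timeout 5 0
!
! Verify: show crypto key mypubkey rsa, show ip ssh, show ssh
```

With transport input ssh on the vty lines a telnet connection is refused outright, so the username and password never cross the network in clear text; show ip ssh should report version 2.0 before you rely on it.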

Miscellaneous Configurations

Command                                                    Function
license boot module c1900 technology-package securityk9    enables the security technology package on 1900-series routers (accept the EULA, then reload)
no service password-recovery                               disables the ROMmon Break password-recovery procedure, so an attacker with console access cannot bypass the password; if the password is lost, the only way back in wipes the startup-config

Related cheat sheets by Tamaranth: Cisco Switch Configuration, NET-126 Commands, Basic Cisco IOS Commands.