CERT Finds Routers Increasingly Being Cracked
alteran writes "CERT has released a paper (PDF) analyzing changes in DoS attack methods. The new twist: crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."
Like one of those hypothetical Marvel comics.. (Score:1, Redundant)
Microsoft Made Routers?
Re:Like one of those hypothetical Marvel comics.. (Score:1)
And I quote:
Any manufacturer that considers NAT 'network security against hackers' is delusional. That's just how it is. Far too many companies nowadays are selling eth2eth NAT boxes and calling them firewalls.
Re:Like one of those hypothetical Marvel comics.. (Score:2)
-J
Re:Like one of those hypothetical Marvel comics.. (Score:4, Funny)
* Packaged slickly
* Designed for ease of use by non-geeks
Re:Like one of those hypothetical Marvel comics.. (Score:2)
Routers can be secured... (Score:5, Informative)
Tripwire makes Tripwire for Routers - Tripwire [tripwire.com] has been in the business of ensuring integrity for your systems for some time. They even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.
P.S. - I don't work for Tripwire, but I do like their products. 8-)
DOS (Score:2, Funny)
Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!
Re:DOS (Score:1)
You'd think they'd use some highly specialized (i.e. fast/efficient) OS for it.
Re:DOS (Score:2)
Actually, that's what I was making fun of in my original post: the submitter's mistake of referring to DoS (Denial of Service) attacks as DOS (Disk Operating System). This was not meant to take another jab at Microsoft.
It's kind of funnier actually that I have to explain my comment, but I realize that not everyone who visits
Re:DOS (Score:2)
Does no one have a sense of humor?
You people kill me!!
Oh well, I've got Karma to burn!!! Moderate on!!
Wooo-hooo!!!
What to do (Score:1)
I could send this story to the guy who's in charge of security where I work. But he's my boss, and he already thinks I'm Mr. Knowitall...
Damn... If only he read /., what a crime...
Happened a lot at my local university (Score:1)
and even longer to figure out who's doing it... lame admins heh..
cisco updates (Score:1)
Re:cisco updates (Score:3, Informative)
who are these people (Score:4, Interesting)
Intruders had to work hard to deploy large DDoS attack networks; much work was done to avoid detection and compromise of deployed attack networks and to provide for easier maintenance.
OK, here's the dumb question: Who is working so hard? Kids on IRC???
It's not the kids on IRC (Score:2)
It boils down to this (Score:4, Informative)
Most companies and people that run them don't understand what it takes to properly setup and maintain a network.
I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed has been purchased.
Moderators? (Score:2, Insightful)
Re:It boils down to this (Score:2)
Most companies and people that run them don't understand what it takes to properly setup and maintain a network.
OK, I'll assume you're the smart guy. Where do you find this basic info? It seems too concrete and vendor specific for a CS class. Having spent a summer interning with MIS students, all I can figure is they learn a little programming and a lot of beer drinking.
I have my own Linux router (not LRP, just a 586 with Debian and IP-Chains), and I've had a hell of a time finding any decent information. The HOW-TOs are useful, but always seem to have holes, or say "this section to be added later" for the things I actually need. There is no online documentation, and Google searches always find something close, but not what I'm looking for.
This isn't something I do for work, so I have no "mentor" to ask questions of. We're a small company, and our admin knows a bit more than I do. I'm having trouble finding a book (I have O'Reilly's Building Internet Firewalls on order). I've found no repository of sample IPCHAINS scripts, or even an "official" way to add them to a Debian system.
How do you go from clueless to "smart"? Why is it, when it comes to security, the Slashdot advice is always "Get a person with a clue as security admin" and never "Here's a clue, here's where to get a clue"?
Password (Score:2, Interesting)
Not really, but it is on 75% of our client's machines.
Re:Password (Score:2)
The boot time password could be put on a sticker and pasted to the machine -- it could even go next to the serial number.
Multiple random passwords would also serve as an incentive for admins to set the passwords to something more to their liking (but hopefully not weak).
Re:Password (Score:2)
Serial number as password seems rather problematic, since the serial number can often be guessed. It is still better than the same password for all boxes. At the very least, it would slow down remote script kiddies attacking random boxes.
Re:Password (Score:2)
Things could get interesting if they try to get into the router now, of course...:-)
Re:Password (Score:2)
Re:Password (Score:2)
Re:Password (Score:2)
Which is why I will never own their wireless router. Too easy to hack into.
But on the plus side, the amount of things that you can do with these routers is rather limited, and I'd be more worried about some company's routers being cracked than some home user's.
What if we don't own the routers? (Score:4, Interesting)
Well, in that case... (Score:2)
That's why we have lawyers. UUnet would be responsible for paying the 1.7e49 dollars, once you proved this in court.
This will be treated as flamebait on /. but there are good uses for the justice system.
Re:What if we don't own the routers? (Score:2)
Re:What if we don't own the routers? (Score:2)
Home broadband = major problem? (Score:1, Interesting)
Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?
Moderators!? (Score:2, Insightful)
Re:Home broadband = major problem? (Score:2)
Cable modems are real problems, though, but I would think that, given their architecture, they would be better used by botnets (zombie IRC clients) than for router attacks in terms of ease of attack.
Speaking of "botnets," anyone else amused at the resemblance to the name
Re:Home broadband = major problem? (Score:2)
Actually, they can be remotely admin'd via http, though this feature is not enabled by default.
Re:Home broadband = major problem? (Score:2)
Out of curiosity, which of the default settings do you change on your Linksys router?
Routing Nightmare (Score:1)
Re:Routing Nightmare (Score:2)
Dial in only to a modem connected to the aux port, you say? That's just another telnet when it comes down to it - you use the same user/password combo across an untrusted network. Call-back from the router? Again, limits us to one or 2 spots - unworkable.
BTW, it's not only rsh, telnet or even ssh that can be a problem - IIRC, there was a Cisco exploit based on SNMP. Something about the RW community string set to public? Like CodeRed, traceable to less than knowledgeable admins, but another backdoor nonetheless. If any device is connected to an untrusted network at all, it is susceptible to attack - period.
We're contemplating RADIUS or other authentication for the router and switch gear, but that introduces other risks and complications ($). Physical access only would be more secure to be sure, but real world demands kinda toss it out the ethernet port. Sorry.
Soko
Re:Routing Nightmare (Score:3, Informative)
Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.
Add an acl to restrict access to the virtual terminals as follows:
access-list 2 remark vty access list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
....etc....
access-list 2 deny any
line vty 0 4
access-class 2 in
As with any cisco ACL, be careful that you don't "cut off the branch you are sitting on". If you don't understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.
Re:Routing Nightmare (Score:2)
However, if the IOS has a security flaw, or the password is weak, well, you know the rest.
Soko
Re:Routing Nightmare (Score:2)
Another tool to use is a TACACS+ server. Cisco produce both a Commercial Cisco server ($$$) and an open source TACACS+ server called tac_plus.
tac_plus allows you to implement AAA (Accounting, Authorisation & Authentication). Which basically means this:
* Central User Access Authentication for all your Routers, Firewalls & Switches.
* Authorisation for each individual command entered (on a per user, per host basis)
* Accounting (read logging) of all configuration changes on networking equipment.
Tac_plus is open source and compiles on nearly all platforms. More information can be obtained at Cisco.com [cisco.com]
router security (Score:4, Informative)
Cisco router security could be a lot worse. (Score:3, Informative)
Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.
Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.
When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.
Re:router security (Score:1)
Cisco, Juniper, and Foundry all offer ssh access. Albeit Cisco's implementation of sshd seriously sucks, but it still works (kinda).
Those are just three examples. I'm sure other vendors offer ssh/ssl access as well. Now if people choose to not use ssh in favor of telnet, that's another story....
-B
Re:router security (Score:2)
You're not very aware. Cisco [cisco.com] Foundry [foundrynet.com] Juniper [juniper.net] [fill in the blank here]
Re:router security (Score:2)
7200, 7500, 12000. Yay. What about the 3662 I used to admin?
Best I was able to decide on was having it only accept connections from the internal LAN, having a switch between it and the management box, and SSHing into the management box.
Re:router security (Score:2)
Perhaps that documentation is out of date. Support is a lot more pervasive than that now.
Cisco claims to have added support for ssh for the 3600's as of IOS 12.1 [cisco.com].
Re:router security (Score:2)
The real limitation is that you must have an IPSec capable image on your router. Not usually a big deal.
Re:router security (Score:2)
(disclaimer: I work for them)
Re:router security (Score:5, Funny)
As far as backdoors go, this little company called Cisco also requires physical access to the hardware to reset forgotten passwords and such, because they didn't build in backdoors for such purposes.
You should check them out. They're not too well known yet, but they will be after they IPO. Check out www.cisco.com for more information!
One solution and tradeoff (Score:2)
This sort of solution allows you to make your security solutions as extensible as you want, but then you do have to support it yourself, unless you can find a vendor...
10Gb/s ? [was: Re:One solution and tradeoff] (Score:2, Interesting)
I've seen a *controlled* *test* setup where around 3.5Gb/s was inserted into a 12000, then was routed over DWDM fiber (tested up to 90Gb/s by the supplier) and went through 4 12000's in total (infrastructure guaranteed at 80 Gb/s) and it came out at a mere 2.6Gb/s. The loss occurred at *every* 12000 series router. And that network is supposed to be at 80Gb/s backbone capacity in roughly two years.
If those Ciscos lose that much traffic at *sub*-10Gb/s speeds, I don't even want to know what happens at 80Gb/s.
Overall, I think the big difference between Cisco and for example Foundry is that Cisco is betting on the *software*, whereas Foundry is doing all their stuff in specially designed ASICs... But then again, our BigIron 8000 won't be capable of routing IPv6 at wirespeed, because we'd need a new backplane. Cisco's: just upgrade the IOS; but in the end a Cisco is just a very powerful computer, with some help from ASICs, but it all boils down to their CPU and bus structure and interface cards...
In the 12000 series a slot can hold 1 (one!) 10Gb/s card or a card with 3 (three) 1Gb/s interfaces... Anyone doing the math?
Ahem... Now to do something productive
Re:router security (Score:2)
As others have already said Cisco (some products), Juniper (all), and others. However it was not always this way. Cisco was utterly uninterested in ssh or krb telnet for most of the '90s (I worked for UUNET during most of that time, we did get to request features...). The first router (as far as I know) that did it was Ascend's GFR, and mostly just because it ran a Unix (BSD/OS?) on one board to do the control functions. Juniper was next (similar reason, FreeBSD on the control board). To this day I'm not sure if Cisco added it because people asked, or because people said "They already have it -- we'll buy one of those if you don't give it to us"...
Re:router security (Score:2)
Cisco do. But given that we were quoted £12000 per router to add ssh support, we decided to stick with telnet, and roll over to Linux routers as time and circumstances permit (there are still some areas where Cisco kit wins out, but not as many as there used to be)
Re:router security (Score:2)
Like Telnet and most HTTP, SNMPv1 and v2 have passwords (community strings) in the clear, but that's why most people don't allow read/write functions from SNMP, only read-only. SNMPv3 fixes this, but it's still not that widely used.
Backdoors are (IMO) less frequent in routers, since most of these are out on the Internet, where any such backdoors would inevitably be discovered quite rapidly. I've seen vendors claim that they have no such backdoors, which tends to support this. ATM switches may be another matter since telcos often manage them via an out-of-band network, which provides some security by disabling management from other network links.
Anyone who leaves the passwords set to defaults deserves what they get, but it's true to say that quite a lot of networks don't change the passwords frequently (if at all). Those that use TACACS+ or RADIUS authentication servers are in much better shape, since they can change passwords from a single point, and particularly if they use SecurID, which prevents a re-usable password from being used. The best solution is to use SSH, with the caveat that this has been known to have its own security holes - so you must be prepared to update your router OS images quickly if necessary.
Multiple layers of defence are a good idea - e.g. choose strong passwords, proper password encryption, and enable SSH, and then put on ACLs so that SSH is only permitted from a limited set of addresses.
Quality of Company Hires (Score:4, Informative)
Who is building these DDOS networks? (Score:1)
Re:Who is building these DDOS networks? (Score:2)
Remember back to Desert Storm, DoD planted a virus in some Iraqi printers. I don't think the USG forgot that one, and that's just what we know about. How hard would it be, especially if SSSCA is passed, to plant a back-door in everything connected to the net?
Also I think the other guys are doing the same, and the worst is yet to come. If you're an NSA agent and you guys aren't already doing this, get a clue and start. As far as using my computer, "I'd rather be pissed off than pissed on"; at least you retain "plausible deniability" using mine. I can't even imagine how many vulnerable machines are in Asia because you don't want to go to Microsoft to get patches when you're running a bootleg copy of Windows.
I'd guess that someone in USG, United States Government, is really pissed that so many DDoSes are going on; they're more interested in collecting information than blocking it right now. Haven't you found some spooky stuff in your server logs? I know the Islamic terrorists hate the internet, as well as TV and radio; it lets people see/hear other view points. Other view points are dangerous to them, erode their brain-washing. An effective DDoS attack would serve them just fine, and if they destroy Microsoft along the way so much the better in their point of view.
Of course maybe I'm just paranoid, but being paranoid doesn't mean that everyone isn't out to get you.
So what should the home user do? (Score:1)
foosh.
Article on SecurityFocus (Score:4, Informative)
The volume of noise a router could generate absolutely dwarfs what a computer could do.
Of course, a router is a computer.
I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.
SecurityFocus.com [securityfocus.com] has an article [securityfocus.com] by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:
A bigger threat (Score:5, Insightful)
We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.
Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)
ostiguy
Re:A bigger threat (Score:2)
AFAIK, Time Warner doesn't give you a refund or a free month, no matter how often or how long you're without cable service. SWBell home DSL has no service level agreement, and DSL can be shut down for unspecified reasons for significant lengths of time with no recourse to the user. I routinely recommend that businesses avoid basic DSL for that exact reason: you can lose tons of productivity and you still have to pay for the crappy service.
In fact, several years ago the utility company dug through the T-1 line servicing Hoover's, Inc. in Austin, TX, and they had to threaten SWBell with legal action to get the 2 days of downtime taken from their bill.
Either Mediaone is very friendly, or you turned in a command performance on the phone with them. Either way, congrats!
Good router solutions (Score:1)
Astaro Security Linux [astaro.com]
Need more facts! (Score:1)
Re:Need more facts! (Score:3, Informative)
Out of the last 6 companies I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.
So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
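The poster's point is that most shops never log (let alone watch) login attempts on their routers, so a patient brute-force against telnet goes unnoticed. The following is an added example, not code from the post: a small detector that reads router syslog and alerts when one source address racks up repeated login failures inside a short window, and again when a login from that same source then succeeds. The sample lines are constructed for this example and are modelled on the IOS login-failure/success syslog messages; the host name, addresses and user names are made up, and the threshold and window are assumptions you would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the post), modelled on the IOS
# %SEC_LOGIN login-failure / login-success messages. Host, addresses and users
# are invented for this example.
SAMPLE_LOG = """\
Mar 10 12:00:01 rtr1 201: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:00:03 rtr1 202: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:00:05 rtr1 203: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:00:08 rtr1 204: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:00:10 rtr1 205: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: enable] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:00:12 rtr1 206: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco] [Source: 203.0.113.9] [localport: 23]
Mar 10 12:05:00 rtr1 207: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob] [Source: 10.3.4.1] [localport: 23] [Reason: Login Authentication Failed]
Mar 10 12:05:07 rtr1 208: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.3.4.1] [localport: 23]
Mar 10 12:05:30 rtr1 209: %SYS-5-CONFIG_I: Configured from console by bob on vty0 (10.3.4.1)
"""

# Syslog header: "Mon DD HH:MM:SS host ..." (year is not in the header).
HDR_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+)")
# Login events: outcome, user, source address and local port.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>FAILED|SUCCESS): Login \w+ "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_line(line, year=2002):
    """Return a dict for a login event, or None for any other syslog line."""
    h = HDR_RE.match(line)
    m = LOGIN_RE.search(line)
    if not h or not m:
        return None
    ts = datetime.strptime(f"{year} {h['mon']} {h['day']} {h['time']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": h["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"], "port": int(m["port"])}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failures per source address.

    Emits a 'bruteforce' alert the first time a source reaches `threshold`
    failures within `window_s` seconds, and a 'success_after_failures' alert
    for every later successful login from a source already flagged."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, t = ev["src"], ev["time"]
        if ev["outcome"] == "FAILED":
            q = recent[src]
            q.append(t)
            while q and (t - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "source": src, "host": ev["host"],
                               "failures": len(q), "window_s": window_s, "at": t})
        elif src in flagged:
            alerts.append({"kind": "success_after_failures", "source": src,
                           "host": ev["host"], "user": ev["user"], "at": t})
    return alerts


def sample_alerts():
    """Run the detector over the constructed sample above."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(a)
```

The legitimate admin who fat-fingers a password once (10.3.4.1 above) never reaches the threshold, so only the guessing source is reported; the second alert, a success from a source that was just brute-forcing, is the one that should page somebody, because it means a password was guessed rather than merely attempted.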
The NSA and CERT agree - (Score:4, Informative)
CERT has been saying this for a while now [sans.org]
Most CCNA's know just enough to get RIP running - and security in cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject - for a price of course.
I'm all for this - hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out - that's pathetic for the amount of training required to put together large secure networks.
Slashdot effect on routers... (Score:3, Funny)
Cheers,
-Alex
We don't need this (Score:2, Interesting)
And frankly I've had enough of the normal server-attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage one, they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.
Re:We don't need this (Score:2)
Given that it's just as easy for me to crack my ISPs router as it is to crack a router in (say) Hoboken, I might as well crack the Hoboken one (presuming that I was up to such things).
Some script kiddies might be stupid enough to break the router that gets them onto the internet -- to that I can only say, "karma blowback".
The last point is that people who actually take the time and think about those kinds of issues aren't generally the kind of people who'll do things like this.
it's the password not the router (Score:3, Insightful)
That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.
Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
Re:it's the password not the router (Score:2)
those are the three I've seen the most.
HOWTO crack routers - Funny+Serious (Score:2, Informative)
2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.
3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.
It's really sad how many of these are set up and forgotten about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc
Don't even get me started on HP JetDirects !
Re:HOWTO crack routers - Funny+Serious (Score:2)
Seriously, JetDirect lets you set up filters to limit printing to specific IPs/subnets. Which I did with mine.
Routers, Microsoft, USA (Score:2, Insightful)
Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!
...(Back on topic now)
When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and started sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people can not view any website and no one can view slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.
I don't know any current stats but like in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there is at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of ebay and try to upgrade the IOS. Ain't going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password:cisco and enable password:class (It has been a while since my Cisco training... do they still use that for the lab routers?)
Excuse me while I
Slightly OT but... (Score:3, Interesting)
For one, a business can still operate if the network goes down.. that isn't THAT big an issue... ("Sorry fellows, we won't be sending you home just b/c our network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well..
Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnobles checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasn't it happened before? Why hasn't a major virus (code red and nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?
Anyways, I may be wrong..
ACL's on vty lines (Score:2, Informative)
line vty 0 4
access-class 1 in
ummm.....not too difficult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines a la tcp wrappers.
Re:ACL's on vty lines (Score:2)
A shot at MS' keep-it-quiet strategy (Score:2)
Can be found on page 14:
"Time-To-Exploit Is Shrinking
Exacerbating the sophistication of attacks and the abundance and susceptibility of targets is a shrinking time-to-exploit. The window of opportunity between vulnerability discovery and widespread exploitation, when security fixes or workarounds can be applied to protect systems, is narrowing. This is, in part, due to the large existing code-base of attack tools that can be used to develop new tools as exploits are written for newly discovered vulnerabilities. Another element causing this trend is a trend toward non-disclosure within intruder communities. Rival groups will often keep new exploits and attack tools private to gain some advantage over other rival groups. Tools that are exposed to outside groups often become obsolete through competitive analysis and are quickly modified, making the lifetime of many attack tools very short. Anti-forensics techniques are now commonly employed in the design of intruder tools in an attempt to increase the lifetime of the tools by limiting the ability of others to determine the function of and defense against an attack tool. Thus, when public awareness of an exploit method or attack tool does rise, the method or tool is often already in some degree of widespread use."
In other words, the bad guys love the practice of not sharing info on vulnerabilities.
A corollary of this is that closed source code is a gift to these guys.
How to secure your cisco router (Score:5, Informative)
Juniper, Unisphere, whatever, has similar precautions that you can take.
http://www.cisco.com/warp/public/707/
Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...
Secure the console;
Turn HTTP servicing OFF!!!
If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone gets your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).
"no ip http server"
If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.
Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;
"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"
Same thing for telnet sessions;
"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"
Access list telnet access to special subnets! This is VERY VERY important;
Add "access-class 5 in" where you have the following access list on the router;
"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"
Do not forget the aux port;
"line aux 0"
"login local"
"transport output none"
Authentication;
Use enable secret, NOT enable password!;
enable secret blah-blah-blah-md5-encrypted
Make at least one local user;
username bob password goldfish
Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;
http://www.cisco.com/warp/public/480/tacplus.sh
Encrypt your passwords too;
service password-encryption
Log stuff, and know when stuff happens;
Turn on logging;
"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"
Hate log messages on the console?
"no logging console"
Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.
Synch to an NTP server so you know when stuff happens;
"ntp server 1.2.3.4 prefer"
Get NTP servers here;
http://www.eecis.udel.edu/~mills/ntp/servers.ht
Interfaces;
EVERY DAMN interface should have the following, unless you know better;
"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"
Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
Turn CDP off, if you can. There is little reason to use it;
Turn it off, on ALL interfaces;
"no cdp run"
Turn it off on an individual interface;
"no cdp enable"
Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.
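The vty access-class in this post (ACL 5) and the one in the earlier "Routing Nightmare" reply (ACL 2) both rely on two things people get wrong: the wildcard mask is an inverse mask (a set bit means "don't care"), and entries are evaluated top to bottom with first match winning and an implicit deny at the end. That is why ACL 5 can express 10.22.33.136/29 as a deny of the low /29 followed by a permit of the whole /28, and why swapping those two lines would silently open the denied hosts. The following is an added example, not code from either post: a small evaluator that parses standard numbered ACL syntax and reports which source addresses a given ACL would let through. The reordered ACL is a constructed mistake included to show the order dependency.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, int, int]   # (action, address, wildcard mask) as integers

# ACL 5 as written in the post above (remark lines included).
ACL5_FROM_POST = """\
access-list 5 remark VTY.ACCESS.CONTROL
access-list 5 remark 10.3.4.1/32
access-list 5 permit 10.3.4.1
access-list 5 remark 10.22.33.136/29
access-list 5 deny 10.22.33.128 0.0.0.7
access-list 5 permit 10.22.33.128 0.0.0.15
""".splitlines()

# Constructed mistake: same entries with deny and permit swapped.
ACL5_REORDERED = """\
access-list 5 permit 10.3.4.1
access-list 5 permit 10.22.33.128 0.0.0.15
access-list 5 deny 10.22.33.128 0.0.0.7
""".splitlines()

# The concrete lines of ACL 2 from the earlier reply (its "....etc...." elision dropped).
ACL2_FROM_EARLIER_REPLY = """\
access-list 2 remark vty access list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 2 deny any
""".splitlines()


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def parse_standard_acl(lines: List[str], number: str) -> List[Entry]:
    """Collect the permit/deny entries of one standard numbered ACL, in order."""
    entries: List[Entry] = []
    for raw in lines:
        p = raw.split()
        if len(p) < 4 or p[0] != "access-list" or p[1] != number or p[2] == "remark":
            continue
        action = p[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {raw!r}")
        if p[3] == "any":
            addr, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
        elif p[3] == "host":
            addr, wild = _ip(p[4]), 0
        else:
            addr = _ip(p[3])
            wild = _ip(p[4]) if len(p) > 4 else 0  # no mask given = single host
        entries.append((action, addr, wild))
    return entries


def entry_matches(addr: int, wild: int, ip: int) -> bool:
    """Wildcard semantics: compare only the bits where the wildcard is 0."""
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


def acl_permits(entries: List[Entry], src: str) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    ip = _ip(src)
    for action, addr, wild in entries:
        if entry_matches(addr, wild, ip):
            return action == "permit"
    return False


def permitted_in(entries: List[Entry], cidr: str) -> List[str]:
    """Every address inside `cidr` that the ACL would admit to the vty."""
    return [str(a) for a in ipaddress.IPv4Network(cidr) if acl_permits(entries, str(a))]


if __name__ == "__main__":
    acl5 = parse_standard_acl(ACL5_FROM_POST, "5")
    print("ACL 5 admits:", permitted_in(acl5, "10.22.33.128/28"), "plus 10.3.4.1")
    print("reordered ACL admits 10.22.33.130:",
          acl_permits(parse_standard_acl(ACL5_REORDERED, "5"), "10.22.33.130"))
```

Running the evaluator over a candidate ACL before pushing it to a remote router is a cheap way to avoid the "cut off the branch you are sitting on" failure the earlier reply warns about: check that your own management host is in the permitted list, and that nothing else is.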
ssh is available on ALL IOS w/ encryption feature (Score:2, Insightful)
You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's an 801, a 12416 or anything else in between.
Read more about requirements + configuration of ssh on IOS routers here [cisco.com] and for further ssh-related reading on Cisco platforms, go here [cisco.com].
Re:How to secure your cisco router (Score:2)
I am not an American btw and my interest is in seeing this law quashed. I'm with AC that we should do all in our power to protect ourselves from it at the expense of the US until the cost (what else would the US administration understand other than money) is so great they repeal the law. I hope the original poster is not American or planning on going there before the law is quashed cause if he is we all know what could happen!
One-time passwords (Score:2, Informative)
Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.
Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacker needs to know is the read/write string (basically a static password). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edge filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
IOS rules;config checking tool (Score:2, Informative)
configs against the NSA rule set. If you're
interested in testing, drop me a note at
gmj AT users dot sourceforge dot net
Also, for reference, here are three good sources
of security configs for IOS:
# "NSA Router Security Configuration Guidelines", NSA, September, 2001
# http://nsa2.www.conxion.com/cisco/download.htm
#
# "Improving Security on Cisco Routers", Cisco, October 17, 2001
# http://www.cisco.com/warp/public/707/21.html
#
# "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
# http://www.cymru.com/~robt/Docs/Articles/secure-i
You'd be suprised... (Score:2, Informative)
(some) cisco routers have insecure default (Score:2, Interesting)
Apparently their (SLC, Utah) dsl provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was by default blank.
The scary part is two-fold in this situation:
1) the user's username and password were stored in plaintext on the router and
2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.
This _seriously_ freaked out my friend!
Securing Cisco Routers (Score:2, Informative)
From Cisco:
http://www.cisco.com/warp/public/707/21.html
From the NSA:
http://nsa2.www.conxion.com/cisco/index.html
It's not a solution, but it's a start
-- Kevin
The Router/Switch Mindset Problem (Score:2, Interesting)
Router/Switch maintenance is different. How many Cisco users out there are familiar with the "fix on fail" SOP? I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.
Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter,
I identify with this mindset (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.
How do you tell what ROM/BIOSes to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or there's a dependency--or worse yet, that there are configurations with which the patch is incompatible. It happens.
There's no easy way, other than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.
If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.
Not preaching here...just passing along uncomfortable experiences.
"Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.
Configuring a Cisco router to Dos a Website... (Score:2)
router>enable
router#conf t
router(config)#int tunnel 0
router(conf-if)#tunnel source
router(conf-if)#tunnel destination
router(conf-if)#^Z
router#conf t
router(config)#ip route 0.0.0.0 0.0.0.0 tunnel0
Or thereabouts... This creates half of a tunnel to a peer, which would normally be a router configured to tunnel back... but in this case we just configure the router to send all its traffic to the victim...
Re:Cisco IOS (Score:3, Informative)
password
config t
line vty 0 1
password 7 (insert password here)
^Z
wr mem
Oh yeah, real hard. 5 lines of commands is super difficult.
You're the reason routers get broken into (Score:2)
Cisco Type 7 passwords are a very basic hash that anyone with some utilities off the internet can crack...
Type 5 passwords (or enable secret) - are encrypted with a much higher quality hash that I believe is resilient to everything but a brute force attack.
Before trying to diminish someone to make yourself look smart, it would help if you gave advice that didn't make everyone's router crackable.
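A small config audit in the spirit of the NSA rule-set checker mentioned above, added here as an example (it is not that poster's tool, the NSA guide or Tripwire): it walks a saved running-config and reports interfaces missing the four per-interface hardening lines from the "How to secure your cisco router" post, a missing global "no cdp run" or "enable secret", and any type 7 line password of the kind the reply above warns about. SAMPLE_CONFIG and its placeholder secrets are constructed for the demo.

```python
# Added example, not the NSA rule-set tool or Tripwire; SAMPLE_CONFIG is constructed.

REQUIRED_IF = ("no ip redirects", "no ip directed-broadcast", "no ip proxy-arp", "no cdp enable")

def parse_interfaces(config):
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level stanza ends the interface
    return ifaces

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    cdp_off_globally = "no cdp run" in lines
    if not cdp_off_globally:
        findings.append("global: CDP still running (add 'no cdp run')")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("global: no 'enable secret' (type 5) configured")
    for name, cmds in parse_interfaces(config).items():
        for req in REQUIRED_IF:
            if req == "no cdp enable" and cdp_off_globally:
                continue  # global 'no cdp run' already covers every interface
            if req not in cmds:
                findings.append(f"{name}: missing '{req}'")
    # Type 7 line passwords and plaintext enable passwords are the weak credentials
    # the thread warns about; report the command, never the value itself.
    for l in lines:
        if l.startswith("password 7 ") or l.startswith("enable password "):
            findings.append("weak credential: " + " ".join(l.split()[:2]) + " ...")
    return findings

SAMPLE_CONFIG = """\
enable secret 5 PLACEHOLDER_TYPE5_HASH
interface FastEthernet0/0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
interface Serial0/0
 no ip redirects
line vty 0 4
 password 7 PLACEHOLDER_TYPE7_STRING
"""
```

Run `audit(open("running-config.txt").read())` against a config captured with `show running-config`; on the constructed sample it reports the global CDP gap, three missing lines on Serial0/0 and the type 7 vty password.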
Re:Posts from idiots.. (Score:2)
The majority of DDOS attacks to date have relied on hackers breaking into many computers beforehand; often these are home computers (PCs) running over cable or DSL lines. Compared to that type of a system, a commercial router (particularly one located close to a backbone) is capable of a hell of a lot more traffic generation.
Re:Posts from idiots.. (Score:2, Informative)
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."
theo
--
Life is short; think quickly.
Re:Posts from idiots.. (Score:1)
Didn't you just reinforce the original post? Maybe the original post could have been clarified by using "personal computer" instead of just "computer," but it was still an accurate statement.
R.
Re:Posts from idiots.. (Score:1)
What was your point again?
Re:Posts from idiots.. (Score:2)
A fully compromised router should be able to at least match, and probably almost always exceed the capacity to cause problems for any machine upstream of it than any computer downstream of it, since any computer downstream of a router can't generate traffic any faster than that router can
This is true as long as you make certain assumptions about how the router works, how computationally intensive the attack is, and the geometry of the network(*).
Also, the statement: "A router IS a computer, you fuckwit," is inflammatory and pedantic. For the purposes of what we are talking about a computer is something that traffic flows to and from, and a router is something traffic flows through. Everyone knows what he means, and the distinction is conceivably instructive; according to the article more DOS attacks are coming from things that are called routers. Lumping routers in with computers may be technically correct, but is not helpful. The aim of the article is to get out the message that the things commonly called routers are causing more DOS problems than things commonly called computers.
* E.g. assuming the router can do more than just copy traffic, that the attack doesn't require a lot of CPU to generate the data for the attack, and there aren't many paths between the attacker and the attackee.
Re:Posts from idiots.. (Score:2)
Actually, no. Most of the big backbone routers today do most of the work with special-purpose hardware devices, hardwired to do basic packet forwarding functions. Most packets never reach a general-purpose CPU going through a big router. There are general-purpose CPUs in there, but they're for control and exception handling. Without such hardware support, gigabit networking wouldn't be feasible.
Re:Cisco's a good reason why.. (Score:2)
whatever. (Score:2)
And even if you aren't LEGALLY supposed to use the update, it's not much of a big deal really... quite a few people I know just update them, and don't care much about the actual licensing part of it. it's abstract enough that few can find out about it anyway.
I'm not advocating theft, but to say that you don't have a CCIE around is a load of BS.
I'm not going to let the lack of a support contract stop me from securing a product that I spent a bunch of money for.
besides, when you have a WAN with say, 200 2600's or so, you only need a few registered routers. just switch around between good/bad ones for support calls
Re:Cisco's a good reason why.. (Score:1)
Re:How do I tell if my machine is cracked? (Score:3, Insightful)
Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...
An integrity checker such as Tripwire [tripwire.com] is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.
The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.
In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.
As I'm sure you know, such clueful sysadmins are in short supply.
Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.
For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
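The baseline-and-compare idea described in this reply, as an added example that is not Tripwire's code or the poster's: hash a list of files, keep the digests, and later report anything missing or modified while skipping paths the admin has declared volatile (the log files the "clueless sysadmin" anecdote is about). It uses SHA-256 rather than the SHA-1/MD5 named above, and demo() builds a constructed scratch directory so it runs stand-alone.

```python
# Tripwire-style baseline/compare, written as an added example (not Tripwire's code).
# Uses SHA-256 in place of the SHA-1/MD5 the comment mentions; demo() builds a
# constructed scratch directory so it runs stand-alone. Caveat from the thread: the
# kernel doing the reads is trusted, so a rootkit that filters reads could hide changes.
import hashlib
import tempfile
from pathlib import Path

def file_digest(path, chunk=65536):
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, paths):
    """Snapshot {relative path: digest}; store it somewhere the host cannot write."""
    return {p: file_digest(Path(root) / p) for p in paths}

def check_integrity(root, baseline, volatile=()):
    """Return {path: 'missing'|'modified'} for baseline entries that no longer match.
    Paths in `volatile` (logs, spool files) are expected to change and are skipped;
    deciding that list is the admin judgement the comment says the tool cannot supply."""
    findings = {}
    for p, expected in baseline.items():
        if p in volatile:
            continue
        full = Path(root) / p
        if not full.exists():
            findings[p] = "missing"
        elif file_digest(full) != expected:
            findings[p] = "modified"
    return findings

def demo():
    """Constructed scenario: one binary is altered and one log grows normally."""
    root = Path(tempfile.mkdtemp())
    (root / "sbin").mkdir()
    (root / "sbin" / "login").write_bytes(b"ORIGINAL LOGIN BINARY\n")
    (root / "messages.log").write_text("boot ok\n")
    baseline = build_baseline(root, ["sbin/login", "messages.log"])
    (root / "sbin" / "login").write_bytes(b"ALTERED LOGIN BINARY\n")   # tampering
    with open(root / "messages.log", "a") as f:
        f.write("user logged in\n")                                   # normal churn
    return check_integrity(root, baseline, volatile={"messages.log"})
```

demo() returns only the altered binary; the log that grew is ignored because it was declared volatile, which is exactly the distinction the reply says a clueful admin has to make.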
Re:what about cable/dsl "routers" (Score:2)
Our ISP is Megapath, by the way.