RE: need some advice on our cisco routers..
Cisco's site is pretty big to find anything in for a newbie. If you can implement all the recommendations here: http://www.dhs.gov/interweb/assetlibrary/NIAC_HardeningInternetPaper_Jan05.pdf you're way ahead of most networks.

Ted

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Swiger
Sent: Thursday, February 09, 2006 4:41 AM
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Subject: Re: need some advice on our cisco routers..

> Mark Jayson Alvarez wrote:
> > We have a couple of cisco routers. There was one time when suddenly we could not log in remotely via telnet. I investigated further and was shocked when I found out that there were 16 telnet connections coming from outsiders' IP addresses. I immediately called our Director (the only cisco certified guy in the office) and he began kicking each of the telnet connections one by one. He then replaced every secret/password and deleted all unnecessary local accounts. However, we're still wondering how those hackers got into the system. Now this cisco's aaa defaults to a radius server. Since then, outsiders have gone away.. Perhaps the hackers got one of the router's local accounts, and are trying to brute force their way to enable mode.
>
> Did you keep careful logs of who was connecting from where so someone could start tracking things down? Have you contacted your local police and FBI, or whatever the local equivalent is? (Don't bother unless you can claim more than $2000 or so in damages, however.)
>
> Most importantly, have you contacted Cisco? Asking for security advice about their routers here is not the right place to gain such information. cisco.com's got a large, informative site.
>
> --
> -Chuck
>
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: need some advice on our cisco routers..
The best practice I follow for securing routers is to disable any remote access unless remote access is really necessary. If remote access is required, I always limit the access to a small number, usually 1-3 remote IPs. It is also a good idea to enable remote logging to keep a record of events and access, as all routers have limited logging space internally.

Cisco, among other brands, have all had a number of exploits found and reported on the web. I expect that is how your telnet users got into your router. So it also is in your best interest and practices to regularly check and update any firmware on your routers.

Hope this helps.

-Derek

At 12:07 AM 2/9/2006, Mark Jayson Alvarez wrote:
> Hi,
>
> We have a couple of cisco routers. There was one time when suddenly we could not log in remotely via telnet. I investigated further and was shocked when I found out that there were 16 telnet connections coming from outsiders' IP addresses. I immediately called our Director (the only cisco certified guy in the office) and he began kicking each of the telnet connections one by one. He then replaced every secret/password and deleted all unnecessary local accounts. However, we're still wondering how those hackers got into the system. Now this cisco's aaa defaults to a radius server. Since then, outsiders have gone away.. Perhaps the hackers got one of the router's local accounts, and are trying to brute force their way to enable mode.
>
> Now, I have a few questions:
>
> 1. Is it possible to think that they still haven't cracked the enable password yet, or that they already know it and have just silently been playing with our router?? What for? If you are a hacker, what would you do if you got access to an ISP's router??:-)
>
> 2. What will you do if the same thing happened to you??
>
> 3. How do you secure your cisco routers in your office?? Our director said that we should look for best practices in securing our routers.
>
> Our company is an ISP for broadband internet for R&D institutions. We offer no dial up connections, only E1's etc. We have 2 STM-1 (155Mbps) outgoing pipes. One cisco 7206 and one cisco 7304. We have a radius server running some old version of FreeBSD (4.6 I guess) but the accounting is not working anymore. Only authentication, and radius uses the accounts listed in /etc/passwd.
>
> Now, I am trying to configure a new radius server (to replace the old server configured by the former net/sys admins), only I am not sure if it is really what we need.. My initial idea of radius is that it ties up authentication, authorization and accounting.. however, as I have said, I guess we don't need any accounting since we don't offer dial up services.
>
> In authentication, I tried once to make our router work with our kerberos setup so that the telnet password doesn't have to be sent, but unfortunately I failed to make it work with our heimdal installation (seems like they are having incompatibility issues with encryption, though I haven't tried it with MIT yet).
>
> Authorization: We currently have an ldap directory used only for email services; don't know if it is still needed.
>
> We also have remote logging through that radius server, and guess what, it's not working anymore. I compared the config of that compromised router with the other one and found out that the logging lines are gone (hmmm..)
>
> I need some tips here. The tools you are currently using. Also some of the best practices you are implementing in your NOC.. I'm the new admin and the services are poorly documented.. Now I am trying to start everything from scratch, this time documenting everything I am doing.. Load balancer, proxy server, email, dns, web, ldap, kerberos, etc. Unfortunately I don't have any cisco training yet and I'm glad that my supervisor is kind enough to lend me the enable password (the rest, google and google).
>
> Thanks for your time.
>
> Sincerely,
> -jay
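Derek's remote-logging advice only pays off if something actually reads the logs. The script below is an added example, not code from this thread or from Cisco: it scans router syslog lines for the pattern Jay described (repeated failed logins from one source, then a successful login from outside the management network, then a configuration change from that session). It assumes the lines follow the shape of IOS SEC_LOGIN and SYS-5-CONFIG_I messages; the sample lines, hostnames, users, timestamps and the 192.168.0.0/24 management range are all constructed for the example, and 203.0.113.0/24 is a documentation range standing in for "an outsider".

```python
"""Scan router syslog for repeated failed logins, logins from outside the
management network, and configuration changes made from such sessions."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (assumption: IOS SEC_LOGIN / SYS-5-CONFIG_I
# message shapes; hosts, users and times are made up for this example).
SAMPLE_LOG = """\
Feb  9 00:01:12 rtr1 1234: *Feb  9 00:01:11.001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: noc] [Source: 192.168.0.10] [localport: 23] at 00:01:11 UTC Thu Feb 9 2006
Feb  9 00:02:40 rtr1 1235: *Feb  9 00:02:39.504: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 00:02:39 UTC Thu Feb 9 2006
Feb  9 00:02:41 rtr1 1236: *Feb  9 00:02:40.210: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 00:02:40 UTC Thu Feb 9 2006
Feb  9 00:02:43 rtr1 1237: *Feb  9 00:02:42.880: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 23] [Reason: Login Authentication Failed] at 00:02:42 UTC Thu Feb 9 2006
Feb  9 00:05:01 rtr1 1238: *Feb  9 00:05:00.120: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: support] [Source: 203.0.113.7] [localport: 23] at 00:05:00 UTC Thu Feb 9 2006
Feb  9 00:06:15 rtr1 1239: *Feb  9 00:06:14.330: %SYS-5-CONFIG_I: Configured from console by support on vty1 (203.0.113.7)
"""

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)


def is_management(src, nets):
    """True when the source address sits inside one of the allowed networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def analyze(log_text, management_nets, fail_threshold=3):
    """Return the alerts raised over the log and the failed-login count per source."""
    nets = [ip_network(n) for n in management_nets]
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            src = m["src"]
            if m["result"] == "LOGIN_FAILED":
                failures[src] += 1
                # raise once, at the moment the source crosses the threshold
                if failures[src] == fail_threshold:
                    alerts.append(("brute_force", src, f"{fail_threshold} failed logins"))
            elif not is_management(src, nets):
                proto = "telnet" if m["port"] == "23" else "port " + m["port"]
                alerts.append(("login_from_outside", src, f"user {m['user']} via {proto}"))
            continue
        m = CONFIG_RE.search(line)
        if m and not is_management(m["src"], nets):
            alerts.append(("config_change_from_outside", m["src"],
                           f"user {m['user']} on {m['line']}"))
    return {"alerts": alerts, "failures": dict(failures)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, ["192.168.0.0/24"])
    for kind, src, detail in report["alerts"]:
        print(f"{kind:28s} {src:15s} {detail}")
```

Point it at the file your syslog host writes the routers' messages to and widen the management list to the handful of addresses you actually permit; a successful login that is neither from those addresses nor preceded by a known change ticket is the event worth paging on, and the access-class on the vty lines should make it impossible in the first place.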
Re: need some advice on our cisco routers..
Mark Jayson Alvarez wrote:
> We have a couple of cisco routers. There was one time when suddenly we could not log in remotely via telnet. I investigated further and was shocked when I found out that there were 16 telnet connections coming from outsiders' IP addresses. I immediately called our Director (the only cisco certified guy in the office) and he began kicking each of the telnet connections one by one. He then replaced every secret/password and deleted all unnecessary local accounts. However, we're still wondering how those hackers got into the system. Now this cisco's aaa defaults to a radius server. Since then, outsiders have gone away.. Perhaps the hackers got one of the router's local accounts, and are trying to brute force their way to enable mode.

Did you keep careful logs of who was connecting from where so someone could start tracking things down? Have you contacted your local police and FBI, or whatever the local equivalent is? (Don't bother unless you can claim more than $2000 or so in damages, however.)

Most importantly, have you contacted Cisco? Asking for security advice about their routers here is not the right place to gain such information. cisco.com's got a large, informative site.

--
-Chuck
RE: need some advice on our cisco routers..
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Swiger
Sent: Thursday, February 09, 2006 4:41 AM
To: Mark Jayson Alvarez
Cc: freebsd-questions@freebsd.org
Subject: Re: need some advice on our cisco routers..

> Mark Jayson Alvarez wrote:
> > We have a couple of cisco routers. There was one time when suddenly we could not log in remotely via telnet. I investigated further and was shocked when I found out that there were 16 telnet connections coming from outsiders' IP addresses. I immediately called our Director (the only cisco certified guy in the office) and he began kicking each of the telnet connections one by one. He then replaced every secret/password and deleted all unnecessary local accounts. However, we're still wondering how those hackers got into the system. Now this cisco's aaa defaults to a radius server. Since then, outsiders have gone away.. Perhaps the hackers got one of the router's local accounts, and are trying to brute force their way to enable mode.
>
> Did you keep careful logs of who was connecting from where so someone could start tracking things down? Have you contacted your local police and FBI, or whatever the local equivalent is? (Don't bother unless you can claim more than $2000 or so in damages, however.)

The last I looked the limit was $5000 for the FBI to accept a complaint; however, due to manpower limitations, a more realistic limit is well over $100,000 (aggregate damage for one attacker, multiple victims) for them even to pay attention. Dealing with the FBI is better these days - they have some good people now.

-gayn
Bristol Systems Inc.
714/532-6776
www.bristolsystems.com
Re: need some advice on our cisco routers..
> 3. How do you secure your cisco routers in your office?? Our director said that we should look for best practices in securing our routers.

The very first step would be to limit where you can telnet to the router from. There is no good reason why the whole internet could telnet to the router. The following should do:

    ! one unique machine inside my network
    access-list 30 permit 192.168.0.0
    access-list 30 deny any log
    line vty 0 4
     access-class 30 in
     exec-timeout 0 0
     login local
     refuse-message ^CUnauthorized access prohibited^C

> 1. Is it possible to think that they still haven't cracked the enable password yet, or that they already know it and have just silently been playing with our router?? What for? If you are a hacker, what would you do if you got access to an ISP's router??:-)

If you have a back-up of your configuration, you can check if anything has been changed. You can also check the config change time stamp in Cisco show run. In any case, play it safe, restore the last running configuration and change the enable password.

The router could be a good sniffing point to grab hold of some username/password from the ISP customers.

Olivier
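Olivier's suggestion to check the running config against a backup is exactly what Jay did by hand when he noticed the logging lines had vanished from the compromised router. The script below is an added example (not code from this thread, from Cisco, or from any of the posters) that automates both halves of that check: it diffs a current running-config against a known-good backup, tying each indented sub-command to its section so that a missing access-class under line vty is reported as such, and it audits the current config for the remote-access controls the thread recommends (remote syslog host, vty access-class, ssh-only vty, a non-zero exec-timeout). Both configurations are constructed samples in IOS running-config layout; the addresses, usernames, the $1$PLACEHOLDER hash and the list of required controls are assumptions for the example.

```python
"""Diff a router's running-config against a known-good backup and audit it
for the remote-management controls discussed in the thread."""

# Constructed sample configurations (assumption: IOS running-config layout
# with one-space indentation for sub-commands and "!" separator lines;
# addresses, usernames and the $1$PLACEHOLDER hash are made up).
BASELINE_CONFIG = """\
hostname rtr1
service password-encryption
!
logging host 192.168.0.20
logging trap informational
!
username noc privilege 15 secret 5 $1$PLACEHOLDER
aaa new-model
aaa authentication login default group radius local
!
access-list 30 permit host 192.168.0.10
access-list 30 deny any log
!
line vty 0 4
 access-class 30 in
 exec-timeout 10 0
 transport input ssh
 login authentication default
!
"""

# The same router after the kind of tampering the thread describes: logging
# lines gone, vty access-class gone, telnet re-enabled, idle timeout disabled
# and an extra local account added (constructed, not a real config).
CURRENT_CONFIG = """\
hostname rtr1
!
username noc privilege 15 secret 5 $1$PLACEHOLDER
username backup privilege 15 password 0 CONSTRUCTED
aaa new-model
aaa authentication login default group radius local
!
access-list 30 permit host 192.168.0.10
access-list 30 deny any log
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login authentication default
!
"""


def parse_config(text):
    """Turn a running-config into a set of (parent, line) pairs so that an
    indented sub-command stays tied to the section it belongs to."""
    items = set()
    parent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            items.add((parent, raw.strip()))
        else:
            parent = raw.strip()
            items.add((None, parent))
    return items


def _order(item):
    # sort key that tolerates the None parent of top-level lines
    return (item[0] or "", item[1])


def diff_configs(baseline_text, current_text):
    """Lines present in the backup but missing now, and lines that appeared."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    return {"missing": sorted(base - cur, key=_order),
            "added": sorted(cur - base, key=_order)}


def _vty(parent):
    return parent is not None and parent.startswith("line vty")


# Each control is a predicate over (parent, line); the config passes the
# control when at least one line satisfies it.
REQUIRED_CONTROLS = {
    "remote syslog host": lambda p, l: p is None and l.startswith("logging host "),
    "vty access-class": lambda p, l: _vty(p) and l.startswith("access-class "),
    "vty ssh only": lambda p, l: _vty(p) and l == "transport input ssh",
    "vty idle timeout": lambda p, l: (_vty(p) and l.startswith("exec-timeout ")
                                      and l != "exec-timeout 0 0"),
}


def audit(items):
    """Names of the required controls that no line in the config satisfies."""
    return sorted(name for name, ok in REQUIRED_CONTROLS.items()
                  if not any(ok(p, l) for p, l in items))


if __name__ == "__main__":
    report = diff_configs(BASELINE_CONFIG, CURRENT_CONFIG)
    for kind in ("missing", "added"):
        for parent, line in report[kind]:
            print(f"{kind:8s} {(parent + ' / ') if parent else ''}{line}")
    print("controls missing:", audit(parse_config(CURRENT_CONFIG)))
```

Feed it the saved output of show running-config from the backup and from the live router; anything in the "missing" list that is a logging, access-class or transport line is the same signal Jay spotted, and the audit catches the case where a weakened setting (exec-timeout 0 0, transport input telnet) was substituted rather than simply deleted.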