Well, the "no service password-recovery" is an unknown command on my Routers
/ Switches, but you could set the config register bit 8 to 0, which would
disable the BREAK feature.

Hth,

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~~~~~~~~~~~~~~~~~~~~~~~~



-----Original Message-----
From: Chris McCoy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2000 10:50 PM
To: Bob Wilson; [EMAIL PROTECTED]
Subject: Re: can you shutdown a console port?


  I've tried this configuration before, and all I can say is it must set a
bit in NVRAM somewhere that ROM monitor inspects on bootup.  Or ROM monitor
could parse the config in NVRAM.  It also has dependencies on the system
being configured a certain way.  For instance, the bit that determines
whether the router ignores the startup-configuration must be cleared for no
service password-recovery to work.  In fact, it complains otherwise.  When
no service password-recovery is configured, ROM monitor simply refuses to
respond to breaks.  This could definitely suck if you need to break into a
router for legitimate reasons.  This is probably why it is undocumented.  I
would imagine if you could somehow wipe out NVRAM, you could bypass it.

  To make a long story short, there is no substitute for physical security.

Chris M.

----- Original Message -----
From: "Bob Wilson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 7:55 PM
Subject: Re: can you shutdown a console port?


> Correct me if I'm wrong -- if you input something like 'no service
> password-recovery' doesn't it go into the running config, and then into
> flash if you save the running config there?  So if you restart the router
> with a cable in the console and send it a break, you'll boot into ROMMON
> and it will never look at the config that's in flash, and you can have your
> way with it.  Right?
>
>
> ----- Original Message -----
> From: Chris McCoy <[EMAIL PROTECTED]>
> To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
> <[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 9:18 PM
> Subject: Re: can you shutdown a console port?
>
>
> > There's an undocumented command called 'no service password-recovery'
> > which will keep people from breaking into routers.  Make sure you have a
> > way in, otherwise!
> >
> > Chris M.
> >
> > ----- Original Message -----
> > From: "John Kaberna" <[EMAIL PROTECTED]>
> > To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 2:43 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > The last statement was incorrect!!
> > >
> > > Console and aux ports DO NOT require a password.  VTYs do, however.  You
> > > should set a complex password on your console and aux port.
> > >
> > > The other thing you can do is set up local authentication, which will
> > > require a username and matching password.  This will make it even harder
> > > to break.
> > >
> > > You can also weed out a few amateurs by changing your console speed to
> > > something other than 9600.  When I tested mine I didn't even get ASCII
> > > text, so there is no indication the speed is set wrong.  That may be
> > > different with other terminal programs though (I'm using SecureCRT 3.1).
> > >
> > > You should be OK: as long as you have physical security and good
> > > passwords, you likely won't have any problems.
> > >
> > > John
> > >
> > > ----- Original Message -----
> > > From: beth shriver <[EMAIL PROTECTED]>
> > > To: David L. Blair <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 12, 2000 12:52 PM
> > > Subject: Re: can you shutdown a console port?
> > >
> > >
> > > > If you use the password recovery technique and hit
> > > > break during boot and go to ROMMON mode, would the
> > > > router even know there is a password on the console?
> > > > Thanks,
> > > > Beth
> > > > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > > > Require a password on the console port and do not
> > > > > supply a password.  That will effectively deny all
> > > > > access via the console port.
> > > > >
> > > > > -dlb
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "beth shriver" <[EMAIL PROTECTED]>
> > > > > Newsgroups: groupstudy.cisco
> > > > > Sent: Tuesday, September 12, 2000 8:43 AM
> > > > > Subject: can you shutdown a console port?
> > > > >
> > > > >
> > > > > > Is there any way to keep someone from plugging in a
> > > > > > console port and using password recovery procedure to
> > > > > > get into a router? For instance, if you have a router
> > > > > > at a remote site and someone decides they want to
> > > > > > alter your config etc., what could stop them? (besides
> > > > > > a huge padlock?)
> > > > > >
> > > > > >
> > > > > > __________________________________________________
> > > > > > Do You Yahoo!?
> > > > > > Yahoo! Mail - Free email you can access from anywhere!
> > > > > > http://mail.yahoo.com/
> > > > > >
> > > > > > **NOTE: New CCNA/CCDA List has been formed. For more information go to
> > > > > > http://www.groupstudy.com/list/Associates.html
> > > > > > _________________________________
> > > > > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > > > > > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > > > > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > > > > >

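An added example, not part of any message in this thread: a small Python audit of the points raised above. It takes an IOS configuration and a configuration-register value, lists console and aux lines with no login check, reports whether `no service password-recovery` is present, and flags the ignore-startup-config bit Chris McCoy refers to (bit 6, 0x0040). The sample configuration, function names and register values are constructed for illustration.

```python
import re

IGNORE_NVRAM_BIT = 0x0040  # config-register bit 6: ignore startup-config at boot

# Constructed sample config, not taken from the thread.
SAMPLE_CONFIG = """\
no service password-recovery
username netadmin secret 5 CONSTRUCTED-HASH
line con 0
 login local
 speed 19200
line aux 0
line vty 0 4
 password 7 CONSTRUCTED
 login
"""

def line_auth(config):
    """Return {line block: 'none' | 'password' | 'local' | 'login-no-password' | other}."""
    state, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if raw.startswith("line "):
            current = raw.strip()
            state[current] = {"login": None, "password": False}
        elif current and raw.startswith(" ") and words:
            if words[0] == "login":   # bare 'login' checks the line password
                state[current]["login"] = words[1] if len(words) > 1 else "line"
            elif words[0] == "password":
                state[current]["password"] = True
        else:
            current = None            # left the line block
    modes = {}
    for name, s in state.items():
        if s["login"] == "line":
            modes[name] = "password" if s["password"] else "login-no-password"
        else:
            modes[name] = s["login"] or "none"
    return modes

def audit(config, confreg):
    """Return (password recovery disabled?, findings) for one config and register value."""
    findings = [f"{name}: login mode is '{mode}'"
                for name, mode in line_auth(config).items()
                if name.startswith(("line con", "line aux"))
                and mode in ("none", "login-no-password")]
    if confreg & IGNORE_NVRAM_BIT:
        findings.append(f"config-register {confreg:#06x}: bit 6 set, startup-config ignored")
    locked = re.search(r"^no service password-recovery\s*$", config, re.M) is not None
    return locked, findings
```

Calling `audit(SAMPLE_CONFIG, 0x2102)` on the constructed sample reports the unprotected aux line; passing a register value with bit 6 set adds the startup-config finding.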