Actually, setting bit 8 to 0 disables the break feature when the routing is
running normally, NOT during boot (this is the default). Setting this bit
to 1, some shmoe could press the break key while it is up and routing
normally, the router would drop into ROM mode, thereby stoping the
forwarding of all packets. As you might imagine, this is a VERY dangerous
bit to play with.
Again, we come back to the viability of a big padlock...
K
-----
Kristopher B. Climie, CCNP, CCDP
"Ole Drews Jensen" <[EMAIL PROTECTED]> wrote in message
2019FB428FD3D311893700508B71EBFB313920@RWR_MAIL_SVR">news:2019FB428FD3D311893700508B71EBFB313920@RWR_MAIL_SVR...
> Well, the "no service password-recovery" is an unknown command on my
Routers
> / Switches, but you could set the config register bit 8 to 0, which would
> disable the BREAK feature.
>
> Hth,
>
> Ole
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNA, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
> -----Original Message-----
> From: Chris McCoy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 12, 2000 10:50 PM
> To: Bob Wilson; [EMAIL PROTECTED]
> Subject: Re: can you shutdown a console port?
>
>
> I've tried this configuration before, and all I can say is it must set a
> bit in NVRAM somewhere that ROM monitor inspects on bootup. Or ROM
monitor
> could parse the config in NVRAM. It also has dependencies on the system
> being configured a certain way. For instance, the bit that determines
> whether the router ignores the startup-configuration must be cleared for
no
> service password-recovery to work. In fact, it complains otherwise. When
> no service password-recovery is configured, ROM monitor simply refuses to
> respond to breaks. This could definitely suck if you need to break into a
> router for legitimate reasons. This is probably why it is undocumented.
I
> would imagine if you could somehow wipe out NVRAM, you could bypass it.
>
> To make a long story short, there is no substitute for physical
security.
>
> Chris M.
>
> ----- Original Message -----
> From: "Bob Wilson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 7:55 PM
> Subject: Re: can you shutdown a console port?
>
>
> > Correct me if I'm wrong -- if you input something like 'no service
> > password-recovery' doesn't it go into the running config, and then into
> > flash if you save the running config there? So if you restart the
router
> > with a cable in the console and send it a break, you'll boot into ROMMON
> and
> > it will never look at the config that's in flash, and you can have your
> way
> > with it. Right?
> >
> >
> > ----- Original Message -----
> > From: Chris McCoy <[EMAIL PROTECTED]>
> > To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
> > <[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 9:18 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > There's an undocumented command called 'no service password-recovery'
> > which
> > > will keep people from breaking into routers. Make sure you have a way
> in,
> > > otherwise!
> > >
> > > Chris M.
> > >
> > > ----- Original Message -----
> > > From: "John Kaberna" <[EMAIL PROTECTED]>
> > > To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> > > <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 12, 2000 2:43 PM
> > > Subject: Re: can you shutdown a console port?
> > >
> > >
> > > > The last statement was incorrect!!
> > > >
> > > > Console and aux ports DO NOT require a password. VTY's do however.
> You
> > > > should set a complex password on your console and aux port.
> > > >
> > > > The other thing you can do is setup local authentication which will
> > > require
> > > > a username and matching password. This will make it even harder to
> > break.
> > > >
> > > > You can also weed out a few amatuers by changing your console speed
to
> > > > something other than 9600. When I tested mine I didn't even get
ascii
> > > text
> > > > so there is no indication the speed is set wrong. That may be
> different
> > > > with other terminal programs though (I'm using SecureCRT 3.1).
> > > >
> > > > You should be ok as long as you have physical security and good
> > passwords
> > > > you likely won't have any problems.
> > > >
> > > > John
> > > >
> > > > ----- Original Message -----
> > > > From: beth shriver <[EMAIL PROTECTED]>
> > > > To: David L. Blair <[EMAIL PROTECTED]>
> > > > Cc: <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, September 12, 2000 12:52 PM
> > > > Subject: Re: can you shutdown a console port?
> > > >
> > > >
> > > > > if you use the password recovery technique and hit
> > > > > break during boot . and go to rommon mode.. would the
> > > > > router even know there is a password on the console?
> > > > > thanks
> > > > > Beth
> > > > > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > > > > require a password on the console port and do not
> > > > > > supply a password. That
> > > > > > will effectively deny all access via the console
> > > > > > port.
> > > > > >
> > > > > > -dlb
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "beth shriver" <[EMAIL PROTECTED]>
> > > > > > Newsgroups: groupstudy.cisco
> > > > > > Sent: Tuesday, September 12, 2000 8:43 AM
> > > > > > Subject: can you shutdown a console port?
> > > > > >
> > > > > >
> > > > > > > Is there anyway to keep someone from plugging in a
> > > > > > > console port and using password recovery procedure
> > > > > > to
> > > > > > > get into a router? for instance if you have a
> > > > > > router
> > > > > > > at a remote site and someone decides they want to
> > > > > > > alter your config etc. what could stop them?
> > > > > > (besides
> > > > > > > a huge padlock ?)
> > > > > > >
> > > > > > >
> > > > > > > __________________________________________________
> > > > > > > Do You Yahoo!?
> > > > > > > Yahoo! Mail - Free email you can access from
> > > > > > anywhere!
> > > > > > > http://mail.yahoo.com/
> > > > > > >
> > > > > > > **NOTE: New CCNA/CCDA List has been formed. For
> > > > > > more information go to
> > > > > > > http://www.groupstudy.com/list/Associates.html
> > > > > > > _________________________________
> > > > > > > UPDATED Posting Guidelines:
> > > > > > http://www.groupstudy.com/list/guide.html
> > > > > > > FAQ, list archives, and subscription info:
> > > > > > http://www.groupstudy.com
> > > > > > > Report misconduct and Nondisclosure violations to
> > > > > > [EMAIL PROTECTED]
> > > > > > >
> > > > >
> > > > >
> > > > > __________________________________________________
> > > > > Do You Yahoo!?
> > > > > Yahoo! Mail - Free email you can access from anywhere!
> > > > > http://mail.yahoo.com/
> > > > >
> > > > > **NOTE: New CCNA/CCDA List has been formed. For more information
go
> to
> > > > > http://www.groupstudy.com/list/Associates.html
> > > > > _________________________________
> > > > > UPDATED Posting Guidelines:
> http://www.groupstudy.com/list/guide.html
> > > > > FAQ, list archives, and subscription info:
http://www.groupstudy.com
> > > > > Report misconduct and Nondisclosure violations to
> [EMAIL PROTECTED]
> > > >
> > > > **NOTE: New CCNA/CCDA List has been formed. For more information go
to
> > > > http://www.groupstudy.com/list/Associates.html
> > > > _________________________________
> > > > UPDATED Posting Guidelines:
http://www.groupstudy.com/list/guide.html
> > > > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > > > Report misconduct and Nondisclosure violations to
[EMAIL PROTECTED]
> > >
> > > **NOTE: New CCNA/CCDA List has been formed. For more information go to
> > > http://www.groupstudy.com/list/Associates.html
> > > _________________________________
> > > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
> > >
> >
> > **NOTE: New CCNA/CCDA List has been formed. For more information go to
> > http://www.groupstudy.com/list/Associates.html
> > _________________________________
> > UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> > FAQ, list archives, and subscription info: http://www.groupstudy.com
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
> **NOTE: New CCNA/CCDA List has been formed. For more information go to
> http://www.groupstudy.com/list/Associates.html
> _________________________________
> UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
> FAQ, list archives, and subscription info: http://www.groupstudy.com
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
>
**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]