RE: can you shutdown a console port?

2000-09-13 Thread Trevor Corness

Not a problem.. find your nearest router with an ISDN BRI or even better,
PRI port.  Boot this router up, and enable the ISDN port.  Insert one end of
an RJ-45 cable into this ISDN, making sure the other end is FAR away from
your switches.  Then go around your rack of routers you would like to
secure, and carefully insert the other end of the RJ-45 cable into the
appropriate router's console port.

Please note to pay attention to not ignore the happenings, as there may be a
little smoke, and the RJ45 cable may warm up quickly.  If this occurs,
quickly power off the ISDN router, and if required, apply fire extinguisher.
(haha, it's not that bad, but couldn't resist).

Voila.. permanently secure console port.

Of course, please reference your service contract with Cisco Systems prior
to applying this procedure, to see something about malicious misconduct
affecting your warranty.

-
This is a comical reply.  Don't try this at home, kids.  We are highly
trained professionals.

Regards,
  Trevor Corness, CCNA MCSE MCP+I CiscoConsoleSecurityAssociate.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
beth shriver
Sent: September 12, 2000 5:41 AM
To: [EMAIL PROTECTED]
Subject: can you shutdown a console port?


Is there anyway to keep someone from plugging in a
console port and using password recovery procedure to
get into a router? for instance if you have a router
at a remote site and someone decides they want to
alter your config etc. what could stop them? (besides
a huge padlock ?)



**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Re: can you shutdown a console port?

2000-09-13 Thread Kristopher B. Climie

Actually, setting bit 8 to 0 disables the break feature when the routing is
running normally, NOT during boot (this is the default).  Setting this bit
to 1, some shmoe could press the break key while it is up and routing
normally, the router would drop into ROM mode, thereby stopping the
forwarding of all packets.  As you might imagine, this is a VERY dangerous
bit to play with.

Again, we come back to the viability of a big padlock...

K

-
Kristopher B. Climie, CCNP, CCDP


"Ole Drews Jensen" <[EMAIL PROTECTED]> wrote in message
news:2019FB428FD3D311893700508B71EBFB313920@RWR_MAIL_SVR...
> Well, the "no service password-recovery" is an unknown command on my Routers
> / Switches, but you could set the config register bit 8 to 0, which would
> disable the BREAK feature.
>
> Hth,
>
> Ole
>
> ~~
>  Ole Drews Jensen
>  Systems Network Manager
>  CCNA, MCSE, MCP+I
>  RWR Enterprises, Inc.
>  [EMAIL PROTECTED]
> ~~
>
>
>
> -Original Message-
> From: Chris McCoy [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 12, 2000 10:50 PM
> To: Bob Wilson; [EMAIL PROTECTED]
> Subject: Re: can you shutdown a console port?
>
>
>   I've tried this configuration before, and all I can say is it must set a
> bit in NVRAM somewhere that ROM monitor inspects on bootup.  Or ROM monitor
> could parse the config in NVRAM.  It also has dependencies on the system
> being configured a certain way.  For instance, the bit that determines
> whether the router ignores the startup-configuration must be cleared for no
> service password-recovery to work.  In fact, it complains otherwise.  When
> no service password-recovery is configured, ROM monitor simply refuses to
> respond to breaks.  This could definitely suck if you need to break into a
> router for legitimate reasons.  This is probably why it is undocumented.  I
> would imagine if you could somehow wipe out NVRAM, you could bypass it.
>
>   To make a long story short, there is no substitute for physical security.
>
> Chris M.
>
> - Original Message -
> From: "Bob Wilson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 7:55 PM
> Subject: Re: can you shutdown a console port?
>
>
> > Correct me if I'm wrong -- if you input something like 'no service
> > password-recovery' doesn't it go into the running config, and then into
> > flash if you save the running config there?  So if you restart the router
> > with a cable in the console and send it a break, you'll boot into ROMMON and
> > it will never look at the config that's in flash, and you can have your way
> > with it.  Right?
> >
> >
> > ----- Original Message -
> > From: Chris McCoy <[EMAIL PROTECTED]>
> > To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
> > <[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 9:18 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > There's an undocumented command called 'no service password-recovery' which
> > > will keep people from breaking into routers.  Make sure you have a way in,
> > > otherwise!
> > >
> > > Chris M.
> > >
> > > - Original Message -
> > > From: "John Kaberna" <[EMAIL PROTECTED]>
> > > To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> > > <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 12, 2000 2:43 PM
> > > Subject: Re: can you shutdown a console port?
> > >
> > >
> > > > The last statement was incorrect!!
> > > >
> > > > Console and aux ports DO NOT require a password.  VTY's do however.  You
> > > > should set a complex password on your console and aux port.
> > > >
> > > > The other thing you can do is setup local authentication which will require
> > > > a username and matching password.  This will make it even harder to break.
> > > >
> > > > You can also weed out a few amateurs by changing your console speed to
> > > > something other than 9600.  When I tested mine I didn't even get ascii text
> > > > so there is no indication the speed is set wrong.  That may be different
> > > > with other term

RE: can you shutdown a console port?

2000-09-13 Thread Ole Drews Jensen

Well, the "no service password-recovery" is an unknown command on my Routers
/ Switches, but you could set the config register bit 8 to 0, which would
disable the BREAK feature.

Hth,

Ole

~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~



-Original Message-
From: Chris McCoy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 12, 2000 10:50 PM
To: Bob Wilson; [EMAIL PROTECTED]
Subject: Re: can you shutdown a console port?


  I've tried this configuration before, and all I can say is it must set a
bit in NVRAM somewhere that ROM monitor inspects on bootup.  Or ROM monitor
could parse the config in NVRAM.  It also has dependencies on the system
being configured a certain way.  For instance, the bit that determines
whether the router ignores the startup-configuration must be cleared for no
service password-recovery to work.  In fact, it complains otherwise.  When
no service password-recovery is configured, ROM monitor simply refuses to
respond to breaks.  This could definitely suck if you need to break into a
router for legitimate reasons.  This is probably why it is undocumented.  I
would imagine if you could somehow wipe out NVRAM, you could bypass it.

  To make a long story short, there is no substitute for physical security.

Chris M.

- Original Message -
From: "Bob Wilson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 7:55 PM
Subject: Re: can you shutdown a console port?


> Correct me if I'm wrong -- if you input something like 'no service
> password-recovery' doesn't it go into the running config, and then into
> flash if you save the running config there?  So if you restart the router
> with a cable in the console and send it a break, you'll boot into ROMMON and
> it will never look at the config that's in flash, and you can have your way
> with it.  Right?
>
>
> - Original Message -
> From: Chris McCoy <[EMAIL PROTECTED]>
> To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
> <[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 9:18 PM
> Subject: Re: can you shutdown a console port?
>
>
> > There's an undocumented command called 'no service password-recovery' which
> > will keep people from breaking into routers.  Make sure you have a way in,
> > otherwise!
> >
> > Chris M.
> >
> > - Original Message -
> > From: "John Kaberna" <[EMAIL PROTECTED]>
> > To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 2:43 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > The last statement was incorrect!!
> > >
> > > Console and aux ports DO NOT require a password.  VTY's do however.  You
> > > should set a complex password on your console and aux port.
> > >
> > > The other thing you can do is setup local authentication which will require
> > > a username and matching password.  This will make it even harder to break.
> > >
> > > You can also weed out a few amateurs by changing your console speed to
> > > something other than 9600.  When I tested mine I didn't even get ascii text
> > > so there is no indication the speed is set wrong.  That may be different
> > > with other terminal programs though (I'm using SecureCRT 3.1).
> > >
> > > You should be ok as long as you have physical security and good passwords
> > > you likely won't have any problems.
> > >
> > > John
> > >
> > > - Original Message -
> > > From: beth shriver <[EMAIL PROTECTED]>
> > > To: David L. Blair <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 12, 2000 12:52 PM
> > > Subject: Re: can you shutdown a console port?
> > >
> > >
> > > > if you use the password recovery technique and hit
> > > > break during boot . and go to rommon mode.. would the
> > > > router even know there is a password on the console?
> > > > thanks
> > > > Beth
> > > > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > > > require a password on the console port and do not
> > > > > supply a password.  That
> > > > >

Re: can you shutdown a console port?

2000-09-12 Thread Chris McCoy

  I've tried this configuration before, and all I can say is it must set a
bit in NVRAM somewhere that ROM monitor inspects on bootup.  Or ROM monitor
could parse the config in NVRAM.  It also has dependencies on the system
being configured a certain way.  For instance, the bit that determines
whether the router ignores the startup-configuration must be cleared for no
service password-recovery to work.  In fact, it complains otherwise.  When
no service password-recovery is configured, ROM monitor simply refuses to
respond to breaks.  This could definitely suck if you need to break into a
router for legitimate reasons.  This is probably why it is undocumented.  I
would imagine if you could somehow wipe out NVRAM, you could bypass it.

  To make a long story short, there is no substitute for physical security.

Chris M.

- Original Message -
From: "Bob Wilson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 7:55 PM
Subject: Re: can you shutdown a console port?


> Correct me if I'm wrong -- if you input something like 'no service
> password-recovery' doesn't it go into the running config, and then into
> flash if you save the running config there?  So if you restart the router
> with a cable in the console and send it a break, you'll boot into ROMMON and
> it will never look at the config that's in flash, and you can have your way
> with it.  Right?
>
>
> - Original Message -
> From: Chris McCoy <[EMAIL PROTECTED]>
> To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
> <[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 9:18 PM
> Subject: Re: can you shutdown a console port?
>
>
> > There's an undocumented command called 'no service password-recovery' which
> > will keep people from breaking into routers.  Make sure you have a way in,
> > otherwise!
> >
> > Chris M.
> >
> > - Original Message -
> > From: "John Kaberna" <[EMAIL PROTECTED]>
> > To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> > <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 2:43 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > The last statement was incorrect!!
> > >
> > > Console and aux ports DO NOT require a password.  VTY's do however.  You
> > > should set a complex password on your console and aux port.
> > >
> > > The other thing you can do is setup local authentication which will require
> > > a username and matching password.  This will make it even harder to break.
> > >
> > > You can also weed out a few amateurs by changing your console speed to
> > > something other than 9600.  When I tested mine I didn't even get ascii text
> > > so there is no indication the speed is set wrong.  That may be different
> > > with other terminal programs though (I'm using SecureCRT 3.1).
> > >
> > > You should be ok as long as you have physical security and good passwords
> > > you likely won't have any problems.
> > >
> > > John
> > >
> > > - Original Message -
> > > From: beth shriver <[EMAIL PROTECTED]>
> > > To: David L. Blair <[EMAIL PROTECTED]>
> > > Cc: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 12, 2000 12:52 PM
> > > Subject: Re: can you shutdown a console port?
> > >
> > >
> > > > if you use the password recovery technique and hit
> > > > break during boot . and go to rommon mode.. would the
> > > > router even know there is a password on the console?
> > > > thanks
> > > > Beth
> > > > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > > > require a password on the console port and do not
> > > > > supply a password.  That
> > > > > will effectively deny all access via the console
> > > > > port.
> > > > >
> > > > > -dlb
> > > > >
> > > > > - Original Message -
> > > > > From: "beth shriver" <[EMAIL PROTECTED]>
> > > > > Newsgroups: groupstudy.cisco
> > > > > Sent: Tuesday, September 12, 2000 8:43 AM
> > > > > Subject: can you shutdown a console port?
> > > > >
> > > > >
> > > > > > Is there anyway to keep 
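
The settings debated in the replies above (configuration-register bits, `no service password-recovery`, console and aux logins) can be checked from captured `show version` and `show running-config` text; this is an added example, not code from any poster in the thread. It follows Cisco's published register layout (0x0100 set means Break is ignored once IOS is running, 0x0040 set means the startup-config is skipped at boot); the function names, finding codes and sample outputs are constructed for illustration.

```python
import re

# Bit meanings from Cisco's published configuration-register layout.
BREAK_DISABLED = 0x0100  # bit 8: set = Break ignored once IOS is running
IGNORE_NVRAM = 0x0040    # bit 6: set = boot without loading startup-config

CONFREG_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)

# Constructed sample outputs (not captured from a real device).
SHOW_VERSION_DEFAULT = "cisco 2500 (68030) processor\nConfiguration register is 0x2102\n"
SHOW_VERSION_TAMPERED = (
    "cisco 2500 (68030) processor\n"
    "Configuration register is 0x2142 (will be 0x2002 at next reload)\n"
)
HARDENED_CONFIG = """\
no service password-recovery
!
line con 0
 login local
line aux 0
 login local
line vty 0 4
 login local
"""
DEFAULT_CONFIG = """\
service timestamps debug uptime
!
line con 0
line aux 0
line vty 0 4
 login
"""


def decode_confreg(value):
    """Return the two security-relevant flags of a config-register value."""
    return {
        "break_halts_running_router": not value & BREAK_DISABLED,
        "ignores_startup_config": bool(value & IGNORE_NVRAM),
    }


def line_sections(running_config):
    """Map each 'line ...' header to the indented sub-commands under it."""
    sections, current = {}, None
    for raw in running_config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit(show_version, running_config):
    """Return a sorted list of (hypothetical) finding codes for one device."""
    findings = set()
    match = CONFREG_RE.search(show_version)
    if match is None:
        findings.add("CONFREG_NOT_FOUND")
    else:
        current = int(match.group(1), 16)
        values = {"CURRENT": current}
        if match.group(2) and int(match.group(2), 16) != current:
            # Someone changed the register; it takes effect at next reload.
            values["PENDING"] = int(match.group(2), 16)
            findings.add("CONFREG_CHANGES_AT_RELOAD")
        for label, value in values.items():
            flags = decode_confreg(value)
            if flags["break_halts_running_router"]:
                findings.add(label + "_BREAK_HALTS_ROUTER")
            if flags["ignores_startup_config"]:
                findings.add(label + "_STARTUP_CONFIG_IGNORED")
    config_lines = [line.strip() for line in running_config.splitlines()]
    if "no service password-recovery" not in config_lines:
        # Break during boot still reaches ROM monitor: physical security only.
        findings.add("ROMMON_RECOVERY_AVAILABLE")
    for name, cmds in line_sections(running_config).items():
        if name.startswith(("line con", "line aux")):
            if not any(c == "login" or c.startswith("login ") for c in cmds):
                findings.add("NO_LOGIN_ON_" + name.split()[1].upper())
    return sorted(findings)


if __name__ == "__main__":
    print(audit(SHOW_VERSION_DEFAULT, HARDENED_CONFIG))
    print(audit(SHOW_VERSION_TAMPERED, DEFAULT_CONFIG))
```
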

Re: can you shutdown a console port?

2000-09-12 Thread Bob Wilson

Correct me if I'm wrong -- if you input something like 'no service
password-recovery' doesn't it go into the running config, and then into
flash if you save the running config there?  So if you restart the router
with a cable in the console and send it a break, you'll boot into ROMMON and
it will never look at the config that's in flash, and you can have your way
with it.  Right?


- Original Message -
From: Chris McCoy <[EMAIL PROTECTED]>
To: John Kaberna <[EMAIL PROTECTED]>; beth shriver
<[EMAIL PROTECTED]>; David L. Blair <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 9:18 PM
Subject: Re: can you shutdown a console port?


> There's an undocumented command called 'no service password-recovery' which
> will keep people from breaking into routers.  Make sure you have a way in,
> otherwise!
>
> Chris M.
>
> - Original Message -
> From: "John Kaberna" <[EMAIL PROTECTED]>
> To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
> <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 2:43 PM
> Subject: Re: can you shutdown a console port?
>
>
> > The last statement was incorrect!!
> >
> > Console and aux ports DO NOT require a password.  VTY's do however.  You
> > should set a complex password on your console and aux port.
> >
> > The other thing you can do is setup local authentication which will require
> > a username and matching password.  This will make it even harder to break.
> >
> > You can also weed out a few amateurs by changing your console speed to
> > something other than 9600.  When I tested mine I didn't even get ascii text
> > so there is no indication the speed is set wrong.  That may be different
> > with other terminal programs though (I'm using SecureCRT 3.1).
> >
> > You should be ok as long as you have physical security and good passwords
> > you likely won't have any problems.
> >
> > John
> >
> > - Original Message -
> > From: beth shriver <[EMAIL PROTECTED]>
> > To: David L. Blair <[EMAIL PROTECTED]>
> > Cc: <[EMAIL PROTECTED]>
> > Sent: Tuesday, September 12, 2000 12:52 PM
> > Subject: Re: can you shutdown a console port?
> >
> >
> > > if you use the password recovery technique and hit
> > > break during boot . and go to rommon mode.. would the
> > > router even know there is a password on the console?
> > > thanks
> > > Beth
> > > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > > require a password on the console port and do not
> > > > supply a password.  That
> > > > will effectively deny all access via the console
> > > > port.
> > > >
> > > > -dlb
> > > >
> > > > - Original Message -
> > > > From: "beth shriver" <[EMAIL PROTECTED]>
> > > > Newsgroups: groupstudy.cisco
> > > > Sent: Tuesday, September 12, 2000 8:43 AM
> > > > Subject: can you shutdown a console port?
> > > >
> > > >
> > > > > > Is there anyway to keep someone from plugging in a
> > > > > > console port and using password recovery procedure to
> > > > > > get into a router? for instance if you have a router
> > > > > > at a remote site and someone decides they want to
> > > > > > alter your config etc. what could stop them? (besides
> > > > > > a huge padlock ?)
> > > > >
> > > > >

Re: can you shutdown a console port?

2000-09-12 Thread Chris McCoy

There's an undocumented command called 'no service password-recovery' which
will keep people from breaking into routers.  Make sure you have a way in,
otherwise!

Chris M.

- Original Message -
From: "John Kaberna" <[EMAIL PROTECTED]>
To: "beth shriver" <[EMAIL PROTECTED]>; "David L. Blair"
<[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, September 12, 2000 2:43 PM
Subject: Re: can you shutdown a console port?


> The last statement was incorrect!!
>
> Console and aux ports DO NOT require a password.  VTY's do however.  You
> should set a complex password on your console and aux port.
>
> The other thing you can do is setup local authentication which will require
> a username and matching password.  This will make it even harder to break.
>
> You can also weed out a few amateurs by changing your console speed to
> something other than 9600.  When I tested mine I didn't even get ascii text
> so there is no indication the speed is set wrong.  That may be different
> with other terminal programs though (I'm using SecureCRT 3.1).
>
> You should be ok as long as you have physical security and good passwords
> you likely won't have any problems.
>
> John
>
> - Original Message -
> From: beth shriver <[EMAIL PROTECTED]>
> To: David L. Blair <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 12:52 PM
> Subject: Re: can you shutdown a console port?
>
>
> > if you use the password recovery technique and hit
> > break during boot . and go to rommon mode.. would the
> > router even know there is a password on the console?
> > thanks
> > Beth
> > --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> > > require a password on the console port and do not
> > > supply a password.  That
> > > will effectively deny all access via the console
> > > port.
> > >
> > > -dlb
> > >
> > > - Original Message -
> > > From: "beth shriver" <[EMAIL PROTECTED]>
> > > Newsgroups: groupstudy.cisco
> > > Sent: Tuesday, September 12, 2000 8:43 AM
> > > Subject: can you shutdown a console port?
> > >
> > >
> > > > Is there anyway to keep someone from plugging in a
> > > > console port and using password recovery procedure to
> > > > get into a router? for instance if you have a router
> > > > at a remote site and someone decides they want to
> > > > alter your config etc. what could stop them? (besides
> > > > a huge padlock ?)
> > > >
> > > >



Re: can you shutdown a console port?

2000-09-12 Thread Kristopher B. Climie

Maybe I should have read the entire thread first...

In answer to the question, "Is there anyway to keep someone from plugging in
a console port and using password recovery procedure to get into a router? "
the answer is an unequivocal yes.  How can that be, seeing as when you hit
the break at boot you get the rmon prompt?  Easy --  put the router in a
lockable rack case, in a locked room.

As the thief who took my cell phone and $3 sunglasses from my car this
weekend proved, if you want something bad enough, no matter how worthless it
is, there is always a way to get it  (And no, that was not a typo, someone
stole my $3 sunglasses -- may they rot for it too!).

K
-
Kristopher B. Climie, CCNP, CCDP


> From: [EMAIL PROTECTED] ("Kristopher B. Climie")
> Organization: GroupStudy.com Discussion Groups
> Newsgroups: groupstudy.cisco
> Date: 12 Sep 2000 19:40:16 -0400
> Subject: Re: can you shutdown a console port?
> 
> Don't forget about TACACS+ and Radius...
> K
> 
> -
> Kristopher B. Climie, CCNP, CCDP
> 
>> From: [EMAIL PROTECTED] ("John Kaberna")
>> Organization: GroupStudy.com Discussion Groups
>> Newsgroups: groupstudy.cisco
>> Date: 12 Sep 2000 17:48:38 -0400
>> Subject: Re: can you shutdown a console port?
>> 
>> The last statement was incorrect!!
>> 
>> Console and aux ports DO NOT require a password.  VTY's do however.  You
>> should set a complex password on your console and aux port.
>> 
>> The other thing you can do is setup local authentication which will require
>> a username and matching password.  This will make it even harder to break.
>> 
>> You can also weed out a few amateurs by changing your console speed to
>> something other than 9600.  When I tested mine I didn't even get ascii text
>> so there is no indication the speed is set wrong.  That may be different
>> with other terminal programs though (I'm using SecureCRT 3.1).
>> 
>> You should be ok as long as you have physical security and good passwords
>> you likely won't have any problems.
>> 
>> John
>> 
>> - Original Message -
>> From: beth shriver <[EMAIL PROTECTED]>
>> To: David L. Blair <[EMAIL PROTECTED]>
>> Cc: <[EMAIL PROTECTED]>
>> Sent: Tuesday, September 12, 2000 12:52 PM
>> Subject: Re: can you shutdown a console port?
>> 
>> 
>>> if you use the password recovery technique and hit
>>> break during boot . and go to rommon mode.. would the
>>> router even know there is a password on the console?
>>> thanks
>>> Beth
>>> --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
>>>> require a password on the console port and do not
>>>> supply a password.  That
>>>> will effectively deny all access via the console
>>>> port.
>>>> 
>>>> -dlb
>>>> 
>>>> - Original Message -
>>>> From: "beth shriver" <[EMAIL PROTECTED]>
>>>> Newsgroups: groupstudy.cisco
>>>> Sent: Tuesday, September 12, 2000 8:43 AM
>>>> Subject: can you shutdown a console port?
>>>> 
>>>> 
>>>>> Is there anyway to keep someone from plugging in a
>>>>> console port and using password recovery procedure to
>>>>> get into a router? for instance if you have a router
>>>>> at a remote site and someone decides they want to
>>>>> alter your config etc. what could stop them? (besides
>>>>> a huge padlock ?)
>>>>> 
>>>>> 

Re: can you shutdown a console port?

2000-09-12 Thread Kristopher B. Climie

Don't forget about TACACS+ and Radius...
K

-
Kristopher B. Climie, CCNP, CCDP

> From: [EMAIL PROTECTED] ("John Kaberna")
> Organization: GroupStudy.com Discussion Groups
> Newsgroups: groupstudy.cisco
> Date: 12 Sep 2000 17:48:38 -0400
> Subject: Re: can you shutdown a console port?
> 
> The last statement was incorrect!!
> 
> Console and aux ports DO NOT require a password.  VTY's do however.  You
> should set a complex password on your console and aux port.
> 
> The other thing you can do is setup local authentication which will require
> a username and matching password.  This will make it even harder to break.
> 
> You can also weed out a few amateurs by changing your console speed to
> something other than 9600.  When I tested mine I didn't even get ascii text
> so there is no indication the speed is set wrong.  That may be different
> with other terminal programs though (I'm using SecureCRT 3.1).
> 
> You should be ok as long as you have physical security and good passwords
> you likely won't have any problems.
> 
> John
> 
> - Original Message -
> From: beth shriver <[EMAIL PROTECTED]>
> To: David L. Blair <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, September 12, 2000 12:52 PM
> Subject: Re: can you shutdown a console port?
> 
> 
>> if you use the password recovery technique and hit
>> break during boot . and go to rommon mode.. would the
>> router even know there is a password on the console?
>> thanks
>> Beth
>> --- "David L. Blair" <[EMAIL PROTECTED]> wrote:
>>> require a password on the console port and do not
>>> supply a password.  That
>>> will effectively deny all access via the console
>>> port.
>>> 
>>> -dlb
>>> 
>>> - Original Message -
>>> From: "beth shriver" <[EMAIL PROTECTED]>
>>> Newsgroups: groupstudy.cisco
>>> Sent: Tuesday, September 12, 2000 8:43 AM
>>> Subject: can you shutdown a console port?
>>> 
>>> 
>>>> Is there anyway to keep someone from plugging in a
>>>> console port and using password recovery procedure to
>>>> get into a router? for instance if you have a router
>>>> at a remote site and someone decides they want to
>>>> alter your config etc. what could stop them? (besides
>>>> a huge padlock ?)
>>>> 
>>>> 



Re: can you shutdown a console port?

2000-09-12 Thread beth shriver

if you use the password recovery technique and hit
break during boot . and go to rommon mode.. would the
router even know there is a password on the console?
thanks
Beth
--- "David L. Blair" <[EMAIL PROTECTED]> wrote:
> require a password on the console port and do not
> supply a password.  That
> will effectively deny all access via the console
> port.
> 
> -dlb
> 
> - Original Message -
> From: "beth shriver" <[EMAIL PROTECTED]>
> Newsgroups: groupstudy.cisco
> Sent: Tuesday, September 12, 2000 8:43 AM
> Subject: can you shutdown a console port?
> 
> 
> > Is there anyway to keep someone from plugging in a
> > console port and using password recovery procedure to
> > get into a router? for instance if you have a router
> > at a remote site and someone decides they want to
> > alter your config etc. what could stop them? (besides
> > a huge padlock ?)
> >
> >



Re: can you shutdown a console port?

2000-09-12 Thread Casey Fahey


>>>(besides a huge padlock ?)

That is pretty much it.  If someone has physical access to virtually any 
piece of equipment (router, switch, server, workstation, etc.) and they have 
the skills they will be able to take control of the device.

That is why you will see that most datacenters have locked doors, cabinets, 
cameras, climate control, UPS, etc.

HTH,

Casey

>From: beth shriver <[EMAIL PROTECTED]>
>Reply-To: beth shriver <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: can you shutdown a console port?
>Date: Tue, 12 Sep 2000 05:40:38 -0700 (PDT)
>
>Is there anyway to keep someone from plugging in a
>console port and using password recovery procedure to
>get into a router? for instance if you have a router
>at a remote site and someone decides they want to
>alter your config etc. what could stop them? (besides
>a huge padlock ?)
>
>