Introduction
This document provides sample configurations for configuring password protection for inbound EXEC connections to the router.
Prerequisites
Configure the Telnet password on Cisco routers and switches: R1#conf t, then R1(config)#line vty 0 4. Just replace line con 0 with line aux 0. Click scan and watch as the program scans the computer or device for open ports. Watch the nmap output until you see some words in green. These are the open ports on the computer or device. If port 23 is open, the device is hackable if there is no password set. Another way is to try to access some of the Cisco router's ports; you can do this simply by using telnet and opening a connection to the router on port 23. If it asks for a password but no username, you are at the router, but if it wants a username as well, you are probably at a firewall.
Requirements
In order to perform the tasks described in this document, you must have privileged EXEC access to the router's command line interface (CLI). For information on using the command line and for understanding command modes, see Using the Cisco IOS Command-Line Interface.
For instructions on connecting a console to your router, refer to the documentation that accompanied your router, or refer to the online documentation for your equipment.
Components Used
The information in this document is based on these software and hardware versions:
Cisco 2509 router
Cisco IOS® Software Version 12.2(19)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
Background Information
The use of password protection to control or restrict access to the command line interface (CLI) of your router is one of the fundamental elements of an overall security plan.
Protecting the router from unauthorized remote access, typically Telnet, is the most common security that needs configuring, but protecting the router from unauthorized local access cannot be overlooked.
Note: Password protection is just one of the many steps you should use in an effective in-depth network security regimen. Firewalls, access-lists, and control of physical access to the equipment are other elements that must be considered when implementing your security plan.
Command line, or EXEC, access to a router can be made in a number of ways, but in all cases the inbound connection to the router is made on a TTY line. There are four main types of TTY lines, as seen in this sample show line output:
The CTY line-type is the Console Port. On any router, it appears in the router configuration as line con 0 and in the output of the show line command as cty. The console port is mainly used for local system access using a console terminal.
The TTY lines are asynchronous lines used for inbound or outbound modem and terminal connections and can be seen in a router or access server configuration as line x. The specific line numbers are a function of the hardware built into or installed on the router or access server.
The AUX line is the Auxiliary port, seen in the configuration as line aux 0.
The VTY lines are the Virtual Terminal lines of the router, used solely to control inbound Telnet connections. They are virtual, in the sense that they are a function of software - there is no hardware associated with them. They appear in the configuration as line vty 0 4.
Each of these types of lines can be configured with password protection. Lines can be configured to use one password for all users, or for user-specific passwords. User-specific passwords can be configured locally on the router, or you can use an authentication server to provide authentication.
There is no prohibition against configuring different lines with different types of password protection. It is, in fact, common to see routers with a single password for the console and user-specific passwords for other inbound connections.
Below is an example of router output from the show running-config command:
Configure Passwords on the Line
To specify a password on a line, use the password command in line configuration mode. To enable password checking at login, use the login command in line configuration mode.
Configuration Procedure
In this example, a password is configured for all users attempting to use the console.
From the privileged EXEC (or 'enable') prompt, enter configuration mode and then switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode.
Configure the password, and enable password checking at login.
Exit configuration mode.
Note: Do not save configuration changes to line con 0 until your ability to log in has been verified.
Note: Under the line console configuration, login is a required configuration command to enable password checking at login. Console authentication requires both the password and the login commands to work.
Verify the Configuration
Examine the configuration of the router to verify that the commands have been properly entered:
show running-config - displays the current configuration of the router.
To test the configuration, log off the console and log in again, using the configured password to access the router:
Note: Before performing this test, ensure that you have an alternate connection into the router, such as Telnet or dial-in, in case there is a problem logging back into the router.
Troubleshoot Login Failure
If you cannot log back into the router and you have not saved the configuration, reloading the router will eliminate any configuration changes you have made.
If the configuration changes were saved and you cannot login to the router, you will have to perform a password recovery. See Password Recovery Procedures to find instructions for your particular platform.
Configure Local User-Specific Passwords
To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.
Configuration Procedure
In this example, passwords are configured for users attempting to connect to the router on the VTY lines using Telnet.
From the privileged EXEC (or 'enable') prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:
Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.
Configure password checking at login.
Exit configuration mode.
Note: In order to disable auto Telnet when you type a name on the CLI, configure no logging preferred on the line that is used. While transport preferred none provides the same output, it also disables auto Telnet for the defined hosts that are configured with the ip host command. This is unlike the no logging preferred command, which stops it for undefined hosts and lets it work for the defined ones.
Verify the Configuration
Examine the configuration of the router to verify that the commands have been properly entered:
show running-config - displays the current configuration of the router.
To test this configuration, a Telnet connection must be made to the router. This can be done by connecting from a different host on the network, but you can also test from the router itself by telnetting to the IP address of any interface on the router that is in an up/up state as seen in the output of the show interfaces command.
Here is a sample output if the address of interface ethernet 0 were 10.1.1.1:
Troubleshoot User-specific Password Failure
Usernames and passwords are case-sensitive. Users attempting to log in with an incorrectly cased username or password will be rejected.
If users are unable to log into the router with their specific passwords, reconfigure the username and password on the router.
Configure AUX Line Password
In order to specify a password on the AUX line, issue the password command in line configuration mode. In order to enable password checking at login, issue the login command in line configuration mode.
Configuration Procedure
In this example, a password is configured for all users attempting to use the AUX port.
Issue the show line command in order to verify the line used by the AUX port.
In this example, the AUX port is on line 65. Issue these commands in order to configure the router AUX line:
Verify Configuration
Examine the configuration of the router in order to verify that the commands have been properly entered:
The show running-config command displays the current configuration of the router:
Configure AAA Authentication for Login
To enable authentication, authorization, and accounting (AAA) authentication for logins, use the login authentication command in line configuration mode. AAA services must also be configured.
Configuration Procedure
In this example, the router is configured to retrieve users' passwords from a TACACS+ server when users attempt to connect to the router.
Note: Configuring the router to use other types of AAA servers (RADIUS, for example) is similar. See Configuring Authentication for additional information.
Note: This document does not address configuration of the AAA server itself.
From the privileged EXEC (or 'enable') prompt, enter configuration mode and enter the commands to configure the router to use AAA services for authentication:
Switch to line configuration mode using the following commands. Notice that the prompt changes to reflect the current mode.
Configure password checking at login.
Exit configuration mode.
Verify the Configuration
Examine the configuration of the router to verify that the commands have been properly entered:
show running-config - displays the current configuration of the router.
To test this particular configuration, an inbound or outbound connection must be made to the line. See the Modem - Router Connection Guide for specific information on configuring async lines for modem connections.
Alternately, you can configure one or more VTY lines to perform AAA authentication and perform your testing thereupon.
Troubleshoot AAA Login Failure
Before issuing debug commands, see Important Information on Debug Commands.
To troubleshoot a failed login attempt, use the debug command appropriate to your configuration:
Related Information
There are five passwords used to secure your Cisco routers: console, auxiliary, telnet (VTY), enable password, and enable secret. Just as you learned earlier in the chapter, the last two passwords are used to set your enable password that's used to secure privileged mode. This will prompt a user for a password when the enable command is used. The other three are used to configure a password when user mode is accessed either through the console port, through the auxiliary port, or via Telnet.
Cisco Router Auxiliary Password Setup
To configure the auxiliary password, go into global configuration mode and type line aux ?. You can see here that you only get a choice of 0–0 (that's because there's only one port):
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line aux ?
<0-0> First Line number
Router(config)#line aux 0
Router(config-line)#login
Router(config-line)#password admin
It's important to remember the login command, or the auxiliary port won't prompt for authentication. Now watch what happens when you try to set the Aux on the "newer" IOS that Cisco has released:
2600A#config t
Enter configuration commands, one per line. End with CNTL/Z.
2600A(config)#line aux 0
2600A(config-line)#login
% Login disabled on line 65, until 'password' is set
2600A(config-line)#
Cisco has begun this process of not letting you set the “login” command before a password is set on a line because if you set the login command under a line, and then don’t set a password, the line won’t be usable. And it will prompt for a password that doesn’t exist. So this is a good thing—a feature, not a hassle!
Cisco Router Console Password Setup
To set the console password, use the line console 0 command. But look at what happened when I tried to type line console 0 ? from the aux line configuration—you should receive an error. You can still type line console 0 and it will accept it, but the help screens just don't work from that prompt. Type exit to get back one level and you'll find that your help screens now work. This is a "feature." Really.
Example
Router(config-line)#line console ?
% Unrecognized command
Router(config-line)#exit
Router(config)#line console ?
<0-0> First Line number
Router(config)#line console 0
Router(config-line)# password admin1
Router(config-line)# login
Since there’s only one console port, you can only choose line console 0. You can set all your line passwords to the same password, but for security reasons, I’d recommend that you make them different.
There are a few other important commands to know for the console port.
For one, the exec-timeout 0 0 command sets the timeout for the console EXEC session to zero, which basically means to never time out. The default timeout is 10 minutes. (If you’re feeling mischievous, try this on people at work: Set it to 0 1. That will make the console time out in 1 second! And to fix it, you have to continually press the Down arrow key while changing the timeout time with your free hand!)
Logging synchronous is a very cool command, and it should be a default command, but it’s not. It stops annoying console messages from popping up and disrupting the input you’re trying to type. The messages still pop up, but you are returned to your router prompt without your input interrupted. This makes your input messages oh-so-much easier to read.
Here's an example of how to configure both commands:
Router(config)#line con 0
Router(config-line)#exec-timeout ?
<0-35791> Timeout in minutes
Router(config-line)#exec-timeout 0 ?
<0-2147483> Timeout in seconds
Router(config-line)#exec-timeout 0 0
Router(config-line)#logging synchronous
Cisco Router Telnet Password Setup
To set the user-mode password for Telnet access into the router, use the line vty command. Routers that aren't running the Enterprise edition of the Cisco IOS default to five VTY lines, 0 through 4. But if you have the Enterprise edition, you'll have significantly more. The best way to find out how many lines you have is to use that question mark:
Router(config-line)#line vty 0 ?
<1-4> Last Line Number
Router(config-line)#line vty 0 4
Router(config-line)# password admin2
Router(config-line)# login
You may or may not have to set the login command before the password on the VTY lines—depends on the IOS version. The result is the same either way.
So what will happen if you try to telnet into a router that doesn't have a VTY password set? You'll receive an error stating that the connection is refused because, well, the password isn't set. So, if you telnet into a router and receive this message:
Router#telnet SFRouter
Trying SFRouter (10.0.0.1)... Open
Password required, but none set
[Connection to SFRouter closed by foreign host]
Router#
Then the remote router (SFRouter in this example) does not have the VTY (telnet) password set. But you can get around this and tell the router to allow Telnet connections without a password by using the no login command:
Router(config-line)#line vty 0 4
Router(config-line)#no login
After your routers are configured with an IP address, you can use the Telnet program to configure and check your routers instead of having to use a console cable. You can use the Telnet program by typing telnet from any command prompt (DOS or Cisco).
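The line settings discussed above (password plus login on each line, login set before a password, exec-timeout 0 0, and no login on the VTY lines) can be checked offline against a saved configuration. The following is an added example, not code from the original tutorial or from Cisco; the sample configuration is constructed, and the names parse_line_blocks and audit_lines are hypothetical.

```python
# Constructed sample in the layout of show running-config output (not from the page).
SAMPLE_CONFIG = """\
!
line con 0
 exec-timeout 0 0
 password EXAMPLE-ONLY
 login
line aux 0
 password EXAMPLE-ONLY
line 1 8
 login
line vty 0 4
 no login
!
end
"""

def parse_line_blocks(config):
    """Map each 'line ...' header to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the line block
    return blocks

def audit_lines(config):
    """Return (line header, finding) pairs for weak login settings."""
    findings = []
    for header, cmds in parse_line_blocks(config).items():
        has_password = any(c.startswith("password ") for c in cmds)
        login_cmds = [c for c in cmds if c == "login" or c.startswith("login ")]
        if "no login" in cmds:
            findings.append((header, "no login: access allowed without a password"))
        elif not login_cmds:
            findings.append((header, "no login command: password checking is not enabled"))
        elif "login" in login_cmds and not has_password:
            findings.append((header, "login without password: line unusable until one is set"))
        if "exec-timeout 0 0" in cmds:
            findings.append((header, "exec-timeout 0 0: EXEC session never times out"))
    return findings

if __name__ == "__main__":
    for header, finding in audit_lines(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

Lines that use login local or login authentication are treated as having password checking enabled, since those modes do not rely on a line password.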
—Original tutorial & Comment discussion from debianadmin.com