Securing Console Access
Console access is the most privileged level of access to a Cisco device. It allows an administrator to configure, manage, and troubleshoot a device. If console access is not secured properly, unauthorized users can access the device, potentially compromising the network's security.
Console access is the only way to reach a device that has an empty configuration. Despite this importance, the console port has no access protection by default, so anyone with physical access to the port can connect and obtain a CLI session without restriction.
To fix this, you must configure protection so that access is granted only after successful authentication. There are two ways to authenticate users. The first is simpler and requires defining a password in the configuration mode of the console port using the “password password” command.
You also need to instruct the device to prompt the user to provide the password, which is configured using the “login” command. The following commands provide access protection on the console port with the password “C!sc0pa$$”:
Once configured, the console password is kept in plaintext inside the running configuration. If you want to hide a plaintext password in the running configuration, you can encrypt it with type-7 encryption using the “service password-encryption” command.
NOTE: Keep in mind that this algorithm is extremely weak by modern-day cryptography standards. That is acceptable in this situation, since the goal is only to hide the console password, making it unreadable to a human looking at the configuration.
The other option for securing console access is to request multiple credentials: a username and a password, so the user must enter both instead of the password alone. Besides improving the authentication process, this also helps when multiple administrators need access to the device with different credentials.
To implement this, you must create an account in the device’s local database and define the username and password using the “username username password password” command.
Since you will use the local database instead of the local password configured under the configuration mode of the console port, you need to use the “login local” command instead of the “login” command.
This way, the device will prompt the user to provide both credentials and check them against the configured accounts in the local database. The following commands create an example local account and use it for the protection of console access:
A more secure way to configure a local account is to use a secret instead of a plaintext password. This is done with the “username username secret password” command. This way, only a hashed version of the password is saved in the running configuration. The MD5 or SHA algorithm will be used depending on the IOS version.
Additionally, you can change the default inactivity timeout of 10 minutes after which idle EXEC sessions are disconnected. If your company policy requires stricter rules, you can lower the timeout to 5 minutes or even less. The command for this parameter is “exec-timeout,” configured in the line configuration mode for console 0.
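To check a saved configuration against the points above, the following script (added here as an example; it is not code from the original page) parses constructed running-config excerpts and flags the weak settings discussed: a line password instead of login local, an account created with password instead of secret, and a missing or disabled exec-timeout. The sample configs and the five-minute idle policy are assumptions.

```python
import itertools
import re

# Constructed sample running-config excerpts (not from the original page).
WEAK_CONFIG = """\
username admin password C!sc0pa$$
line con 0
 password C!sc0pa$$
 login
"""
HARDENED_CONFIG = """\
username admin secret C!sc0pa$$
line con 0
 login local
 exec-timeout 5 0
"""

def console_section(config):
    """Return the indented commands under 'line con 0', or None if the section is absent."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"line con(sole)? 0\b", line):
            return [n.strip() for n in itertools.takewhile(lambda s: s.startswith(" "), lines[i + 1:])]
    return None

def audit_console(config, max_idle_minutes=5):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Accounts defined with 'password' are plaintext or reversible type 7; 'secret' stores a hash.
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)} uses 'password'; use 'secret' so only a hash is stored")
    section = console_section(config)
    if section is None:
        return findings + ["no 'line con 0' section: console access is unprotected"]
    if "login local" not in section:
        findings.append("console uses line password only; prefer 'login local'" if "login" in section
                        else "console has neither 'login' nor 'login local': no authentication prompt")
    if any(cmd.startswith("password ") for cmd in section):
        findings.append("line password on console is stored in plaintext (type 7 at best)")
    timeout = next((cmd.split() for cmd in section if cmd.startswith("exec-timeout")), None)
    if timeout is None:
        findings.append(f"exec-timeout not set; the 10 min default exceeds the {max_idle_minutes} min policy")
    else:  # 'exec-timeout 0 0' disables the idle timeout entirely
        seconds = int(timeout[1]) * 60 + (int(timeout[2]) if len(timeout) > 2 else 0)
        if seconds == 0 or seconds > max_idle_minutes * 60:
            findings.append(f"exec-timeout {' '.join(timeout[1:])} is disabled or longer than policy")
    return findings
```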