Controlling Root Authentication
Problem
When you first installed your router, you created a password for the root user (see Recipe 1.1). With this initial configuration, anyone who knows the root password can log in to the router using Telnet. You want to make the root login more secure.
Solution
There are two solutions, depending on the desired level of security. One solution is to use SSH for the root password. You can specify the root password in plain text as you are configuring the router:
[edit] root@router1# set system root-authentication ssh $1991poppI
You can also load an SSH key file from a server:
[edit]
aviva@router1# set system root-authentication load-key-file server1:/homes/aviva
/.ssh/id_dsa.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
aviva@router1# show
system {
root-authentication {
ssh-rsa "1024 35
9727638204084251055468226757249864241630322207404962528390382038690141584534964170019
6106083587229615634757849182736033612764418742659468932077391083448101268312595772262
5461667999278316123500438660915866283822489746732605661192181489539813965561563786211
94032768780653816960202749164163735913269396344008443
root@mynetwork.com"; # SECRET-
DATA
}
}
The second solution for providing root authentication forces the root user to log in using the router's console port:
[edit system] aviva@router1# set services ssh root-login deny
Discussion
There are two schools of thought about root access to the router. One suggests using SSH for the root password because SSH is more secure than using just the password you initially configured on the router. SSH provides inband access to the router, meaning that the root user can log in from anywhere in the network, especially if the router is part of a service provider network. A second school of thought suggests disabling SSH access for root altogether, forcing the root user to log in on the router's console port. Access using the console port is assumed to be secure in that you must be on the company's internal network to even have access to the console port.
Generally, there's very little reason to provide access to the root login inband, so unless you really need this on your network, for strict security you should not provide root SSH access.
If you use SSH to authenticate the root password, you need to first enable SSH services on the router and be running SSH on your server.
This first command in this recipe sets the root's SSH password by entering it directly in plain text in the router's configuration file. When you use the show command to view the configuration, you see only an encrypted version of the password. The second command copies an SSH key file from a server. After you type the command, the contents of the key file are immediately copied into the configuration file.
Any SSH password you set is in addition to the plain-text password. You should leave a local root password on the router so you can log in using the console port.
The second command in this recipe disables SSH for the root user altogether. Anyone needing to log in to the router as root must log in through the router's console. The reason for doing this is not so much that you want the root user to come in to the router through the console, but rather that you want him to log in using an individual account and then exit to the shell and use the su command to become root only if he needs to. There are two reasons for this. First, you want to avoid habitual use of the root account. Logging in with root is like running with scissors: there are lots of ways to hurt yourself. It's much better to get in the habit of using a nonroot account and su only when required. Second, and more importantly, you want to maintain accountability. If you log in to a router, su to root, and then do something horrible, there will be an audit trail to trace the source of the problem. However, if you had logged in as root in the first place, the action wouldn't be traceable to an individual router user.
See Also
Recipe 2.3
Router Configuration and File Management
- Introduction
- Configuring the Router for the First Time
- Configuring the Router from the CLI
- Getting Exclusive Access to Configure the Router
- Displaying the Commands to Recreate a Configuration
- Including Comments in the Configuration
- Checking the Syntax of the Configuration
- Activating the Router Configuration
- Debugging a Failed Commit
- Exiting Configuration Mode
- Keeping a Record of Configuration Changes
- Determining What Changes You Have Made to the Configuration
- Configuring the Router by Copying a File from a Server
- Configuring the Router by Copying Text from a Terminal Window
- Backing Up the Routers Configuration
- Scheduling the Activation of a Configuration
- Provisionally Activating a Configuration
- Loading a Previous Router Configuration
- Creating an Emergency Rescue Configuration
- Backing Up Filesystems on M-Series and T-Series Routers
- Backing Up Filesystems on J-Series Routers
- Restoring a Backed-Up Filesystem
- Installing a Different Software Release on M-Series and T-Series Routers
- Installing a Different Software Release on J-Series Routers
- Creating an Emergency Boot Disk
- Gathering Software Version Information
- Gathering Hardware Inventory Information
- Finding Out How Long the Router Has Been Up
- Gathering Information Before Contacting Support
- Managing Routers with Similar Configurations
- Managing Redundant Routing Engines
- Using the Second Routing Engine to Upgrade to a New Software Version
Basic Router Security and Access Control
- Basic Router Security and Access Control
- Introduction
- Allowing Access to the Router
- Controlling Root Authentication
- Logging In to the Routers Console
- Setting the Login Authentication Methods
- Setting Up Login Accounts on the Router
- Changing the Format of Plain-Text Passwords
- Changing the Plain-Text Password Encryption Method
- Creating a Login Account for Remote Authentication
- Creating a Group Login Account
- Customizing Account Privileges
- Creating a Privilege Class that Hides Encrypted Passwords
- Setting Up RADIUS User Authentication
- Setting Up TACACS+ User Authentication
- Restricting Inbound SSH and Telnet Access
- Setting the Source Address for Telnet Connections
- Creating a Login Banner
- Finding Out Who Is Logged In to the Router
- Logging Out of the Router
- Forcibly Logging a User Out
IPSec
- IPSec
- Introduction
- Configuring IPSec
- Configuring IPSec Dynamic SAs
- Creating IPSec Dynamic SAs on J-Series Routers or Routers with AS PICs
- Using Digital Certificates to Create Dynamic IPSec SAs
SNMP
- SNMP
- Introduction
- Configuring SNMP
- Setting Router Information for the MIB-II System Group
- Setting Up SNMP Traps
- Controlling SNMP Access to the Router
- Using a Firewall Filter to Protect SNMP Access
- Controlling Access to Router MIBs
- Extracting Software Inventory Information with SNMP
- Extracting Hardware Inventory Information with SNMP
- Collecting Router Operational Information with SNMP
- Logging SNMP Access to the Router
- Logging Enterprise-Specific Traps
- Using RMON Traps to Monitor the Routers Temperature
- Configuring SNMPv3
- Tracking Router Configuration Changes
- Setting Up SNMPv3 Traps
Logging
- Logging
- Introduction
- Turning On Logging
- Limiting the Messages Collected
- Including the Facility and Severity in Messages
- Changing the Size of a Logging File
- Clearing the Routers Logfiles
- Sending Log Messages to Your Screen
- Sending Logging Messages to a Log Server
- Saving Logging Messages to the Other Routing Engine
- Turning Off Logging
- Turning On Basic Tracing
- Monitoring Interface Traffic
NTP
- NTP
- Introduction
- Setting the Date and Time on the Router Manually
- Setting the Time Zone
- Synchronizing Time When the Router Boots
- Synchronizing Time Periodically
- Authenticating NTP
- Checking NTP Status
Router Interfaces
- Router Interfaces
- Introduction
- Viewing Interface Status
- Viewing Traffic Statistics on an Interface
- Setting an IP Address for the Router
- Setting the Routers Source Address
- Configuring an IPv4 Address on an Interface
- Configuring an IPv6 Address on an Interface
- Configuring an ISO Address on an Interface
- Creating an MPLS Protocol Family on a Logical Interface
- Configuring an Interface Description
- Choosing Primary and Preferred Interface Addresses
- Using the Management Interface
- Finding Out What IP Addresses Are Used on the Router
- Configuring Ethernet Interfaces
- Using VRRP on Ethernet Interfaces
- Connecting to an Ethernet Switch
- Configuring T1 Interfaces
- Performing a Loopback Test on a T1 Interface
- Setting Up a BERT Test on a T1 Interface
- Configuring Frame Relay on a T1 Interface
- Configuring a SONET Interface
- Using APS to Protect Against SONET Circuit Failures
- Configuring an ATM Interface
- Dealing with Nonconfigurable Interfaces
- Configuring Interfaces Before the PICs Are Installed
IP Routing
- IP Routing
- Introduction
- Viewing the Routes in the Routing Table
- Viewing Routes to a Particular Prefix
- Viewing Routes Learned from a Specific Protocol
- Displaying the Routes in the Forwarding Table
- Creating Static Routes
- Blackholing Routes
- Filtering Traffic Using Unicast Reverse-Path Forwarding
- Aggregating Routes
- Load-Balancing Traffic Flows
- Adding Martian Addresses
- Changing Route Preferences to Migrate to Another IGP
- Configuring Routing Protocols to Restart Without Losing Adjacencies
Routing Policy and Firewall Filters
- Routing Policy and Firewall Filters
- Introduction
- Creating a Simple Routing Policy
- Changing a Routes Routing Information
- Filtering Routes by IP Address
- Filtering Long Prefixes
- Filtering Unallocated Prefix Blocks
- Creating a Chain of Routing Policies
- Making Sure a Routing Policy Is Functioning Properly
- Creating a Simple Firewall Filter that Matches Packet Contents
- Creating a Firewall Filter that Negates a Match
- Reordering Firewall Terms
- Filtering Traffic Transiting the Router
- Using a Firewall Filter to Count Traffic on an Interface
- Logging the Traffic on an Interface
- Limiting Traffic on an Interface
- Protecting the Local Routing Engine
- Rate-Limiting Traffic Flow to the Routing Engine
- Using Counters to Determine Whether a Router Is Under Attack
RIP
- RIP
- Introduction
- Configuring RIP
- Having RIP Advertise Its Routes
- Configuring RIP for IPv6
- Enabling RIP Authentication
- Routing RIP Traffic over Faster Interfaces
- Sending Version 1 Update Messages
- Tracing RIP Protocol Traffic
IS-IS
- IS-IS
- Introduction
- Configuring IS-IS
- Viewing the IS-IS Link-State Database
- Viewing Routes Learned by IS-IS
- Configuring IS-IS for IPv6
- Configuring a Level 1Only Router
- Controlling DIS Election
- Enabling IS-IS Authentication
- Redistributing Static Routes into IS-IS
- Leaking IS-IS Level 2 Routes into Level 1
- Adjusting IS-IS Link Costs
- Improving IS-IS Convergence Times
- Moving IS-IS Traffic off a Router
- Disabling IS-IS on an Interface
- Tracing IS-IS Protocol Traffic
OSPF
- Introduction
- Configuring OSPF
- Viewing Routes Learned by OSPF
- Viewing the OSPF Link-State Database
- Configuring OSPF for IPv6
- Configuring a Multiarea OSPF Network
- Setting Up Stub Areas
- Creating a Not-So-Stubby Area
- Summarizing Routes in OSPF
- Enabling OSPF Authentication
- Redistributing Static Routes into OSPF
- Adjusting OSPF Link Costs
- Improving OSPF Convergence Times
- Moving OSPF Traffic off a Router
- Disabling OSPF on an Interface
- Tracing OSPF Protocol Traffic
BGP
- Introduction
- Configuring a BGP Session Between Routers in Two ASs
- Configuring BGP on Routers Within an AS
- Diagnosing TCP Session Problems
- Adjusting the Next-Hop Attribute
- Adjusting Local Preference Values
- Removing Private AS Numbers from the AS Path
- Prepending AS Numbers to the AS Path
- Filtering BGP Routes Based on AS Paths
- Restricting the Number of Routes Advertised to a BGP Peer
- Authenticating BGP Peers
- Setting Up Route Reflectors
- Mitigating Route Instabilities with Route Flap Damping
- Adding a BGP Community to Routes
- Load-Balancing BGP Traffic
- Tracing BGP Protocol Traffic
MPLS
- Introduction
- Configuring LSPs Using LDP as the Signaling Protocol
- Viewing Information and LDP-Signaled LSPs in the Routing Tables
- Verifying that an LDP-Signaled LSP Is Carrying Traffic
- Enabling LDP Authentication
- Tracing LDP Operations
- Setting Up RSVP-Signaled LSPs
- Viewing Information About RSVP-Signaled LSPs in the Routing Tables
- Verifying Packet Labels
- Verifying that the RSVP-Signaled LSP Is Carrying Traffic
- Configuring RSVP Authentication
- Protecting an LSPs Path
- Using Fast Reroute to Reduce Packet Loss Following a Link Failure
- Automatically Allocating Bandwidth
- Prioritizing LSPs
- Allowing IGP Traffic to Use an LSP
- Installing LSPs into the Unicast Routing Table
- Tracing RSVP Operations
VPNs
- Introduction
- Setting Up a Simple Layer 3 VPN
- Viewing the VPN Routing Tables
- Adding a VPN for a Second Customer
IP Multicast
- Introduction
- Configuring PIM-SM
- Manually Establishing a PIM-SM RP
- Using Auto-RP to Dynamically Map RPs
- Setting Up a PIM-SM Bootstrap Router
- Filtering PIM-SM Bootstrap Messages
- Configuring Multiple RPs in a PIM-SM Domain with Anycast RP
- Configuring Multiple RPs in a PIM-SM Domain Anycast PIM
- Limiting the Group Ranges an RP Services
- Viewing Multicast Routes
- Checking the Groups for Which a PIM-SM Router Maintains Join State
- Manually Configuring IGMP
- Using SSM
- Connecting PIM-SM Domains Using MSDP and MBGP
- Configuring PIM-DM
- Tracing PIM Packets
EAN: 2147483647
Pages: 290
