Show Menu
Cheatography
  1. Home >
  2. Programming >

Cisco Device Security Cheat Sheet by

Cisco device configuration commands for security (SEC-160)

Login Enhanc­ements

Command
Function
 
login block-for 120 attempts 3 within 30
blocks login attempts for 120 secs if 3 fail within 30 secs
(
login local
must be config­ured)
 
login quiet-mode access-class [acl-name | acl-number]
maps to an ACL so only authorized hosts can attempt to login
 
login delay seconds
wait-time between login attempts
 
login on-success log
records successful logins
 
login on-failure log
records failed login attempts
> Login enhanc­ements don't apply to console connec­tions
> 
login block-for
must be configured before any others

Role-Based CLI Views

Command
Mode
Function
 
aaa new-model
global
enables AAA
 
parser view view-name
global
creates a new view (must be in root view)
 
secret password
view
assigns view password (required)
 
commands parser-mode [include|exclude] [command|interface]
view
assigns command or interface to view
 
enable view view-name
priv. EXEC
enters view (enable secret for root password)
 
parser view view-name superview
global
creates a new superview
 
secret password
superview
assigns superview password (required)
 
view view-name
superview
assigns existing view to superview

IPsec VPNs (Site-­to-­Site)

 
Command
Mode
----- Phase 1 -----
 
cry is en
 
crypto isakamp enable
global
 
cry is pol 10
 
crypto isakmp policy 10
global
 
h sha
 
hash sha
(config-isakmp)
 
a p (auth pre)
 
authen­tic­ation pre-share
(-isakmp)
 
g 14
 
group [DH group #]
(-isakmp)
 
l 3600
 
lifetime [secs]
(-isakmp)
 
enc a 256
 
encryption aes 256
(-isakmp)
 
cry is key vpnpass add 10.2.2.2
 
crypto isakmp key [key] address [peer IP]
global
----- Phase 2 -----
 
cry ip t VPN-SET esp-a 256 esp-sha-
 
crypto ipsec transform-set [tag] [encry.] [bits] [hash]
global
 
cry ip s l s
 
crypto ipsec security-association lifetime seconds 1800
global
 
cry map CMAP 10 ipsec-i
 
crypto map [name] [seq #] ipsec-isakmp
global
 
m add 101
 
match address 101
(-crypto-map)
 
s pe 10.2.2.2
 
set peer [peer IP]
(-crypto-map)
 
s pfs group14
 
set pfs [group#]
(-crypto-map)
 
s t VPN-SET
 
set transf­orm-set [tag]
(-crypto-map)
 
s s li s 900
 
set security-association lifetime seconds [secs]
(-crypto-map)
 
desc [text]
 
descri­ption [text]
(-crypto-map)
 
cry m CMAP
 
crypto map [name]
interface

Line Config Mode

Command
Line
Function
 
no exec
any unused
disables EXEC mode for the line (outgoing connec­tions only)
 
login local
all
forces userna­me/­pas­sword authen­tic­ation from local database
 
logging synchronous
all
prevents logging from interr­upting commands
 
exec-t­imeout 5 0
all
logs out after 5 mins inactive

Inform­ati­ona­l/Show Commands

Short Command
Full Command
What It Displays
 
sh login
 
show login
configured login settings
 
sh login f
 
show login failures
details about login failures (src IP, count, time/date, etc)
 
sh cry key mypubkey r
 
show crypto key mypubkey rsa
current RSA keys
 
sh ip ssh
 
show ip ssh
SSH config­uration
 
sh ssh
 
show ssh
current SSH connec­tions
 
sh p v a
 
show parser view all
summary of all configured views
(asterisk indicates superview)
 
sh sec b
 
show secure bootset
verifi­cation of the archive
 
sh logg
 
show logging
logging config­uration & buffered syslog messages
 
sh us
 
show users
users connected to the device
 
sh cr is po
 
show crypto isakmp policy
ISAKMP policy config­uration
 
sh cr ip sa
 
show crypto ipsec sa
IPsec security associ­ation
 
sh cr map
 
show crypto map
crypto map config­uration

Logging & Monitoring

Command
Mode
Function
 
service timestamps log datetime msec
global
enables timestamps service
 
logging host ip-address
global
specifies syslog server
 
logging trap level
global
sets log severity level
 
logging source-interface ip-address
global
identifies the device sending the log info
 
logging on
global
turns on logging

Secure Bootset

Command
Mode
Function
 
secure boot-image
global
secures IOS image & enables Cisco IOS image resilience
 
secure boot-c­onfig
global
takes snapshot of runnin­g-c­onfig to save in persistent storage
--- To Restore Secure Config­uration ---
 
reload
-> ROMmon mode
 
dir
ROMmon
lists contents of device where secure bootset is stored
 
boot flash:filename
ROMmon
boots route with secure IOS image
 
secure boot-config restore flash:filename
global
restores secure config

SSH Config­uration

Command
Function
 
user Bob algorithm-type scrypt secret password
creates user in local database
 
ip domain­-name span.com
sets network domain name
 
crypto key zeroize rsa
removes any existing RSA key pairs
 
cry key gen rsa gen mod 1024
creates RSA encryption key (max: 4096 bits)
 
transport input ssh
enables SSH (line config, vty)
 
ip ssh time-out seconds
sets SSH timeout length
 
ip ssh authentication-retries 2
sets number of login attempts before user is discon­nected
 
ip ssh version 2
sets SSH version to v2

Miscel­laneous Config­ura­tions

Command
Function
 
license boot module c1900 technology-package securityk9
Adds security package to 1941 routers!
 
no service password-recovery
prevents an attacker from recovering the router password
                       
 

Metadata

  • Languages:
  • Published: 23rd February, 2018
  • Last Updated: 30th August, 2018
  • Rated: 4 out of 5 stars based on 1 ratings

Favourited By

jeaninem71 MobbinOnEm

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Cisco Switch Configuration Cheat Sheet

          More Cheat Sheets by Tamaranth

          Basic Cisco IOS Commands Cheat Sheet
          Minecraft Item IDs Cheat Sheet