Cisco - Setting up access using telnet or ssh? - is it safe to use transport input all?

Sorted out the user name issue, deleted admin and set my own one, put a little cheeky route in there and I can ping out on to the t'web from the router.

I have also woken Ethernet0

Morandarouter1#show running-config
Building configuration...

Current configuration : 887 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Morandarouter1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$uhuiasufasdfsudfdsfsdiuhfiasgdflasgdu
!
no aaa new-model
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
ip cef
ip domain name moranda.net
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
username dm0rand4 privilege 15 secret 5 $uhiufhiufhisuf;laudialuh
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.2 255.255.255.0
half-duplex
!
interface FastEthernet0
ip address 192.168.0.2 255.255.255.0
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.0.1
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
end

Morandarouter1#
 
Just something I've seen from work with SSH.

Try the global command "ip ssh v2". I've come across similar symptoms at work but on 3750's and 6509's. For some reason this has resolved it.

Other than that, I can't see what's wrong, and I've port forwarded SSH on a Netgear without problem too.

Regenerate the keys ("cry key gen rsa") then enter 1024 or even higher. I'd also remove the priv 15 too for security, and you've set an enable password too.

Let us know how you get on.
 
You could add an exec-timeout parameter on the vty line to time your session out if you disconnect or idle too long.

I would agree that priv 15 should be removed - go in at 0 and then enable up to 15.

If you still have an issue with the timeout, create a second username to test and try to connect with that - you should have multiple vty lines that you should be able to connect to if one is being held open. To confirm, do a "show ip ssh" to check open sessions.
 
What's the best way to set this up? I don't want to go creating multiple accounts as it's just me, so what I want to do is for this to happen:

usera goes to log in with credentials

username: usera
password: passworda

login successful, "usera" now has privilege 0

I then type "enable" and I am asked to enter a password which jumps me up to privilege 15

How would I do this?
 
username <username> password <password>

enable secret <password>

What you have now is basically just that, just remove the priv level from your login. Adding it in there just allows you to bypass the need for typing in the enable password, or to automatically set a lower level for somebody, etc. etc.

- Pea0n
 
Ahh of course!! Can't believe I forgot that :)

enable secret password is usually the first or second thing I do when I am starting a config. I am pretty sure I did it with this one too :\ I last noticed it working though when I was consoled into it before I got the interfaces up and SSH working; I haven't noticed it working since.
 
Well, it's in your config; if you changed the username to automatically give you priv 15 then you won't have needed to use it after that :)

As it happens, for my habits it's the second thing I do too, after changing the hostname. Must be habit!

- Pea0n
 
Awesome, you can try replacing it with

username <username> secret <password>

That provides proper encryption on your account password (MD5 rather than the Cisco proprietary encryption).

What's your next objective? :)

- Pea0n
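Pulling the advice in this thread together (the login-at-a-low-level-then-"enable" flow asked about above, "username ... secret" instead of "password", "ip ssh v2", regenerating the RSA keys, and an exec-timeout on the vty lines), here is an added IOS configuration example; it is not Pea0n's or the original poster's config. The hostname and domain name are the ones in the posted running-config; "usera" and the two placeholder passwords are assumed values. Leaving the "privilege" keyword off a "username" line gives the default level 1 (user EXEC) rather than 0, and "enable" then lifts the session to 15 either way.

```cisco
! Added example config (not from the thread). Typed in global configuration
! mode on the 1721; hostname and domain come from the posted running-config.
hostname Morandarouter1
ip domain name moranda.net
!
! Local login account. No "privilege 15" here, so a successful SSH login lands
! in user EXEC (level 1); "secret" stores an MD5 hash instead of a reversible
! type 7 "password". The password value is a placeholder.
username usera secret <placeholder-login-password>
!
! Password that "enable" asks for to move the session up to privilege 15.
enable secret <placeholder-enable-password>
!
! SSH prerequisites: a fresh RSA key pair (the thread suggests 1024 bits or
! higher; 2048 is used here) and SSH version 2 only.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Remote access lines: local authentication, SSH only (not "transport input
! all", which would also accept telnet), and a 10-minute idle timeout.
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
!
! Checks after logging back in over SSH (EXEC commands):
!   show ip ssh      - should report "SSH Enabled - version 2.0"
!   show privilege   - "Current privilege level is 1" before "enable", 15 after
!   show users       - lists the vty sessions currently held open
```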
 
Cool will do :)

Well, I still need to get access from the WAN in via SSH, then I am going to start disabling services I don't need and add a DHCP server to interfaces. What else would you recommend at this stage?
 
Ummmmmm, well, DHCP and connectivity first, along with locking it down. Really the first thing would be to ensure you can ping from the router to a public Internet server (4.2.2.2 for example... if that isn't up then something is broke :) ). Once that's in, add a DHCP server in really! There's so much stuff you *can* add it's hard to know where to start really.

- Pea0n
 
It's a 1721 :)

I have had a bit of a break with this at the moment. I did start disabling un-needed services but I took a break for a bit as work was getting a bit mad; we are just starting a huge migration of our customers over to a new service. So I needed some down time before the fun begins ;)
 