How To Secure Router By Using Single Command

In this tutorial we will learn how to secure a Cisco router with a single command, without first having to configure Telnet or set the enable password by hand. If you work in networking, you should know how to secure a router.

You can secure a router without reading the whole networking and security book: Cisco provides the AutoSecure feature to quickly apply a baseline hardening configuration to the router.

Q- What does the AutoSecure feature do?

Ans- AutoSecure disables common router features that might pose a security risk, while enabling other IOS features that help harden the router.


First assign an IP address to the router.

Go to the router console and enter the following configuration:

Router>enable
Router#config t
Router(config)#int f0/0
Router(config-if)#ip add 1.0.0.1 255.0.0.0
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#exit
Router#

After assigning the IP address, run this command to AutoSecure the router. Everything that follows is the interactive session, including the configuration it generated and applied.

Router#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: no

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:k

Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: ccna123
Confirm the enable secret: ccna123
Enter the new enable password: redhat123
Confirm the enable password: redhat123

Configuration of local user database
Enter the username: ccnp123
Enter the password: ccnp123
Confirm the password: ccnp123
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 2
Maximum Login failures with the device: 2
Maximum time period for crossing the failed login attempts: 2

Configure SSH server? [yes]: yes
Enter the host name: R1
Enter the domain-name: ccna.com

Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: no

Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: no

This is the configuration generated:

!
service password-encryption
no cdp run
access-list 100 permit udp any any eq bootpc
banner motd
enable secret 5 $1$mERr$JfFWIUz3yMQCrLAeXHYLw/
enable password 7 0833494A011811464058
username ccnp123 password 7 08224F4019485744
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime msec
service timestamps log datetime msec
logging trap debugging
logging console
logging buffered
line vty 0 4
transport input ssh
transport input telnet
hostname R1
ip domain-name ccna.com
ip access-list extended 100
permit udp any any eq bootpc
!

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config
The name for the keys will be: test.test
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...

*Mar 1 22:56:41.001: %SYS-3-CPUHOG: Task is running for (2007)msecs, more than (2000)msecs (0/0),process = crypto sw pk proc.
-Traceback= 0x824198E0 0x82419FC4 0x8283C238 0x82866AD8 0x828667A8 0x82865D34 0x828660F4 0x82866510 0x802335D4 0x80236D80 [OK]

R1#
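The generated configuration deserves a careful read before you trust it. "service password-encryption" only turns passwords into type 7 strings, which are obfuscated rather than encrypted; the enable secret is type 5 (salted MD5); both "line vty 0 4" blocks still carry "transport input telnet"; "ip ssh version 2" is never set; and the SSH host key is 1024 bits. The Python script below is an added example, not part of this tutorial and not Cisco code: it audits a config for exactly those points and, to show why type 7 gives no protection, decodes the two type 7 values printed above. The finding codes, the audit and decode_type7 function names and the REMEDIATION command list are my own choices; the sample config is copied from the transcript above, and the type 7 key string is the long-published one.

```python
"""Audit the running-config that 'auto secure' generated on this page.

Added example; not from the tutorial or from Cisco. Flags: type 7
passwords (reversible), a type 5 enable secret, telnet still allowed on
vty lines, SSHv1 not disabled, and an SSH host key under 2048 bits.
"""
import re
from typing import Optional

# Cisco type 7 'encryption' is a XOR against this fixed, public key string.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# Sub-commands that live inside a 'line con/aux/vty' block; any other
# command ends the block (auto secure prints its config unindented).
_LINE_SUBCMDS = {"login", "exec-timeout", "transport", "password",
                 "access-class", "logging"}

_TYPE7 = re.compile(r"^(?:enable password|username (\S+) password) 7 ([0-9A-Fa-f]+)$")


def decode_type7(blob: str) -> str:
    """Reverse a 'password 7' string: the first two characters are a decimal
    offset into _XLAT, each following hex pair is one plaintext byte XORed
    with the next key byte."""
    seed = int(blob[:2], 10)
    body = bytes.fromhex(blob[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)]
                 for i, b in enumerate(body)).decode("ascii")


def audit(config: str, rsa_bits: Optional[int] = None) -> list[tuple[str, str]]:
    """Return (code, message) findings for the weak settings listed above."""
    findings: list[tuple[str, str]] = []
    section = ""        # the 'line ...' block we are currently inside, if any
    ssh_v2 = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        first = line.split()[0]
        if line.startswith("line "):
            section = line
        elif first not in _LINE_SUBCMDS:
            section = ""
        m = _TYPE7.match(line)
        if m:
            owner = f"username {m.group(1)}" if m.group(1) else "enable password"
            findings.append(("TYPE7_REVERSIBLE",
                             f"{owner}: type 7 is obfuscation, decodes to {decode_type7(m.group(2))!r}"))
        elif line.startswith("enable secret 5 "):
            findings.append(("SECRET_MD5",
                             "enable secret is type 5 (salted MD5); use a type 9 (scrypt) secret"))
        elif line == "ip ssh version 2":
            ssh_v2 = True
        elif section.startswith("line vty") and line == "transport input telnet":
            findings.append(("VTY_TELNET",
                             f"{section}: telnet still accepted, credentials cross the network in cleartext"))
    if not ssh_v2:
        findings.append(("SSH_VERSION",
                         "'ip ssh version 2' is not set; the router will also negotiate SSHv1"))
    if rsa_bits is not None and rsa_bits < 2048:
        findings.append(("RSA_SMALL",
                         f"SSH host key is {rsa_bits} bits; regenerate with at least 2048"))
    return findings


# IOS config-mode commands that close each finding (assumed: a release that
# supports type 9 secrets; <...> are placeholders for you to fill in).
REMEDIATION = {
    "TYPE7_REVERSIBLE": ["no enable password",
                         "username <name> algorithm-type scrypt secret <password>"],
    "SECRET_MD5": ["enable algorithm-type scrypt secret <password>"],
    "VTY_TELNET": ["line vty 0 4", "transport input ssh"],
    "SSH_VERSION": ["ip ssh version 2"],
    "RSA_SMALL": ["crypto key generate rsa modulus 2048"],
}

# The config fragment auto secure printed on this page (copied, not invented);
# the 1024-bit modulus comes from its key-generation message.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
access-list 100 permit udp any any eq bootpc
banner motd
enable secret 5 $1$mERr$JfFWIUz3yMQCrLAeXHYLw/
enable password 7 0833494A011811464058
username ccnp123 password 7 08224F4019485744
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime msec
service timestamps log datetime msec
logging trap debugging
logging console
logging buffered
line vty 0 4
transport input ssh
transport input telnet
hostname R1
ip domain-name ccna.com
"""

if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG, rsa_bits=1024):
        print(f"[{code}] {msg}")
        for cmd in REMEDIATION[code]:
            print(f"    fix: {cmd}")
```

Run it as a script and each finding prints together with the IOS commands that close it; on the config above it reports seven findings, including the two type 7 values decoded back to redhat123 and ccnp123. The login-attack values entered above (block for 2 seconds after 2 failures within 2 seconds) are lab values: on a production device the same feature is normally given a longer window and block period, for example login block-for 120 attempts 3 within 60. AutoSecure is a baseline, not a finished hardening job; the points this script flags are the ones to fix by hand right after it runs.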
