Every network administrator should know how to secure their network so that they lessen the encounter of malicious activity. Sometimes it really just comes down to following some best practices in securing a Cisco switch or router. Here are 5 easy steps to secure your Cisco switch or router.

enable secret

When you use the command,

show run

do you see your passwords in plain text? That’s a no-no. Use

enable secret your-password

to encrypt it to keep nosy people from seeing your password and entering your switch or router. Enable secret will encrypt your password – AWAY WITH PLAIN TEXT.

encrypt plain text passwords

If you’ve moved over to encrypted passwords and noticed that your existing passwords are still in plain text then run the global configuration command:

service password-encryption

to encrypt all your passwords.

secure console access

Physical security should be your first line of defense. But what if you have shotty physical security? Then use console security to stop curious users from connecting to your console port:

conf t
  line con 0
  login
  password your-password

Be aware that this does not protect your Cisco device from the password recovery procedure. This is why physical security is important!

secure remote access

What protocol are you using to remote into your Cisco switches and routers for management? If you said Telnet, shame on you! Telnet does not encrypt any traffic between you and your Cisco devices. Everything you type is in cleartext. The best alternative is to use SSH. All traffic between you and your Cisco switch or router will be encrypted.

conf t
 line vty 0 4
 login local
 transport input ssh
username user password user-password
ip domain-name domain
crypto key generate rsa

The above commands will allow only SSH traffic to your Cisco switch or router and will prompt for a username and password, in which the user account should be on the switch.

parking lot or shutdown the interface

Organize your network with the use of virtual local area networks (vlans). Put accounting on their own vlan, HR on their own vlan, IT on their own vlan. Not only is it good to segment these departments, you can also create a parking lot vlan. A parking lot vlan is where you can put all unused interfaces. So if a malicious user wanted to connect to your network via an open port from the wall, they wouldn’t be able to connect to anything because that unused port would be put on a vlan that is not being used.

conf t
 vlan 3
 name parking-lot
int fa0/15
 switchport mode access
 switchport access vlan 3

A better solution would be to shutdown an unused interface. When an interface is shut down that means it cannot be used until you use the no shutdown command to bring the interface back up.

conf t
 int fa0/15
 shutdown

To bring it back to a working interface:

conf t
 int fa0/15
 no shut

And those are my 5 easy steps to securing your Cisco switch or router. There are other advanced ways but if you’re new to Cisco then the above steps will be better than having a non-secured network. If you have any questions or feedback please comment below!

Related posts:

1. How To Configure a Router-on-a-Stick
2. User VLAN Do Not Acquire DHCP Address
3. Virtual LANs Notes

I’m sure many of us have installed nmap straight from the Ubuntu repositories.

After running a couple of network scans you noticed it spitting out ugly Script Engine runtime errors. You can temporarily get rid of these errors by disabling the script scan but it requires more work to fix this bug.

I’ve searched online and found that I wasn’t the only person annoyed with this problem. Nmap in the Ubuntu repository is messed up right now. You can view the launchpad thread here. There is a minor revision fix that a user has supplied in a debdiff. What I’m going to show you here is a combination of two things, resolving the nmap script engine runtime error in Ubuntu and also install a debdiff file in Ubuntu. Most of these instructions are derived from Ubuntu wiki.

First step is to install the necessary tools for building packages. Use this command in Ubuntu if you’ve never built a package before:

sudo apt-get install build-essential fakeroot devscripts

From your /tmp directory I would create a temporary staging directory for nmap:

 mkdir nmap

and enter that directory,

cd nmap

then you download the debdiff file from launchpad into the nmap directory we just created:

wget http://launchpadlibrarian.net/21515655/nmap_4.76-0ubuntu2.dsc.debdiff

From here we will download the source code for nmap from the Ubuntu repository,

sudo apt-get source nmap

Then type in this command after you’ve downloaded the source code for nmap:

sudo apt-get build-dep nmap

Now this is where we start adding the changes in the debdiff file.

Enter this command:

cd nmap-*

The asterisk will be dependent on the version of nmap you are working with in Ubuntu. In my case the folder I was changing directories was nmap-4.76

This command will patch the debdiff to the source,

patch p1 < ../nmap_*.debdiff

Now read carefully. After the < ../ You will have to type in the debdiff file here. In my case I am using < ../nmap_4.76-0ubuntu5.debdiff

After that step we will build the the new source package,

sudo debuild -uc -us

Finally, we install the package:

sudo dkpg -i ../nmap_4.76-0ubuntu5_i386.deb

Note that the deb package will be dependent on your version number so please change accordingly.

Here’s an example for my nmap_4.76 installation:

sudo apt-get install fakeroot devscripts
mkdir nmap
cd nmap
wget http://launchpadlibrarian.net/21515655/nmap_4.76-0ubuntu2.dsc.debdiff
sudo apt-get source nmap
sudo apt-get build-dep nmap
cd nmap-4.76
patch p1 < ../nmap_4.76-0ubuntu5.debdiff
sudo debuild -uc -us
sudo dkpg -i ../nmap_4.76-0ubuntu5_i386.deb

Related posts:

1. How To Install Adobe Air in Ubuntu
2. How To Install GNS3 in Ubuntu 9.04
3. Ubuntu Notification System Tray Gone