Console protection on a Cisco router

I am testing for console protection on a Cisco 2610 router.

The console port of a typical Cisco router has 2 levels of protection:

The first is the 'login' or 'view' password, and the second is the 'enable' password, where you can actually re-configure the router. The best way to protect the router from a console port hack/access is to secure it physically and to configure both access and enable passwords on it.

My question is: Does the router automatically wipe out the config when you break in, can someone see the config when it breaks? If it does not do this automatically, is there a config setting that says upon break-in, remove all configs?

Reply to
priyati09

Just curious how the router would know there was a break-in, I mean a person would have to enter a proper username and password to gain access, how would the router know it was unauthorized if the correct credentials were used?

Reply to
Chad Mahoney

If you've properly secured it physically, you generally aren't too concerned about console port access in most environments.

I assume that you mean invoke password recovery.

No, a router, unlike a firewall, generally does not wipe the config out when you do password recovery. The full config is there after doing so. The main security protection Cisco has designed in is that after doing password recovery, the router will have all interfaces in a shutdown state, so if somebody has done it "accidentally" (i.e., messing around), the router generally will signal by not passing traffic that something has happened.

No, there is no config option that tells the router to wipe the config upon password recovery the way you are thinking... BUT, there is an undocumented option (which actually gets mentioned a lot in tech notes nowadays, maybe it has reached documentation status) to tell the router to not allow password recovery to happen.

no service password-recovery

Once you do this, then you can't do password-recovery, although with this on, some platforms have a way to wipe the config during a certain step in the boot process.

Others do not, especially older systems, so once you do this, there will be no way to wipe out the config to get back into the box on those platforms, and you'd end up with a brick for that older system.


Reply to
Doug McIntyre
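The thread's advice boils down to a few config lines: a login on `line con 0`, an `enable secret` rather than a plaintext `enable password`, and, if you accept the brick risk Doug describes, `no service password-recovery`. The script below is an added example (not posted in this thread and not Cisco's tooling) that audits a saved `show running-config` for exactly those points. Both config texts are constructed for the example, and the `$1$...` hash values are placeholders, not real secrets.

```python
"""Audit a Cisco IOS running-config for the console protections discussed above.

Added example, not from the forum thread. The two configs are constructed
samples; the checks encode the thread's advice: console login, enable secret,
and the 'no service password-recovery' trade-off (no recovery path, so an
older platform with a lost password may be unrecoverable).
"""
import re

# Constructed sample: a weakly protected config, as a 2600-class router might show it.
WEAK_CONFIG = """\
version 12.3
service timestamps log datetime
hostname r2610
!
enable password cisco123
!
line con 0
 exec-timeout 0 0
line vty 0 4
 login
"""

# Constructed sample: the same router after hardening. Hashes are placeholders.
HARDENED_CONFIG = """\
version 12.3
service password-encryption
no service password-recovery
hostname r2610
!
enable secret 5 $1$PLACEHOLDER$notarealhash
!
username admin secret 5 $1$PLACEHOLDER$notarealhash
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 login local
"""


def _section(config, header):
    """Return the indented body lines that follow a top-level config header."""
    body = []
    inside = False
    for line in config.splitlines():
        if inside:
            if line.startswith(" "):
                body.append(line.strip())
                continue
            break  # first non-indented line ends the section
        if line.strip() == header:
            inside = True
    return body


def audit_console_protection(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    con = _section(config, "line con 0")

    # First protection level: the console line must require a login.
    if not any(l == "login" or l.startswith("login ") for l in con):
        findings.append("console: no 'login' on line con 0 (first protection level absent)")
    # An idle console session should time out; 'exec-timeout 0 0' disables that.
    if not any(l.startswith("exec-timeout") and l != "exec-timeout 0 0" for l in con):
        findings.append("console: exec-timeout disabled or missing")

    # Second protection level: enable secret (hashed) rather than enable password.
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("enable: no 'enable secret' (second protection level weak or absent)")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable: plaintext 'enable password' present")

    # Global settings from the thread's discussion.
    if not re.search(r"^service password-encryption", config, re.M):
        findings.append("global: service password-encryption not set")
    if not re.search(r"^no service password-recovery", config, re.M):
        findings.append("global: password recovery still allowed "
                        "(acceptable where physical access is controlled)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_console_protection(cfg) or 'no findings'}")
```

The last check is deliberately a finding rather than an error: whether to set `no service password-recovery` depends on whether your platform offers a way to wipe the config during boot, as Doug notes, so treat it as a decision to record, not a box to tick.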
