Disabling Router Lines
Problem
You want to disable your router's AUX port to help prevent unauthorized access.
Solution
To completely disable access via the router's AUX port, use the following set of commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#transport input none
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no password
Router1(config-line)#exit
Router1(config)#end
Router1#
You can disable access to the router through the VTY lines as follows:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 98 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#transport input none
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no exec
Router1(config-line)#access-class 98 in
Router1(config-line)#exit
Router1(config)#end
Router1#
Discussion
It is extremely important to secure access to your routers. The most effective way to secure router ports is to simply disable them if they aren't needed. Of course, it isn't always feasible to disable all router ports, but you can improve security by disabling any unused ones. For instance, network administrators rarely use the router's AUX port, so they should consider disabling it. If your routers are physically close to the administrators so that remote access is not necessary, you might want to disable the VTY ports as well to provide greater security.
Our first example shows a somewhat paranoid method of disabling a router's AUX port. We say paranoid because it involves using several different techniques, each of which should be sufficient alone, strung together for added protection. The transport i nput none command prevents reverse TELNET access from the network (see Recipe 3.10). The no exec command prevents the AUX port from running an EXEC session. Without an EXEC process, you will get no response when you connect a terminal to the port. Further, the exec-timeout command sets the EXEC timeout to one second (see Recipe 3.9). This effectively limits the ability to submit commands in case an attacker somehow manages to start an EXEC process. Finally, no password forces the router to clear its line password, so there is no way to authenticate if somebody is able to connect.
The example of disabling VTY ports is also paranoid but effective. This example also illustrates several different methods to disable connectivity in a single example. In reality, any one of these methods would work, but we recommend including at least one secondary method as a safety measure. It is important to note that these extra precautions don't cost anything. They don't increase the router's CPU load or memory consumption appreciably. So for the extra level of safety, you might as well string together several methods as we have shown.
To disable the VTY interfaces, we first set the transport input to none (see Recipe 3.10) to disable all inbound transport methods. We also set the exec-timeout to one second (see Recipe 3.9). Then we disable the EXEC process on this line, which renders the VTY port useless. Finally, we implement an input access-class that prevents all IP addresses from accessing the VTY ports (see Recipe 3.16).
If you try to connect to a VTY line that is disabled, as shown in this recipe, the router will refuse the connection:
Freebsd% telnet Router1
Trying 172.22.1.4...
telnet: connect to address 172.22.1.4: Connection refused
telnet: Unable to connect to remote host
Freebsd%
The console port is the most important access line your router has. It is the last place you can still connect to when everything else goes wrong, so we do not recommend disabling it. However, we do recommend increasing the security of your console port to provide maximum protection. By default, the console port will not prompt for a login or password. This means that unauthorized users can easily gain access to your router's EXEC without effort. Of course, the router is always vulnerable to console access via the password recovery process, which highlights why physical security is important. You should always house routers in restricted rooms or closets to ensure physical security.
To increase the security of a router's console port, use the following set of configuration commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#line con 0
Router1(config-line)#exec-timeout 5 0
Router1(config-line)#password ora22bkz
Router1(config-line)#login
Router1(config-line)#exit
Router1(config)#end
Router1#
This example enables a login prompt by configuring the login and password commands, and reduces the exec-timeout to five minutes to ensure that console sessions will disconnect themselves if somebody walks away from the terminal. Note however, that login and password commands become unnecessary if you configure your router to use local authentication or AAA. The stronger authentication method overrides the configurations of all of the lines, including the console port.