Friday, January 6, 2017

Cisco switch best practice

https://learningnetwork.cisco.com/thread/2367


First, VTY (Virtual Terminal Lines) are (1) of (4) main types of TTY lines used solely to control inbound Telnet connections. They are virtual, in the sense that they are a function of software - there is no hardware associated with them. They appear in the configuration as line vty 0 4. That means you can have up to 5 simultaneous connections to this device at one time (IOS 12.2 allows 16, i.e. line vty 0 15).

I know this is an older thread; however, I was practicing a lab and really didn't know what vty was or why it kept getting split up in (0 to 4) (5 to 15).

Protect Local Passwords

As described in Restrict Infrastructure Device Management Accessibility, page 2-3, infrastructure devices always have local passwords and secret information that need to be properly secured. In addition to enforcing a strong password policy, secret information and passwords should be protected with the use of encryption.

Step 1 Global local password encryption: enable automatic password encryption with the service password-encryption global command. Once configured, all passwords are encrypted automatically, including passwords of locally defined users.
Router(config)# service password-encryption

Step 2 Enable secret: Define a local enable password using the enable secret global command. Enable access should be handled with an AAA protocol such as TACACS+ or RADIUS. The locally configured enable password will be used as a fallback mechanism after AAA is configured.

Router(config)# enable secret <strong-password>

Step 3 Line passwords: define a line password for each line you plan to use to administer the system. Note that line passwords are used for initial configuration and are not in effect once AAA is configured. Also note that some devices may have more than 5 VTYs.

line vty 0 4
 password <strong-password>

Implement Notification Banners

With the guidance of a legal professional create and apply a login banner. Login banner examples are provided in Appendix A, "Sample Configurations."

banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.

#

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/sec_chap8.html#wp1059187

line vty 0 4 ~~line vty 5 15

Configure Local User-Specific Passwords

To establish a username-based authentication system, use the username command in global configuration mode. To enable password checking at login, use the login local command in line configuration mode.

Configuration Procedure

In this example, passwords are configured for users attempting to connect to the router on the VTY lines using Telnet.
  1. From the privileged EXEC (or "enable") prompt, enter configuration mode and enter username/password combinations, one for each user for whom you want to allow access to the router:
    router#configure terminal
     Enter configuration commands, one per line.  End with CNTL/Z.
     router(config)#username russ password montecito
     router(config)#username cindy password belgium
     router(config)#username mike password rottweiler
    
  2. Switch to line configuration mode, using the following commands. Notice that the prompt changes to reflect the current mode.
    router(config)#line vty 0 4
    router(config-line)#
  3. Configure password checking at login.
    router(config-line)#login local

  4. Exit configuration mode.
    router(config-line)#end
    router#
    %SYS-5-CONFIG_I: Configured from console by console

Note: In order to disable auto Telnet when you type a name on the CLI, configure no logging preferred on the line that is used. While transport preferred none provides the same output, it also disables auto Telnet for the defined hosts that are configured with the ip host command. This is unlike the no logging preferred command, which stops it for undefined hosts and lets it work for the defined ones.

http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-software-releases-110/45843-configpasswords.html#pw-line
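The audit below is an added example, not code from the Cisco documents quoted here: it scans a running-config for the practices covered by both procedures above (service password-encryption and enable secret from Steps 1-2, a line password or login local on every VTY range, the login banner, and username entries still using password rather than secret). One caveat the quoted text does not state: service password-encryption only produces reversible type 7 strings, so enable secret and username ... secret, which store one-way hashes, are the stronger choice. SAMPLE_CONFIG is constructed, and the username ... secret form is a real IOS command that this page itself does not show.

```python
import re

# Constructed sample running-config (not captured from a real device): the commands this
# page recommends next to weaker forms an audit should flag; hash/type-7 values are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$HASH
username russ password 7 PLACEHOLDER7
username cindy secret 5 $1$PLACEHOLDER$HASH
banner login # UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED #
line vty 0 4
 password 7 PLACEHOLDER7
 login local
line vty 5 15
 login
"""

def parse_line_blocks(config: str) -> dict[str, list[str]]:
    """Group the indented sub-commands under each 'line ...' stanza."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # a non-indented command ends the stanza
    return blocks

def audit_config(config: str) -> list[str]:
    """Return one finding per deviation from the practices described above."""
    findings: list[str] = []
    required = {"service password-encryption": "Step 1", "enable secret ": "Step 2",
                "banner login ": "notification banner"}
    for prefix, where in required.items():
        if not any(l.startswith(prefix) for l in config.splitlines()):
            findings.append(f"missing '{prefix.strip()}' ({where})")
    # 'username ... password' stores type 0/7 (reversible); 'username ... secret' hashes it
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)}: uses 'password'; prefer 'username {m.group(1)} secret'")
    for stanza, cmds in parse_line_blocks(config).items():
        if not stanza.startswith("line vty") or "login local" in cmds:
            continue  # 'login local' authenticates against the username database
        if "login" not in cmds:
            findings.append(f"{stanza}: no 'login' or 'login local', line is unauthenticated")
        elif not any(c.startswith("password ") for c in cmds):
            findings.append(f"{stanza}: 'login' set but no line password, logins are refused")
    return findings
```

Running audit_config(SAMPLE_CONFIG) reports the russ account and the unprotected line vty 5 15 range, which is exactly the "more than 5 VTYs" case noted in Step 3.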
