Cisco IOS Routers: Auto Secure
Auto Secure is useful for small businesses or IT administrators who know how to configure networking protocols, IP interfaces, and networks on a router but may not have a strong understanding of router security. Cisco provides a script called Auto Secure that simplifies securing a router by prompting the user with “yes” or “no” questions. Some prompts require additional network-specific details.
Getting Started with Auto Secure
To begin, enter user mode on the router, then enable privileged EXEC mode:
Router>enable
Once in privileged EXEC mode, type the following command to start Auto Secure:
Router#auto secure
AutoSecure Configuration
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks ***
AutoSecure will modify the configuration of your device. All configuration changes will be shown.
For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for AutoSecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure...
Auto Secure enhances security but does not guarantee complete protection. It modifies the device configuration and displays all changes before applying them.
AutoSecure Prompts and Configuration
Internet Connection
Is this router connected to internet? [no]: yes
Number of Interfaces Facing the Internet
Enter the number of interfaces facing the internet [1]: 1
Selecting the Internet-Facing Interface
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    unassigned      YES unset  administratively down down
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/0/0        172.16.2.241    YES manual down                  down
Serial0/0/1        unassigned      YES unset  administratively down down
Vlan1              unassigned      YES unset  administratively down down
Enter the interface name that is facing the internet: serial0/0/0
Disabling and Enabling Services
After identifying the internet-facing interface, Auto Secure disables unnecessary services and enables essential security features:
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
**Output Omitted**
Setting a Security Banner
Enter the security banner {Put the banner between k and k, where k is any character}:*Authorized Access Only*
Setting Enable Secret and Enable Password
Enable secret is either not configured or is the same as enable password
Enter the new enable secret:
Enter the new enable password:
Configuring a Local User Database
Configuration of local user database
Enter the username: Username
Enter the password: password
Confirm the password: password
Enabling AAA and Login Attack Prevention
Blocking Period when Login Attack detected: #
Maximum Login failures with the device: #
Maximum time period for crossing the failed login attempts: #
Configuring SSH Access
Configure SSH server? [yes]: yes
Enter the host name: {Router Name}
Enter the domain-name: {Yourdomain-name}
Configuring CBAC Firewall
Configure CBAC Firewall feature? [yes/no]: yes
At this stage, Auto Secure generates a secure configuration:
This is the configuration generated:
!
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
**Output Omitted**
Apply this configuration to running-config? [yes]:
You can apply this configuration to the running configuration immediately, or review it first before making changes. If any issues arise, you can reload the router without saving the configuration to revert to its previous state.
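To review the result, the settings named in the prompts above can be checked against a saved copy of the running configuration. The script below is an added example, not Cisco's or the original page's code; the sample configuration, the check names, and the choice of which lines count as required or forbidden are assumptions made for illustration.

```python
import re

# Constructed sample of `show running-config` output (not from the original page).
SAMPLE_CONFIG = """\
hostname R1
no service pad
service tcp-keepalives-in
service password-encryption
enable secret 5 $1$examplehashplaceholder
username admin secret 5 $1$examplehashplaceholder
aaa new-model
ip domain-name example.com
login block-for 60 attempts 3 within 30
banner motd ^CAuthorized Access Only^C
service udp-small-servers
"""

# Lines that must be present (regex matched against a whole config line).
REQUIRED = {
    "pad disabled": r"no service pad",  # assumes a release where PAD defaults to on
    "password encryption": r"service password-encryption",
    "tcp-keepalives-in": r"service tcp-keepalives-in",
    "enable secret set": r"enable secret \S.*",
    "local user": r"username \S+ .*",
    "login attack blocking": r"login block-for \d+ attempts \d+ within \d+",
    "security banner": r"banner (motd|login) .*",
    "domain name for SSH": r"ip domain[- ]name \S+",
}
# Lines that must be absent. Assumption: these services default to off, so
# only the enabling form would appear in the configuration.
FORBIDDEN = {
    "finger enabled": r"(service|ip) finger",
    "tcp small servers enabled": r"service tcp-small-servers.*",
    "udp small servers enabled": r"service udp-small-servers.*",
}

def audit(config_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines()]

    def has(pattern):
        return any(re.fullmatch(pattern, ln) for ln in lines)

    findings = [f"missing: {name}" for name, pat in REQUIRED.items() if not has(pat)]
    findings += [f"present: {name}" for name, pat in FORBIDDEN.items() if has(pat)]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports the one line that re-enables the UDP small servers; a configuration that passes every check returns an empty list.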
For further details, visit Cisco.com and explore the official Auto Secure documentation.