AutoSecure is a new security feature in Cisco IOS 12.2(18)S and 12.3(1). Up to this point in the chapter, you have had to manually disable services to protect your router. This is okay if you understand the Cisco IOS configuration process and are familiar with all the things that you must disable and why you should disable them.
However, for a novice administrator, this becomes a difficult task. AutoSecure removes the complexity by using a simple script that asks basic questions about the use of the router, and then creates a configuration file that will be used to secure the router. This is very similar to the use of the System Configuration dialog script that some administrators use to put a basic configuration on their router. The difference between this and AutoSecure is that AutoSecure focuses only on security-related services.
The AutoSecure feature provides the following security functions:
It disables all IP services that can be exploited by an attack.
It enables IP services that can help you prevent attacks.
It configures minimum password-length restrictions, preventing passwords such as cisco and admin from being configured.
It generates syslog messages when the maximum number of unsuccessful authentication attempts has been exceeded.
On the surface, the use of AutoSecure sounds simple, but you need to understand how AutoSecure works, as well as its restrictions, before you use it.
AutoSecure's security focuses on two basic areas: management and forwarding. The next two sections cover these areas.
AutoSecure can secure the management plane of your router by disabling global and interface services. Basically, everything I have discussed up to this point in the chapter is included in the AutoSecure management plane, including securing access to the router and logging functions. Here is a list of the global services AutoSecure disables:
BootP
CDP
Finger
HTTP server
IdentD protocol
NTP (Network Time Protocol)
PAD
Source routing
TCP small servers
UDP small servers
NTP is the only service I have not discussed in this chapter. I discuss NTP in more depth in Chapter 18, "Logging Events."
Here is a list of the interface services that AutoSecure disables:
Directed broadcasts
ICMP mask replies
ICMP redirects
ICMP unreachables
MOP
Proxy ARP
Note that if you need any of these services, such as HTTP, you must re-enable them manually after running AutoSecure.
Besides disabling the previous services, AutoSecure can enable certain services to increase your security, including the following:
The service password-encryption command is executed, encrypting unencrypted passwords. This command is covered in Chapter 3.
The service tcp-keepalives-in and service tcp-keepalives-out commands are executed to remove abnormally terminated TCP connections.
Secure Copy (SCP) is set up in tandem with SSH to provide secure access to and from the router.
For all lines, the login and password commands are configured.
For VTY connections, only Telnet and SSH are allowed through the transport input and transport output commands.
If AAA is not set up, AutoSecure can create a local authentication database with usernames and passwords, to give you more control over router access.
A login text banner is created, if one does not already exist.
SNMP is disabled (if not needed), and community strings that are configured with either public or private are removed.
Logging on the console port and the internal buffer is enabled, sequence numbers and time stamps are added to all logging and debug messages, and trap logging levels are set to debug (logging is discussed in Chapter 18).
From this long list of services that are disabled and enabled, you can see that AutoSecure performs a lot of tasks for you from a simple menu-driven script.
AutoSecure also can secure the forwarding plane of your Cisco router. This is a marketing term used to describe how AutoSecure will configure security features that affect traffic flowing through your router. Here are some of the things that AutoSecure configures for the forwarding plane:
For routers that support Context-based Access Control (CBAC), AutoSecure enables this stateful firewall feature on your external interface. CBAC is discussed in Chapter 9, "Context-Based Access Control."
AutoSecure implements antispoofing by blocking reserved addresses defined by the IANA. This is done by creating an extended access list. These reserved addresses can be examined at http://www.iana.org/assignments/ipv4-address-space. Note that these addresses are subject to change, so you should compare AutoSecure's list of ACL statements with those in the previous URL. Extended ACLs are discussed in Chapter 7, "Basic Access Lists."
Private IP address spaces defined in RFC 1918 from external sources are blocked.
CEF is enabled on CEF-supported routers, which helps the router perform better when DoS attacks such as TCP SYN flood attacks are occurring.
Unicast Reverse Path Forwarding is implemented to help prevent packet spoofing. This feature is covered in Chapter 15, "Routing Protocol Protection."
TCP Intercept is configured, if available, to reduce the impact of DoS attacks on your internal resources. TCP Intercept is covered in Chapter 17, "DoS Protection."
For those features that need to be implemented on your perimeter router's public interface, such as CBAC and extended ACLs, AutoSecure prompts you for the necessary configuration information.
CAUTION
AutoSecure does not guarantee that it completely secures your router. It is actually a good tool to use when you originally are setting up your router to put a base security configuration on it. However, you will want to implement the many other features in this book to completely secure your router and the traffic behind your router, especially if your router is functioning as a perimeter router or firewall solution.
Now that you have a basic understanding of what AutoSecure can do for you, let us discuss how you use this script and how to verify its security configuration. You probably will perform three basic tasks:
Execute the AutoSecure script.
Verify the script's secured configuration.
Use optional commands to increase your security solution.
CAUTION
Before you begin the AutoSecure script to automatically secure your router, make sure that you back up its current configuration to an SCP server. When the script completes, your old configuration is gone. I discuss the use of SCP in Chapter 5.
AutoSecure is meant to be run on a router with a base, or initial, configuration. If you have a router that already has a configuration on it, with many security features enabled, some features of AutoSecure might not be enabled because of configuration conflicts or restrictions. Therefore, follow these steps to ensure the proper operation of AutoSecure:
To start up AutoSecure, you use the privileged EXEC auto secure command, shown here:
Router# auto secure [management | forwarding] [no-interact]
These are the options that you can enter:
No options: AutoSecure secures both the management and forwarding planes, prompting you for the necessary information.
management: AutoSecure performs security configurations for only the management plane, prompting you for the necessary information.
forwarding: AutoSecure performs security configurations for only the forwarding plane, prompting you for the necessary information.
For all three of these configuration options, if you include the no-interact parameter, the router uses all the defaults for parameters and does not prompt you for any information.
NOTE
The AutoSecure script functions basically the same as the System Configuration dialog. As you go through the script, it prompts you for specific information. Values shown in brackets ([]) are the defaults and are accepted when you press the Enter key on an empty line. There is no method of returning to a question if you answer it incorrectly; in this case, abort the script with Ctrl-c and start over.
To help you understand how to interact with the AutoSecure script, this section goes through an example. This example uses a 1720 router with an internal FastEthernet0 interface and an external Ethernet0 interface. The 1720 has the Cisco IOS Firewall feature set installed. Example 4-22 shows the script configuring both the management and forwarding planes. An explanation of the most important lines follows.
Router# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router but it will not make the router absolutely secure
from all security attacks ***
All the configuration done as part of AutoSecure will be shown here.
For more details of why and how this configuration is useful, and
any possible side effects, please refer to Cisco documentation of
AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes                                    (1)
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes                        (2)
Interface        IP-Address      OK? Method Status                Protocol
Ethernet0        unassigned      YES NVRAM  administratively down down
FastEthernet0    192.168.1.254   YES NVRAM  up                    up
Enter the interface name that is facing internet: Ethernet0
Securing Management plane services..                                   (3)
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged and violations of this policy result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:                                    (4)
+
This system is the property of the Deal Group, Inc.
Unauthorized access to this device is prohibited.
You must have explicit permission to access this device.
All activities performed on this device are logged and
violations of this policy result in disciplinary, civil,
and criminal action.
+
Enable secret is either not configured or
is same as enable password                                             (5)
Enter the new enable secret: ciscocisco
Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password: sanfransanfran
Configuration of local user database                                   (6)
Enter the username: richard
Enter the password: EmilyAlina
Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Configure SSH server? [yes]: yes                                       (7)
Enter the hostname: Bullmastiff
Enter the domain-name: quizware.com
Configuring interface specific AutoSecure services                     (8)
Disabling the following ip services on all interfaces:
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Securing Forwarding plane services..                                   (9)
Enabling CEF (it might have more memory requirements on some
low-end platforms)
Configuring the named acls for Ingress filtering
autosec_iana_reserved_block: This block may subject to
change by iana and for updated list visit
www.iana.org/assignments/ipv4-address-space.                           (10)
1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8, 41/8, 42/8,
49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8,
76/8, 77/8, 78/8, 79/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8,
90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8,
101/8, 102/8, 103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8,
110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 197/8, 201/8
autosec_private_block:                                                 (11)
10/8, 172.16/12, 192.168/16
autosec_complete_block: This is union of above two and
the addresses of source multicast, class E addresses
and addresses that are prohibited for use as source.                   (12)
source multicast (224/4), class E(240/4), 0/8, 169.254/16,
192.0.2/24, 127/8.
Configuring Ingress filtering replaces the existing acl
on external interfaces, if any, with ingress filtering acl.
Configure Ingress filtering on edge interfaces? [yes]: yes             (13)
[1] Apply autosec_iana_reserved_block acl on all edge interfaces
[2] Apply autosec_private_block acl on all edge interfaces
[3] Apply autosec_complete_bogon acl on all edge interfaces
Enter your selection [3]: 3                                            (14)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes                         (15)
This is the configuration generated:                                   (16)
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
banner +
This system is the property of the Deal Group, Inc.
Unauthorized access to this device is prohibited.
You must have explicit permission to access this device.
All activities performed on this device are logged and
violations of this policy result in disciplinary, civil,
and criminal action.
+
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$1q95$10TM0DLUhsUo.C37dF2WZ/
enable password 7 021505550D140E2F5F4F071F17161C
username richard password 7 03175A050C0032495D08170F18010E
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
hostname Bullmastiff
ip domain-name quizware.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int FastEthernet0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
ip access-list extended autosec_iana_reserved_block
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit
  www.iana.org/assignments/ipv4-address-space for update list
exit
ip access-list extended autosec_private_block
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
exit
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date. Visit
  www.iana.org/assignments/ipv4-address-space for update list
exit
interface Ethernet0
 ip access-group autosec_complete_bogon in
exit
ip access-list extended 100
 permit udp any any eq bootpc
interface Ethernet0
 ip verify unicast source reachable-via rx 100
exit
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Ethernet0
 ip inspect autosec_inspect out
!
end
Apply this configuration to running-config? [yes]: yes                 (17)
Applying the config generated to running-config
The name for the keys will be: Bullmastiff.quizware.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]
Bullmastiff#
The following list explains the output from the script in Example 4-22. The numbers on the right side of Example 4-22 correspond to the numbers in the following list:
1. At the beginning of the script, you are given the instructions and then asked whether to continue; the default is no.
2. If the router is connected to the Internet, answer the question yes; you then are shown a list of interfaces and are asked which interface is connected to the Internet. In this example, I entered Ethernet0. If this is an internal router, just answer no to the question.
3. After answering the public interface question, the AutoSecure script displays which global management services it is disabling.
4. A sample login banner is displayed, and you are given the opportunity to configure your own. This is similar to using the banner motd command, in which you need a beginning and ending delimiter character. In this example, I used + as the delimiting character.
5. You must enter an encrypted privileged EXEC password (enable secret) if one is not configured or if it matches the clear-text privileged EXEC password (enable password). You also must enter a clear-text privileged EXEC password.
6. Next, you are asked to configure one entry in your router's local authentication database, which is used for both console and remote access. In this example, I created an account called richard.
7. If you want to use SSH, answer yes to this question. If you answer yes, you must enter a hostname and a domain name so that the Cisco IOS can generate the RSA key pair that SSH uses.
8. Now that the global management services are completed, you are taken into the interface-specific management services. Here you can see which services automatically are disabled. You do not have to answer any questions here.
9. When the router completes the management services, it moves on to the forwarding services. If the router supports CEF, this is enabled.
10. The first filter set up is to block source addresses defined by the IANA. Note that the addresses that the Cisco IOS uses in AutoSecure might not be the most current; therefore, you periodically should check with IANA's web site to verify the Cisco IOS configuration.
11. The second filter includes private IP source addresses defined in RFC 1918.
12. The third filter combines the first two filters and adds source multicast addresses, Class E addresses, and 169.254.0.0/16, 0.0.0.0/8, 192.0.2.0/24, and 127.0.0.0/8.
13. Next, you are asked if you want one of the three filters in steps 10, 11, or 12 to be applied inbound on the Internet (public) interface.
14. If you answer yes to step 13, you are asked which filter you want to apply to the interface. If the interface is not connected directly to the Internet and you are using public addresses, choose 1. However, you will want to go back into the configuration later and add the addresses from Step 12. If you are connected to the Internet, choose option 3.
15. After unicast reverse path forwarding is enabled, you are asked if you want to configure CBAC on your router. This happens only if you have installed the Cisco IOS Firewall feature set on your router. This sets up a stateful firewall for allowing returning traffic for outbound connections.
16. You now have answered all of the questions for the AutoSecure configuration process. The script displays the actual Cisco IOS commands that it will execute. Examine these closely to make sure that this is the configuration that you want.
17. In the last step, you are asked if you want to implement this configuration. Answer yes to do so. When you answer yes, if you chose to enable SSH, the Cisco IOS generates the RSA encryption keys.
This completes the AutoSecure configuration script. As you can see, this is a lot easier than manually configuring all of these commands individually.
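Steps 10 and 14 leave you with an ingress ACL whose contents can drift from IANA's registry. The following script is an added example, not code from the book or from Cisco IOS: it parses the "deny ip <network> <wildcard> any" lines of the autosec_* ACLs out of the generated configuration (step 16), converts each Cisco wildcard mask to a CIDR prefix, and diffs the result against a reference prefix list you maintain from IANA. The configuration excerpt and the reference list are constructed for the example and are not current IANA data.

```python
"""Audit AutoSecure's autosec_* ingress ACLs against a reference prefix list.

Added example, not part of the book or of Cisco IOS. Parses the
"deny ip <network> <wildcard> any" lines of each extended ACL, converts
the wildcard masks to CIDR prefixes and reports which reference prefixes
the ACL misses and which ACL entries the reference no longer contains.
"""
import ipaddress
import re

ACL_RE = re.compile(r"^\s*ip access-list extended (\S+)\s*$")
DENY_RE = re.compile(r"^\s*deny ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) any\s*$")


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted subnet masks: 0.255.255.255 -> /8,
    0.15.255.255 -> /12, 15.255.255.255 -> /4. The one bits must be contiguous."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_acls(config_text):
    """Return {acl_name: [IPv4Network, ...]} built from each ACL's deny lines."""
    acls, current = {}, None
    for line in config_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif line.strip() == "exit":
            current = None
        elif current is not None:
            m = DENY_RE.match(line)
            if m:
                acls[current].append(wildcard_to_network(m.group(1), m.group(2)))
    return acls


def audit_acl(acl_networks, reference):
    """Return (missing, stale): reference prefixes the ACL does not deny, and
    ACL entries absent from the reference (for example /8s that IANA has since
    allocated, which would now block legitimate source addresses)."""
    denied = set(acl_networks)
    ref = {ipaddress.ip_network(p) for p in reference}
    return sorted(ref - denied), sorted(denied - ref)


# Constructed excerpt in the format of AutoSecure's generated configuration.
SAMPLE_CONFIG = """\
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date.
exit
"""

# Constructed reference list: 1/8 and 2/8 are left out to stand in for blocks
# IANA allocated after the router image was built, and 100.64.0.0/10 is added
# as a block the image never knew about. Replace it with your maintained list.
REFERENCE_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]


def audit_report(config_text=SAMPLE_CONFIG, reference=REFERENCE_BOGONS):
    """Audit the ACL that option 3 in step 14 applies to the edge interface."""
    missing, stale = audit_acl(parse_acls(config_text)["autosec_complete_bogon"], reference)
    return {"missing": [str(n) for n in missing], "stale": [str(n) for n in stale]}


if __name__ == "__main__":
    report = audit_report()
    print("Reference prefixes the ACL does not deny:", report["missing"])
    print("ACL entries absent from the reference (review for removal):", report["stale"])
```

Feed it the text of show auto secure config (or the running configuration) and a prefix list you refresh from the IANA registry the script's remark points to; entries reported as stale are the ones that silently start dropping legitimate traffic as address space is allocated.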
NOTE
I have not discussed many features here that AutoSecure configures for you, including CBAC, CEF, ACLs, and others. These are covered in later chapters in much more depth.
When you have implemented AutoSecure, you can view the commands that AutoSecure generated with the following command:
Router# show auto secure config
This is the same display shown in Step 16 of the previous demonstration. Note that to execute the show auto secure config command, you must be in privileged EXEC mode.
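Reviewing the listing by eye does not scale once you have several routers, and AutoSecure can silently skip commands on a router that already had a configuration. The following script is an added example, not code from the book or from Cisco IOS: it takes the text of show running-config (where interface stanza members are indented, unlike the show auto secure config listing) and reports which of the management-plane commands listed earlier in this section are absent globally and on each interface. The configuration is constructed for the example, with FastEthernet0 deliberately left partly unhardened.

```python
"""Verify the management-plane hardening AutoSecure is supposed to apply.

Added example, not part of the book or of Cisco IOS. Parses running-config
text into global commands and per-interface command sets, then reports the
expected AutoSecure commands that are missing in each scope.
"""
import re

# Global management-plane commands AutoSecure generates (see step 16).
EXPECTED_GLOBAL = {
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
    "security passwords min-length 6", "security authentication failure rate 10 log",
}
# Interface services AutoSecure disables on every interface.
EXPECTED_INTERFACE = {
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast", "no ip mask-reply",
}
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")


def parse_config(text):
    """Return (global_commands, {interface_name: commands}).
    A stanza starts at an unindented 'interface' line; indented lines belong
    to it; a '!' separator or any other unindented line ends it."""
    global_cmds, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif raw[0].isspace():
            if current is not None:
                interfaces[current].add(line)
        else:
            m = INTERFACE_RE.match(line)
            if m:
                current = m.group(1)
                interfaces.setdefault(current, set())
            else:
                current = None
                global_cmds.add(line)
    return global_cmds, interfaces


def verify(text):
    """Return the expected commands that are missing, globally and per interface."""
    global_cmds, interfaces = parse_config(text)
    missing_if = {name: sorted(EXPECTED_INTERFACE - cmds) for name, cmds in interfaces.items()}
    return {
        "global": sorted(EXPECTED_GLOBAL - global_cmds),
        "interfaces": {name: m for name, m in missing_if.items() if m},
    }


# Constructed running-config excerpt, not a real device's configuration.
SAMPLE_RUNNING_CONFIG = """\
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
security passwords min-length 6
security authentication failure rate 10 log
no ip bootp server
no ip http server
no ip source-route
no cdp run
!
interface Ethernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
!
interface FastEthernet0
 no ip redirects
 no ip proxy-arp
!
"""

if __name__ == "__main__":
    for scope, missing in verify(SAMPLE_RUNNING_CONFIG).items():
        print(scope, missing)
```

A command that is at its IOS default (on images where the small servers or finger are already off) does not appear in show running-config, so treat a reported gap as something to confirm on the router before adding the command by hand.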
Two additional commands are a part of AutoSecure:
Router(config)# security passwords min-length length
Router(config)# security authentication failure rate #_of_failures log
The security passwords min-length command specifies the minimum length that passwords must have; this ensures that short, easily guessed passwords such as cisco and admin cannot be configured. The default is a minimum length of six characters. If you try to configure a password shorter than the minimum required length, you will see a message like the one in Example 4-23.
Bullmastiff(config)# username natalie secret cisco
% Password too short - must be at least 6 characters.
Password configuration failed
The security authentication failure rate command specifies the maximum number of failed authentication attempts before the router stops accepting subsequent authentication requests; the router pauses for 15 seconds and then processes new authentication requests. The default threshold for this command is 10 attempts. This is a very useful command for slowing brute-force password-guessing attacks.