What are the security implications of the following on a Cisco device?
line vty 0 4
exec-timeout 0 0
transport input ssh
First, here is what Cisco's documentation says about the exec-timeout command (I have pulled out the parts that matter to me):
To set the interval that the EXEC command interpreter waits until user input is detected, use the exec-timeout line configuration command. To remove the timeout definition, use the no form of this command.
If no input is detected during the interval, the EXEC facility resumes the current connection. If no connections exist, the EXEC facility returns the terminal to the idle state and disconnects the incoming session.
To specify no timeout, enter the exec-timeout 0 0 command.
Seems like "0 0" might not be a good idea, especially for console access, which I recently used to get into a core switch without having to log in. Just be aware of the security implications of the configs you do.
line con 0
exec-timeout 0 0
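An added audit script (not from the original post) that walks a saved running-config, groups it into its line stanzas and reports which ones will never tear down an idle EXEC session. The sample configuration is constructed; the script assumes IOS records a zero timeout as either exec-timeout 0 0 or no exec-timeout, and that the default when the command is absent is 10 minutes.

```python
import re

# Constructed sample config: the post's two snippets plus a hardened aux line.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 no exec-timeout
 transport input ssh
line vty 5 15
 transport input ssh
end
"""

DEFAULT_TIMEOUT_SECONDS = 600  # IOS default is 10 minutes when the command is absent


def parse_line_stanzas(config):
    """Return {'line con 0': [sub-commands], ...} for every line stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())   # indented = belongs to the stanza
        else:
            current = None                          # any top-level command ends it
    return stanzas


def idle_timeout_seconds(subcommands):
    """Effective idle timeout for one stanza; 0 means the session never times out."""
    for cmd in subcommands:
        if cmd == "no exec-timeout":                # how IOS displays 'exec-timeout 0 0'
            return 0
        m = re.fullmatch(r"exec-timeout (\d+)(?: (\d+))?", cmd)
        if m:
            return int(m.group(1)) * 60 + int(m.group(2) or 0)
    return DEFAULT_TIMEOUT_SECONDS


def find_never_timeout_lines(config):
    """Names of the line stanzas whose idle EXEC session is never disconnected."""
    return [name for name, cmds in parse_line_stanzas(config).items()
            if idle_timeout_seconds(cmds) == 0]


if __name__ == "__main__":
    for name in find_never_timeout_lines(SAMPLE_CONFIG):
        print(f"{name}: exec-timeout disabled, an abandoned session stays logged in")
```

Point it at the output of show running-config from each device to find console and vty lines that keep a forgotten session open indefinitely.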
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Monday, October 20, 2014
Cisco Switch/Router/ASA: "Exec-timeout 0 0"
Great note...especially about Console access. That could be a really bad "gotcha" for network equipment that may not have proper physical access control in place.
:) got me in enable mode when I needed it and didn't have the passwords.