If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords.
I thought everyone sensible put ACLs on vtys. Guess I was wrong.
I've seen ACL-less VTYs because someone copied a config from a router with fewer VTYs. 8-(
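The two replies above describe exactly the configuration slip an audit should catch: a `line vty 0 4` stanza that carries an `access-class`, and a wider VTY range added later (or inherited from a copied config) that does not. The following Python script is an added example, not code from the thread; it parses a constructed IOS-style config (embedded inline) and reports any VTY range with no inbound access-class or with a plaintext transport. The sample config, the function names `parse_vty_lines` and `audit_vty`, and the address ranges are all assumptions made for the illustration.

```python
import re

# Constructed sample IOS config (not from the thread): the first VTY
# range carries an access-class, the range added later does not, which
# is the "copied from a router with fewer VTYs" mistake described above.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
!
line con 0
 login
line vty 0 4
 access-class 10 in
 login
 transport input ssh
line vty 5 15
 login
 transport input telnet
!
end
"""

# Matches "line vty N" or "line vty N M" at the top level of the config.
VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")


def parse_vty_lines(config):
    """Return one dict per 'line vty' stanza: its numeric range and the
    indented commands that belong to it."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        m = VTY_RE.match(raw)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"first": first, "last": last, "commands": []}
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current["commands"].append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas


def audit_vty(config):
    """Return a list of human-readable findings: VTY ranges with no
    inbound access-class, and ranges that still permit cleartext
    transports (telnet, or 'all')."""
    findings = []
    for s in parse_vty_lines(config):
        rng = f"vty {s['first']} {s['last']}"
        has_acl = any(
            c.startswith("access-class ") and c.endswith(" in")
            for c in s["commands"]
        )
        if not has_acl:
            findings.append(f"{rng}: no inbound access-class")
        for c in s["commands"]:
            if c.startswith("transport input "):
                protocols = c.split()[2:]
                if "telnet" in protocols or "all" in protocols:
                    findings.append(f"{rng}: {c} allows cleartext management")
    return findings


if __name__ == "__main__":
    for finding in audit_vty(SAMPLE_CONFIG) or ["no VTY findings"]:
        print(finding)
```

Run against the sample, the script flags only `vty 5 15`, which is the range a config copied from a five-VTY router would leave unprotected. In practice the input would be the output of `show running-config`, and the same pass can be extended to check that the referenced access-list actually exists and ends in an explicit deny.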
Yes, but these are clue problems, not router operating system problems. The OS problem is when they leave a device with a default backdoor because they want to make it easy for their customers. It's almost like the cheaper the box, the less secure, and the consideration seems to be that unsavvy folks are buying the cheaper boxen so "it needs to be easy".

If you look at the maintenance and surveillance networks of a few large tier1's, you'll find this "dummy" gear on those networks since they are cheap and generate no revenue. My last M/S design was dual rail 2XXX, 1600's for firewalls and frame terminations, which handled console and monitoring for the cost of an ethernet port and < 15K per facility. For the use, the capex matches as well as the reliability.

If we accept the "clue" problem as the solution, I think we accept the fact that we condone the vendor not having secure solutions. That may be fine for our new colleague the 'security engineer', but it's not good for the Internet as a whole and it distracts us from the work of making it work. Offering tutorials at NANOG is a great effort towards the clue issue, but maybe we should offer vendors tutorials on the inverse?

-M