Re: Cisco, haven't we learned anything? (technician reset)
Hi, Matthew.

] Cisco Router and Security Device Manager (SDM) is installed on this device.
] This feature requires the one-time use of the username "cisco"
] with the password "cisco".

Interesting. Is it limited to one-time use? Are the network login services (SSH, telnet, et al.) prevented from using this login and password?

Thanks!
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
Hi, Matthew.
] Cisco Router and Security Device Manager (SDM) is installed on this device.
] This feature requires the one-time use of the username "cisco"
] with the password "cisco".
Interesting. Is it limited to one-time use? Are the network login services (SSH, telnet, et al.) prevented from using this login and password?
I know the AP350 comes with a default Cisco/Cisco account (as opposed to doing an nvram/config clear, where it only lets you log in on the console). Problem is, with Cisco each product group controls how it ships its system, so the Aironet teams don't quite seem to get this IMHO. That doesn't mean your 76k/GSR/CRS-1 will have Cisco/Cisco, but your Aironet products sure may.

- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Many products have default STARTING passwords. Whose fault is it that someone can't figure out that it's not real bright if they don't change it? The hidden ones are more of an issue (with static passwords as opposed to generated ones).

Scott

PS. If your briefcase still uses 0000 as the combination, I have no sympathy for your missing items... ;)

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jared Mauch
Sent: Thursday, January 12, 2006 12:39 PM
To: Rob Thomas
Cc: NANOG
Subject: Re: Cisco, haven't we learned anything? (technician reset)
On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
Hi, Matthew.
] Cisco Router and Security Device Manager (SDM) is installed on this device.
] This feature requires the one-time use of the username "cisco"
] with the password "cisco".
Interesting. Is it limited to one-time use? Are the network login services (SSH, telnet, et al.) prevented from using this login and password?
I know the AP350 comes with a default Cisco/Cisco account (as opposed to doing an nvram/config clear, where it only lets you log in on the console). Problem is, with Cisco each product group controls how it ships its system, so the Aironet teams don't quite seem to get this IMHO. That doesn't mean your 76k/GSR/CRS-1 will have Cisco/Cisco, but your Aironet products sure may.
No, but it means that there is no centralized standard on how to implement authentication, which is troubling. That means that your GSR _could_ come with such a "feature".

-M<
- jared
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Hi, NANOGers.

You all know how I love a good segue... ;)

How can you tell if your router has been owned? In general the configuration will be modified. This is why we advocate using rancid (or something akin to it) as both a configuration backup tool AND an early warning tool. If you have a router running BGP, it also pays to peer with it externally. You can use a private ASN and rackspace with a buddy. You can use this peering to detect announcements you don't expect or necessarily condone.

How else can you tell? Here are some tips:

If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords. They know that other miscreants are doing the same thing. In fact this is even more widespread thanks to a module found in rBot and rxBot. Yes, even bots are scanning for routers now.

If there are new or changed ACLs, look out! The miscreants love to use routers as IRC bounces. To avoid detection by IRC server proxy monitors, the miscreants will block access to the router (generally all access, sometimes just TCP 23) from those proxy monitors using ACLs.

If there are new or changed SNMP RW community strings, look out! One of the tricks they employ is to leave an SNMP RW community backdoor. Is this to avoid the actions of us good folk? No, it's usually employed in the case where a compromised router is stolen from one miscreant by another.

If the banner has changed, look out! As with the ACLs, this is a method by which the miscreants attempt to fool any proxy monitors. The most common banner we see identifies the router as a FreeBSD box.

If tunnels suddenly appear on the router, look out! Chaining together lots of routers is also common now. This provides obfuscation and sometimes encryption.

Most of the changes are based on templates. Consider this bundled clue, where the prowess of the template user isn't at all a factor.

Use the flows. :)

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
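Rob's advice is to let a config collector like rancid raise the alarm when a snapshot changes. As an added example (not from the thread, and not rancid's own code), the Python script below diffs two constructed IOS snapshots and buckets every changed line under the indicators he lists: user accounts, enable/access passwords, ACLs, SNMP RW communities, the banner and tunnels. The sample configs and the indicator regexes are assumptions.

```python
import re
from difflib import unified_diff

# Constructed sample IOS snapshots (not from the thread): a trusted baseline and
# a later copy pulled by a rancid-style collector.
BASELINE = """\
username ops privilege 15 secret 5 $1$baseline
enable secret 5 $1$baseline
snmp-server community monitor-ro RO 10
banner motd ^C Authorized use only ^C
"""
CURRENT = """\
username ops privilege 15 secret 5 $1$baseline
username cisco privilege 15 secret 5 $1$changed
enable secret 5 $1$changed
snmp-server community monitor-ro RO 10
snmp-server community backdoor RW
banner motd ^C FreeBSD 5.4-RELEASE (GENERIC) ^C
interface Tunnel0
 tunnel source Loopback0
access-list 99 deny 192.0.2.0 0.0.0.255
"""

# Rob's indicators, each as a regex over one added or removed config line.
INDICATORS = {
    "user account":    re.compile(r"^username\s"),
    "enable/password": re.compile(r"^(enable (secret|password)|\s*password)\s"),
    "ACL":             re.compile(r"^(ip )?access-list\s|^\s*access-class\s"),
    "SNMP RW":         re.compile(r"^snmp-server community\s+\S+\s+RW\b"),
    "banner":          re.compile(r"^banner\s"),
    "tunnel":          re.compile(r"^interface Tunnel|^\s*tunnel\s"),
}

def flag_changes(baseline, current):
    """Diff two snapshots and bucket each +/- line by indicator ('other' if none)."""
    hits = {}
    diff = unified_diff(baseline.splitlines(), current.splitlines(), n=0, lineterm="")
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # file headers and hunk markers, not config lines
        body = line[1:]
        name = next((k for k, rx in INDICATORS.items() if rx.search(body)), "other")
        hits.setdefault(name, []).append(line)
    return hits

if __name__ == "__main__":
    for name, lines in flag_changes(BASELINE, CURRENT).items():
        print(f"[{name}]", *lines, sep="\n  ")
```

Anything that lands in the "other" bucket still gets reported, so a template the regexes do not anticipate is not silently dropped.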
On Thu, 12 Jan 2006, Rob Thomas wrote:
If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords.
I thought everyone sensible put ACLs on vtys. Guess I was wrong. -Dan
If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords.
I thought everyone sensible put ACLs on vtys. Guess I was wrong.
I've seen ACL-less VTYs because someone copied a config from a router with fewer VTYs. 8-(
If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords.
I thought everyone sensible put ACLs on vtys. Guess I was wrong.
I've seen ACL-less VTYs because someone copied a config from a router with fewer VTYs. 8-(
Yes, but these are clue problems, not router operating system problems. The OS problem is when they leave a device with a default backdoor because they want to make it easy for their customers. It's almost like the cheaper the box, the less secure it is, and the consideration seems to be that unsavvy folk are buying the cheaper boxen, so "it needs to be easy". If you look at the maintenance and surveillance networks of a few large tier 1s, you'll find this "dummy" gear on those networks since it is cheap and generates no revenue. My last M/S design was dual rail 2XXX, 1600's for firewalls and frame terminations, which handled console and monitoring for the cost of an ethernet port and < 15K per facility. For the use, the capex matches as well as the reliability. If we accept the "clue" problem as the solution, I think we accept the fact that we condone the vendor not having secure solutions. That may be fine for our new colleague the 'security engineer', but it's not good for the Internet as a whole and it distracts us from the work of making it work. Offering tutorials at NANOG is a great effort towards the clue issue, but maybe we should offer vendors tutorials on the inverse?

-M<
On Thu, 12 Jan 2006, Martin Hannigan wrote:
If we accept the "clue" problem as the solution, I think we accept the fact that we condone the vendor not having secure solutions. That may be fine for our new colleague the 'security
vendors should always, or be beaten about the head/shoulders when not, put out secure products... always.
engineer', but it's not good for the Internet as a whole and it distracts us from the work of making it work.
how is it better for security engineers? it's hell, every 3rd month a new 'default passwd' often on a 'security' device :( talk about stupid :(
Offering tutorials at NANOG is a great effort towards the clue issue, but maybe we should offer vendors tutorials on the inverse?
Some vendors have asked for and received this sort of thing. Does huwei (which I butchered the spelling of) want one (or need one)? How about netgear and their lovely NTP issue? Or checkpoint, or ... there are quite a few vendors out there, some even attend NANOG. If they listened to their customers I suspect they'd hear: "I want a secure platform!" quite loudly.
On Fri, Jan 13, 2006 at 03:29:15AM +0000, Christopher L. Morrow wrote: ...
Some vendors have asked for and received this sort of thing. Does huwei (which I butchered the spelling of) want one (or need one)? How about netgear and their lovely NTP issue? Or checkpoint, or ... there are quite a few vendors out there, some even attend NANOG. If they listened to their customers I suspect they'd hear: "I want a secure platform!" quite loudly.
Only from the engineers. From the money people (Layer 8), they may be hearing: "I want an inexpensive platform, and make it as easy to manage as MS Windows, so I don't have to hire all these expensive network engineers, eh?" The trick may be to get the Layer 9 people to understand that this is a losing proposition.

--
Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
On Thu, 12 Jan 2006, Rob Thomas wrote:
If there are new or changed SNMP RW community strings, look out!
If you have any SNMP v1/v2 RW communities whatsoever, you're likely to be owned, at least if they're common to several units in your network and you don't limit what part of the tree the RW communities can access. Seems like a common attack vector is to send SNMP WRITE and upload the router configuration to a hacked tftp server, and then iterate through the network, as a lot of people have a single SNMP WRITE community in their network.

--
Mikael Abrahamsson email: swmike@swm.pp.se
Some Cisco IOSes have numerous bugs related to SNMP (I watched a few cases where all the Cisco 72xxs lost their configuration because of receiving something bogus), so SNMP should be filtered out from the public internet.

----- Original Message -----
From: "Mikael Abrahamsson" <swmike@swm.pp.se>
To: "NANOG" <nanog@merit.edu>
Sent: Thursday, January 12, 2006 2:09 PM
Subject: Re: Is my router owned? How would I know?
On Sat, 14 Jan 2006, Alexei Roudnev wrote:
Some Cisco IOS'es have numerous bugs, related to SNMP (I watched few cases, when all Cisco's 72xx lost configuration becuase of receivbing something bogus), so SNMP should be filtered out from public internet.
The major problem people forget is that snmp is UDP, and if there is any way whatsoever to spoof your management station, someone will be able to upload your config to wherever unless you have tightened down what can be done via snmp write. As soon as they have your config they're likely to be able to progress further unless you have very tight security. Also remember that the private key for SSH is in the config, so if they get it, ssh offers no protection either.

Rule of thumb: All keys (tacacs keys, snmp communities etc) should be unique for each device, so if someone gets the config, they cannot use the information on other devices in your network.

--
Mikael Abrahamsson email: swmike@swm.pp.se
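Mikael's rule of thumb, turned into a check you can run over a config repository: an added example (not from the thread) that scans a set of constructed device configs for SNMP communities and TACACS keys reused across devices, and for RW communities with no access-list restricting who may use them. The sample configs are assumptions, and the IOS syntax handling is simplified (an optional numeric or named ACL right after RO/RW, no SNMP views).

```python
import re
from collections import defaultdict

# Constructed sample configs for three devices (not from the thread). One RW
# community and one TACACS key are reused, and edge2's RW community has no ACL.
CONFIGS = {
    "edge1": (
        "snmp-server community ops-rw RW 20\n"
        "snmp-server community mon RO 10\n"
        "tacacs-server key 7 placeholder-shared\n"
    ),
    "edge2": (
        "snmp-server community ops-rw RW\n"
        "tacacs-server key 7 placeholder-shared\n"
    ),
    "core1": (
        "snmp-server community c0re-rw RW 20\n"
        "tacacs-server key 7 placeholder-core\n"
    ),
}

# Simplified IOS syntax: community, optional RO/RW, optional ACL number or name.
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?\s*$", re.M)
TACACS_RE = re.compile(r"^tacacs-server key(?: \d)? (\S+)\s*$", re.M)

def audit(configs):
    """Return (shared, unrestricted).

    shared: {(kind, value): [devices]} for every secret seen on more than one
    device; unrestricted: [(device, community)] for RW communities with no ACL.
    """
    seen = defaultdict(set)
    unrestricted = []
    for dev, cfg in configs.items():
        for community, mode, acl in SNMP_RE.findall(cfg):
            seen[("snmp community", community)].add(dev)
            if mode == "RW" and not acl:
                unrestricted.append((dev, community))
        for key in TACACS_RE.findall(cfg):
            seen[("tacacs key", key)].add(dev)
    shared = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return shared, unrestricted

if __name__ == "__main__":
    shared, unrestricted = audit(CONFIGS)
    print("reused:", shared)
    print("RW without ACL:", unrestricted)
```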
I use CCR (Cisco Configuration Repository, part of the snmpstat project) and have change reports daily, plus syslog reports hourly. The same (osiris) with hosts, btw.

----- Original Message -----
From: "Rob Thomas" <robt@cymru.com>
To: "NANOG" <nanog@merit.edu>
Sent: Thursday, January 12, 2006 10:19 AM
Subject: Is my router owned? How would I know?
On Thu, Jan 12, 2006 at 10:53:32AM -0600, Rob Thomas wrote:
Hi, Matthew.
] Cisco Router and Security Device Manager (SDM) is installed on this device.
] This feature requires the one-time use of the username "cisco"
] with the password "cisco".
Interesting. Is it limited to one-time use? Are the network login services (SSH, telnet, et al.) prevented from using this login and password?
No. No. (It's nothing special -- it doesn't do anything you couldn't configure manually on a pre-SDM device if you wanted.)

-- Brett
participants (11)
- Alexei Roudnev
- Brett Frankenberger
- Christopher L. Morrow
- Florian Weimer
- goemon@anime.net
- Jared Mauch
- Joseph S D Yao
- Martin Hannigan
- Mikael Abrahamsson
- Rob Thomas
- Scott Morris