Cisco IOS Login Enhancements

Since 2005 Cisco IOS has offered several security enhancements to help mitigate the risks of dictionary attacks used against login sessions. Now you are probably wondering why I’m blogging about something more than 7 years after it was released. I rarely see people implement any of these features and I’m hoping to raise the visibility of these simple configurations.

If you’ve ever left SSH open to the internet I’m confident you’ve seen how quickly a dictionary attack will commence. There are two basic ways to combat this issue. The first, and highly recommended, way is to simply block SSH access from the internet. The second option involves slowing down dictionary attacks to the point where usernames and passwords can’t be tested quickly enough to guess a valid combination.

The Cisco IOS login enhancements include two features:

  1. Introducing a delay between successive login attempts
  2. Blocking all login attempts once a failure threshold is reached

By introducing even a small delay the time taken for a remote attacker to apply a dictionary attack is greatly increased.

Cisco refers to the second feature as “quiet mode” and also includes an option to specify an access-list which is exempted during the block period.

A quick example should tie all these pieces together. First we will create an access-list that permits specific network(s) from which logins will never be denied.

ip access-list extended SSH_IN
 remark Local Network
 permit ip 10.1.0.0 0.0.0.255 any

Next we will configure login blocking, which requires three parameters: the length of time to block for, the number of failed attempts after which to take action, and the period of time during which to monitor failed logins. Here’s the completed configuration to block logins for 60 seconds after 3 failed attempts within a 60 second period. The second line references the access-list created above so that the specified networks are never blocked.

login block-for 60 attempts 3 within 60
login quiet-mode access-class SSH_IN

Previously I mentioned that a simple delay between login attempts would greatly slow down dictionary attacks. This delay can be accomplished using the following configuration. The delay duration is specified in seconds.

login delay 2
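To make the semantics of the three block-for parameters and the quiet-mode exemption concrete, here is a small Python model of the behaviour described above. It is an added illustration, not Cisco code or anything from the original post: the sliding watch window, the block timer and the exempt network are modelled from the command description, and the choice to clear the failure counter after a successful login is a simplifying assumption of this model, not a documented IOS detail. The source addresses and timings are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginBlockPolicy:
    """Simplified model of 'login block-for <block_for> attempts <attempts>
    within <within>' plus 'login quiet-mode access-class <acl>' (here the
    exempt_networks tuple). Times are seconds; the caller supplies the clock."""
    block_for: int
    attempts: int
    within: int
    exempt_networks: tuple = ()
    failures: list = field(default_factory=list)  # timestamps of recent failures
    quiet_until: float = 0.0                      # quiet mode while now < quiet_until

    def is_exempt(self, source_ip):
        ip = ipaddress.ip_address(source_ip)
        return any(ip in ipaddress.ip_network(net) for net in self.exempt_networks)

    def in_quiet_mode(self, now):
        return now < self.quiet_until

    def attempt(self, now, source_ip, success):
        """Process one login attempt and report what the device would do."""
        if self.in_quiet_mode(now) and not self.is_exempt(source_ip):
            return "dropped"          # quiet mode: refused before authentication
        if success:
            self.failures.clear()     # modelling assumption: success clears the count
            return "success"
        # keep only the failures that fall inside the watch window
        self.failures = [t for t in self.failures if now - t < self.within]
        self.failures.append(now)
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            return "quiet-mode-on"
        return "failed"


def run_scenario():
    """Constructed scenario: three failures inside 60 s from 203.0.113.5
    trigger a 60 s block; 10.1.0.7 (inside the exempt ACL) still gets in."""
    policy = LoginBlockPolicy(block_for=60, attempts=3, within=60,
                              exempt_networks=("10.1.0.0/24",))
    events = [
        (0,  "203.0.113.5", False),
        (10, "203.0.113.5", False),
        (20, "203.0.113.5", False),   # third failure within 60 s -> quiet mode
        (30, "203.0.113.5", True),    # valid credentials, still dropped while quiet
        (30, "10.1.0.7",    True),    # exempt network: allowed during quiet mode
        (80, "203.0.113.5", False),   # block expired, counting starts over
    ]
    return [policy.attempt(now, ip, ok) for now, ip, ok in events]


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

Note that the window is a sliding one: three failures spaced more than 60 seconds apart never accumulate to the threshold, which is why the `within` value matters as much as `attempts`.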

Cisco Documentation Link

Cisco Unified Communications Manager (CallManager) TFTP File Browsing

The Cisco CallManager TFTP server component provides various configuration files to endpoints (phones, video devices, etc.) as well as things like ring tones, IP phone background images, and phone loads (firmware). There are times when it is convenient to directly access the files that the TFTP server is hosting such as when determining why a phone can’t download a new background or ring tone.

One method of accessing these files from Windows is to use the built-in TFTP command line application. Simply open a command prompt and type:

tftp <server IP or hostname> get SEP<MACADDRESS>.cnf.xml

Microsoft documentation on this command is available here. If you are running Windows 7 the TFTP application is not installed by default and you will need to install it using the “Turn Windows Features On or Off” section of the “Programs and Features” Control Panel item.

Most Linux/Unix distributions (including OS X) include tftp by default, which can be invoked from the command line simply by typing:

tftp <server IP or hostname>
tftp> get SEP<MACADDRESS>.cnf.xml
tftp> quit

For more information reference the manual page (man tftp).

The other method of accessing these TFTP files is to actually use HTTP, which was made available in CallManager 8.x. The 89XX and 99XX series IP phones actually attempt to download files via HTTP and fall back to TFTP only when necessary. You can use this new functionality to your advantage and simply browse to http://<TFTP server IP or hostname>:6970/<File Name>

For example if you wish to download a phone configuration file just put this in the address bar of your browser:

http://<TFTP server IP or hostname>:6970/SEP<MACADDRESS>.cnf.xml

Once downloaded simply open this file with any text or XML capable editor.

Remember that just as in the past if you manually upload a new file to the CallManager TFTP server you need to stop and restart the TFTP service in order to have the new file appear no matter if you are accessing the file via TFTP or HTTP.
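The HTTP method above lends itself to scripting when you have more than one phone to check. The following Python is an added example, not part of the original post and not a Cisco tool: it builds the SEP<MAC>.cnf.xml name from a MAC address in any of the usual notations, fetches it from port 6970 the way an 89XX/99XX phone would, and pulls a couple of values out of the XML. The element names `loadInformation` and `processNodeName` are assumed from typical CUCM phone configuration files, and the embedded sample document is constructed and heavily trimmed so the parsing part runs offline.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

CUCM_HTTP_PORT = 6970  # HTTP front end of the CUCM TFTP service (from the post)


def phone_config_filename(mac):
    """Build SEP<MAC>.cnf.xml from '00:1a:2b:3c:4d:5e', '001a.2b3c.4d5e' or
    '001A2B3C4D5E'; CUCM names the file with the MAC in upper-case hex."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"SEP{hexdigits}.cnf.xml"


def phone_config_url(tftp_host, mac):
    return f"http://{tftp_host}:{CUCM_HTTP_PORT}/{phone_config_filename(mac)}"


def fetch_phone_config(tftp_host, mac, timeout=5):
    """Download the configuration file over HTTP (needs a reachable CUCM)."""
    with urllib.request.urlopen(phone_config_url(tftp_host, mac), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def summarize_phone_config(xml_text):
    """Extract the firmware load and the CallManager list from a cnf.xml.
    Element names are assumptions about the CUCM schema; adjust them to
    whatever the file you downloaded actually contains."""
    root = ET.fromstring(xml_text)
    return {
        "load": root.findtext(".//loadInformation"),
        "callmanagers": [e.text for e in root.iter("processNodeName") if e.text],
    }


# Constructed, trimmed sample so summarize_phone_config() can run offline
SAMPLE_CNF_XML = """<device>
  <devicePool>
    <callManagerGroup>
      <members>
        <member priority="0">
          <callManager><processNodeName>cucm-pub.example.net</processNodeName></callManager>
        </member>
        <member priority="1">
          <callManager><processNodeName>cucm-sub.example.net</processNodeName></callManager>
        </member>
      </members>
    </callManagerGroup>
  </devicePool>
  <loadInformation>EXAMPLE-LOAD-ID</loadInformation>
</device>"""

if __name__ == "__main__":
    print(phone_config_url("cucm-tftp.example.net", "00:1a:2b:3c:4d:5e"))
    print(summarize_phone_config(SAMPLE_CNF_XML))
```

Swap `SAMPLE_CNF_XML` for the result of `fetch_phone_config()` when you have a CUCM to talk to; the file is served without authentication, which is exactly why it is handy for checking what load and CallManager group a phone has been handed.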

Using Cisco Unified Communications Manager (CallManager) to Convert Audio Format

I was helping someone with a contact center express project recently and it became necessary to convert some G.711 audio prompts to G.729. Back in the good ol’ days of CallManager 3.x – 4.x this was a very simple task, but I had never attempted using a Linux based version of CUCM (CallManager) to do the same. You will need an SFTP server to act as the destination for the converted files. I highly recommend SilverSHielD if you are running Windows (there’s a free version available at the link).

Enough background. Here’s the process:

  1. Log in to the CUCM admin web page and navigate to Media Resources -> MOH Audio File Management
  2. Upload the audio file(s) that you want to convert to G.729
  3. Log in to the CUCM command line interface via SSH
  4. Run the following command to see all current MOH files: “file list activelog mohprep”
  5. Run the following command to transfer the file to an SFTP server: “file get activelog mohprep/<filename>.wav” (where filename is obtained in step 4)
  6. You will be prompted to enter the following details about the SFTP server:

SFTP server IP: <SERVER IP>

SFTP server port [22]:

User ID: <SFTP username>

Password: <SFTP password>

Download directory: \

(NOTE: Use ‘\’ for Windows based SFTP servers or ‘/’ for Linux/Unix based SFTP servers)

Cisco IOS SIP dial-peer status notifications

This configuration will create a syslog message as well as an SNMP trap either of which your monitoring/alerting systems should be able to use as a trigger to take action.

1. Copy the linked TCL file to the root of the flash filesystem on the router that connects to the SIP trunk(s). Download TCL Script
2. Add the command “voice-class sip options-keepalive” to one of the dial-peers pointing to the service provider and make a note of the dial-peer number you are adding the command to

Example:

dial-peer voice 100 voip
 voice-class sip options-keepalive

3. Add the command “track 100 stub-object” to the global config.
4. Add the command “snmp-server enable traps event-manager” to the global config (this is needed for the SNMP trap functionality).

5. Finally the following configuration template can be applied to the router. Notice the number 100 below is a reference to the dial-peer and tracking number from above and must match for this to work.

event manager environment dial_peer_number 100
event manager environment check_interval 30
event manager directory user policy "flash:/"
event manager applet siptrunk_down
 event track 100 state down
 action 10 snmp-trap strdata "SIP Trunk Down"
 action 20 syslog msg "Alert - SIP Trunk Down"
event manager policy check_dial_peer_status.tcl

This was documented at the following Cisco page as well: Link

General Cisco IOS Debugging Reference

Many engineers have been scared away from running debugs in production networks due to bad experiences with high CPU utilization requiring drastic action like powering down the device and letting it reload. The CPU impact of debugging can be greatly decreased by changing the configuration of IOS. The snippet below shows a basic template that both reduces the performance impact of debugging and also helps improve the accuracy of logged debugging information.

Router(config)# service timestamps debug datetime localtime msec
Router(config)# service sequence-numbers
Router(config)# logging buffered 1000000 debug
Router(config)# no logging console
Router(config)# no logging monitor

I love config templates as much as the next guy, but a better understanding of what each of these commands does is important too!

Let’s break it down line by line:

service timestamps debug datetime localtime msec Ensures that debug logging entries include millisecond time stamps based on the router’s clock. Millisecond level precision is desired as debugging can generate a lot of messages very quickly and it’s important to know what order things happened in.

service sequence-numbers Assigns numerically increasing values to the beginning of log entries to quickly identify the order in which messages occurred.

logging buffered 1000000 debug Increases the size of the onboard log buffer to 1 MB and enables logging of debug level messages. Be aware that issuing this command will erase the current log entries.

no logging console Disables logging output to the console port. By default all logging output is sent to the console port whether or not anything is even connected to it. Not configuring this is one of the biggest contributors to the high CPU utilization and sluggish response. Simply put Cisco IOS schedules the output of text to the console port ahead of many other tasks. The default baud rate on the console interface is 9600 bps, which further amplifies the problem. This means that when lots of things are being sent to the console other tasks must wait before they are allowed to execute.

no logging monitor Disables logging output to other terminal interfaces (telnet or SSH). This prevents us from being able to use the “terminal monitor” command which can be a useful way to see the output of a debug while connected to a router over telnet or SSH. The downside of examining debugs in this way is that depending upon how quickly the messages are being generated there is a good chance some won’t ever show up on your screen. It’s best to simply log them to the internal buffer and view them using “show log”.

Both of the previous commands could be altered to prevent just debug logs from being displayed. Simply add the word “debugging” after one or both and you’ll still be able to see everything that isn’t a debug message.

As wise network professionals always say be sure to test and validate these configurations in a lab environment before implementing anything in production. Even with the optimizations above be sure to check CPU and memory utilization before enabling any debugs.

Cisco IOS dial peer basics

To find all dial-peers configured use “show run | include dial-peer”
To see the configuration of all the dial-peers use “show run | section dial-peer”
If you want to see the entire configuration use “show run”, but I’d start to get comfortable with using the | syntax to help reduce paging through lengthy configurations. Before you make any changes it is a good idea to save a copy of the configuration as a reference. This can be done in a few ways, but the easiest is usually to log your terminal session (turn on logging in PuTTY) and then type “show run” and page through the entire configuration to ensure that it’s been logged. By doing this you can easily revert back to a previous configuration without scrambling to find a backup copy somewhere on the network.

When you’ve found a dial-peer that is a good template for what you want to do simply copy and paste that single dial-peer to notepad. A single dial-peer starts with the “dial-peer voice xxx” line and ends with the last indented line. When Cisco IOS parses the configuration the indents are automatically added to help make it easier to see what sub-commands are related to a parent command. In the examples below the “dial-peer voice xxx” commands are parent commands and everything indented below them are commands related to these parent commands. You’ll see that same syntax many places within the configuration for things other than dial-peers as well.

Note: Make sure when you configure a new dial-peer that you choose a unique number to identify the dial-peer, otherwise you’ll be overwriting the existing dial-peer with your new configuration. In the example below you’d be safe creating a dial-peer “102”. The router will not prompt you or prevent you from overwriting existing configuration; it will simply assume that you want to change what is already there. You can think of it like pressing the “insert” key in Word: whenever you type with the cursor in front of existing text you simply overwrite what’s there. You should also know that any configuration changes take effect immediately.

Example:

Router#show run | include dial-peer
dial-peer voice 6000 voip
dial-peer voice 100 voip
dial-peer voice 101 voip

Router#show run | section dial-peer
dial-peer voice 6000 voip
 destination-pattern 60[01].
 session protocol sipv2
 session target ipv4:192.168.1.100
 voice-class codec 2
 dtmf-relay rtp-nte
 no vad
dial-peer voice 100 voip
 translation-profile outgoing OUTBOUND
 destination-pattern 9[2-9]..[2-9]......
 progress_ind setup enable 3
 session protocol sipv2
 session target ipv4:192.168.1.100
 voice-class sip early-offer forced
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad
dial-peer voice 101 voip
 translation-profile outgoing OUTBOUND
 destination-pattern 91[2-9]..[2-9]......
 progress_ind setup enable 3
 session protocol sipv2
 session target ipv4:192.168.1.100
 voice-class sip early-offer forced
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

To add a new dial-peer you first need to ensure that you’re in configuration mode (take a look at the router prompt and if you see the word “config” after the router hostname you’re good to go). If you’re in enable mode (you’ll see the hash or octothorpe after the router hostname) type “config t” to enter config mode.

Example:

Router#

Now we enter configuration mode:

Router#config t

The prompt changes to:

Router(config)#

From the configuration prompt you can type or paste your new dial-peer.

Router(config)#dial-peer voice 102 voip
 translation-profile outgoing OUTBOUND
 destination-pattern 9011T
 progress_ind setup enable 3
 session protocol sipv2
 session target ipv4:192.168.1.100
 voice-class sip early-offer forced
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

To return to enable mode type "exit"

Router(config)#exit

The prompt will return to the enable mode prompt:

Router#

To save your configuration type "write memory". If you don't do this and someone restarts the router or power is lost your configuration changes will be lost.

Router#write memory

You'll see two messages displayed and then you'll be returned to the enable mode prompt:

Router#wr mem
Building configuration...

[OK]
Router#

To logout of the router and close your session type "exit":

Router#exit

Strange crypto map commands logged at boot up

When configuration archiving and logging is configured on an IOS router with a crypto capable image you may see some rather odd commands every time the router starts up.

Here’s an example of what’s shown when you run “show archive log config all”:

1 1 console@console |access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
2 1 console@console |crypto map NiStTeSt1 10 ipsec-manual
3 1 console@console |match address 199
4 1 console@console |set peer 20.20.20.20
5 1 console@console |exit
6 1 console@console |no access-list 199
7 1 console@console |no crypto map NiStTeSt1

At first glance this appears to be something nefarious, but it’s actually a test routine built in to IOS in order to meet FIPS requirements. It’s completely normal and does not impact normal operations.

Viewing pre-shared keys in Cisco ASA configuration

Most of the configuration on an ASA can be viewed in plain text just by using the “show run” command. One of the exceptions to this is viewing pre-shared keys for VPNs (the keys appear as asterisks ‘*’). These keys can however be viewed using the command “more system:running-config”, which displays the running configuration including the pre-shared keys in plain text. If you want to filter the output to just the lines containing the keys use “more system:running-config | include keys”.

Hide Cisco Unity Voice Messages from Microsoft Outlook Inbox

All Unity voice messages have a message class of “IPM.Note.Voice.Unity” (Unity Connection uses the message class IPM.Note.Custom.Cisco.Unity.Voice). Within Outlook you can adjust the default view to prevent displaying messages of specific classes thus hiding the Unity generated messages without moving them to a folder. This technique should allow for the MWI light status to be accurate and messages will be able to be retrieved via the phone.

Instructions:

  1. Launch Outlook
  2. Select View-> Current View-> Customize Current View
  3. Click the “Filter…” button
  4. Click the “Advanced” tab
  5. Click “Field” under “Define more criteria:”
  6. Select All Mail Fields->Message Class
  7. Select the “doesn’t contain” option under “Condition”
  8. In the “Value:” field enter IPM.Note.Voice.Unity
  9. Click “Add to List”
  10. Click “Ok” twice to save and activate your changes

The change should be active immediately and voice messages will no longer appear in the inbox or anywhere that this view is active. Different views can be created for different folders in case voice messages should appear in a sub-folder.

This was tested with Outlook 2007 on Windows 7.

Cisco IP Phone 7900 Reset Sequences

Most of the time Cisco IP phones boot up correctly and attempt to locate the appropriate network resources (CallManager IP, TFTP server, IP address, default gateway, DNS, etc.).

Occasionally this process doesn’t work correctly due to firmware issues or a failed firmware upgrade/downgrade. When this happens there are two reset sequences that may bring your phone back to life! Both procedures are nearly the same, but use different digit strings based on the type of reset you wish to perform. The first process removes all the phone configuration stored on the phone. The second process formats the flash memory on the phone and removes the firmware itself.

1. Unplug the power cable from the phone and then plug it back in.

The phone begins its power-up cycle.

2. While the phone is powering up, and before the Speaker button flashes on and off, press and hold #.

Continue to hold # until each line button flashes on and off in sequence in amber.

3. Release # and press the digit string for the reset you want:

   process 1: 123456789*0#

   process 2: 3491672850*#

You can press a key twice in a row, but if you press the keys out of sequence, the factory reset will not take place.

After you press these keys, the line buttons on the phone flash red, and the phone goes through the factory reset process.

Do not power down the phone until it completes the factory reset process, and the main screen appears.

If you followed process 2 be prepared to wait for up to 20 minutes for the phone to retrieve a copy of the firmware image from the TFTP server. Remember that since you removed the firmware completely there won’t even be the comforting Cisco labeled splash screen on startup. Be patient!