I'm not numbering these. They are not in order. This is not an exhaustive list. They are probably all from the CCNA and CCNP exam list. I'll mention reservations (potential problems) where I can.
Cisco User Security Config Guide
I'm not a super fast touch-typist, but even if I was, how many times a second would I be trying to log in? For a couple lines in the config, this is a pretty easy one.
login block-for (seconds) attempts (tries) within (seconds)
(optional) login quiet-mode access-class (acl-name or acl-number)
(optional) login delay (seconds)
The quiet-mode access class and the login delay are optional. I believe this works for both routers and switches.
Also, try the show login and show login failures commands.
RADIUS or TACACS is going to lock my account after three failed attempts anyway. So if I block login attempts after 2 tries, I'll forgo the pleasure of calling the sys admins to unlock my account. I'm not going to try to log in more than twice in two minutes. This command is what inspired this webpage. Why *wouldn't* I want to add this one line to all of my configurations? If there was ever a quick and easy win for securing routers and switches, this is it.
No plain text passwords in routers and switches.
If a password looks encrypted but it is a password 7, it is a trivially hidden password that can be easily unhidden by any number of web applications. Don't use password 7. service password-encryption uses encryption level 7 by default. Level 7 is the easiest to break. Level 7 is better than plain text passwords.
password 5 is better, but still not preferred. It is an MD5 hash.
password 8 is much better. This is a SHA-256 hash. This is an acceptable way of hashing a password in 2019.
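To put the two notes above (login block-for, and no type 0/7/5 passwords) into a repeatable check, here is an added example that audits a running-config excerpt for weak credential storage and for a missing login block-for line. It is not from the page or from Cisco; the SAMPLE_CONFIG text, the hash values in it, and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not from any real device).
# The hash/type-7 values are placeholders, not real encodings.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$abcd$PLACEHOLDERMD5HASHXXXXX
username admin password 7 00000000000000
username ops privilege 15 secret 8 $8$saltsalt$PLACEHOLDERSHA256HASHXXXXXXXXXXX
username backup password letmein
line vty 0 4
 login local
"""

# Types the page tells us not to use: no type / 0 is plain text, 7 is
# reversible obfuscation, 5 is an MD5 hash. 8 (SHA-256 based) is accepted.
WEAK_TYPES = {"0": "plain text", "7": "type 7 (reversible)", "5": "type 5 (MD5)"}

# Matches 'username <name> [privilege <n>] password|secret [<type>] <value>'
# and 'enable password|secret [<type>] <value>'.
CRED_RE = re.compile(r"^\s*(?:username\s+\S+(?:\s+privilege\s+\d+)?\s+|enable\s+)"
                     r"(password|secret)\s+(?:(\d+)\s+)?(\S+)\s*$")

def audit_credentials(config):
    """Return (config line, finding) pairs for every weakly stored credential."""
    findings = []
    for line in config.splitlines():
        m = CRED_RE.match(line)
        if not m:
            continue
        _keyword, ptype, _value = m.groups()
        ptype = ptype or "0"  # no type number means the value is plain text
        if ptype in WEAK_TYPES:
            findings.append((line.strip(), WEAK_TYPES[ptype]))
    return findings

def has_login_block(config):
    """True if a 'login block-for <s> attempts <n> within <s>' line is present."""
    return re.search(r"^\s*login block-for \d+ attempts \d+ within \d+\s*$",
                     config, re.MULTILINE) is not None

def audit(config):
    """Combine both checks into a list of human-readable issues."""
    issues = [f"{what}: {line}" for line, what in audit_credentials(config)]
    if not has_login_block(config):
        issues.append("missing: login block-for (no lockout after failed logins)")
    return issues

if __name__ == "__main__":
    for issue in audit(SAMPLE_CONFIG):
        print(issue)
```

Run it against `show running-config` output saved to a file; a clean config returns an empty list from audit().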
The best password encryption today, for the CCNP SENSS exam 300-206
Written with Notepad ++, and Vim