Mailing List Archive: conserver: users

Using conserver to secure cisco routers

Index | Next | Previous | View Threaded

jay2xra at yahoo

Mar 9, 2006, 12:33 AM

Post #1 of 5 (1799 views)
Permalink

Using conserver to secure cisco routers

Good day!

I'm looking for ways to secure our cisco routers by not allowing remote access to it, and only console access. To do this, I would connect the router to a pc using a console cable. The pc is running freebsd 6.0. The pc can be accessed via a much secure ssh. After a user logs in, he can use "cu -l /dev/cuad0 -s 9600" Now he can connect to the cisco router and recieve the login prompt. Now my problem is how am I going to have multiple users login to the router using only one console cable (as the router is limited to only one console port). This is required because most of the time, our NOC engineers are troubleshooting our network at the same time using different priviledges. After googling for a while, I found conserver.

Question:
Am I looking into the right tool or not??
Anyone here doing the same thing with their routers??

That's all for now.
Thanks!

---------------------------------
Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.

bryan at conserver

Mar 9, 2006, 7:11 AM

Post #2 of 5 (1705 views)
Permalink

Re: Using conserver to secure cisco routers [In reply to]

hey mark...yep, that's what conserver was made for. ;-)

you just point conserver at your consoles (in the example below, it's
/dev/cuad0 - but any others you might hook up as well), and folks could
then log in and use 'console <router>' to gain access. if you wanted to
be even more secure you could limit who had login access to the freebsd
box to just you and have them use the console client from remote
machines. and as a "middle ground", you could set their shell to a
script that execed 'console <router>' and put them in the "restricted
user" list inside conserver...that way they'd be "locked" onto the
console and unable to do some of the more advanced commands (that may or
may not be appropriate, depending on your world).

that's a lot to absorb. i'd start with something simple (getting
conserver going and using the client locally) and then refine that if
you need to. check out conserver.cf/samples/simple.cf (and the others)
in the distribution for a starting point of crafting a config file.

good luck!

Bryan

On Thu, Mar 09, 2006 at 12:33:46AM -0800, Mark Jayson Alvarez wrote:
> Good day!
>
> I'm looking for ways to secure our cisco routers by not allowing
> remote access to it, and only console access. To do this, I would
> connect the router to a pc using a console cable. The pc is running
> freebsd 6.0. The pc can be accessed via a much secure ssh. After a
> user logs in, he can use "cu -l /dev/cuad0 -s 9600" Now he can
> connect to the cisco router and recieve the login prompt. Now my
> problem is how am I going to have multiple users login to the router
> using only one console cable (as the router is limited to only one
> console port). This is required because most of the time, our NOC
> engineers are troubleshooting our network at the same time using
> different priviledges. After googling for a while, I found conserver.
>
> Question: Am I looking into the right tool or not?? Anyone here
> doing the same thing with their routers??
_______________________________________________
users mailing list
users [at] conserver
https://www.conserver.com/mailman/listinfo/users

jay2xra at yahoo

Mar 9, 2006, 10:28 PM

Post #3 of 5 (1713 views)
Permalink

Re: Using conserver to secure cisco routers [In reply to]

Bryan Stansell <bryan [at] conserver> wrote: hey mark...yep, that's what conserver was made for. ;-)

You mean multiple logins at the same time using only one /dev/cuad0 ??? When I tried it, console complained that "hey, mark is connected"..

---------------------------------
Yahoo! Mail
Bring photos to life! New PhotoMail makes sharing a breeze.

bryan at conserver

Mar 9, 2006, 11:25 PM

Post #4 of 5 (1716 views)
Permalink

Re: Using conserver to secure cisco routers [In reply to]

On Thu, Mar 09, 2006 at 10:28:47PM -0800, Mark Jayson Alvarez wrote:
> Bryan Stansell <bryan [at] conserver> wrote: hey mark...yep, that's
> what conserver was made for. ;-)
>
> You mean multiple logins at the same time using only one /dev/cuad0
> ??? When I tried it, console complained that "hey, mark is
> connected"..

only one person will be in read-write mode at a time...the others are
forced into read-only mode. if you use the '^Ecf' escape sequence,
you'll grab read-write mode and force the previous writer to read-only
mode. and if the read-write person disconnects, it will pass read-write
mode back to the latest read-only person who wanted read-write mode.
you can also use 'console -f <name>' to automatically force read-write
and bump the other person to read-only.

Bryan
_______________________________________________
users mailing list
users [at] conserver
https://www.conserver.com/mailman/listinfo/users

zonker at jeffk

Mar 9, 2006, 11:30 PM

Post #5 of 5 (1710 views)
Permalink

Re: Using conserver to secure cisco routers [In reply to]

On Thu, Mar 09, 2006 at 10:28:47PM -0800, Mark Jayson Alvarez wrote:
>
> Bryan Stansell <bryan [at] conserver> wrote: hey mark...yep, that's what conserver was made for. ;-)
>
> You mean multiple logins at the same time using only one /dev/cuad0 ??? When I tried it, console complained that "hey, mark is connected"..

Yep...the key is, that second person *IS* also connected, but in
read-only (or "spy") mode...

So, log in the first person...he has read-write... then log in the
second person, and they are read-only... The first person can type,
but both will see what's happening. :-)

Next, have the second person type [ctrl]-[e[, [c], [f], to 'force'
control of the connection...the first user get's "bumped" into spy
mode, but they see the login name of who bumped them (they are now
in read-only mode)...and the second user now has read-write! Still,
any responses from the consoled device will go to both (read: 'all
attached') users on that console.

Typing ^E-c-w will show you 'who' is attached to that console,
and indicates which user has read-write access.

When the second person either disconnects (^E-c-.) or goes into
spy mode (^E-c-s), then the previous user gets control back.
(Of course, the other person could have 'forced' the connection
back to thenselves, too. ;-)

Of course, before forcing the connection, it's always a good idea
to reply the last 60 lines of the log (^E-c-r) to see what the person
with read-write access is up to...they may be in the middle of a
configuration change, etc., and hitting a couple carriage returns
may accept settings that you would rather not have. :-)

Many users can be on the same console, in spy mode, but only one
cn have read-write control at a time.

-Z-
_______________________________________________
users mailing list
users [at] conserver
https://www.conserver.com/mailman/listinfo/users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads