Full Disclosure mailing list archives
RE: cisco acl
From: "Patrick Doyle" <patrick.doyle () bbc co uk>
Date: Fri, 5 Dec 2003 14:10:08 -0000
You can issue "show ip access-lists" to show the current access-lists configured on your router. Also "show running-config" displays the current loaded config in RAM. "show running-config | begin access-list" will take you to the portion of the config where your access list entries begin.

You should configure AAA and TACACS+ on your routers; this way you can see when certain commands were issued, such as "enable secret <new password>" etc., from your accounting logs.

TACACS+ gives you centralised control of usernames and passwords for your routers / switches, as well as other stuff. You can have the tac_plus binary running on a locked down server, or two servers for redundancy.

This would make it difficult for someone to change usernames and passwords; if AAA is configured correctly, they would first have to stop your router talking tacacs to your tacacs server, then try and guess the local username and password.

tac_plus is a freeware tacacs server available on cisco.com

Hope this helps.

Paddy

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of isa vaul
Sent: 05 December 2003 12:46
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] cisco acl

Hello full-disclosure,

I've got a little problem with a cisco router. It has obviously been compromised. How do I know, well the password has changed. So I want to retrieve the ACL from the RAM (not NVRAM) to see what else maybe got compromised. Does anyone know how this could be done?

thanks for any suggestions in advance...

--
Best regards,
nonleft mailto:nonleft () gmx net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
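The accounting-log review suggested in the message above, as an added example that is not part of the original post: a small Python filter that pulls configuration-changing commands such as "enable secret" out of command-accounting records and masks the secret before reporting. The tab-separated record layout, the field order, the list of flagged commands and the sample records are assumptions constructed for illustration; adjust them to what your TACACS+ server actually writes.

```python
import re

# Assumed layout (tab-separated): timestamp, NAS, user, port, remote address,
# record type, then attr=value pairs such as "cmd=... <cr>".
# Illustrative list of commands worth reviewing after a suspected compromise.
SENSITIVE = re.compile(
    r"(enable (secret|password)\b|username \S+|(no )?aaa |"
    r"(no )?tacacs-server |(no )?(ip )?access-list |no ip access-group )",
    re.IGNORECASE,
)
MASK = re.compile(r"^(enable (?:secret|password)) .*", re.IGNORECASE)

def parse_record(line):
    """Split one accounting record into a dict, or return None if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        return None
    ts, nas, user, port, addr, rtype = fields[:6]
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    cmd = re.sub(r"\s*<cr>$", "", attrs.get("cmd", ""))
    return {"time": ts, "nas": nas, "user": user, "addr": addr,
            "type": rtype, "priv": attrs.get("priv-lvl"), "cmd": cmd}

def flag_sensitive(lines):
    """Return records whose command matches SENSITIVE, with secrets masked."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and SENSITIVE.match(rec["cmd"]):
            # Accounting logs hold the typed secret in clear; never echo it.
            rec["cmd"] = MASK.sub(r"\1 ***", rec["cmd"])
            hits.append(rec)
    return hits

# Constructed sample records (documentation addresses, made-up users).
SAMPLE_LOG = [
    "Dec  5 12:01:10\t192.0.2.1\talice\ttty2\t198.51.100.7\tstop\ttask_id=41\tservice=shell\tpriv-lvl=15\tcmd=show ip access-lists <cr>",
    "Dec  5 12:03:44\t192.0.2.1\tbob\ttty3\t203.0.113.9\tstop\ttask_id=42\tservice=shell\tpriv-lvl=15\tcmd=enable secret EXAMPLE-ONLY <cr>",
    "Dec  5 12:04:02\t192.0.2.1\tbob\ttty3\t203.0.113.9\tstop\ttask_id=43\tservice=shell\tpriv-lvl=15\tcmd=no tacacs-server host 192.0.2.50 <cr>",
    "Dec  5 12:05:00\t192.0.2.1\talice\ttty2\t198.51.100.7\tstop\ttask_id=44\tservice=shell\tpriv-lvl=1\tcmd=show version <cr>",
]

if __name__ == "__main__":
    for r in flag_sensitive(SAMPLE_LOG):
        print(r["time"], r["nas"], r["user"], r["addr"], r["cmd"])
```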
Current thread:
- cisco acl isa vaul (Dec 05)
- Re: cisco acl petard (Dec 05)
- Re[2]: cisco acl isa vaul (Dec 05)
- Re: cisco acl Cael Abal (Dec 05)
- Re: Re[2]: cisco acl vb (Dec 05)
- Re: cisco acl Anton Ivanov (Dec 05)
- Re[2]: cisco acl isa vaul (Dec 05)
- Re: cisco acl petard (Dec 05)
- Re: cisco acl vb (Dec 05)
- Re: cisco acl Paulo Pereira (Dec 05)
- Re: cisco acl Alexandru Balan (Dec 08)
- <Possible follow-ups>
- RE: cisco acl Patrick Doyle (Dec 05)
- RE: cisco acl Noren, Bill (Dec 05)
- RE: Re[2]: cisco acl Anthony Clendenen (Dec 05)
- RE: Re[2]: cisco acl Keith Pachulski (Dec 05)
- RE: cisco acl Clint Bodungen (Dec 05)
- RE: cisco acl Tonneson, Thomas (Dec 05)