Setting Up Cisco Device Timeouts
Without setting up timeout settings for Cisco Device Privileged EXEC Mode, your sessions stay open indefinitely. This is especially dangerous of the console port. Without timeout parameters enabled, if the administrator doesn't log out an intruder has access and no issues getting elevated permissions.
To avoid this potentially dangerous situation, you need only type a command in each of your configuration line interfaces. The command’s format is exec-timeout <minutes> [seconds]. The default setting disables sessions after ten minutes; exec-timeout 0 disables the timeout altogether.
Router1#enable Password: Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#line con 0 Router1(config)# exec-timeout 5 Router1(config)#line vty 0 4 Router1(config)# exec-timeout 5 Router1(config)#end
In addition to setting a timeout on these settings, you can force vty sessions to be encrypted via SSH. This is easy to implement with the following code example:
Router1#enable Password: Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#line vty 0 4 Router1(config)# transport input ssh Router1(config)#end
However, if you do not need to have remote terminal access to these devices, the better option is transport input none, which disables all vty access. In addition to this inbound access, you can create management SSH sessions from one device to another. So by connecting to one device, you can then launch a connection from that device to connect to another device.
Limiting this connection may be accomplished with transport output ssh, which limits you to an outgoing SSH session, whereas transport output none can prevent all outbound connections.