Up to this point, I've disabled timestamps to make the various log messages easier to read. So at the top of the config you used to see this:
In real-world networking, they’ll almost always be on, so we’ll get the timestamp service up and running (and maybe peek at another service or two) before we work with logging.
Those three services mentioned there are not the only ones. If you want to see a full list of services, do this:
You may never learn every single service here.
Let me just do a Ctrl+Z there and that’s enough to get a console message:
This is actually a logging message (I tend to call it a console message because we're getting it as a result of being directly connected to this device via the console port).
We have the timestamps cut off; as you'll see in a moment, the time would appear at the beginning of the message. Then we've got 'SYS', then '5', and then 'CONFIG_I'. And what is the deal with that '5'? That is the severity level of the message.
(There are eight different levels, and I'm going to have a chart here for you in a minute.
We're going to see a couple of them in action. But the real way you use them in real-world networking is that sometimes you don't want every console message, or every other kind of log message, to come through. If you want to limit the amount of log messages you're getting, you need to know the severity levels.)
Let’s have a look at the time stamp options.
Those are our choices, and we're going to go ahead with 'log' here. Then we have 'datetime' and 'uptime', and generally you're going to see 'datetime' instead of 'uptime'.
So let's just go ahead with what we have right there and see what the message looks like now. (I'm going to do Ctrl+Z there to generate something.)
And now we see a time stamp at the beginning of the message.
If you wanted to add the year:
If you need milliseconds in your timestamp:
If we wanted to show the time zone:
You really can customize these as far as you want to, and that goes for the ‘debug’ messages as well.
You can see your options are exactly the same.
Let's remove that really long timestamp. We'll take that one off, and we'll go with 'log' and 'uptime':
If you say you want uptime, that's what you're getting.
So this router's been up for an hour, 16 minutes and 53 seconds, and let me make absolutely sure of that.
We're not always going to be at the console port of the device that we want to see in action, so we can choose to send the messages to a system log server, and we might also want to see the messages over a Telnet connection. We'll talk about that later.
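Here is an added example (my own Python, not code from the course or from Cisco) that parses console and syslog lines in the %FACILITY-SEVERITY-MNEMONIC form shown above. It handles the timestamp variants that service timestamps produces (none, uptime, and datetime with the optional msec, time zone and year pieces), pulls out the severity level, and filters messages by a level threshold the way a logging level setting would. The sample lines are constructed for the example; the severity table is the standard IOS one, 0 (emergencies) through 7 (debugging).

```python
import re

# The eight Cisco IOS severity levels: 0 is the most severe, 7 the least.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Optional timestamp prefix (what "service timestamps log ..." adds), then the
# %FACILITY-SEVERITY-MNEMONIC: body.  A leading '*' on a datetime stamp is
# IOS's way of saying the clock has not been set authoritatively.
_LOG_RE = re.compile(
    r"^(?:(?P<clockflag>\*)?"
    r"(?:(?P<uptime>\d{2}:\d{2}:\d{2}|\d+[ywd]\d+[wdh])"
    r"|(?P<datetime>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+(?P<year>\d{4}))?"
    r"\s+\d{2}:\d{2}:\d{2}(?P<msec>\.\d{3})?(?:\s+(?P<tz>[A-Za-z]{1,5}))?))"
    r":\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample lines, one per timestamp style discussed in the text.
SAMPLE_LINES = [
    "%SYS-5-CONFIG_I: Configured from console by console",
    "01:16:53: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 01:16:53.123 UTC: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Mar  1 2002 01:16:53.123 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "1d02h: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.10 port 514 started - CLI initiated",
    "R1#",  # a prompt echo, not a log message; the parser must reject it
]


def parse_ios_log(line):
    """Return a dict describing one IOS log line, or None if it is not one."""
    m = _LOG_RE.match(line.strip())
    if not m:
        return None
    if m["uptime"]:
        kind = "uptime"
    elif m["datetime"]:
        kind = "datetime"
    else:
        kind = None  # timestamps disabled, as at the start of the lesson
    sev = int(m["severity"])
    return {
        "timestamp": m["uptime"] or m["datetime"],
        "timestamp_kind": kind,
        "clock_authoritative": m["clockflag"] is None,
        "year": m["year"],
        "msec": m["msec"] is not None,
        "timezone": m["tz"],
        "facility": m["facility"],
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def filter_at_or_above(lines, level):
    """Keep messages whose severity number is <= level (i.e. at least that severe).

    This mirrors a logging level threshold: level 4 keeps emergencies through
    warnings and drops notifications, informational and debugging messages.
    """
    kept = []
    for line in lines:
        msg = parse_ios_log(line)
        if msg is not None and msg["severity"] <= level:
            kept.append(msg)
    return kept


def count_by_severity(lines):
    """Histogram of severity names, useful for a quick sanity check of a log dump."""
    counts = {}
    for line in lines:
        msg = parse_ios_log(line)
        if msg is not None:
            counts[msg["severity_name"]] = counts.get(msg["severity_name"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_ios_log(line)
        if msg is None:
            print(f"skipped: {line!r}")
            continue
        print(f"{msg['timestamp_kind'] or 'no stamp':>9} | {msg['severity']} {msg['severity_name']:<13} "
              f"| {msg['facility']}-{msg['mnemonic']}: {msg['text']}")
    print("only warnings and worse:", [m["mnemonic"] for m in filter_at_or_above(SAMPLE_LINES, 4)])
```

Passing 4 to filter_at_or_above keeps the same messages that a console logging threshold of warnings would let through, which is the practical reason the text gives for learning the severity numbers.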
The Password Encryption Services
Other Friendly Neighborhood Services (And Some Not-So-Friendly ones, Too)…
IOS Help showed us quite the list of services a few pages back, and while they were created for our benefit, a few of them can be used against us, including these:
The finger service can be used to snag the usernames and addresses of users who successfully Telnet to our router. (When you open that service up, intruders might be able to access that information too.)
UDP small servers and TCP small servers can be used as part of a Denial of Service (DoS) attack, as can the IP BOOTP Server service.
(There are different ways of launching a DoS attack. The idea is that a legitimate server cannot respond to legitimate requests because it's so busy handling illegitimate ones that intruders are sending, and a couple of the services in that list can be used as part of such an attack.)
A handy service that helps to increase the peace is the password encryption service. We know from earlier labs that all passwords in a Cisco config are displayed in clear text, with the exception of the enable secret. Here's what I was going to show you.
Here's R1. There's a lot going on, I admit, but I did that on purpose because I want you to get used to seeing a crowded window as well.
You can see about six lines down what I did: I set an enable password, an enable secret, and a username/password combination (technically creating a local user database); then I went to the console port and put the password CCENT on, and then I went to the vty lines (the Telnet lines) and put the password football on.
Now when I run a 'show run':
When you look at enable secret, you see the number '5' and then all these characters. That password has been hashed, which is a form of encryption, and it's been done by MD5 (Message Digest 5); you can tell that any time you see the number 5. The only reason we're seeing it here with enable secret is that that one is encrypted by default.
But the other passwords are not encrypted and are in clear text.
So what we can do is run the password encryption service (it takes no options, and that's the case with a lot of services):
We'll do a 'show run'. What happens now with the passwords I entered before I ran the service? Will it go back and encrypt all the passwords already in the config?
It sure did! The password 01302825 is the encrypted version of our enable password.
Note this '7' here; we're going to see it with every other password. It means the password is encrypted, but that's the lowest level of encryption, and it can be broken by a program you can find on the net very easily. You could find it in about a minute and probably crack these passwords in about 30 seconds! It just helps to defeat what we call the over-the-shoulder network attack.
What if we turn the service off? Does that decrypt these passwords?
It’s not going to work as you can see:
You can’t run this encryption backwards.
Now what I can do is overwrite the current ones. So if I went back and set the enable password to CCNA now, what would happen? Would it be encrypted or unencrypted? Let's find out:
Important: when you turn the service off, future passwords will not be encrypted, but the passwords that were already encrypted to level 7 while service password-encryption was on stay encrypted.
And again, you can't really reverse it, but you can overwrite those passwords.
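Added example, not part of the original lesson: a small Python audit (my own code, not Cisco's) that walks a 'show run' and classifies every password line by the type number that precedes the value, so you can spot clear-text entries (no type, or type 0), type 7 entries, and whether service password-encryption is on. The config text is constructed for the example: the type 5 hash is a placeholder, not a real hash, and the vty type 7 string is made up; 01302825 is the value from the text above. Types 8 and 9 go beyond the text: on newer IOS releases they mark PBKDF2 and scrypt hashes respectively, and I include them so the audit generalizes.

```python
import re

# Password type numbers as they appear in "show run", with a plain description
# and the risk of leaving that entry in the config.  Types 0 and 7 are the ones
# the lesson shows; 5, 8 and 9 are added here for completeness.
PASSWORD_TYPES = {
    "0": ("clear text", "high"),
    "7": ("reversible type 7 obfuscation (service password-encryption)", "high"),
    "5": ("MD5-based hash, one-way but cheap to brute force", "medium"),
    "8": ("PBKDF2-SHA-256 hash", "low"),
    "9": ("scrypt hash", "low"),
}

# Commands that carry a password, followed by an optional single-digit type
# and then the value.  A bare "password X" applies under line con/vty.
_PW_RE = re.compile(
    r"^(?P<kind>enable (?:secret|password)|username \S+ (?:password|secret)|password)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)"
)

# Constructed show run excerpt.  $1$EXAMPLE$... is a placeholder, not a real
# hash; the vty type 7 string is invented; 01302825 is the value from the text.
SAMPLE_SHOW_RUN = """\
!
version 15.1
no service password-encryption
service timestamps log datetime msec show-timezone year
hostname R1
!
enable secret 5 $1$EXAMPLE$placeholderNotARealHash
enable password 7 01302825
!
username admin password 0 cisco123
!
line con 0
 password CCENT
 login
line vty 0 4
 password 7 03075218050070
 login
!
end
"""


def service_password_encryption_enabled(config_text):
    """True if the config has 'service password-encryption' (and not the 'no' form)."""
    for line in config_text.splitlines():
        if line.strip() == "service password-encryption":
            return True
        if line.strip() == "no service password-encryption":
            return False
    return False  # IOS default is off, so an absent line means off


def audit_passwords(config_text):
    """List every password-bearing line with its context, type number and risk."""
    findings = []
    context = "global"
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        # Unindented lines change the section; "line ..." opens a line context,
        # anything else returns us to global config mode.
        if not raw.startswith(" "):
            context = stripped if stripped.startswith("line ") else "global"
        m = _PW_RE.match(stripped)
        if not m:
            continue
        ptype = m["type"] or "0"  # no type number printed means clear text
        desc, risk = PASSWORD_TYPES.get(ptype, ("unknown type", "review"))
        findings.append({
            "context": context, "command": m["kind"],
            "type": ptype, "risk": risk, "description": desc,
        })
    return findings


def recommendations(config_text):
    """Plain-language follow-ups a reviewer would raise on this config."""
    notes = []
    findings = audit_passwords(config_text)
    if any(f["type"] == "0" for f in findings) and not service_password_encryption_enabled(config_text):
        notes.append("clear-text passwords present: enable service password-encryption "
                     "(stops over-the-shoulder reads only; type 7 is reversible)")
    if any(f["command"] == "enable password" for f in findings) and \
            any(f["command"] == "enable secret" for f in findings):
        notes.append("enable password is redundant once enable secret is set; remove it")
    if any(f["command"].endswith(" password") and f["command"].startswith("username ") for f in findings):
        notes.append("use 'username ... secret' instead of 'username ... password' so the value is hashed")
    return notes


if __name__ == "__main__":
    print("service password-encryption on:", service_password_encryption_enabled(SAMPLE_SHOW_RUN))
    for f in audit_passwords(SAMPLE_SHOW_RUN):
        print(f"{f['context']:<12} {f['command']:<24} type {f['type']}  {f['risk']:<6} {f['description']}")
    for note in recommendations(SAMPLE_SHOW_RUN):
        print("-", note)
```

Run against a real 'show run' capture, the audit will not turn a type 7 value back into the original (the text is right that you overwrite rather than reverse); what it gives you is the list of entries that should be re-set as secrets or, at minimum, covered by service password-encryption.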