
Login Through the Console Port

Attack Behavior

Console ports, also called serial ports, are physical interfaces. After an attacker accesses the console port on a switch, the switch is exposed to the attacker, and the switch security cannot be guaranteed. The attacker can damage the switch even without a user name and a password.

When the console port is used for login, a potential attacker may attempt to crack the user name and password over network connections and obtain the system administrator rights.

Security Policy

To defend against the preceding attack, configure the following security policy on a switch:

When a switch is used for the first time, configure it through the console port.

  1. Connect the DB9 female connector of the console cable to the serial port of the PC. During the startup process of the switch, press Ctrl+B or Ctrl+E, use the default password to access the BootROM or BootLoad menu, and change the BootROM or BootLoad password.

  2. The switch generates configurations. Change the console port login password and record the new password.

    • In V200R009 and earlier versions, the console port uses non-authentication by default. No default user name and password are available. The switch allows users to log in and asks them whether to configure a password. To ensure the console port security, it is recommended that users change the authentication mode for the console user interface to Authentication, Authorization and Accounting (AAA) authentication and configure the correct user name and password in the AAA view.
    • In V200R010 and later versions, the console port uses AAA authentication by default. The default user name is admin and the default password is admin@huawei.com. This default authentication mode is recommended.

Before delivery, a default password is set for the BootROM or BootLoad menu of switches. Change this password promptly because it is not secure. The default passwords in each version are as follows:
  • V100R003C00: 9300
  • V100R005C01: huawei
  • V100R006C00–V100R006C03: 9300 for modular switches and huawei for fixed switches
  • V100R006C05: Admin@huawei.com
  • V200R001C00–V200R0012C00 and later versions: Admin@huawei.com

Passwords are stored in cipher text on switches. Record the new password for future login to the console port.

Configuration Method

  • Change the BootROM or BootLoad password.

    Switches may support the BootROM or BootLoad menu, depending on versions and models.

    Changing the BootROM password

    When "Press Ctrl+B or Ctrl+E to enter BootROM menu:" is displayed during the switch startup, the switch has started the BootROM program. Press Ctrl+B within 3 seconds to access the BootROM main menu, and enter the correct BootROM password. The following BootROM main menu is displayed.

    Modular switch:
                 MAIN  MENU
    
         1. Boot with default mode
         2. Boot from Flash
         3. Boot from CFCard
         4. Enter serial submenu
         5. Enter ethernet submenu
         6. Enter file system submenu
         7. Enter test submenu
         8. Enter password submenu
         9. Modify Flash description area
        10. Clear password for console user
        11. Reboot
    
    Enter your choice(1-11): 8   //Enter 8 to access the password submenu.
    
            PASSWORD  SUBMENU
    
        1. Modify BootROM password
        2. Reset BootROM password
        3. Return to main menu
    
    Enter your choice(1-3):1   //Enter 1 to change the BootROM password.
    Modify BootROM password
    Old password:     //Enter the old password.
    New password:     //Enter the new password.
    Verify:           //Enter the new password again.

    Fixed switch:
              BootROM  MENU
    
        1. Boot with default mode
        2. Enter serial submenu
        3. Enter startup submenu
        4. Enter ethernet submenu
        5. Enter filesystem submenu
        6. Enter password submenu
        7. Clear password for console user
        8. Reboot
        (Press Ctrl+E to enter diag menu) 
    
    Enter your choice(1-8): 6   //Enter 6 to access the password submenu.
    
            PASSWORD  SUBMENU
    
        1. Modify BootROM password
        2. Reset BootROM password
        3. Return to main menu
    
    Enter your choice(1-3): 1   //Enter 1 to change the BootROM password.
    
    Old password:     //Enter the old password.
    New password:     //Enter the new password.
    Verify:           //Enter the new password again.
                                                                                    
    Write password to flash ... 

    Changing the BootLoad password

    When "Press Ctrl+B to enter BootLoad menu:" is displayed during the switch startup, the switch has started the BootLoad program. Press Ctrl+B within 3 seconds to access the BootLoad menu.

    Modular switch:
            BootLoad Menu
    
         1. Boot with default mode
         2. Enter ethernet submenu
         3. Modify Flash description area
         4. File system submenu
         5. Enter password submenu
         6. Clear password for console user
         7. Reboot
    
    Enter your choice(1-7):    //Enter 5 to access the password submenu.
    
     PASSWORD  SUBMENU
    
         1. Modify bootload password  
         2. Reset bootload password
         3. Return
    
    Enter your choice(1-3):    //Enter 1 to change the BootLoad password.
    
    Old password:     //Enter the old password.
    New password:     //Enter the new password.
    Verify:           //Enter the new password again.

    Fixed switch:
              BootLoad Menu
    
        1. Boot with default mode
        2. Enter serial submenu
        3. Enter startup submenu
        4. Enter ethernet submenu
        5. Enter filesystem submenu
        6. Enter password submenu
        7. Clear password for console user
        8. Reboot
        (Press Ctrl+E to enter diag menu) 
    
    Enter your choice(1-8):    //Enter 6 to access the password submenu.
    
            PASSWORD  SUBMENU
    
         1. Modify bootload password
         2. Reset bootload password
         3. Return to main menu
    
    Enter your choice(1-3): 1   //Enter 1 to change the BootLoad password.
    
    Old password:     //Enter the old password.
    New password:     //Enter the new password.
    Verify:           //Enter the new password again.

  • Configure AAA authentication.

    Set the authentication mode of the console user interface to AAA authentication. In the AAA view, set the user name to admin1234 and password to Helloworld@6789.

    <HUAWEI> system-view
    [HUAWEI] user-interface console 0
    [HUAWEI-ui-console0] authentication-mode aaa
    [HUAWEI-ui-console0] quit
    [HUAWEI] aaa
    [HUAWEI-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [HUAWEI-aaa] local-user admin1234 service-type terminal
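
To confirm that the console policy above is actually in place, the following added example (not Huawei code) audits an exported configuration text for the settings this page recommends. It assumes the export lists child commands indented under their parent view, separates views with `#`, and may abbreviate `console` to `con`; the function names and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not from a real device).
HARDENED = """#
aaa
 local-user admin1234 password irreversible-cipher <constructed-hash>
 local-user admin1234 service-type terminal
#
user-interface con 0
 authentication-mode aaa
#
"""
WEAK = HARDENED.replace("admin1234", "admin").replace("mode aaa", "mode password")

def parse_sections(config):
    """Group indented child commands under their unindented parent view."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def audit_console(config):
    """Return a list of findings about console login; empty means compliant."""
    findings, sections, mode, users = [], parse_sections(config), None, {}
    console = next((v for k, v in sections.items()
                    if re.fullmatch(r"user-interface con(sole)? 0", k)), [])
    for cmd in console:
        m = re.fullmatch(r"authentication-mode (\S+)", cmd)
        if m:
            mode = m.group(1)
    if mode != "aaa":
        findings.append(f"console authentication-mode is {mode or 'not set'}, expected aaa")
    for cmd in sections.get("aaa", []):
        m = re.match(r"local-user (\S+) (password|service-type) (.*)", cmd)
        if m:
            users.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    terminal = [u for u, a in users.items()
                if "password" in a and "terminal" in a.get("service-type", "").split()]
    if not terminal:
        findings.append("no local-user with a password and service-type terminal")
    if "admin" in terminal:  # default user name listed on this page
        findings.append("default user name admin can log in on the console; "
                        "confirm its default password was changed")
    return findings
```
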
Copyright © Huawei Technologies Co., Ltd.