{"id":1217,"date":"2019-12-21T12:33:52","date_gmt":"2019-12-21T11:33:52","guid":{"rendered":"http:\/\/blogperso.union31.fr\/?p=1217"},"modified":"2019-12-23T11:35:45","modified_gmt":"2019-12-23T10:35:45","slug":"packet-tracer-ssh-et-un-peu-securite-sur-un-switch","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=1217","title":{"rendered":"Packet Tracer: SSH and a bit of security on a switch"},"content":{"rendered":"\n<p>This post covers:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>a password for access through the console port<\/li><li>setting up SSH access for remote administration<\/li><li>creating administration accounts<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I_Lacces_console_via_le_port_console\"><\/span>I 
Console access via the console port<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Console access lets you connect to the switch through a dedicated port, most often a serial port. The switch is configured through this port. By default, access requires no authentication.<\/p>\n\n\n\n<p>The goal here is to put authentication in place.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I1_Une_banniere\"><\/span>I.1 A banner<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Before configuring authentication, it is worth setting a banner.<\/p>\n\n\n\n<p>Depending on the Cisco switch or router model, the \"banner\" command offers more or fewer options.<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Example for a 2960 switch:<\/span><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01(config)#banner ?\n  motd  Set Message of the Day banner<\/code><\/pre>\n\n\n\n<p><span style=\"text-decoration: underline;\">Example for a 3650 switch:<\/span><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch(config)#banner ?\n  login  Set login banner\n  motd   Set Message of the Day banner<\/code><\/pre>\n\n\n\n<p>So, for a first banner shown when a session opens:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch#configure terminal \nSwitch(config)#banner motd \"Bienvenue sur le Switch. Attention aux modifications !\"<\/code><\/pre>\n\n\n\n<p>At startup this gives the following screen:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch con0 is now available\n\nPress RETURN to get started.\n\nBienvenue sur le Switch. 
Attention aux modifications !\n\nSwitch><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I2_Mot_de_passe\"><\/span>I.2 Password<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I21_Implementation_dun_mot_de_passe\"><\/span>I.2.1 Setting a password<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>The simplest way is the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#enable password test<\/code><\/pre>\n\n\n\n<p>From now on a password is requested, not when the session opens but when entering privileged mode (after enable):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01 con0 is now available\n\nPress RETURN to get started.\n\n\nBienvenue sur le Switch : faire attention \n\nSwitch_01>enable\nPassword: \nSwitch_01#<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I22_Mot_de_passe_chiffre\"><\/span>I.2.2 Encrypted password<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>However, the password is not encrypted, as the switch configuration shows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2394 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nno service password-encryption\n!\nhostname Switch_01\n!\nenable password test\n!\n....<\/code><\/pre>\n\n\n\n<p>To add a password that is encrypted (enable secret stores it as a hash instead of clear text):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nEnter configuration commands, one per line.  
End with CNTL\/Z.\nSwitch_01(config)#enable secret test2\nSwitch_01(config)#exit<\/code><\/pre>\n\n\n\n<p>We now have 2 passwords: one encrypted and one in clear text:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2441 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nno service password-encryption\n!\nhostname Switch_01\n!\nenable secret 5 $1$mERr$6JAcKA4.\/sQ7vpEDnPE0X0\nenable password test\n!\n....<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I23_Suppression_dun_mot_de_passe\"><\/span>I.2.3 Removing a password<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To remove the clear-text password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#no enable password <\/code><\/pre>\n\n\n\n<p>The configuration is then as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2420 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nno service password-encryption\n!\nhostname Switch_01\n!\nenable secret 5 $1$mERr$6JAcKA4.\/sQ7vpEDnPE0X0\n!\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"I24_Chiffrer_automatiquement_les_mots_de_passe\"><\/span>I.2.4 Encrypting passwords automatically<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<p>To make sure passwords are encrypted, the \"password-encryption\" service can be enabled. The type 7 encoding it applies to clear-text passwords is reversible, so it protects against casual reading only; enable secret remains the stronger option.<\/p>\n\n\n\n<p>But first, let us remove all the passwords:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#no enable secret\nSwitch_01(config)#no enable password 
<\/code><\/pre>\n\n\n\n<p>Enable the service:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#service password-encryption<\/code><\/pre>\n\n\n\n<p>Set a password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#enable password test<\/code><\/pre>\n\n\n\n<p>Check the result:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2399 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nservice password-encryption\n!\nhostname Switch_01\n!\nenable password 7 0835495D1D\n!\n...<\/code><\/pre>\n\n\n\n<p>Finally, we can also have a second password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#enable secret test2<\/code><\/pre>\n\n\n\n<p>Which gives:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2446 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nservice password-encryption\n!\nhostname Switch_01\n!\nenable secret 5 $1$mERr$6JAcKA4.\/sQ7vpEDnPE0X0\nenable password 7 0835495D1D\n!\n...<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II_Lacces_console_via_SSH\"><\/span>II Console access via SSH<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II1_Preparation\"><\/span>II.1 Preparation<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>First, the switch must be given an IP address, more precisely on a VLAN (here VLAN 20):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nEnter configuration commands, one per line.  
End with CNTL\/Z.\nSwitch_01(config)#interface vlan 20\nSwitch_01(config-if)#ip address 192.168.0.254 255.255.255.0\nSwitch_01(config-if)#no shutdown \nSwitch_01(config-if)#exit<\/code><\/pre>\n\n\n\n<p>Next, a hostname and a domain name must be configured. The domain name is set as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#configure terminal \nSwitch_01(config)#ip domain-name domaine.local<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II2_Installation_du_service_SSH\"><\/span>II.2 Setting up the SSH service<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Generating a key:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#crypto key generate rsa general-keys modulus 1024\nThe name for the keys will be: Switch_01.domaine.local\n% The key modulus size is 1024 bits\n% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]\n*mars 4 15:9:38.655: %SSH-5-ENABLED: SSH 1.99 has been enabled<\/code><\/pre>\n\n\n\n<p>Enabling the SSH service, version 2:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#ip ssh version 2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"II3_Creation_des_comptes\"><\/span>II.3 Creating accounts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Accounts are created as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nEnter configuration commands, one per line.  
End with CNTL\/Z.\nSwitch_01(config)#username admin1 secret test\nSwitch_01(config)#username admin2 secret test<\/code><\/pre>\n\n\n\n<p>To check that the accounts exist, use show running-config:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#show running-config \nBuilding configuration...\n\nCurrent configuration : 2519 bytes\n!\nversion 12.2\nno service timestamps log datetime msec\nno service timestamps debug datetime msec\nservice password-encryption\n!\nhostname Switch_01\n!\nenable secret 5 $1$mERr$6JAcKA4.\/sQ7vpEDnPE0X0\nenable password 7 0835495D1D\n!\n!\n!\nip ssh version 2\nip domain-name domaine.local\n!\nusername admin1 secret 5 $1$mERr$126VWMuSfhXn9GAlqkjPo\/\nusername admin2 secret 5 $1$mERr$126VWMuSfhXn9GAlqkjPo\/\n!\n...<\/code><\/pre>\n\n\n\n<p>To delete an account:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#no username admin2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III4_Forcer_en_SSH_a_sauthentifier\"><\/span>III.4 Forcing authentication over SSH<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>By default, SSH access is open, that is, it does not ask for authentication.<\/p>\n\n\n\n<p>Login with a username and password has to be enforced on the virtual terminal lines (vty). 
For reference, the available commands are the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01(config)#line vty 0 15\nSwitch_01(config-line)#?\nVirtual Line configuration commands:\n  access-class  Filter connections based on an IP access list\n  databits      Set number of data bits per character\n  exec-timeout  Set the EXEC timeout\n  exit          Exit from line configuration mode\n  flowcontrol   Set the flow control\n  history       Enable and control the command history function\n  logging       Modify message logging facilities\n  login         Enable password checking\n  motd-banner   Enable the display of the MOTD banner\n  no            Negate a command or set its defaults\n  parity        Set terminal parity\n  password      Set a password\n  privilege     Change privilege level for line\n  speed         Set the transmit and receive speeds\n  stopbits      Set async line stop bits\n  transport     Define transport protocols for line<\/code><\/pre>\n\n\n\n<p>So we use the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01(config-line)#login local<\/code><\/pre>\n\n\n\n<p>Then, from a command line on a terminal:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>C:\\>ssh -l admin1 192.168.0.254\n\nPassword: \n% Login invalid\n\nPassword: \n\nBienvenue sur le Switch : faire attention \n\nSwitch_01><\/code><\/pre>\n\n\n\n<p>Next, we make sure that virtual terminal access is possible over SSH only:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01(config-line)#transport input ?\n  all     All protocols\n  none    No protocols\n  ssh     TCP\/IP SSH protocol\n  telnet  TCP\/IP Telnet protocol\nSwitch_01(config-line)#transport input ssh<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"III5_Quelques_options_supplementaires\"><\/span>III.5 A few additional options<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>We force a session time-out of 60 s:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#ip ssh time-out 60<\/code><\/pre>\n\n\n\n<p>Then accept only 5 login attempts:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#ip ssh authentication-retries 5<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IV_Acces_console_via_port_console_authentification_par_utilisateur\"><\/span>IV Console access via the console port: per-user authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We saw above how to enable login with an account and password over SSH. We now do the same for the console port:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#line console 0\nSwitch_01(config-line)#login local<\/code><\/pre>\n\n\n\n<p>At the start of a connection we then get:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01 con0 is now available\n\n\n\nPress RETURN to get started.\n\n\n\n\nBienvenue sur le Switch : faire attention \n\nUser Access Verification\n\nUsername: admin1\nPassword: \n\nSwitch_01><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"V_Journalisation_des_logs\"><\/span>V Logging<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We now look at how to collect alert messages on a dedicated syslog server.<\/p>\n\n\n\n<p>This syslog server has the IP address 192.168.0.110.<\/p>\n\n\n\n<p>First, the type of message to log must be defined. In our case there is only one type. 
However, on a physical switch there are several levels (alerts, criticals, warning, etc.).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01#conf t\nSwitch_01(config)#logging trap ?\n  debugging  Debugging messages                (severity=7)\n  &lt;cr><\/code><\/pre>\n\n\n\n<p>So in our case:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Switch_01(config)#logging trap debugging <\/code><\/pre>\n\n\n\n<p>Then the syslog server is declared:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>logging host 192.168.0.110<\/code><\/pre>\n\n\n\n<p>\nThat is all that Packet Tracer supports. On a physical switch it is also \npossible to define tags for the frames sent to the server.\n\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"VI_Pour_aller_plus_loin%E2%80%A6\"><\/span>VI Going further&#8230;<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Everything covered here is only a starting point. 
To go further in securing switches, the ANSSI technical note, which is particularly detailed, is recommended reading: <a href=\"https:\/\/www.google.com\/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=9&amp;cad=rja&amp;uact=8&amp;ved=2ahUKEwix9PH9vMvmAhUVkFwKHRSkC-4QFjAIegQICBAI&amp;url=https%3A%2F%2Fwww.ssi.gouv.fr%2Fuploads%2F2016%2F07%2Fnt_commutateurs.pdf&amp;usg=AOvVaw38MsFct-kul69NuU4j2CgR\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"lien (s\u2019ouvre dans un nouvel onglet)\">link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post covers: a password for access through the console port setting up SSH access for remote administration creating administration accounts I Console access via the console port Console access<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1217","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1217","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1217"}],"version-history":[{"count":38,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1217\/revisions"}],"predecessor-version":[{"id":1265,"href":"https:\/\/blogpe
rso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/1217\/revisions\/1265"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1217"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1217"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1217"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}