Hello, everyone!
Today, I want to share with you how to maintain OLT accounts and passwords.
How Do I Change the Default Account and Password on the OLT?
During the deployment of a new device, a user must change the default CLI and BIOS passwords before logging in to the CLI for the first time.
1. The default user name of the CLI is root.
2. A password with low complexity is vulnerable to attacks and cracking by unauthorized users, which affects device security. Maintenance engineers must ensure that the password length and complexity meet security requirements when setting a password. A password must comply with the following requirements:
a. Contains 8 to 15 characters.
b. Contains letters and digits. It is recommended that a password contain uppercase letters, lowercase letters, special characters, and digits.
Procedure
1. Use the default user name and password to log in to the CLI.
2. Change the default password of the root user and the BIOS password as prompted:
>>User name:root
>>User password:
When you first log on the system. Change your password
New Password(length<8,15>):
Confirm Password(length<8,15>):
The extended BIOS password of the active control board is required to modify
New Password(length<8,15>):
Confirm Password(length<8,15>):
The extended BIOS password of the standby control board is required to modify
New Password(length<8,15>):
Confirm Password(length<8,15>):
How Do I Maintain CLI Account Passwords?
The security information in CLI account management contains the user name, password, and user profile.
1. It is recommended that a user profile be used to monitor user information in real time and to set the validity period of a created user, the expiration date of a password, and the permitted login time.
2. The default user name is root.
a. In V100R020C00 and later versions, when you log in to the BIOS for the first time, you must change the BIOS password and default account password.
b. In V100R020C10 and later versions, if a user password is reset, the user must change the password when logging in to the system using the new password for the first time. This function can be disabled by running the system modify logon password disable command.
The default password or a password with low complexity is easily attacked or cracked by an unauthorized user, affecting device security. To ensure system security, the length and complexity of a password must meet certain security requirements when a maintenance engineer creates a user. A password must comply with the following requirements:
a. The default passwords of the system must be changed promptly after the system goes online. You can run the system modify logon password command to make password changing mandatory upon the first login.
b. Weak passwords (for example, password, admin, and 123456) are not allowed.
c. A password must contain at least 6 characters in versions earlier than V100R020C00 and 8 characters in V100R020C00 and later versions. You are advised to run the system user password security-length command to change the secure password length requirement.
d. A password must contain uppercase and lowercase characters, punctuation marks, and digits.
e. A password must be different from the user name or the user name in reverse order.
3. A weak password dictionary is supported. You cannot use a password in the weak password dictionary when setting or changing a password. The weak password dictionary is empty by default. You are advised to run the system user password exclude command to add insecure passwords to the weak password dictionary.
4. The longer a password is in use, the more likely it is to be stolen or cracked. Therefore, you need to change a password periodically. It is recommended that you change a password at least once every 3 months.
All device passwords and keys must be updated based on site requirements. The following uses the SSH key as an example. You can run the ssh server rekey-interval command to configure the key update interval.
5. The system supports the management channel firewall. To prevent a management terminal with an unauthorized IP address from logging in to the system, configure the management channel firewall. Then, only management terminals with authorized IP addresses can log in to the system.
6. You can log in to the device through Telnet, SSH, or a local serial port.
a. Telnet is an insecure protocol and is disabled by default in V100R019C1x and later versions. If a device is upgraded from an earlier version, Telnet may still be enabled (depending on whether Telnet was enabled before the upgrade). You are advised to disable Telnet and use SSH.
b. If you log in to the system in SSH mode, the SSHv2 mode is used by default. SSHv1 is not recommended because it has security risks. SSHv1 is disabled by default.
c. SSH user authentication can be performed in 4 modes: Password, Public-Key, Password & Public-Key, and Password or Public-Key. The Public-Key authentication mode is more secure than the Password authentication mode. You are advised to use the Public-Key or Password & Public-Key authentication mode.
d. The key pair used by the SSH service can be created and updated. You are advised to configure an RSA key with a length of 3072 bits (supported since V100R020C01&C02).
e. The local serial port login mode can be used only at the near end of the device and supports user name+password authentication. The serial port is enabled by default and is usually used during device deployment. If the serial port is enabled for a long time, security risks exist. You are advised to run the sysman console disable command to disable the serial port unless the port needs to be used. The SSH mode is recommended.
7. A user who logs in to the system and then leaves the terminal unattended for a long period of time must log out to prevent the system from being operated by another user. The system supports automatic logout: if there is no keyboard input for a long time, the user is forcibly logged out. You are advised to set the idle time before automatic logout to 5 minutes (the default).
8. The system locks out an account or the corresponding IP address if the number of login failures exceeds the permitted number of login attempts. This function is enabled by default. The root user is locked out for a fixed 1 minute, and the lockout time for other users can be set by running the system lock interval command. To prevent unauthorized users from cracking a user name and password by continuous attempts, do not disable the lockout function.
9. The system performs a complexity check on SNMPv1/SNMPv2 community names and on SNMPv3 user authentication passwords and encryption passwords. If SNMP authentication fails, the system locks out the corresponding IP address. This function is enabled by default. You can run the system snmp-user password security command to set this function. You are advised not to disable the lockout function.
IP address lockout upon an SNMP authentication failure takes effect only after the system lock is enabled by running the system lock type command and the lock type is set to IP or all.
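To make the password rules in items 2 to 4 above concrete, here is an added Python checker. It is my own illustration, not Huawei code and not the OLT's implementation: it applies the post's requirements to a candidate password (the 8-character minimum, or 6 on versions earlier than V100R020C00; the 15-character upper limit shown in the first-login prompts; the character-class mix; the rule against the user name or its reverse; a weak-password dictionary standing in for the list maintained with system user password exclude, which is empty by default on the device) and checks the 3-month change recommendation. The function names, the default values and the sample weak-password entries are assumptions.

```python
import string
from datetime import date, timedelta

# Constructed weak-password dictionary. On the OLT this list is empty by default
# and is filled with "system user password exclude"; these entries are examples only.
WEAK_PASSWORD_DICTIONARY = {"password", "admin", "123456", "root1234"}


def check_password(password, username, min_length=8, max_length=15,
                   weak_dictionary=WEAK_PASSWORD_DICTIONARY):
    """Return the list of violated rules; an empty list means the password is acceptable.

    min_length defaults to 8 (V100R020C00 and later); pass 6 for earlier versions.
    max_length is the 15-character limit shown by the first-login prompts.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    # The password must differ from the user name and from the user name reversed.
    if password.lower() in (username.lower(), username.lower()[::-1]):
        problems.append("same as the user name or the user name reversed")
    # Weak-dictionary match is checked case-insensitively so "Admin" is caught too.
    if password.lower() in {w.lower() for w in weak_dictionary}:
        problems.append("listed in the weak-password dictionary")
    return problems


def password_due_for_change(last_changed, today, max_age_days=90):
    """True when the password has been in use longer than the recommended 3 months."""
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed candidates for the root account.
    for candidate in ("Olt#2024ok", "toor", "Admin", "password"):
        issues = check_password(candidate, "root")
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
    print("due for change:", password_due_for_change(date(2024, 1, 1), date(2024, 5, 1)))
```

A checker like this belongs in the provisioning tooling or the change-review step, so that a password is rejected before it is ever typed into terminal user password; the device's own complexity check remains the last line of defence.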
Procedure
1. Associate a correct user profile with a user being created.
- Run the terminal user-profile command to create a user profile.
- Run the terminal user name command to create a user and specify the user profile for the user.
- Run the terminal user user-profile command to replace the user profile of a user.
2. Run the terminal user password command to change the password of a user.
3. Configure the system lockout policy.
- Run the system lock condition command to configure the number of allowed login attempts.
- Run the system lock interval command to configure the lockout duration.
- Run the system lock type command to configure the lockout type, which supports locking of user names, IP addresses, or both user names and IP addresses.
4. Configure the Telnet service.
- Run the display sysman service state command to check whether the Telnet function is enabled.
- Run the sysman service telnet disable command to disable the Telnet service.
5. Configure the SSH service.
- Run the ssh user username authentication-type command to configure the user authentication mode.
- Run the ssh server rekey-interval command to configure the period of updating SSH keys.
- Run the rsa local-key-pair create command to configure a key pair required by the SSH service.
6. Run the sysman console disable command to disable the serial port.
7. Configure the management plane firewall. The firewall on the management plane can be configured using either of the following methods:
a. Configure the permitted and denied IP address segments.
- Run the sysman ip-access command to configure the IP address segment that is allowed to access the device through SSH, Telnet, and SNMP.
- Run the sysman ip-refuse command to configure the IP address segment that is not allowed to access the device through SSH, Telnet, or SNMP.
- Run the sysman firewall command to enable the firewalls of SSH, Telnet, and SNMP.
b. Bind an ACL rule.
- Run the telnet server acl command to bind an ACL rule to the Telnet protocol.
- Run the ssh server acl command to bind an ACL rule to the SSH protocol.
8. Run the idle-timeout command to set the terminal idle timeout.
- Run the idle-timeout command to set the terminal idle timeout as required. After logging in to the system and performing the related operations, log out of the system in time.
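The lockout policy configured in step 3 (system lock condition, system lock interval and system lock type) and described in item 8 above can be hard to reason about when the lock type is changed. The following added Python model is my own illustration, not the OLT's code: it replays a constructed sequence of login events against a policy with a configurable attempt threshold, lockout duration and lock type (user, ip or all), keeps the root user's lock fixed at 1 minute as the post states, and shows why locking only the user name lets a second account log in from the same blocked address. The class, its parameter names, the 3-attempt threshold, the 120-second interval and the 192.0.2.x addresses are assumptions.

```python
from collections import defaultdict


class LoginLockoutPolicy:
    """Model of the OLT login lockout described in the post (constructed illustration).

    After max_attempts consecutive failures the user name, the source IP address,
    or both (lock_type "user", "ip" or "all") are locked for lock_interval seconds.
    The root user is always locked for a fixed 60 seconds.
    """

    ROOT_LOCK_SECONDS = 60

    def __init__(self, max_attempts=3, lock_interval=120, lock_type="all"):
        if lock_type not in ("user", "ip", "all"):
            raise ValueError("lock_type must be user, ip or all")
        self.max_attempts = max_attempts
        self.lock_interval = lock_interval
        self.lock_type = lock_type
        self.failures = defaultdict(int)  # key -> consecutive failures
        self.locked_until = {}            # key -> time at which the lock expires

    def _keys(self, username, ip):
        """The identities this lock type tracks for one login attempt."""
        keys = []
        if self.lock_type in ("user", "all"):
            keys.append(("user", username))
        if self.lock_type in ("ip", "all"):
            keys.append(("ip", ip))
        return keys

    def is_locked(self, username, ip, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def record_failure(self, username, ip, now):
        """Count a failed login and lock each tracked identity once it hits the threshold."""
        for key in self._keys(username, ip):
            self.failures[key] += 1
            if self.failures[key] >= self.max_attempts:
                interval = self.ROOT_LOCK_SECONDS if key == ("user", "root") else self.lock_interval
                self.locked_until[key] = now + interval
                self.failures[key] = 0

    def record_success(self, username, ip):
        """A successful login resets the consecutive-failure counters."""
        for key in self._keys(username, ip):
            self.failures.pop(key, None)


# Constructed sample of login events: (time in seconds, user, source IP, credentials valid).
SAMPLE_EVENTS = [
    (1000, "root", "192.0.2.10", False),
    (1001, "root", "192.0.2.10", False),
    (1002, "root", "192.0.2.10", False),  # 3rd failure: root locked 60 s, IP locked 120 s
    (1030, "root", "192.0.2.10", True),   # still locked -> rejected
    (1070, "root", "192.0.2.11", True),   # root lock expired at 1062 -> accepted
    (1100, "admin", "192.0.2.10", True),  # IP lock lasts until 1122 -> rejected only with ip/all
]


def replay(events, policy):
    """Return (time, user, ip, outcome) for each event as the policy would decide it."""
    outcomes = []
    for t, user, ip, valid in events:
        if policy.is_locked(user, ip, t):
            outcomes.append((t, user, ip, "rejected: locked"))
            continue
        if valid:
            policy.record_success(user, ip)
            outcomes.append((t, user, ip, "accepted"))
        else:
            policy.record_failure(user, ip, t)
            outcomes.append((t, user, ip, "failed"))
    return outcomes


if __name__ == "__main__":
    for lock_type in ("all", "user"):
        print(f"lock type {lock_type}:")
        for t, user, ip, outcome in replay(SAMPLE_EVENTS, LoginLockoutPolicy(lock_type=lock_type)):
            print(f"  t={t} {user}@{ip}: {outcome}")
```

Running it shows the trade-off behind the lock type setting: with lock type all, the admin login from the blocked address at t=1100 is still rejected, while with lock type user it is accepted because only the root user name was locked. The same model applies to the SNMP case in item 9, where the IP address is what gets locked, which is why that lockout needs system lock type set to IP or all.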
I hope it helps you.
Thank you for reading!