If the switch is supported by "Cisco Router and Security Device Manager (SDM)", it suggests (and can implement) security configuration modifications. (NB: There's a newer recently released renamed version of this package, by I don't recall what it's called.)
If the switch is atleast configured with one ip address, the following command "" sh ip sockets ""will list the default services that switch will listen on. however, it will not accept the packets destined to that port unless appropriate configuration is done for those services.
NOTE: The above command will list only udp sockets and to view active TCP connections, you need to use "sh tcp brief "
This links gives general guidelines to harden Cisco devices running IOS
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...