Ensure unused services are disabled (most of these are turned off in newer versions of IOS by default):
Disable small services (echo, discard, chargen, etc.):
no service tcp-small-servers
no service udp-small-servers
cdp - no cdp run
remote config-no service config
source routing - no ip source-route
BOOTP - no ip bootp server
Finger - no service finger
HTTP - no ip http server
Disable IP domain lookup - no ip domain-lookup
Disable SNMP if you don't really need it - no snmp-server
(If you do need SNMP, use an access-list to deny everything but your management station access and use Read Only):
access-list 1 permit
snmp-server community hard_to_guess_string ro 1
Administratively shut down unused interfaces
On used interfaces:
Disable directed broadcasts - no ip directed-broadcast - this helps prevent "smurf" type attacks
Disable proxy arp - no ip proxy-arp
Disable IP unreachables, redirects and mask replies:
no ip unreachables
no ip redirects
no ip mask-reply
Stuff to enable:
If you have a crypto version of IOS, enable SSH and use access-class on VTY lines to restrict access. If you don't have a crypto version of IOS, be sure to use an access-class on the vty lines:
access-list 1 permit
line vty 0 4
access-class 1 in
Ensure you have a banner motd that states "Unauthorized access to this system is prohibited..."
Use a local login username/password instead of just having a telnet password (since you only have two routers you can get by with using a local database):
username xxxx password xxxx
line vty 0 4
login local
Ensure you have strong passwords for your enable secret, usernames/passwords and telnet/ssh.
Enable service password-encryption, and set timestamps to use date and time instead of uptime:
service password-encryption
service timestamps debug datetime
service timestamps log datetime localtime
Ensure you have the correct date and time set on the box.
Some people like to put an inbound ACL on the incoming interface of their router that denies obvious fake source IPs and source IPs that exist in their internal network (anti-spoofing):
e.g. a named ACL (say your internal IP block is x.x.x.0/24):
ip access-list extended inbound
deny ip x.x.x.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
permit ip any any
(newer versions of IOS show line numbers so you can quickly insert and remove entries without having to re-enter the whole ACL)
Normal ACL method:
access-list 199 deny ip x.x.x.0 0.0.0.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 10.0.0.0 0.255.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 permit ip any any
Then apply it to your inbound interface:
ip access-group inbound in
If you have this ACL in place and there is a breach on your network you can quickly add a line into the ACL to block the offending host/attacker more quickly than you can probably change your firewall. A lot of people use this inbound ACL as a first line of defense when something new is released into the wild. It also can stop attacks, etc. before they reach your firewall. A common example would be to use this ACL to block the ports used by some kind of virus out there until you can patch up all your hosts with the latest DAT files.
If you use routing protocols, use MD5 authentication if available (OSPF, EIGRP, etc. have MD5).
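As an added example (not part of Jamey's post and not a Cisco tool): a small Python audit that parses saved "show running-config" text and reports which items from the checklist above are absent, per global config, per interface that is not shut down, and per VTY line. The sample config and the interface names in it are constructed; the command list mirrors the post, and because IOS does not print default settings, a "missing" item that is off by default on newer IOS should be verified on the box rather than assumed present.

```python
# Global checklist items from the post above, matched as running-config line prefixes.
REQUIRED_GLOBAL = [
    "no service tcp-small-servers", "no service udp-small-servers", "no cdp run", "no service config",
    "no ip source-route", "no ip bootp server", "no service finger", "no ip http server",
    "no ip domain-lookup", "service password-encryption", "service timestamps log datetime", "banner motd",
]
# Per-interface items, checked on every interface that is not administratively shut down.
REQUIRED_INTERFACE = ["no ip directed-broadcast", "no ip proxy-arp",
                      "no ip unreachables", "no ip redirects", "no ip mask-reply"]
def parse_config(text):
    """Split running-config text into global lines and indented sections keyed by header."""
    global_lines, sections, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line == "!":          # a bare '!' ends the current section
            current = None
        elif line.startswith(" ") and current:
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current, sections[line] = line, []
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections
def missing(required, lines):
    # Required prefixes that no line in `lines` starts with.
    return [c for c in required if not any(l.startswith(c) for l in lines)]
def audit(text):
    """Return findings as strings; an empty list means every check passed."""
    global_lines, sections = parse_config(text)
    findings = [f"global: missing '{c}'" for c in missing(REQUIRED_GLOBAL, global_lines)]
    for name, lines in sections.items():
        if name.startswith("interface ") and "shutdown" not in lines:
            findings += [f"{name}: missing '{c}'" for c in missing(REQUIRED_INTERFACE, lines)]
        elif name.startswith("line vty"):
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in lines):
                findings.append(f"{name}: missing inbound access-class")
            if "login local" not in lines:
                findings.append(f"{name}: missing 'login local'")
    return findings
# Constructed sample (not from a real device) with several checklist items left out.
SAMPLE_CONFIG = """\
no service tcp-small-servers
banner motd ^Unauthorized access to this system is prohibited^
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
line vty 0 4
 login local
"""
```

Running `audit(SAMPLE_CONFIG)` lists ten missing global items, four missing per-interface items on GigabitEthernet0/0 and the absent inbound access-class on the VTY lines.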
I like Jamey's reply, but would emphasize that his suggestion should be considered the minimum acceptable.
On routers which are the first hop inside a firewall, I like to go a step further and put in access-lists which duplicate as much as possible the IP filtering already on the firewall. That way, when a wily hacker does get through the firewall, you may be able to detect and stop him before he also works his way through your router.
It's more work, but could save you when a hacker does get through (and they will :-( ). The goal is defense in depth, aka redundant security. Of course, if no one is monitoring the firewall and router, you'll have no idea that either was penetrated, and you're wasting your time. Unfortunately, real security is not something you can install and forget. Like high availability, it requires constant attention.