By default, the Cisco IOS runs some services that are unnecessary

azmath.hk
Level 1

Besides encryption, ACLs, and authorization, there are additional commands we can configure on our perimeter routers to limit access to it. By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if we don't disable them, they can be easy targets for DoS attacks and break-in attempts.

Plus, if we just use a Cisco router's default settings, it won't check routing paths to stop illegitimate traffic, and ARP traffic will be allowed to pass through its interfaces. We'll now look at how to turn off these unneeded services.

Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
Lab_B(config)#no service finger
Lab_B(config)#no ip boot server
Lab_B(config)#no service config
Lab_B(config)#no ip source-route
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip proxy-arp
Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49

Guys, I want to know: shall I disable all of the above-cited default services on the Cisco 1811 router, or are they already disabled?

I need your valuable suggestions on this.

Regards,

Khan

6 Replies

hemendoz
Cisco Employee

Hello Khan,

Some of those services are disabled by default. There is no harm in turning off a feature that is already disabled. If you want more information, there is a nice on-line security training module:

http://www.cisco.com/web/about/security/security_services/ciag/workforce_development/securing_cisco_routers.html

Securing Cisco Routers - Computer Based Training

Securing Cisco Routers (SECR) v1.0 teaches the top ten steps to improving Cisco router security. It combines an updated version of the popular Cisco Router Security (CRS) course with the new Advanced Cisco Router Security (ACRS) course.

Based on industry best practices and the newest in Cisco IOS security features, SECR contains tutorials, animations, and configuration examples that teach you how to configure Cisco routers to ensure maximum device security. Practice what you learn in a safe training environment through e-lab simulations of the Cisco IOS software command-line interface. Finally, test your knowledge using the built-in assessment quizzes.

Hope that helps! If so, please rate.

Thanks

I have one small follow-up. While you may choose to disable proxy ARP, the example given is flawed:

Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip proxy-arp

There is no ARP and no proxy-arp on serial interfaces. This would make much more sense on an Ethernet or FastEthernet interface.

One other suggestion is that on outward facing interfaces you may want to configure no ip unreachable.

HTH

Rick


andrew.burns
Level 7

Also, you won't close port 67 on the router unless you also do a "no service dhcp".

Andrew.
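As an added example (not code from this thread or from Cisco), the following Python script reads a "show running-config" dump and reports which of the services listed above, plus Andrew's "service dhcp", are still enabled. Because IOS prints only non-default settings, a service that appears in neither its enabling nor its "no" form is reported at its assumed default; the default table in the script is an assumption and must be checked against your own IOS release.

```python
import re

# Services from the thread, with the state assumed when the running-config shows
# neither form. These defaults are an assumption here; verify them for your release.
GLOBAL_DEFAULTS = {
    "service tcp-small-servers": False, "service udp-small-servers": False,
    "service finger": False, "service config": False,
    "ip bootp server": True, "ip source-route": True, "service dhcp": True,
}
INTERFACE_DEFAULTS = {"ip proxy-arp": True}

def parse_config(text):
    """Split a show running-config dump into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines() if l.strip() and l[0] != "!"):
        if line.startswith(" "):  # indented: belongs to the open interface block
            if current is not None:
                interfaces[current].append(line.strip())
        elif (m := re.match(r"interface (\S+)$", line)):
            current = m.group(1)
            interfaces[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def is_enabled(lines, service, default):
    """An explicit 'no' form wins, then an explicit enable, then the platform default."""
    if f"no {service}" in lines:
        return False
    return True if service in lines else default

def audit(text):
    """Return the services still enabled, keyed by 'global' and by interface name."""
    global_lines, interfaces = parse_config(text)
    report = {"global": [s for s, d in GLOBAL_DEFAULTS.items() if is_enabled(global_lines, s, d)]}
    for name, lines in interfaces.items():
        report[name] = [s for s, d in INTERFACE_DEFAULTS.items() if is_enabled(lines, s, d)]
    return report

# Constructed sample: a router that applied only part of the list posted above.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
no ip source-route
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
interface FastEthernet0/1
"""
```

Run audit() on the output of "show running-config" to get, per scope, the services that still need a "no" line; on the sample it flags the TCP small servers, the BOOTP server, DHCP and proxy ARP on FastEthernet0/1.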

Guys,

With regard to "no ip proxy-arp" on an Ethernet or FastEthernet interface, what exactly does it do? Please advise.

Lab_B(config)#no service config (we do not have any configuration server in our network from which we could download a configuration file)

I have found that we need to configure the exec-timeout command, which is used to drop an idle EXEC session after the idle time specified in minutes and seconds has elapsed. The exec command enables or disables access to the EXEC process for a line.

exec-timeout 5 0

And tcp-keepalives-in and tcp-keepalives-out generate keepalive packets on idle outgoing network connections (initiated by a user). To disable the keepalives, use the no form of this command.

What are the other commands that we need to implement on our perimeter router to enhance security?

Your true assistance will be highly appreciated.

Waiting for your valuable suggestion on the same.

One more question: I am using NAT, so is it necessary to apply the "no ip proxy-arp" command on the Ethernet interface? I just want to make sure before applying this command in the real network.

Please advise.

Regards,

Khan.
