Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

By default, the Cisco IOS runs some services that are unnecessary

Besides encryption, ACLs, and authorization, there are additional commands we can configure on our perimeter routers to limit access to it. By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if we don't disable them, they can be easy targets for DoS attacks and break-in attempts.

Plus, if we just use a Cisco router's default settings, it won't check routing paths to stop illegitimate traffic, and ARP traffic will be allowed to pass through its interfaces. We'll now look at how to turn off these unneeded services.

Lab_B(config)#no service tcp-small-servers

Lab_B(config)#no service udp-small-servers

Lab_B(config)#no service finger

Lab_B(config)#no ip boot server

Lab_B(config)#no service config

Lab_B(config)#no ip source-route

Lab_B(config)#interface s0/0

Lab_B(config-if)#no ip proxy-arp

Lab_B(config)#no ip forward-protocol udp 69

Lab_B(config)#no ip forward-protocol udp 53

Lab_B(config)#no ip forward-protocol udp 37

Lab_B(config)#no ip forward-protocol udp 137

Lab_B(config)#no ip forward-protocol udp 138

Lab_B(config)#no ip forward-protocol udp 68

Lab_B(config)#no ip forward-protocol udp 49

Guys, I want to know that,shall i disable all the above cited default service in cisco 1811 router or its already disabled...

Please need your valuable suggestion on the same.

Regards,

Khan

6 REPLIES
Cisco Employee

Re: By default, the Cisco IOS runs some services that are unnece

Hello Khan,

So of those services are disabled by default. There is no harm turning off a feature that is already disabled. If you want more information, there is a nice on-line security training module

http://www.cisco.com/web/about/security/security_services/ciag/workforce_development/securing_cisco_routers.html

Securing Cisco Routers - Computer Based Training

Securing Cisco Routers (SECR) v1.0 teaches the top ten steps to improving Cisco router security. It combines an updated version of the popular Cisco Router Security (CRS) course with the new Advanced Cisco Router Security (ACRS) course.

Based on industry best practices and the newest in Cisco IOS security features, SECR contains tutorials, animations, and configuration examples that teach you how to configure Cisco routers to ensure maximum device security. Practice what you learn in a safe training environment through e-lab simulations of the Cisco IOS software command-line interface. Finally, test your knowledge using the built-in assessment quizzes.

Hope that helps! If so, please rate.

Thanks

Hall of Fame Super Gold

Re: By default, the Cisco IOS runs some services that are unnece

I have one small follow-up. While you may choose to disable proxy arp the example given is flawed:

Lab_B(config)#interface s0/0

Lab_B(config-if)#no ip proxy-arp

There is no ARP and no proxy-arp on serial interfaces. This would make much more sense on an Ethernet or FastEthernet interface.

One other suggestion is that on outward facing interfaces you may want to configure no ip unreachable.

HTH

Rick

Re: By default, the Cisco IOS runs some services that are unnece

Also, you won't close port 67 on the router unless you also do a "no service dhcp".

Andrew.

Community Member

Re: By default, the Cisco IOS runs some services that are unnece

Guys,

With regards to the ?no ip proxy-arp? on Ethernet or FastEthernet interface, what exactly it does? Please advice.

Lab_B(config)#no service config ( we do not have any configuration server in our network from where we can download configuration file)

I have found that we need to configure the Exec-timeout Command is used to drop an idle Exec session after the idle time specified in minutes and second occurs. The exec command enables or disables access to the EXEC process for line.

exec-timeout 5 0

And no tcp-keepalives-in and out generates keepalive packets on idle outgoing network connections (initiated by a user). To disable the keepalives, use the no form of this command

What are the other commands which we need to implement on our perimeter router for enhance the security?

Your true assistance will be highly appreciated.

Community Member

Re: By default, the Cisco IOS runs some services that are unnece

Waiting for your valuable suggestion on the same.

Community Member

Re: By default, the Cisco IOS runs some services that are unnece

One more question is that i am using NAT, so is this necessary to apply this command on ethernet interface "no proxy-arp" just want to make sure before applying this command in real network..

Please advice.

Regards,

Khan.

335
Views
0
Helpful
6
Replies
CreatePlease to create content