Cisco Support Community
Basic router security

Cisco NFP (Network Foundation Protection) is a framework that provides infrastructure protection using IOS features designed specifically to protect the device control plane (services and routing protocols), the device data plane (against malicious traffic) and the device management plane.

This document briefly describes a simple way to protect THE DEVICE MANAGEMENT PLANE.

HOSTNAME

  1. Router>enable
  2. Router#configure terminal
  3. Router(config)#hostname ccna_sec

USERS

  1. ccna_sec(config)#service password-encryption
  2. ccna_sec(config)#enable secret "PASSWORD"
  3. ccna_sec(config)#username "USER" privilege 15 secret "PASSWORD"

SSH

  1. ccna_sec(config)#ip domain-name "DOMAIN.NAME"
  2. ccna_sec(config)#crypto key generate rsa modulus 1024
  3. ccna_sec(config)#ip ssh version 2
  4. ccna_sec(config)#ip ssh authentication-retries 3
  5. ccna_sec(config)#ip ssh time-out 120


HTTPS

  1. ccna_sec(config)#ip http authentication local
  2. ccna_sec(config)#no ip http server
  3. ccna_sec(config)#ip http secure-server

LINE VTY

  1. ccna_sec(config)#line vty 0 4
  2. ccna_sec(config-line)#login local
  3. ccna_sec(config-line)#transport input ssh
  4. ccna_sec(config-line)#exec-timeout 3
  5. ccna_sec(config-line)#exit


LINE CONSOLE

  1. ccna_sec(config)#line console 0
  2. ccna_sec(config-line)#login local
  3. ccna_sec(config-line)#exec-timeout 3


BANNERS

  1. ccna_sec(config)#banner login " MESSAGE "
  2. ccna_sec(config)#banner exec " MESSAGE "

ACCESS LOG

  1. ccna_sec(config)#login block-for 10 attempts 3 within 20
  2. ccna_sec(config)#login delay 10
  3. ccna_sec(config)#login on-failure log
  4. ccna_sec(config)#login on-success log
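
The "login block-for 10 attempts 3 within 20" policy above is easiest to understand by replaying the messages that "login on-failure log" and "login on-success log" produce. The following is an added example, not part of the original document: it parses a few constructed %SEC_LOGIN syslog lines (hypothetical users and source addresses), replays them against the policy and reports when the router would have entered quiet mode. It assumes, as IOS does, that the failure counter is global rather than per source, so the per-source breakdown is a separate view for the operator.

```python
"""Replay IOS %SEC_LOGIN syslog messages against a 'login block-for' policy."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines in the IOS %SEC_LOGIN format (hypothetical hosts and users).
SAMPLE_LOG = """\
Oct 16 09:22:01.120: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 09:22:01 UTC Wed Oct 16 2013
Oct 16 09:22:05.442: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 09:22:05 UTC Wed Oct 16 2013
Oct 16 09:22:09.010: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 192.0.2.10] [localport: 22] at 09:22:09 UTC Wed Oct 16 2013
Oct 16 09:22:12.877: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 09:22:12 UTC Wed Oct 16 2013
Oct 16 09:23:40.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 09:23:40 UTC Wed Oct 16 2013
"""

# Pull out the event type, user, source address and the trailing "at HH:MM:SS TZ Day Mon D YYYY" stamp.
EVENT_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<kind>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\].*?"
    r" at (?P<time>\d\d:\d\d:\d\d) \S+ (?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)


def parse_events(text):
    """Return a list of login events (kind, user, src, ts) in log order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y")
        events.append({"kind": m["kind"], "user": m["user"], "src": m["src"], "ts": ts})
    return events


def simulate_block_for(events, attempts=3, within=20, block_for=10):
    """Replay failures against 'login block-for <block_for> attempts <attempts> within <within>'.

    Returns the list of (quiet_start, quiet_end) periods the router would enter.
    The counter is global (all sources together), matching IOS behaviour.
    """
    window = deque()          # timestamps of recent failures inside the 'within' window
    quiet_periods = []
    quiet_until = None
    for ev in events:
        if ev["kind"] != "LOGIN_FAILED":
            continue
        t = ev["ts"]
        if quiet_until is not None and t < quiet_until:
            continue          # attempt refused during quiet mode; it is not counted
        window.append(t)
        while window and (t - window[0]).total_seconds() > within:
            window.popleft()  # drop failures older than the watch window
        if len(window) >= attempts:
            quiet_until = t + timedelta(seconds=block_for)
            quiet_periods.append((t, quiet_until))
            window.clear()    # a new watch window starts after quiet mode
    return quiet_periods


def failures_by_source(events):
    """Count failed logins per source address, the view an operator wants for an ACL decision."""
    return Counter(ev["src"] for ev in events if ev["kind"] == "LOGIN_FAILED")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for start, end in simulate_block_for(evs):
        print(f"quiet mode from {start:%H:%M:%S} to {end:%H:%M:%S}")
    for src, n in failures_by_source(evs).most_common():
        print(f"{src}: {n} failed logins")
```

With the constructed lines, the third failure at 09:22:12 falls within 20 seconds of the first, so the router would block logins for 10 seconds from that moment; only sources allowed by the quiet-mode access-class (the SSH-ADMIN list configured later on this page) could still connect during that period.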


ACL + ACCESS LOG

  1. ccna_sec(config)#ip access-list standard SSH-ADMIN
  2. ccna_sec(config-std-nacl)#remark Admin Management ACL
  3. ccna_sec(config-std-nacl)#permit X.X.X.X log
  4. ccna_sec(config-std-nacl)#exit
  5. ccna_sec(config)#login quiet-mode access-class SSH-ADMIN
  6. ccna_sec(config)#line vty 0 4
  7. ccna_sec(config-line)#access-class SSH-ADMIN in
  8. ccna_sec(config-line)#exit

DEBUG

  1. ccna_sec#show running-config
  2. ccna_sec#show login
  3. ccna_sec#show login failures
  4. ccna_sec#show access-lists
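
Reviewing "show running-config" by eye does not scale, so the following added example (not part of the original document, and not a Cisco tool) audits a running-config for the management-plane settings listed on this page. The configuration it checks is a constructed excerpt for a hypothetical device with two gaps left in on purpose: "login on-success log" is absent, and the vty 5 15 lines that the page's "line vty 0 4" commands do not cover still accept Telnet and have no access-class. The audit goes slightly beyond the page by checking every vty line section, not only 0 to 4.

```python
"""Audit an IOS running-config for the management-plane hardening on this page."""

# Constructed running-config excerpt (hypothetical device, placeholder secrets).
SAMPLE_CONFIG = """\
hostname ccna_sec
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvalue
username admin privilege 15 secret 5 $1$PLACEHOLDER$hashvalue
ip domain-name example.test
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
no ip http server
ip http secure-server
ip http authentication local
login block-for 10 attempts 3 within 20
login on-failure log
ip access-list standard SSH-ADMIN
 remark Admin Management ACL
 permit 192.0.2.10 log
line con 0
 login local
 exec-timeout 3 0
line vty 0 4
 access-class SSH-ADMIN in
 login local
 transport input ssh
 exec-timeout 3 0
line vty 5 15
 login local
 transport input telnet ssh
"""

# Global commands that must appear exactly as written.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "ip ssh version 2",
    "no ip http server",
    "ip http secure-server",
    "ip http authentication local",
    "login on-failure log",
    "login on-success log",
]
# Global commands that carry a value; only the prefix is checked.
REQUIRED_GLOBAL_PREFIX = [
    "enable secret ",
    "login block-for ",
    "ip ssh time-out ",
    "ip ssh authentication-retries ",
]


def parse_line_sections(config):
    """Map each 'line ...' section header to its indented sub-commands."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            # Only 'line' sections are collected; other blocks (e.g. ACLs) reset the context.
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings = []
    top_level = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith(" ")]
    for needed in REQUIRED_GLOBAL:
        if needed not in top_level:
            findings.append(f"missing global command: {needed}")
    for prefix in REQUIRED_GLOBAL_PREFIX:
        if not any(l.startswith(prefix) for l in top_level):
            findings.append(f"missing global command: {prefix.strip()} ...")
    for name, cmds in parse_line_sections(config).items():
        if "login local" not in cmds:
            findings.append(f"{name}: no 'login local'")
        if not any(c.startswith("exec-timeout ") for c in cmds):
            findings.append(f"{name}: no exec-timeout")
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:
                findings.append(f"{name}: transport input is not SSH-only")
            if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                findings.append(f"{name}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed excerpt, the audit reports the missing success logging and the three weaknesses on vty 5 15; pasting the real output of "show running-config" into SAMPLE_CONFIG gives the same checks for a live device.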

Regards.

https://twitter.com/julioask

about.me/juliomtz

Version history: revision 1 of 1. Last update: 10-16-2013 09:22 AM