07-22-2006 05:30 PM - edited 03-03-2019 01:25 PM
Hey all,
Got the basic config of my 827 going, however I want to disable ICMP replies to external, and close telnet off. Anyone got any suggestions on general hardening of the below config? Cheers.
show run
Building configuration...
Current configuration : 1624 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname X
!
logging rate-limit console 10 except errors
enable secret 5 X
!
username X privilege 15 password 7 X
username X password 7 X
ip subnet-zero
no ip finger
ip name-server X
ip name-server X
!
no ip dhcp-client network-discovery
vpdn enable
no vpdn logging
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip adjust-mss 1452
ip nat inside
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/35
protocol pppoe
pppoe-client dial-pool-number 1
!
pvc 8/35
protocol pppoe
pppoe-client dial-pool-number 1
!
bundle-enable
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ahucker
ppp chap password 7 X
ppp pap sent-username X password 7 X
ppp ipcp dns request
ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 0
login local
length 0
!
scheduler max-task-time 5000
end
07-27-2006 08:42 AM
Step 1 To disable ICMP debug messages, enter the following command:
hostname(config)# no debug icmp trace
Step 2 To disable logging, if desired, enter the following command:
hostname(config)# no logging on
Step 3 To remove the ICMPACL access list, and also delete the related access-group commands, enter the following command:
hostname(config)# no access-list ICMPACL
Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:
hostname(config)# no service-policy ICMP-POLICY
07-27-2006 10:27 AM
Some things you might consider:
-global commands-
no snmp-server
no ip identd
no ip bootp server
no ip source-route
no ip gratuitous-arps
no ip domain-lookup
no ip http server
no ip http secure-server
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
login on-failure log
login on-success log
login block-for 60 attempts 3 within 30
-use ssh only to connect to router, if possible force version 2 and put access list to restrict vty access
ip ssh version 2
line vty 0 4
transport input ssh
- on interfaces use the following -
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no cdp enable
ntp disable
- to disable common ip vulnerabilities
Beyond that, set up good logging and a trusted time source. Also, access lists to filter packets that should not be entering an interface, for example on int e0 block all but 10.10.10.0/24, depending on how paranoid you want to be. On external interface block private networks, loopback, multicast, etc.
HTH,
Little_Wing
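Added example (not part of the thread, and not a Cisco tool): a Python script that applies the checklist in the reply above to the original poster's show run output and lists what is still missing, including the two things the question asked about (telnet still allowed on the vty lines, and no inbound filter on the outside interface, so inbound pings are answered). The config text inside is the poster's config as shown in the thread, trimmed to the relevant lines, with secrets still masked as X. One caveat a practitioner should keep in mind: show run only displays commands that differ from the IOS defaults, so an item reported as absent may simply be at its default; re-applying the no form is harmless, and show ip interface confirms the effective per-interface state. The finding strings and function names are this example's own.

```python
import re

# Hardening checklist from the reply above (IOS command syntax).
GLOBAL_HARDENING = [
    "no ip source-route", "no ip bootp server", "no ip identd",
    "no ip gratuitous-arps", "no ip domain-lookup", "no ip http server",
    "no ip http secure-server", "no cdp run", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "service sequence-numbers",
]
INTERFACE_HARDENING = [
    "no ip redirects", "no ip unreachables", "no ip proxy-arp",
    "no ip directed-broadcast", "no cdp enable",
]

# Constructed sample: the original poster's 827 config from the thread,
# trimmed to the lines these checks look at (secrets masked as X).
SAMPLE_CONFIG = """\
version 12.1
service password-encryption
no ip finger
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
!
no ip http server
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
line con 0
 transport input none
line vty 0 4
 login local
"""


def parse_config(text):
    """Split a show-run dump into global commands plus interface and line
    blocks.  Works on real IOS indentation and on the flattened copy in the
    thread: a block starts at 'interface X' / 'line X' and ends at '!' or
    at the next block header."""
    cfg = {"global": [], "interface": {}, "line": {}}
    kind = name = None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            kind = None
            continue
        m = re.match(r"^(interface|line)\s+(.+)$", cmd)
        if m:
            kind, name = m.group(1), m.group(2)
            cfg[kind][name] = []
        elif kind:
            cfg[kind][name].append(cmd)
        else:
            cfg["global"].append(cmd)
    return cfg


def audit(text):
    """Return a list of findings; an empty list means nothing is missing."""
    cfg = parse_config(text)
    findings = []
    present = set(cfg["global"])
    for cmd in GLOBAL_HARDENING:
        if cmd not in present:
            findings.append(f"global: '{cmd}' not in running-config")
    for ifname, cmds in cfg["interface"].items():
        c = set(cmds)
        if not any(x.startswith("ip address ") for x in c):
            continue  # no IP on this interface (e.g. ATM0 carrying PPPoE)
        for cmd in INTERFACE_HARDENING:
            if cmd not in c:
                findings.append(f"{ifname}: '{cmd}' not in running-config")
        if "ip nat outside" in c and not any(
            x.startswith("ip access-group ") and x.endswith(" in") for x in c
        ):
            findings.append(f"{ifname}: no inbound access-group, so ICMP echo "
                            "from the Internet is answered and anything the "
                            "router listens on is reachable")
    for lname, cmds in cfg["line"].items():
        if not lname.startswith("vty"):
            continue
        c = set(cmds)
        if "transport input ssh" not in c:
            findings.append(f"line {lname}: telnet still allowed (no 'transport input ssh')")
        if not any(x.startswith("access-class ") for x in c):
            findings.append(f"line {lname}: no access-class limiting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against your own show run output (paste it in place of SAMPLE_CONFIG) and work through the findings; the point of parsing blocks rather than grepping the whole file is that no ip redirects on Ethernet0 says nothing about Dialer1.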
08-16-2006 10:50 PM
I have found the SDM_LOW config to be vulnerable to attack.
I have tried running this config and I get inundated with disconnects and the dialer interface being hammered until it falls over.
I am trying to find out if my 837 can be upgraded to a stronger IOS version so that I can beef up the firewall with SDM.
Otherwise I will have to read up on firewalls and edit the config myself.
07-27-2006 02:06 PM
Hi,
There are one or two ways to completely lock down your router, because given your config it is a bit exposed. Download SDM from Cisco, and install it either on the router or on your PC. You should run the firewall wizard and then run the Security Check tool. Both of these ensure that your router is fairly secure. These enable all interface security, IOS firewall, application layer packet inspection and stateful packet inspection.
Also, you can deny access to telnet from SDM too.
A good learning curve here is to look at your config before and after SDM features are implemented.
Otherwise, the config below will suffice:
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
! Dialer1 is the ADSL (PPPoE) interface in the original poster's config
interface Dialer1
ip inspect SDM_LOW out
ip access-group 101 in
!
!
access-list 101 remark Allow external PPTP
access-list 101 permit gre any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
!
!
! standard ACL (1-99): source address only, no protocol keyword
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 deny any
!
line vty 0 4
login
password *password*
access-class 23 in
!
The above locks telnet down to the 192.168.1.0 subnet and the 101 ACL denies ICMP replies from the ADSL interface.
HTH, Pls Rate Posts
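Added example (not from the thread): a Python evaluator for inbound ACL 101 in the reply above, so you can see what the filter does to specific packets before putting it on a live ADSL link. It re-implements IOS numbered extended ACL semantics for the entry forms the reply uses (first match wins, implicit deny at the end, wildcard masks, host, any, an ICMP type keyword); the addresses in the test cases are constructed from documentation ranges, and the function names are this example's own. It does not model CBAC: ip inspect SDM_LOW out inserts temporary entries ahead of this ACL for the return traffic of sessions started from the LAN, so replies to inside-initiated TCP/UDP sessions get through even though the static list below denies them.

```python
import ipaddress

# Constructed copy of the inbound ACL from the reply above (remark added).
ACL_101 = """\
access-list 101 remark Allow external PPTP
access-list 101 permit gre any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _addr_spec(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, wildcard) as ints; a set wildcard bit means don't care."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))


def parse_acl(text, number):
    """Parse 'access-list <number> ...' lines into
    (action, protocol, src_spec, dst_spec, qualifier) tuples; remarks are skipped."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or len(tok) < 4 or tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        qualifier = rest[0] if rest else None  # e.g. an ICMP type keyword
        entries.append((action, proto, src, dst, qualifier))
    return entries


def _matches(ip, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (net & care)


def evaluate(entries, proto, src, dst, icmp_type=None):
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    for action, p, s, d, qualifier in entries:
        if p != "ip" and p != proto:
            continue
        if not (_matches(src, s) and _matches(dst, d)):
            continue
        if qualifier is not None and qualifier != icmp_type:
            continue
        return action
    return "deny"


def check(proto, src, dst, icmp_type=None):
    """Decision ACL 101 makes for one packet arriving on the ADSL side."""
    return evaluate(parse_acl(ACL_101, "101"), proto, src, dst, icmp_type)


if __name__ == "__main__":
    # Constructed packets: 203.0.113.5 stands in for the router's negotiated
    # public address, 198.51.100.7 for an Internet host.
    cases = [
        ("icmp", "198.51.100.7", "203.0.113.5", "echo"),        # inbound ping
        ("icmp", "198.51.100.7", "203.0.113.5", "echo-reply"),  # reply to our ping
        ("gre", "198.51.100.7", "203.0.113.5", None),           # PPTP tunnel data
        ("tcp", "198.51.100.7", "203.0.113.5", None),           # unsolicited TCP
        ("udp", "10.9.8.7", "203.0.113.5", None),               # spoofed RFC 1918 source
    ]
    for proto, src, dst, t in cases:
        print(f"{proto:4} {src:>14} -> {dst} {t or '':10} {check(proto, src, dst, t)}")
```

The output makes the reply's claim concrete: an inbound echo never reaches the router, so there is no reply to send, while echo-reply, time-exceeded and unreachable are still accepted so that ping and traceroute from the LAN keep working.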