Securing my 827

arpansa
Level 1

Hey all,

Got the basic config of my 827 going, however I want to disable ICMP replies to external, and close telnet off. Anyone got any suggestions on general hardening of the below config? Cheers.

show run

Building configuration...

Current configuration : 1624 bytes
!
version 12.1
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname X
!
logging rate-limit console 10 except errors
enable secret 5 X
!
username X privilege 15 password 7 X
username X password 7 X
ip subnet-zero
no ip finger
ip name-server X
ip name-server X
!
no ip dhcp-client network-discovery
vpdn enable
no vpdn logging
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip adjust-mss 1452
 ip nat inside
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  protocol pppoe
  pppoe-client dial-pool-number 1
 !
 pvc 8/35
  protocol pppoe
  pppoe-client dial-pool-number 1
 !
 bundle-enable
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ahucker
 ppp chap password 7 X
 ppp pap sent-username X password 7 X
 ppp ipcp dns request
 ppp ipcp wins request
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 login local
 length 0
!
scheduler max-task-time 5000
end

4 Replies

mchin345
Level 6

Step 1 To disable ICMP debug messages, enter the following command:

hostname(config)# no debug icmp trace

Step 2 To disable logging, if desired, enter the following command:

hostname(config)# no logging on

Step 3 To remove the ICMPACL access list, and also delete the related access-group commands, enter the following command:

hostname(config)# no access-list ICMPACL

Step 4 (Optional) To disable the ICMP inspection engine, enter the following command:

hostname(config)# no service-policy ICMP-POLICY

Little_Wing
Level 1

Some things you might consider:

-global commands-

no snmp-server
no ip identd
no ip bootp server
no ip source-route
no ip gratuitous-arps
no ip directed-broadcast
no ip domain-lookup
no ip http server
no ip http secure-server
no cdp run
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
login on-failure log
login on-success log
login block-for 60 attempts 3 within 30

-use ssh only to connect to router, if possible force version 2 and put access list to restrict vty access

ip ssh version 2
line vty 0 4
 transport input ssh

- on interfaces use the following -

no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no cdp enable
ntp disable

- to disable common ip vulnerabilities

Beyond that, set up good logging and a trusted time source. Also, access lists to filter packets that should not be entering an interface, for example on int e0 block all but 10.10.10.0/24, depending on how paranoid you want to be. On external interface block private networks, loopback, multicast, etc.

HTH,

Little_Wing
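As an added example (not code from the post, from Cisco or from SDM), here is a small Python audit that splits a constructed running-config excerpt into global and interface/line sections and reports which of the checklist commands above are missing. The config text and the two command lists are assumptions modelled on the reply; adjust them to your platform.

```python
# Constructed running-config excerpt in the style of the original post (not the poster's config).
SAMPLE_CONFIG = """\
hostname X
no ip http server
no ip source-route
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
!
interface Dialer1
 ip address negotiated
!
line vty 0 4
 login local
"""

# Items from the reply that 'show run' prints only when set (non-defaults), so absence = default still active.
GLOBAL_REQUIRED = ["no ip source-route", "no ip bootp server", "no ip http server",
                   "no cdp run", "service tcp-keepalives-in", "login block-for"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp", "no cdp enable"]

def parse_sections(text):
    """Split an IOS config into top-level lines and the indented body of each interface/line block."""
    top, sections, current = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None
        elif line[0] != " ":
            current = line if line.startswith(("interface ", "line ")) else None
            if current:
                sections[current] = []
            else:
                top.append(line)
        elif current:
            sections[current].append(line.strip())
    return top, sections

def audit(text):
    """Return a list of findings: each hardening command that is missing, and where."""
    top, sections = parse_sections(text)
    findings = [f"global: missing '{cmd}'" for cmd in GLOBAL_REQUIRED
                if not any(line.startswith(cmd) for line in top)]
    for name, body in sections.items():
        if name.startswith("interface "):
            findings += [f"{name}: missing '{cmd}'" for cmd in INTERFACE_REQUIRED if cmd not in body]
        elif name.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{name}: telnet still accepted, want 'transport input ssh'")
    return findings
```

The check relies on IOS omitting default settings from show run, so it only covers commands that are non-default on the platform; `no ip directed-broadcast` is deliberately left out because directed-broadcast forwarding has been off by default since IOS 12.0 and the line would never appear.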

I have found the SDM_LOW config to be vulnerable to attack.

I have tried running this config and I get inundated with disconnects and the dialer interface being hammered until it falls over.

I am trying to find out if my 837 can be upgraded to a stronger IOS version so that I can beef up the firewall with SDM.

Otherwise I will have to read up on firewalls and edit the config myself.

stephen.stack
Level 4

Hi,

There are one or two ways to completely lock down your router, because given your config it is a bit exposed. Download SDM from Cisco, and install it either on the router or on your PC. You should run the firewall wizard and then run the Security Check tool. Both of these ensure that your router is fairly secure. These enable all interface security, IOS firewall, application layer packet inspection and stateful packet inspection.

You can also deny access to telnet from SDM.

A good learning curve here is to look at your config before and after SDM features are implemented.

Otherwise the below config will suffice;

ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
interface dial0
 ip inspect SDM_LOW out
 ip access-group 101 in
!
!
access-list 101 permit gre any any (Allow external PPTP)
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
!
!
access-list 23 permit tcp 192.168.1.0 0.0.0.255
access-list 23 deny any any
!
line vty 0 4
 login
 password *password*
 access-class 23 in
!

The above locks telnet down to the 192.168.1.0 subnet and the 101 ACL denies ICMP reply from the ADSL interface.

HTH, Pls Rate Posts

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
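To see exactly what the inbound ACL 101 above lets through before the inspect rules add anything, here is an added Python evaluator (not code from the post or from Cisco) that parses the reply's access-list 101 with Cisco wildcard masks and runs constructed packets through it with IOS's first-match and implicit-deny semantics. The copy of the ACL, the helper names and the sample addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are assumptions.

```python
import ipaddress
# Constructed copy of the reply's access-list 101 (the "(Allow external PPTP)" note dropped so it parses).
ACL_101 = """\
access-list 101 permit gre any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'; return (base, wildcard, rest)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [icmp-type]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        src, swc, rest = _take_addr(f[4:])
        dst, dwc, rest = _take_addr(rest)
        rules.append((f[2], f[3], src, swc, dst, dwc, rest[0] if rest else None))
    return rules

def _match(addr, base, wc):
    # Cisco wildcard mask: a set bit means "don't care" for that bit position.
    return (_ip(addr) | wc) == (base | wc)

def evaluate(rules, proto, src, dst, icmp_type=None):
    """First match wins; an unmatched packet hits the implicit deny at the end, as on IOS."""
    for action, rproto, bs, ws, bd, wd, rtype in rules:
        proto_ok = rproto in ("ip", proto)
        addr_ok = _match(src, bs, ws) and _match(dst, bd, wd)
        type_ok = rtype is None or rtype == icmp_type
        if proto_ok and addr_ok and type_ok:
            return action
    return "deny"
```

Running it shows that an external echo request falls through to the implicit deny (which is what the original poster asked for) while echo-reply, time-exceeded and unreachable are still accepted, and also that because the `permit gre any any` line sits above the private-source denies, GRE from a spoofed private source is permitted; moving the deny lines above it would close that. Return traffic for sessions opened from inside is handled separately by `ip inspect SDM_LOW out`, which this static evaluation does not model.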