- Use SSH only to connect to the router; if possible force version 2, and put an access list on the vty lines to restrict access.
ip ssh version 2
line vty 0 4
transport input ssh
- On interfaces use the following:
no ip redirects
no ip unreachables
no ip proxy-arp
no ip directed-broadcast
no cdp enable
- to disable common IP vulnerabilities.
Beyond that, set up good logging and a trusted time source. Also, use access lists to filter packets that should not be entering an interface; for example, on int e0 block all but 10.10.10.0/24, depending on how paranoid you want to be. On the external interface block private networks, loopback, multicast, etc.
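The hardening items listed above (SSH version 2, SSH-only vty transport with an access-class, and the per-interface no ip redirects / no ip unreachables / no ip proxy-arp / no cdp enable) are the kind of thing that drifts over time, so a quick audit of the running-config is worth having. The script below is an added example, not code from the original post: it parses an IOS running-config into global commands and indented sections and reports each listed command that is missing. The sample config, its hostname, interfaces and addresses are constructed for the example. Note the caveat on directed broadcasts: 'no ip directed-broadcast' has been the default since IOS 12.0 and is not shown by 'show running-config', so the script only flags an interface where directed broadcasts were explicitly re-enabled (use 'show running-config all' if you want defaults listed).

```python
"""Audit a Cisco IOS running-config for the hardening items listed above.

Added example, not code from the original post.  The config is split into
global commands and indented sections (interface ..., line ...) and every
listed command that is missing is reported.  The sample config below is
constructed for the example; hostname, interfaces and addresses are made up.
"""

# Constructed sample: Fa0/0 is hardened, Fa0/1 is not, and the vty lines
# still accept telnet and carry no access-class.
SAMPLE_CONFIG = """\
hostname edge-rtr
ip ssh version 2
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.0.2.2 255.255.255.252
 no ip redirects
!
line vty 0 4
 transport input telnet ssh
"""

GLOBAL_REQUIRED = ["ip ssh version 2"]

# Commands that must be present under every interface.
INTERFACE_REQUIRED = [
    "no ip redirects",
    "no ip unreachables",
    "no ip proxy-arp",
    "no cdp enable",
]

# 'no ip directed-broadcast' is the default since IOS 12.0 and is not shown
# by 'show running-config', so this check is inverted: flag an interface only
# if directed broadcasts were explicitly turned back on.
INTERFACE_FORBIDDEN = ["ip directed-broadcast"]


def parse_sections(config):
    """Split an IOS config into (global_lines, {section_header: [child lines]}).

    IOS indents a section's children by one space, so a non-indented line
    starts a new section or is a global command; a bare '!' closes a section.
    """
    global_lines, sections = [], {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(config):
    """Return a list of findings (strings); an empty list means every check passed."""
    global_lines, sections = parse_sections(config)
    findings = []
    for cmd in GLOBAL_REQUIRED:
        if cmd not in global_lines:
            findings.append(f"global: missing '{cmd}'")
    for header, children in sections.items():
        if header.startswith("interface "):
            for cmd in INTERFACE_REQUIRED:
                if cmd not in children:
                    findings.append(f"{header}: missing '{cmd}'")
            for cmd in INTERFACE_FORBIDDEN:
                if cmd in children:
                    findings.append(f"{header}: '{cmd}' explicitly enabled")
        elif header.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"{header}: transport input is not 'ssh' only")
            if not any(c.startswith("access-class ") and c.endswith(" in")
                       for c in children):
                findings.append(f"{header}: no inbound access-class")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config it reports five findings: three missing commands on FastEthernet0/1 and two on the vty lines (telnet still allowed, no access-class). Feed it the output of 'show running-config' from a real box to audit it the same way.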
There are one or two ways to completely lock down your router, because given your config it is a bit exposed. Download SDM from Cisco and install it either on the router or on your PC. You should run the firewall wizard and then run the Security Check tool. Both of these ensure that your router is fairly secure. These enable all interface security, IOS firewall, application-layer packet inspection and stateful packet inspection.
You can also deny access to telnet from SDM.
A good learning exercise here is to look at your config before and after SDM features are implemented.
Otherwise the config below will suffice:
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
! The next two commands are interface-level; enter them under the external (ADSL) interface.
ip inspect SDM_LOW out
ip access-group 101 in
!
access-list 101 remark Allow external PPTP
access-list 101 permit gre any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
!
! 23 is a standard ACL (1-99): it takes a source address only, no protocol keyword.
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 deny any
line vty 0 4
access-class 23 in
The above locks telnet down to the 192.168.1.0 subnet and the 101 ACL denies ICMP reply from the ADSL interface.
HTH, Pls Rate Posts
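To see what ACL 101 actually does to inbound traffic, the script below walks constructed packets through it. This is an added example, not code from the original post; it models the IOS extended-ACL behaviour that matters here: lines are tested top-down and the first match wins, address specs use wildcard (inverse) masks, and anything matching no line hits the implicit deny at the end. The packet addresses are constructed documentation-range values, with 198.51.100.1 standing in for the router's outside address.

```python
"""Walk constructed packets through the inbound ACL 101 from the post.

Added example, not code from the original post.  Models IOS extended-ACL
evaluation: top-down first match, wildcard (inverse) masks, and the
implicit 'deny ip any any' after the last line.  Addresses are constructed
documentation-range values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACL_101 = """\
access-list 101 permit gre any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
"""


@dataclass
class Packet:
    proto: str                       # "tcp", "udp", "icmp", "gre", ...
    src: str
    dst: str
    icmp_type: Optional[str] = None  # IOS keyword, e.g. "echo", "echo-reply"


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: tuple                       # (address, wildcard) as integers
    dst: tuple
    qualifier: Optional[str]         # trailing ICMP type keyword, if any


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_address(tokens):
    """Consume one IOS address spec; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (ip_int(tokens[1]), 0), tokens[2:]
    return (ip_int(tokens[0]), ip_int(tokens[1])), tokens[2:]


def addr_matches(spec, ip):
    """Wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (ip_int(ip) & care) == (base & care)


def parse_acl(text, number):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", str(number)] or len(tokens) < 5:
            continue
        if tokens[2] == "remark":
            continue
        src, rest = parse_address(tokens[4:])
        dst, rest = parse_address(rest)
        rules.append(Rule(tokens[2], tokens[3], src, dst, rest[0] if rest else None))
    return rules


def evaluate(rules, pkt):
    """Return (action, index of the matching line); index None is the implicit deny."""
    for i, rule in enumerate(rules):
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if not (addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)):
            continue
        if rule.qualifier is not None and rule.qualifier != pkt.icmp_type:
            continue
        return rule.action, i
    return "deny", None


# Constructed traffic arriving on the outside interface; 198.51.100.1 is the router.
SAMPLE_PACKETS = {
    "ping reply from the Internet": Packet("icmp", "203.0.113.9", "198.51.100.1", "echo-reply"),
    "ping request from the Internet": Packet("icmp", "203.0.113.9", "198.51.100.1", "echo"),
    "spoofed RFC1918 source": Packet("tcp", "10.1.2.3", "198.51.100.1"),
    "spoofed inside subnet": Packet("udp", "192.168.1.7", "198.51.100.1"),
    "PPTP tunnel (GRE)": Packet("gre", "203.0.113.9", "198.51.100.1"),
    "unsolicited SSH from the Internet": Packet("tcp", "203.0.113.9", "198.51.100.1"),
}

if __name__ == "__main__":
    rules = parse_acl(ACL_101, 101)
    for label, pkt in SAMPLE_PACKETS.items():
        action, idx = evaluate(rules, pkt)
        where = "implicit deny" if idx is None else f"line {idx + 1}"
        print(f"{label:34} -> {action} ({where})")
```

Two results are worth noting. Inbound echo requests fall through to the implicit deny while echo replies are permitted on line 3, so the outside world cannot ping the router but inside hosts still get their replies. An unsolicited inbound TCP connection is also dropped by the implicit deny, and that is exactly why the 'ip inspect SDM_LOW out' rule is needed on the same interface: CBAC opens temporary holes in this inbound ACL for the return traffic of sessions started from inside, and nothing else would let it through.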