Differences between revisions 4 and 5
Revision 4 as of 2015-03-16 15:08:22
Size: 2507
Editor: PieterSmit
Comment: Add #no ip tcp timestamp
Revision 5 as of 2016-01-08 23:20:06
Size: 345
Editor: LorrieKeth
Comment:
##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= Secure Cisco Router =
{{{
!Beginning with Cisco IOS Software Release 12.4(6)T
control-plane host
  management-interface GigabitEthernet 0/1 allow ssh https
!
}}}

 * In order to encrypt a user password with MD5 hashing, issue the '''username secret''' global configuration command.
{{{
!
username <name> secret <password>
!
! The small services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, the
no service tcp-small-servers
no service udp-small-servers
}}}
{{{
no ip tcp timestamp
no ip bootp server
no ip finger
no service dhcp
no mop enabled
no ip domain-lookup
no service pad
no ip http server
no ip http secure-server
no service config
!!no cdp enable
no lldp transmit
no lldp receive
no lldp run global
!
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]
!
!
service tcp-keepalive-in
service tcp-keepalive-out
!
}}}
= Notifications =
{{{
!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
memory reserve critical <value>
!
!
snmp-server enable traps cpu threshold
!
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds>
     [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
!
memory reserve console 4096
!
show memory debug leaks
!
exception memory ignore overflow io
exception memory ignore overflow processor
!
!
exception crashinfo maximum files <number-of-files>
!
}}}
= ACL filtering =

{{{
ip access-list extended ACL-INFRASTRUCTURE-IN
!
!--- Deny IP fragments using protocol-specific ACEs to aid in
!--- classification of attack traffic
!
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
!
!--- Deny IP packets containing IP options
!
 deny ip any any option any-options
!
!--- Deny IP packets with TTL values insufficient to traverse the network
!
 deny ip any any ttl lt 6
}}}

{{{
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
 transport input ssh
!
}}}
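The hardening commands above, the ACL-INFRASTRUCTURE-IN entries and the vty/SSH settings are easy to drift out of a running-config. The following is an added audit script, not part of this wiki page or of any Cisco tooling: it parses a `show running-config` dump into top-level commands and their indented children and reports the items from this page that are missing or weakened. The configuration text is constructed for the example (hostnames, usernames and the `PLACEHOLDER` secrets are invented); the rule lists are taken from the blocks above.

```python
"""Audit an IOS running-config against the hardening items on this page."""
import re
from typing import Dict, List

# Constructed sample running-config (not captured from a real device).
# Some items are deliberately missing or weakened so the checks fire.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
username admin secret 5 $1$xxxx$PLACEHOLDERHASH
username backup password 7 PLACEHOLDER
!
no ip bootp server
no ip finger
no service pad
ip http server
no ip http secure-server
service tcp-keepalive-in
service tcp-keepalive-out
!
ip access-list extended ACL-INFRASTRUCTURE-IN
 deny tcp any any fragments
 deny ip any any fragments
 deny ip any any ttl lt 6
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
"""

# Global commands the hardening block above expects to see verbatim.
REQUIRED_GLOBAL = [
    "no ip bootp server",
    "no ip finger",
    "no service pad",
    "no ip http server",
    "no ip http secure-server",
    "service tcp-keepalive-in",
    "service tcp-keepalive-out",
]

# Entries from the infrastructure ACL block above.
REQUIRED_ACES = [
    "deny ip any any fragments",
    "deny ip any any option any-options",
    "deny ip any any ttl lt 6",
]


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to the list of indented lines under it.

    IOS prints sub-commands indented by one space; '!' lines are separators.
    Top-level commands without children map to an empty list.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.rstrip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return one finding string per hardening item that is missing or weak."""
    sections = parse_sections(config)
    findings: List[str] = []

    for cmd in REQUIRED_GLOBAL:
        if cmd not in sections:
            findings.append(f"missing global command: {cmd}")

    # 'username ... secret' stores an MD5 hash; 'password' (type 0/7) is reversible.
    for top in sections:
        if top.startswith("username ") and " secret " not in top:
            findings.append(f"reversible password on: {top.split()[1]}")

    acl = sections.get("ip access-list extended ACL-INFRASTRUCTURE-IN")
    if acl is None:
        findings.append("ACL-INFRASTRUCTURE-IN not defined")
    else:
        for ace in REQUIRED_ACES:
            if ace not in acl:
                findings.append(f"ACL-INFRASTRUCTURE-IN lacks: {ace}")

    # Console/VTY lines: exec-timeout must exist and not be 0 (0 disables the
    # idle timeout); VTY lines must accept SSH only.
    for top, children in sections.items():
        if not top.startswith("line "):
            continue
        timeout = next((c for c in children if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{top}: no exec-timeout configured")
        elif re.fullmatch(r"exec-timeout 0( 0)?", timeout):
            findings.append(f"{top}: exec-timeout disabled ({timeout})")
        if top.startswith("line vty"):
            transport = next((c for c in children if c.startswith("transport input ")), None)
            if transport != "transport input ssh":
                findings.append(f"{top}: transport input is '{transport}', expected ssh only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

One caveat when running this against real output: plain `show running-config` omits settings that are at their default, so a missing `no ...` line may simply mean the default is in effect; on releases that support it, `show running-config all` includes defaults and gives the audit a complete picture.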
...
----
CategorySecurity CategoryCisco
cisco/SecureRouter (last edited 2016-01-12 07:20:37 by PieterSmit)