##master-page:HomepageReadWritePageTemplate
##master-date:Unknown-Date
#format wiki
#language en
= Secure Cisco Router =
{{{
! Beginning with Cisco IOS Software Release 12.4(6)T, management-plane access can be
! restricted to one interface and to the protocols listed after "allow"
control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https
!
}}}
 * In order to encrypt a user password with MD5 hashing, issue the '''username secret''' global configuration command.
{{{
!
username [name] secret [password]
!
}}}
 * The small services are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, the following global configuration commands disable them:
{{{
no service tcp-small-servers
no service udp-small-servers
}}}
{{{
! Disable services and protocols that are not needed on a hardened router
no ip tcp timestamp
no ip bootp server
no ip finger
no service dhcp
no mop enabled
no ip domain-lookup
no service pad
no ip http server
no ip http secure-server
no service config
!
! "no cdp enable" and "no lldp transmit/receive" are per-interface commands;
! "no cdp run" disables CDP globally
! no cdp enable
no lldp transmit
no lldp receive
no lldp run global
!
! Idle timeouts for console and VTY sessions ("exec-timeout 0 0" disables the timeout)
line con 0
 exec-timeout [minutes] [seconds]
line vty 0 4
 exec-timeout [minutes] [seconds]
!
! Detect and tear down hung TCP sessions in both directions
service tcp-keepalives-in
service tcp-keepalives-out
!
}}}
= Notifications =
{{{
! Log when free processor or I/O memory falls below the given threshold (kilobytes)
memory free low-watermark processor [kilobytes]
memory free low-watermark io [kilobytes]
!
! Reserve memory so critical notifications can still be generated
memory reserve critical [kilobytes]
!
! Send SNMP traps when the CPU threshold is crossed
snmp-server enable traps cpu threshold
!
snmp-server host [host] [community-string] cpu
!
process cpu threshold type [total | process | interrupt] rising [percentage] interval [seconds] [falling [percentage] interval [seconds]]
process cpu statistics limit entry-percentage [number] [size [seconds]]
!
! Reserve memory so the console stays usable when memory is exhausted
memory reserve console 4096
!
! Privileged EXEC command, not a configuration command
show memory debug leaks
!
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Limit the number of crashinfo files written to flash
exception crashinfo maximum files [number]
!
}}}
= ACL filtering =
{{{
ip access-list extended ACL-INFRASTRUCTURE-IN
 !
 !--- Deny IP fragments using protocol-specific ACEs to aid in
 !--- classification of attack traffic
 !
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 !--- Deny IP packets containing IP options
 !
 deny ip any any option any-options
 !
 !--- Deny IP packets with TTL values insufficient to traverse the network
 !
 deny ip any any ttl lt 6
}}}
{{{
! A domain name must be set before the RSA host key can be generated
ip domain-name example.com
!
! Privileged EXEC command; generates the host key used by the SSH server
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
! Accept only SSH on the VTY lines (no Telnet)
line vty 0 4
 transport input ssh
!
}}}
...
----
CategorySecurity CategoryCisco
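As an added example (not from the original wiki page), a small Python audit that checks a saved `show running-config` text against the items above: disabled services, `username ... secret` rather than `password`, SSH-only VTY lines and a non-zero `exec-timeout`. The sample configuration and its hash strings are constructed; `parse_sections` and `audit` are hypothetical helper names.

```python
"""Audit a saved Cisco IOS running-config against this page's hardening items.
Added example, not from the wiki page; SAMPLE_CONFIG is constructed. Caveat:
'show running-config' omits defaults, so 'missing' means 'not explicitly set'
(confirm with 'show running-config all')."""

REQUIRED_GLOBAL = [  # global commands from this page, matched verbatim
    "no ip http server", "no ip http secure-server", "no service pad",
    "no ip bootp server", "no ip finger", "no service dhcp",
    "no ip domain-lookup", "service tcp-keepalives-in", "service tcp-keepalives-out",
]

SAMPLE_CONFIG = """\
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$EXAMPLEHASHONLY
no ip http server
service tcp-keepalives-in
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 10 0
 transport input ssh
"""

def parse_sections(config):  # group one-space-indented sub-mode lines under their parent
    sections, current = [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blanks and '!' comment/separator lines
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections

def audit(config):
    """Return a list of findings; an empty list means no gaps were detected."""
    sections = parse_sections(config)
    present = {header for header, _ in sections}
    findings = [f"missing global command: {c}" for c in REQUIRED_GLOBAL if c not in present]
    for header, body in sections:
        if header.startswith("username ") and " password " in header:
            findings.append(f"username {header.split()[1]}: uses 'password' instead of 'secret'")
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            timeout = next((c.split() for c in body if c.startswith("exec-timeout")), None)
            if timeout is None or set(timeout[1:]) == {"0"}:  # '0 0' disables the timeout
                findings.append(f"{header}: exec-timeout missing or disabled")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed config reports the seven absent global commands, the type-7 `username admin` line and both problems on `line vty 0 4`, while `line vty 5 15` passes.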