Secure Cisco Router
- Management Plane Protection (MPP), available beginning with Cisco IOS Software Release 12.4(6)T, restricts the interfaces on which management traffic is accepted. Management sessions that arrive on any other interface are dropped, even if the service itself is enabled.
!
control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https
!
- In order to store a user password as a salted MD5 hash (type 5) rather than in a reversible form, issue the username secret global configuration command instead of username password; the type 7 encoding produced by service password-encryption is trivially reversible. On releases that support it (Cisco IOS 15.3(3)M and later) the scrypt (type 9) form shown second is preferable to MD5.
!
username <name> secret <password>
!
username <name> algorithm-type scrypt secret <password>
!
- The small services (TCP and UDP echo, chargen, discard, daytime) are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, disable them explicitly. The commands that follow disable other services that are not needed on most routers but are still enabled by default on many releases.
!
no service tcp-small-servers
no service udp-small-servers
!
no ip bootp server
no ip finger
no service dhcp
no ip domain-lookup
no service pad
no ip http server
no ip http secure-server
no service config
!
! Keep ip http secure-server enabled if HTTPS management is actually used
! (as allowed by the MPP example above), and disable only the plain HTTP server.
!
! MOP (Maintenance Operation Protocol) is disabled per interface, not globally
interface GigabitEthernet 0/0
 no mop enabled
!
! CDP and LLDP advertise platform, software version and addressing details to
! neighbors. Disable them on interfaces that face untrusted networks, or
! globally with no cdp run / no lldp run if nothing depends on them.
interface GigabitEthernet 0/0
 no cdp enable
 no lldp transmit
 no lldp receive
!
no cdp run
no lldp run
!
! Idle sessions on the console and VTY lines are cleared after the timeout.
! exec-timeout 0 0 disables the timeout and should not be used.
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]
!
! Send and expect TCP keepalives so that half-open or orphaned sessions
! (for example from a client that lost connectivity) are torn down
service tcp-keepalives-in
service tcp-keepalives-out
!
Notifications
!
! Log a notification when free memory in the processor or I/O pool falls
! below the threshold (in kilobytes)
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
! Reserve memory so that critical notifications can still be generated
! when the device is otherwise out of memory
memory reserve critical <value>
!
! Send SNMP traps when CPU utilization crosses the configured thresholds.
! Community strings travel in clear text; prefer an SNMPv3 user with
! authentication and privacy where the release supports it.
snmp-server enable traps cpu threshold
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds>
  [falling <percentage> interval <seconds>]
!
! Record which processes consumed more than <number> percent of the CPU
! so the cause of a CPU spike can be identified after the fact
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
! Reserve memory for the console so an administrator can still log in
! and troubleshoot when the device has exhausted its memory
memory reserve console 4096
!
! Memory leak detector (an exec command, not stored in the configuration);
! run it when free memory declines steadily without a matching increase in load
show memory debug leaks
!
! Buffer overflow detection: detect and correct red-zone corruption of
! memory blocks, and log it, instead of crashing
exception memory ignore overflow io
exception memory ignore overflow processor
!
! Limit the number of crashinfo files kept on the device
exception crashinfo maximum files <number-of-files>
!
ACL filtering
- The first entries of the infrastructure ACL deny packets that are rarely legitimate at the network edge and that are useful to classify during an attack. Separate entries per protocol are used for fragments so that the hit counters show which protocol the fragments claimed to carry. Matching on TTL in an ACL requires a release that supports it (Cisco IOS 12.4(2)T and later).
!
ip access-list extended ACL-INFRASTRUCTURE-IN
 !
 !--- Deny IP fragments using protocol-specific ACEs to aid in
 !--- classification of attack traffic
 !
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 !--- Deny IP packets containing IP options
 !
 deny ip any any option any-options
 !
 !--- Deny IP packets with TTL values insufficient to traverse the network
 !
 deny ip any any ttl lt 6
 !
 !--- The ACL continues with permit entries for the traffic the device must
 !--- accept; those entries are not shown here. Do not apply the ACL with only
 !--- the entries above, since the implicit deny at its end would drop all
 !--- other traffic.
!
- SSH requires a hostname and a domain name before the RSA key pair can be generated. Restrict the VTY lines to SSH so that Telnet, which carries credentials in clear text, is not accepted at all.
!
hostname <hostname>
ip domain-name example.com
!
! Exec command, not stored in the configuration; 2048 bits is the minimum
! key size worth generating
crypto key generate rsa modulus 2048
!
! SSH version 1 has known protocol weaknesses; accept only version 2
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Source address used for SSH sessions the router itself initiates
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
 transport input ssh
!
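The checklist above is easy to get wrong on a device that has been in service for years, so it pays to verify it mechanically. The following is an added example, not part of the original page and not Cisco code: a small auditor that parses the output of `show running-config all` (the `all` form prints negated defaults such as `no ip finger` explicitly, so a plain presence test is valid) and reports which of the hardening items on this page are missing. The sample configuration is constructed for the example, with several gaps left in on purpose; the function names, the finding strings and the choice of which checks to run are this example's own assumptions.

```python
"""Audit a Cisco IOS `show running-config all` dump against the hardening
items listed on this page. Added example; not the page's or Cisco's code."""
import re
from typing import Dict, List, Tuple

# Constructed sample configuration with deliberate gaps: plain HTTP server on,
# no outbound keepalives, a type-7 password, CDP/MOP left on Gi0/0, and a VTY
# line with no idle timeout that still accepts Telnet.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$xyz
!
ip domain-name example.com
ip http server
no ip http secure-server
no ip bootp server
no ip finger
no service pad
no service config
no service dhcp
no ip domain-lookup
service tcp-keepalives-in
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 cdp enable
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no cdp enable
 no mop enabled
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh telnet
!
end
"""

# Global commands from the page that must appear verbatim in `show run all`.
REQUIRED_GLOBAL = [
    "no ip bootp server", "no ip finger", "no service dhcp",
    "no ip domain-lookup", "no service pad", "no ip http server",
    "no ip http secure-server", "no service config",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
]


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and the indented sub-commands
    that follow each top-level line (interface, line, control-plane ...).
    A bare '!' line ends the current block, as it does in IOS output."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit(config: str) -> List[str]:
    """Return one human-readable finding per missing hardening item."""
    findings: List[str] = []
    top, blocks = parse_blocks(config)
    present = set(top)
    for cmd in REQUIRED_GLOBAL:
        if cmd not in present:
            findings.append(f"global: missing '{cmd}'")
    # `username ... password` stores a type 0/7 string, both reversible.
    for line in top:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(f"user {m.group(1)}: uses 'password' instead of 'secret'")
    cdp_globally_off = "no cdp run" in present
    for header, body in blocks.items():
        if header.startswith("interface "):
            name = header.split(" ", 1)[1]
            if not cdp_globally_off and "no cdp enable" not in body:
                findings.append(f"{name}: CDP not disabled")
            if "no mop enabled" not in body:
                findings.append(f"{name}: MOP not disabled")
        elif header.startswith("line "):
            timeout = next((b for b in body if b.startswith("exec-timeout")), None)
            # `exec-timeout 0` / `exec-timeout 0 0` disables the idle timeout.
            if timeout is None or timeout.split()[1:3] in (["0"], ["0", "0"]):
                findings.append(f"{header}: no idle exec-timeout")
            if header.startswith("line vty"):
                transport = next((b for b in body if b.startswith("transport input")), "")
                if transport != "transport input ssh":
                    findings.append(f"{header}: transport input is "
                                    f"'{transport or 'unset'}', want ssh only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feeding it a real device is a matter of replacing `SAMPLE_CONFIG` with the captured `show running-config all` text; on a plain `show running-config`, negated defaults are omitted and the global-command check would produce false positives, which is why the `all` form is assumed.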
...