Secure Cisco Router
Management Plane Protection (MPP) restricts the interfaces on which the device accepts management traffic. Beginning with Cisco IOS Software Release 12.4(6)T, the following accepts SSH and HTTPS management sessions only on GigabitEthernet 0/1; management traffic arriving on any other interface is dropped:
!
control-plane host
 management-interface GigabitEthernet 0/1 allow ssh https
!
Protocols not named after allow are dropped on the management interface too, so list every management protocol actually in use (for example snmp, if the monitoring station in the Notifications section below polls the device rather than only receiving traps).
In order to store a user password as a hash rather than in recoverable form, issue the username secret global configuration command. By default this produces a type 5 (MD5) hash; on releases that support the algorithm-type keyword (15.3(3)M and later), prefer a type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secret, since MD5 is cheap to brute-force offline. The older username ... password form stores a type 7 string that is trivially reversible and should not be used.
!
username <name> secret <password>
!
The TCP and UDP small services (echo, discard, chargen, daytime) are disabled by default in Cisco IOS Software Releases 12.0 and later. In earlier software, disable them explicitly with the no service tcp-small-servers and no service udp-small-servers global configuration commands:
!
no service tcp-small-servers
no service udp-small-servers
!
Other services the router does not need should be disabled explicitly. These are global configuration commands:
!
no ip tcp timestamp
no ip bootp server
no ip finger
no service dhcp
no ip domain-lookup
no service pad
no ip http server
no ip http secure-server
no service config
!
If HTTPS management is actually used (as the Management Plane Protection entry above allows), keep ip http secure-server enabled and disable only the plaintext ip http server; if it is not used, remove https from the MPP allow list as well.

MOP, CDP and LLDP are disabled per interface (interface configuration mode); LLDP can also be disabled globally with no lldp run (the CDP equivalent is no cdp run). Neighbor-discovery protocols announce platform, software version and addressing to anyone on the adjacent segment, so disable them on every interface that does not need them:
!
no mop enabled
no cdp enable
no lldp transmit
no lldp receive
!
no lldp run
!
Set an idle timeout on every line so that abandoned sessions do not stay logged in; exec-timeout 0 0 disables the timeout and must not be used. TCP keepalives let the device detect and tear down half-open sessions left behind by a remote host that disappeared (note the plural keywords, tcp-keepalives-in and tcp-keepalives-out):
!
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]
!
service tcp-keepalives-in
service tcp-keepalives-out
!
Notifications
Memory thresholds: log a notification when free memory in the processor or I/O pool drops below the threshold (in kilobytes), and reserve memory so that the notification can still be generated once a pool is exhausted:
!
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
!
memory reserve critical <value>
!
CPU thresholds: enable the CPU threshold trap, direct it to a receiver, and set the rising and falling thresholds (type is total, process or interrupt). Configure a falling threshold as well so the device also reports recovery:
!
snmp-server enable traps cpu threshold
!
snmp-server host <host-address> <community-string> cpu
!
process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]
!
<community-string> is an SNMPv1/v2c community sent in the clear; where the receiver supports it, use an SNMPv3 user with authentication and privacy instead.

Reserve memory for console access so the device can still be reached and diagnosed when memory is exhausted:
!
memory reserve console 4096
!
Memory leak detection is an EXEC command, not configuration, and is CPU-intensive; run it in a maintenance window:
!
show memory debug leaks
!
Buffer overflow detection and correction for the I/O and processor pools. This keeps the device running through memory corruption; it does not fix the underlying defect, so a device that logs these events should be investigated and upgraded:
!
exception memory ignore overflow io
exception memory ignore overflow processor
!
Keep more than one crashinfo file so that an earlier crash is not overwritten by a later one:
!
exception crashinfo maximum files <number-of-files>
!
ACL filtering
Infrastructure ACL (iACL), leading deny section. The protocol-specific fragment entries come first so that the per-ACE hit counters classify attack traffic by protocol. Each entry with the fragments keyword matches non-initial fragments only; the initial fragment (offset 0) carries the Layer 4 header and is evaluated by the ordinary entries that follow. The TTL value must be lower than the smallest TTL a legitimate packet can have after crossing your network, and the list as shown is incomplete: a complete iACL goes on to permit the routing-protocol and management traffic the infrastructure needs, denies everything else destined to infrastructure addresses, and is applied inbound on the external-facing interfaces.
!
ip access-list extended ACL-INFRASTRUCTURE-IN
 !
 !--- Deny IP fragments using protocol-specific ACEs to aid in
 !--- classification of attack traffic
 !
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 !
 !--- Deny IP packets containing IP options
 !
 deny ip any any option any-options
 !
 !--- Deny IP packets with TTL values insufficient to traverse the network
 !
 deny ip any any ttl lt 6
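To make the matching rules concrete, here is an added example (not Cisco's code and not part of the hardening guide): a small Python model of how IOS evaluates the three qualifiers this ACL uses (fragments, option any-options, ttl lt), run against constructed packet descriptions. It shows that a non-initial TCP fragment hits the protocol-specific entry, a non-initial fragment of another protocol falls to deny ip any any fragments, and an initial fragment or an ordinary packet passes all six entries and reaches the implicit deny, which is where the permits of a complete iACL would take over. The Packet and Ace types and the ACL_TEXT constant are the example's own.

```python
"""Evaluate the iACL fragment above against sample packets.

Added example (not Cisco's code): a minimal model of how IOS matches the
three qualifiers this ACL uses. Packets are constructed descriptions, not
captured traffic."""
from dataclasses import dataclass
from typing import List, Optional

ACL_TEXT = """
ip access-list extended ACL-INFRASTRUCTURE-IN
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 deny ip any any option any-options
 deny ip any any ttl lt 6
"""


@dataclass
class Packet:
    proto: str               # "tcp", "udp", "icmp", or another IP protocol name
    ttl: int
    frag_offset: int = 0     # > 0 marks a non-initial fragment (no L4 header)
    ip_options: bool = False


@dataclass
class Ace:
    action: str
    proto: str
    text: str
    fragments: bool = False
    any_options: bool = False
    ttl_lt: Optional[int] = None


def parse_acl(text: str) -> List[Ace]:
    """Parse '<action> <proto> any any [qualifiers]' lines; anything else is rejected."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[2:4] != ["any", "any"]:
            raise ValueError(f"unsupported ACE: {line!r}")
        ace = Ace(action=tok[0], proto=tok[1], text=line)
        rest, i = tok[4:], 0
        while i < len(rest):
            if rest[i] == "fragments":
                ace.fragments, i = True, i + 1
            elif rest[i:i + 2] == ["option", "any-options"]:
                ace.any_options, i = True, i + 2
            elif rest[i:i + 2] == ["ttl", "lt"]:
                ace.ttl_lt, i = int(rest[i + 2]), i + 3
            else:
                raise ValueError(f"unsupported qualifier {rest[i]!r} in {line!r}")
        aces.append(ace)
    return aces


def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    # The 'fragments' keyword matches non-initial fragments only; the initial
    # fragment (offset 0) falls through to the ordinary L3/L4 entries.
    if ace.fragments and pkt.frag_offset == 0:
        return False
    if ace.any_options and not pkt.ip_options:
        return False
    if ace.ttl_lt is not None and pkt.ttl >= ace.ttl_lt:
        return False
    return True


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Return the text of the first matching ACE; an IOS ACL ends with an implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return ace.text
    return "implicit deny ip any any"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    for pkt in (Packet("tcp", 64, frag_offset=185), Packet("gre", 64, frag_offset=185),
                Packet("udp", 64, ip_options=True), Packet("tcp", 3), Packet("tcp", 64)):
        print(f"{pkt} -> {evaluate(ACL, pkt)}")
```

The model deliberately covers only the qualifiers present in this ACL; real IOS has additional rules for non-initial fragments against entries that carry Layer 4 ports, which this list does not use.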
Use SSH rather than Telnet for interactive management. Generating the RSA key pair requires a hostname and a domain name; crypto key generate rsa is issued once in global configuration mode but does not appear in the running configuration. Then restrict the VTY lines so that only SSH is accepted:
!
ip domain-name example.com
!
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet 0/1
!
line vty 0 4
 transport input ssh
!
Two of these are easy to misread. ip ssh time-out bounds the SSH negotiation phase (the maximum is 120 seconds); idle sessions are governed by exec-timeout on the line, not by this value. ip ssh source-interface sets the source address for SSH sessions the router itself initiates as a client; inbound management access is restricted by Management Plane Protection or an access-class on the VTY lines, not by this command. Also confirm that SSH version 1 cannot be negotiated (ip ssh version 2) and use a modulus of at least 2048 bits.
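As an added example (not Cisco's code and not from the hardening guide), the following Python script audits a saved running-config against the settings collected on this page: the Management Plane Protection entry, the local user database, the global services, CDP on interfaces, exec-timeout on every line and SSH-only VTYs. SAMPLE_CONFIG is a constructed, partially hardened configuration used as input; the finding strings and the REQUIRED_GLOBALS list are the example's own.

```python
"""Audit a Cisco IOS running-config against the hardening settings above.
Added example, not Cisco's code. SAMPLE_CONFIG is constructed; IOS omits most
defaults from the running-config, so "not explicitly disabled" is a finding."""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
hostname edge-rtr
!
username admin password 7 094F471A1A0A
username ops secret 5 $1$abcd$0123456789abcdefghijkl
!
no ip bootp server
no ip finger
no service pad
no service config
no ip domain-lookup
ip http server
no ip http secure-server
service tcp-keepalives-in
!
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no cdp enable
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
end
"""

# Global commands that must appear verbatim in the running-config.
REQUIRED_GLOBALS = [
    "no ip bootp server", "no ip finger", "no service pad", "no service config",
    "no service dhcp", "no ip domain-lookup", "no ip http server",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
]


def parse_sections(config: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Split the config into unindented global lines and their indented
    children, e.g. 'line vty 0 4' -> ['exec-timeout 0 0', 'transport input ...']."""
    globals_: Set[str] = set()
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0] in " \t" and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            globals_.add(parent)
            blocks.setdefault(parent, [])
    return globals_, blocks


def audit(config: str) -> List[str]:
    """Return one finding per hardening setting that is missing or weak."""
    globals_, blocks = parse_sections(config)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBALS if cmd not in globals_]

    if not any(c.startswith("management-interface") for c in blocks.get("control-plane host", [])):
        findings.append("missing: control-plane host management-interface (MPP)")

    cdp_off_globally = "no cdp run" in globals_  # CDP is on by default on IOS routers
    for parent, children in blocks.items():
        m = re.match(r"username (\S+) (password|secret)(?: (\d+))?", parent)
        if m:
            user, kind, ptype = m.groups()
            if kind == "password":  # type 7 is reversible, type 0 is plaintext
                findings.append(f"username {user}: reversible password, use secret")
            elif ptype == "5":
                findings.append(f"username {user}: type 5 (MD5) secret, prefer type 8/9")
        elif parent.startswith("interface ") and not cdp_off_globally:
            if "no cdp enable" not in children:
                findings.append(f"{parent}: cdp not disabled")
        elif parent.startswith("line "):
            timeout = next((c for c in children if c.startswith("exec-timeout")), None)
            args = timeout.split()[1:] if timeout else None
            if timeout is None:
                findings.append(f"{parent}: no exec-timeout (default is 10 minutes)")
            elif args and all(a == "0" for a in args):
                findings.append(f"{parent}: exec-timeout disabled (0 0)")
            if parent.startswith("line vty"):
                transport = next((c for c in children if c.startswith("transport input")), None)
                if transport != "transport input ssh":
                    findings.append(f"{parent}: transport input must be 'ssh' only")
    return findings
```

Run audit() on the output of show running-config captured from a device; on the constructed sample it reports the three missing global commands, the reversible and MD5 user entries, CDP still enabled on GigabitEthernet0/0, and the VTY lines with a disabled exec-timeout and Telnet still permitted, while the console line and the MPP entry pass. The check is deliberately strict about exact command text because IOS prints commands in a canonical form; a config from a release that spells a command differently (for example ip domain lookup without the hyphen) needs the list adjusted.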
...