Cisco Router Security Configuration Commands

Source: Internet
Author: User

I. Router Network Service Security Configuration
1. Disable CDP (Cisco Discovery Protocol). For example:
Router (Config) # no cdp run
Router (Config-if) # no cdp enable
2. Disable the other TCP and UDP small services.
Router (Config) # no service tcp-small-servers
Router (Config) # no service udp-small-servers
3. Disable the Finger service.
Router (Config) # no ip finger
Router (Config) # no service finger
4. Disabling the HTTP service is recommended.
Router (Config) # no ip http server
If the HTTP service must stay enabled, secure it: set a username and password, and restrict access with an access list.
5. Disable the BOOTP service.
Router (Config) # no ip bootp server
6. Disable IP Source Routing.
Router (Config) # no ip source-route
7. Disable the ARP proxy service if it is not needed; it is enabled by default.
Router (Config) # no ip proxy-arp
Router (Config-if) # no ip proxy-arp
8. Disable IP directed broadcasts on each interface.
Router (Config-if) # no ip directed-broadcast
9. Disable IP Classless.
Router (Config) # no ip classless
10. Disable ICMP Unreachables, Redirects, and Mask Replies on each interface.
Router (Config-if) # no ip unreachables
Router (Config-if) # no ip redirects
Router (Config-if) # no ip mask-reply
11. Disabling the SNMP service is recommended. When disabling it, also remove the default community strings that some SNMP setups leave in place. For example:
Router (Config) # no snmp-server community public RO
Router (Config) # no snmp-server community admin RW
12. If they are not needed, disable WINS and DNS lookups.
Router (Config) # no ip domain-lookup
If name resolution is needed, configure it explicitly:
Router (Config) # hostname Router
Router (Config) # ip name-server 219.150.32.xxx
13. Explicitly shut down unused ports. For example:
Router (Config) # interface eth0/3
Router (Config-if) # shutdown

II. Router Access Control Security Configuration (optional)
Router access control is an important security measure. However, because the requirements are not yet clear, you may choose to defer it for now. The following is offered as a suggestion.
1. Avoid remote access to the router. If remote access is required, use an access control list and strong password controls.
2. Strictly control access to the console (CON) port.
Use an access control list to control access to the CON port. For example:
Router (Config) # access-list 1 permit 192.168.0.1
Router (Config) # line con 0
Router (Config-line) # transport input none
Router (Config-line) # login local
Router (Config-line) # exec-timeout 5 0
Router (Config-line) # access-class 1 in
Router (Config-line) # end
Set a strong password for the CON port.
3. If the AUX port is not used, disable it. It is disabled by default. To disable it:
Router (Config) # line aux 0
Router (Config-line) # transport input none
Router (Config-line) # no exec
4. Using a privilege-level policy is recommended. For example:
Router (Config) # username test privilege 10 password xxxx
Router (Config) # privilege EXEC level 10 telnet
Router (Config) # privilege EXEC level 10 show ip access-list
5. Set a strong password for privileged mode. Do not set it with enable password; use the enable secret command instead, and enable service password-encryption.
Router (config) # service password-encryption
Router (config) # enable secret xxxx
6. Control access to the VTY lines. Disable remote access where possible; if it is required, set a strong password. Because VTY sessions are carried over the network, they need strict control: set a strong password, limit the number of concurrent connections, restrict the source addresses with an access list, and apply user access control with AAA.

III. Router Routing Protocol Security Configuration
1. Enabling IP Unicast Reverse-Path verification (uRPF) is recommended. It checks that the source IP address of a packet is plausible and prevents some IP spoofing. It can only be used on routers with CEF (Cisco Express Forwarding) enabled.
uRPF has three modes: strict, ACL, and loose. On access routers, strict mode is recommended for customers connected over a single link; for customers connected over multiple links, the ACL mode or loose mode can be used. Loose mode is used on egress routers.

Strict mode:
Router # config t
! Enable CEF
Router (Config) # ip cef
! Enable Unicast Reverse-Path verification on the interface
Router (Config) # interface eth0/1
Router (Config-if) # ip verify unicast reverse-path

ACL method:
interface pos1/0
 ip verify unicast reverse-path 190
access-list 190 permit ip {customer network} {customer network mask} any
access-list 190 deny ip any any [log]
This function checks the source address of each packet. If the uRPF check fails and the ACL does not permit the packet, the router discards it.
Loose mode:
interface pos1/0
 ip verify unicast source reachable-via any
This function checks each packet: if the router's routing table contains no route for the packet's source IP address, the packet is discarded.

2. Enable OSPF routing protocol authentication. The default OSPF authentication password is transmitted in plaintext, so enabling MD5 authentication is recommended, with a key of adequate strength (neighboring routers must share the same key).
3. Authenticate the RIP protocol. Only RIP v2 supports authentication; RIP v1 does not. Enabling RIP v2 with MD5 authentication is recommended, because simple authentication is also transmitted in plaintext.
4. The passive-interface command stops routing updates on interfaces that do not need to send or receive them. Enabling passive-interface on interfaces that do not require routing is recommended. Note that in RIP a passive interface only stops sending updates, not receiving them; in OSPF both sending and receiving are stopped.
5. Use access lists to filter junk and malicious route information and to control unwanted routing traffic. For example:
Router (Config) # access-list 10 deny 192.168.1.0 0.0.0.255
Router (Config) # access-list 10 permit any
! Prevent the router from accepting route updates for the 192.168.1.0 network
Router (Config) # router ospf 100
Router (Config-router) # distribute-list 10 in
! Prevent the router from advertising routes for the 192.168.1.0 network
Router (Config) # router ospf 100
Router (Config-router) # distribute-list 10 out
Note that in OSPF a distribute-list in only filters what enters the routing table, and a distribute-list out only filters routes redistributed into OSPF; neither stops LSA flooding between neighbors.

IV. Other Router Security Configurations
1. Simple protection against IP spoofing. For example, filter packets arriving from outside whose source is a non-public address or your own internal network. Filter your own internal network addresses, the loopback range (127.0.0.0/8), RFC 1918 private addresses, the DHCP auto-configuration range (169.254.0.0/16), the documentation test range (192.0.2.0/24), the multicast range (224.0.0.0/4, never valid as a source), the old Sun test ranges (20171000020.0/24 and 204.152.64.0/23), and the "this network" range (0.0.0.0/8).
Router (Config) # access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Router (Config) # access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Router (Config) # access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Router (Config) # access-list 100 deny ip 10.0.0.0 0.255.255.255 any
Router (Config) # access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Router (Config) # access-list 100 deny ip 192.0.2.0 0.0.0.255 any
Router (Config) # access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router (Config) # access-list 100 deny ip Route 000020.0 0.0.255 any
Router (Config) # access-list 100 deny ip 204.152.64.0 0.0.1.255 any
Router (Config) # access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Router (Config) # access-list 100 permit ip any any
Router (Config-if) # ip access-group 100 in
2. Using an access list to ensure that packets leaving the internal network carry only internal source addresses is recommended (optional). For example:
Router (Config) # no access-list 101
Router (Config) # access-list 101 permit ip 192.168.0.0 0.0.255.255 any
Router (Config) # access-list 101 deny ip any any
Router (Config) # interface eth 0/1
Router (Config-if) # description "internal Ethernet"
Router (Config-if) # ip address 192.168.0.254 255.255.255.0
Router (Config-if) # ip access-group 101 in

Other options:
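The ingress filter of IV.1 and the egress filter of IV.2 above, generated from the prefixes so that the wildcard masks cannot be mistyped, plus a first-match evaluator to check what a given source address would hit (added Python example, not from the page; the garbled Sun test range is omitted and 192.168.0.0/16 is assumed as the internal network):

```python
import ipaddress
from ipaddress import IPv4Network
from typing import Optional

# Bogon prefixes listed in IV.1 (the garbled Sun range is left out) and the
# internal network the page's examples assume.
BOGONS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
          "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "204.152.64.0/23",
          "0.0.0.0/8"]
INTERNAL = "192.168.0.0/16"

# An entry is (action, source network); None stands for "any".
Entry = tuple[str, Optional[IPv4Network]]

def ingress_entries() -> list[Entry]:
    """IV.1: drop spoofed/non-routable sources arriving from outside, permit the rest."""
    return [("deny", IPv4Network(p)) for p in BOGONS] + [("permit", None)]

def egress_entries(internal: str = INTERNAL) -> list[Entry]:
    """IV.2: only internal source addresses may leave the internal network."""
    return [("permit", IPv4Network(internal)), ("deny", None)]

def render(number: int, entries: list[Entry]) -> list[str]:
    """Emit extended access-list lines; the Cisco wildcard is the inverted mask (hostmask)."""
    lines = []
    for action, net in entries:
        src = "any" if net is None else f"{net.network_address} {net.hostmask}"
        lines.append(f"access-list {number} {action} ip {src} any")
    return lines

def evaluate(entries: list[Entry], src_ip: str) -> str:
    """Cisco evaluates top-down and the first match wins; no match means implicit deny."""
    ip = ipaddress.IPv4Address(src_ip)
    for action, net in entries:
        if net is None or ip in net:
            return action
    return "deny"

if __name__ == "__main__":
    for line in render(100, ingress_entries()) + render(101, egress_entries()):
        print(line)
```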
1. Enabling SSH and abandoning Telnet is recommended. However, only IOS images with an IPSec feature set support SSH, and IOS 12.0 to 12.2 support only SSH v1. The following is an example of configuring the SSH service:
Router # config t
Router (Config) # no access-list 22
Router (Config) # access-list 22 permit 192.168.0.22
Router (Config) # access-list 22 deny any
Router (Config) # username test privilege 10 password ****
! Set the SSH timeout and the number of login attempts
Router (Config) # ip ssh timeout 90
Router (Config) # ip ssh authentication-retries 2
Router (Config) # line vty 0 4
Router (Config-line) # access-class 22 in
Router (Config-line) # transport input ssh
Router (Config-line) # login local
Router (Config-line) # exit
! Generate an RSA key pair, which enables the SSH server (hostname and ip domain-name must be set first, since the key name is derived from them)
Router (Config) # crypto key generate rsa
The name for the keys will be: router.xxx
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
Generating RSA Keys...
[OK]
Router (Config) #

2. TCP SYN flood protection. For example:
A: Use an access list to block the attack.
Router (Config) # no access-list 106
Router (Config) # access-list 106 permit tcp any 192.168.0.0 0.0.255.255 established
Router (Config) # access-list 106 deny ip any any
Router (Config) # interface eth 0/2
Router (Config-if) # description "external Ethernet"
Router (Config-if) # ip address 192.168.1.254 255.255.255.0
Router (Config-if) # ip access-group 106 in
B: Use TCP intercept. (This adds some load to the router.)
Router (Config) # ip tcp intercept list 107
Router (Config) # access-list 107 permit tcp any 192.168.0.0 0.0.255.255
Router (Config) # access-list 107 deny ip any any
Router (Config) # interface eth0
Router (Config-if) # ip access-group 107 in

3. Defense against LAND attacks.
Router (Config) # access-list 107 deny ip host 192.168.1.254 host 192.168.1.254
Router (Config) # access-list 107 permit ip any any
Router (Config) # interface eth 0/2
Router (Config-if) # ip address 192.168.1.254 255.255.255.0
Router (Config-if) # ip access-group 107 in

4. Prevention of Smurf attacks.
Router (Config) # access-list 108 deny ip any host 192.168.1.255
Router (Config) # access-list 108 deny ip any host 192.168.1.0
Router (Config) # access-list 108 permit ip any any
Router (Config-if) # ip access-group 108 in

5. Security configuration of the ICMP protocol. For ICMP traffic, we want to block ICMP Echo, Redirect, and Mask Request, and also block traceroute probing. For outbound ICMP traffic, we can allow Echo, Parameter Problem, and Packet Too Big, and the traceroute command can also be used.
! Outbound ICMP control
Router (Config) # access-list 110 deny icmp any any echo
Router (Config) # access-list 110 deny icmp any any redirect
Router (Config) # access-list 110 deny icmp any any mask-request
Router (Config) # access-list 110 permit icmp any any
! Inbound ICMP control
Router (Config) # access-list 111 permit icmp any any echo
Router (Config) # access-list 111 permit icmp any any parameter-problem
Router (Config) # access-list 111 permit icmp any any packet-too-big
Router (Config) # access-list 111 permit icmp any any source-quench
Router (Config) # access-list 111 deny icmp any any
! Outbound traceroute control
Router (Config) # access-list 112 deny udp any any range 33400 34400
! Inbound traceroute control
Router (Config) # access-list 112 permit udp any any range 33400 34400
Because an access list is evaluated top-down with the first match winning, the permit entry in list 112 is shadowed by the deny above it; use separate lists for the two directions.

6. Prevention of DDoS (Distributed Denial of Service) tools.
! The TRINOO DDoS system
Router (Config) # access-list 113 deny tcp any any eq 27665
Router (Config) # access-list 113 deny udp any any eq 31335
Router (Config) # access-list 113 deny udp any any eq 27444
! The Stacheldraht DDoS system
Router (Config) # access-list 113 deny tcp any any eq 16660
Router (Config) # access-list 113 deny tcp any any eq 65000
! The Trinity v3 system
Router (Config) # access-list 113 deny tcp any any eq 33270
Router (Config) # access-list 113 deny tcp any any eq 39168
! The SubSeven DDoS system and some variants
Router (Config) # access-list 113 deny tcp any any range 6711 6712
Router (Config) # access-list 113 deny tcp any any eq 6776
Router (Config) # access-list 113 deny tcp any any eq 6669
Router (Config) # access-list 113 deny tcp any any eq 2222
Router (Config) # access-list 113 deny tcp any any eq 7000
Router (Config) # access-list 113 permit ip any any
Router (Config-if) # ip access-group 113 in

7. SQL Slammer worm prevention
Router (Config) # access-list 114 deny udp any any eq 1434
Router (Config) # access-list 114 permit ip any any
Router (Config-if) # ip access-group 114 in

8. Reduce BGP convergence time so that the network can recover as quickly as possible after an attack.
Adding the following configuration is recommended (on all routers running BGP):
1. Add the hold-queue 1500 command on each BGP interconnection interface to raise the interface hold queue from the default 75 to 1500. Before doing so, check the board's memory and make sure at least 20 MB is free.
2. Add the following TCP settings to improve BGP convergence:
ip tcp selective-ack
ip tcp mss 1460
ip tcp window-size 65535
ip tcp queuemax 50
ip tcp path-mtu-discovery
3. On a GSR, add the ip cef linecard ipc memory 10000 command to speed up FIB download.

9. Enable CAR and system logging (omitted).

Other considerations:
1. Promptly upgrade the IOS software and install IOS patches.
2. Keep a carefully maintained backup of the IOS image.
3. Keep a secure backup of the router configuration file.
4. Purchase a UPS, or at least provide redundant power supplies.
5. Keep complete logs of access to and maintenance of the routers.
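An added Python example (not from the page) that audits a running-config text against the global service commands of section I, the default SNMP communities of I.11, the enable secret and password-encryption rules of II.5, and the SSH-only VTY settings above; the sample config and all its values are constructed:

```python
import re

# Constructed sample running-config (not from the page) violating several
# of the recommendations above.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
no ip finger
ip http server
enable password cisco123
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""
# Global commands that sections I and II.5 above say should be present.
REQUIRED = ["no cdp run", "no service tcp-small-servers", "no service udp-small-servers",
            "no ip finger", "no ip http server", "no ip bootp server",
            "no ip source-route", "service password-encryption"]

def parse(config: str) -> tuple[list[str], dict[str, list[str]]]:
    # Split global commands from "line ..." blocks; IOS indents block children by one space.
    cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:                      # interface and other blocks are not audited here
            current = None
            cmds.append(raw.strip())
    return cmds, blocks

def audit(config: str) -> list[str]:
    # One finding per violated recommendation; an empty list means compliant.
    cmds, blocks = parse(config)
    findings = [f"missing: {c}" for c in REQUIRED if c not in cmds]
    if not any(c.startswith("enable secret ") for c in cmds):
        findings.append("missing: enable secret")
    findings += [f"weak: {c}" for c in cmds if c.startswith("enable password ")]
    findings += [f"weak: {c}" for c in cmds
                 if re.match(r"snmp-server community (public|private|admin)\b", c)]
    for name, body in blocks.items():
        if name.startswith("line vty"):
            transport = [c for c in body if c.startswith("transport input ")]
            if not transport or transport[0].split()[2:] != ["ssh"]:
                findings.append(f"{name}: transport input should be ssh only")
            if not any(c.startswith("access-class ") for c in body):
                findings.append(f"{name}: no access-class applied")
    return findings
```

IOS omits some default commands from show running-config, so audit the output of show running-config all when a command's absence might only mean it is at its default.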
