Disabling Unneeded Services on Cisco Routers

1. Cisco Discovery Protocol (CDP)

CDP is a Cisco proprietary Layer 2 protocol that runs on all Cisco products and shares basic device information (device name, platform, software version and addresses) with directly connected Cisco devices. It is independent of the physical media and of the Layer 3 protocol in use. Attackers can use CDP information during reconnaissance and in later attacks, although the exposure is limited, because CDP multicast frames can only be seen within the same broadcast domain. We therefore recommend disabling CDP globally on the border router, or at least disabling it on every interface connected to the public network. To disable CDP globally, run no cdp run (to disable it on a single interface, use no cdp enable in interface configuration mode). Use show cdp to verify that CDP is disabled:

   Router(config)# no cdp run
   Router# show cdp

2. TCP and UDP small servers

The TCP and UDP "small servers" are services that run on ports 19 and lower. All of them are obsolete: date and time (daytime, port 13), connectivity test (echo, port 7), character generator (chargen, port 19) and discard (port 9). The following opens a connection to the chargen service on a router that has it enabled:

   Router# telnet 192.168.1.254 chargen

To disable these services on the router, use the following configuration:

   Router(config)# no service tcp-small-servers
   Router(config)# no service udp-small-servers

After disabling them, test again in the same way, for example:

   Router# telnet 192.168.1.254 daytime

(Current IOS releases ship with the small servers disabled by default; the explicit no commands are still worth entering so the intent is visible in the configuration.)

3. Finger

The Finger protocol (port 79) lets users on the network obtain a list of the users currently logged in to a particular device. The information shown includes processes, line numbers, connection names, idle time and terminal location, the same output that the show users command provides. Finger is a UNIX program for finding out who is logged on to a host without logging in to that host yourself.
The following example shows how to verify that the finger service is enabled, and how to disable it:

   Router# telnet 192.168.1.254 finger
   Router(config)# no ip finger
   Router(config)# no service finger

When a finger request is made to the router, the router responds with the output of the show users command. To stop that response, disable the finger service with no ip finger. On earlier IOS versions use no service finger; on newer versions both commands work.

4. IdentD

IP identification (identd) supports querying the identity of a TCP port: it reports the identity of the client that initiated a TCP connection and of the host that answered it. IdentD lets remote devices query a TCP port for identification purposes. It is an insecure protocol designed to help identify the device one wants to connect to. A device sends a request to the ident port (TCP 113), and the destination device answers with its identity information, such as host and device name. If the router supports IP identification, an attacker can connect to TCP port 113, send a simple string requesting information, and receive a simple string in response. To disable the identd service:

   Router(config)# no ip identd

Verify by telnetting to port 113 of the device.

5. IP source routing

IP source routing should be disabled on all routers, including the border router, so that IP packets carrying the source-route option are not forwarded:

   Router(config)# no ip source-route

6. FTP and TFTP

A router can act as an FTP server or a TFTP server, for example to copy images from one router to another. We recommend not using this function, because FTP and TFTP are both insecure protocols. By default, the FTP server is disabled on the router.
Even so, for safety we recommend running the following commands on the router:

   Router(config)# no ftp-server write-enable   (available from IOS 12.3)
   Router(config)# no ftp-server enable

You can test from a PC with an FTP client by trying to open a connection to the router.

7. HTTP

You can test with a web browser by trying to open the router's address, or from the router's own command prompt:

   Router# telnet 192.168.1.254 80
   Router# telnet 192.168.1.254 443

To disable both services and verify, run:

   Router(config)# no ip http server
   Router(config)# no ip http secure-server
   Router# telnet 192.168.1.254 80
   Router# telnet 192.168.1.254 443

Cisco Security Device Manager (SDM) uses HTTP to access the router; if you want to manage the router with SDM, you cannot disable the HTTP service. If you choose HTTP for management, use the ip http access-class command to restrict which source IP addresses may connect, and configure authentication with the ip http authentication command. For interactive login, the best choice for HTTP authentication is a TACACS+ or RADIUS server, which avoids using the enable password as the HTTP password.

8. SNMP

SNMP can be used to monitor and manage Cisco devices remotely, but it has many security problems, especially SNMP v1 and v2c, whose community strings travel in clear text and provide no real authentication. To disable the SNMP service you need to: delete the default community strings from the router configuration; disable SNMP traps and the SNMP system-shutdown feature; disable the SNMP service itself. To check whether any SNMP commands are configured, run the show running-config command.
The configuration for disabling SNMP completely is shown below:

   Router(config)# no snmp-server community public RO
   Router(config)# no snmp-server community private RW
   Router(config)# no snmp-server enable traps
   Router(config)# no snmp-server system-shutdown
   Router(config)# no snmp-server trap-auth
   Router(config)# no snmp-server

The first two commands delete the read-only and read/write community strings (your strings may differ from public and private; remove every snmp-server community line that show running-config lists). The next three commands disable SNMP traps, SNMP-initiated system shutdown, and SNMP authentication-failure traps. The last command disables the SNMP agent on the router. After disabling SNMP, verify with the show snmp command.

9. DNS

By default, a Cisco router sends name queries to the broadcast address 255.255.255.255. This should be avoided, because an attacker could pose as the DNS server. If the router uses DNS to resolve names, the configuration contains commands similar to these:

   Router(config)# hostname santa
   Router(config)# ip domain-name claus.gov
   Router(config)# ip name-server 200.1.1.1 202.1.1.1
   Router(config)# ip domain-lookup

You can view resolved names with the show hosts command. DNS has no built-in security mechanism and is vulnerable to spoofing: an attacker sends a forged response before the real DNS server answers, and if the router receives two replies, the second one is normally ignored. To address this, either make sure the router has a secure path to the DNS server, or do not use DNS at all and resolve names manually. With manual resolution you disable DNS and define host names statically with the ip host command. To stop the router from generating DNS queries at all (whether to a configured name server or as a local broadcast when no server is configured), use the following configuration, testing before and after:

   Router# telnet www.quizware.com 80     (test: the name resolves while lookups are enabled)
   Router(config)# no ip domain-lookup
   Router# telnet www.cisco.com 80        (test: the name should no longer resolve)

10. BootP

BootP is a UDP service that can be used to assign address information to diskless workstations and, in many other cases, to load an operating system onto a device (for example, to fetch a copy of IOS from another router running the BootP service and download it to the BootP client router). The protocol sends a local broadcast to UDP port 67 (the same port DHCP uses). To use it, you must configure a BootP server that hands out IP address information and any requested files; a Cisco router can act as a BootP server and serve files from its flash memory to requesting devices. For three reasons you should disable BootP on the router:

* there is no real need to use BootP;
* BootP has no built-in authentication, so anyone can request files from the router, and the router will answer regardless of what is configured;
* the router is exposed to DoS attacks through it.

This service is enabled by default. To disable BootP, use the following configuration:

   Router(config)# no ip bootp server

11. DHCP

DHCP lets a host obtain all of its IP address information from a server: IP address, subnet mask, domain name, DNS server address, WINS server address, TFTP server address and other information. A Cisco router can act both as a DHCP client and as a DHCP server. When a Cisco router is used as a border router, it should not be a DHCP client. The only exception is a router connected to the ISP over DSL or a cable modem, where the ISP assigns address information through DHCP; otherwise, never configure the border router as a DHCP client. Likewise, a router should not be a DHCP server. The only exception is a router in a SOHO environment, where in that small network the router is essentially the only device that can assign IP addresses to the PCs.
If you do that, make sure UDP port 67 is filtered on the router's external interface, which blocks DHCP and BootP requests from outside. The DHCP server is generally enabled by default; disable it with the following configuration:

   Router(config)# no service dhcp

This prevents the router from acting as a DHCP server or as a DHCP relay agent.

12. PAD

The packet assembler/disassembler (PAD) service is used on X.25 networks to provide connections between remote sites. PAD can be useful to an attacker: if the attacker gains control of a device directly connected to the router, and the router is running the PAD service, the router will accept any PAD connection. To disable the service, run:

   Router(config)# no service pad

13. Automatic loading at startup

When a Cisco router boots, before the CLI prompt appears it goes through several test phases and locates the Cisco IOS image and the configuration file. The router normally goes through the following five steps:

* it loads and executes the POST from ROM, testing hardware components such as flash memory and interfaces;
* it loads and executes the bootstrap;
* the bootstrap locates and loads the Cisco IOS image, which can come from flash memory, a TFTP server, or ROM;
* after IOS is loaded, a configuration file is found and executed: the configuration is stored in NVRAM, but if NVRAM is empty, either the system configuration dialog starts or the router fetches a configuration file over TFTP;
* the user is given the CLI EXEC prompt.

When locating the IOS image, assuming there is no boot system command in NVRAM, the router first looks for a valid Cisco IOS image in flash memory. If there is no IOS image in flash, the router attempts a TFTP (network) boot: it sends a local broadcast to obtain the operating system file from a TFTP server. If that also fails, the router loads the IOS image from ROM.
Because TFTP is used during startup, the loading process has no security protection, so the router should not be allowed to use this function. To disable it, use the following configuration (the full syntax of the boot network command is shown for reference):

   Router(config)# no boot network
   boot network remote-url, where remote-url is one of:
     ftp:[[[//[username[:password]@]location]/directory]/filename]
     rcp:[[[//[username@]location]/directory]/filename]
     tftp:[[//location]/directory]/filename

After the IOS image is loaded, a configuration file is located. If there is no configuration file in NVRAM, the router either uses the system configuration dialog to create one or uses the network configuration option: a TFTP broadcast to discover a configuration file. Disable this feature with the following command:

   Router(config)# no service config

14. Gratuitous ARP

By default, Cisco routers send a gratuitous ARP message whenever a client connects and negotiates an IP address over a PPP connection, and ARP spoofing attacks rely on exactly these ARP messages. Even when the client receives its address from a local address pool, the router generates a gratuitous ARP. Disable the sending of gratuitous ARPs with the following command:

   Router(config)# no ip gratuitous-arps

15. IP classless

With IP classless routing disabled, the router drops packets destined for an unknown subnet of a classful network it has a route to, instead of using the default route. With ip classless enabled, such packets are forwarded along the best matching supernet or default route. To disable IP classless routing, use the no ip classless command in global configuration mode; on current IOS releases ip classless is enabled by default.