Cisco routers disable unnecessary services

Source: Internet
Author: User
Tags: http, authentication, cisco, security

I. Cisco Discovery Protocol

CDP is a Cisco-proprietary Layer 2 protocol that runs on all Cisco products and is used to share basic device information with directly connected Cisco devices. It is independent of media and upper-layer protocols.

Attackers can use CDP information during reconnaissance and attacks, although this is less likely because CDP multicast frames can only be seen within the same broadcast domain. We therefore recommend disabling CDP on the border router, or at least on interfaces connected to the public network.

CDP is enabled by default. To disable it globally, run the no cdp run command; use show cdp to verify that CDP is disabled.

II. TCP and UDP low-port services

TCP and UDP low-port services (the "small servers") are services listening on ports 19 and lower on the device. All of them are obsolete, for example date and time (daytime, port 13), connectivity testing (echo, port 7), and character generation (chargen, port 19).

The following shows how to test whether the chargen service is enabled on a router; if the connection opens, the service is running:

Router# telnet 192.168.1.254 chargen

To disable these services on a router, use the following configuration:

Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers

After these services are disabled, test again in the same way, for example:

Router# telnet 192.168.1.254 daytime

III. Finger

The Finger protocol (port 79) lets users on the network obtain a list of the users currently logged on to a specific router. The information displayed includes processes, line numbers, connection names, idle time, and terminal locations, the same output the show users command provides.

Finger is a UNIX utility for finding out who is logged on to a host without having to log on to that host yourself.

The following example shows how to check whether the finger service is enabled and how to disable it:

Router# telnet 192.168.1.254 finger
(connects to 192.168.1.254 finger)
Router(config)# no ip finger
Router(config)# no service finger

When a finger request is made to a router, the router responds with the output of the show users command. To stop this, disable the finger service with the no ip finger command. Earlier IOS versions use the no service finger command; newer versions accept both.

IV. IdentD

IP identification support (identd) allows the identity associated with a TCP connection to be queried: it reports the identity of the client that initiated the connection and of the host that responded to it.

IdentD lets remote devices query a TCP port for identification purposes. It is an insecure protocol intended to help identify the device you are connecting to: a device sends a request to the Ident port (TCP 113), and the destination device responds with identity information such as its host and device name.

If identification support is enabled, an attacker can connect to the host's TCP port, send a simple text request, and receive a simple text response containing this information.

To disable the IdentD service, run the following command:

Router(config)# no ip identd

You can telnet to port 113 on the device to test this.

V. IP Source Routing

Disable IP source routing on all routers, including border routers. The following command prohibits the forwarding of IP packets that carry the source-route option:

Router(config)# no ip source-route

VI. FTP and TFTP

A router can act as an FTP server and as a TFTP server, for example to copy an image from one router to another. We recommend not using this function because FTP and TFTP are both insecure protocols.

By default, the FTP server is disabled on the router. To be safe, we nevertheless recommend running the following command on the router (the second form applies from IOS 12.3 onward):

Router(config)# no ftp-server write-enable
Router(config)# no ftp-server enable

To test, use an FTP client on a PC and try to connect to the router.

VII. HTTP

Test method: access the router with a web browser, or run the following commands from the router's command prompt:

Router# telnet 192.168.1.254 80
Router# telnet 192.168.1.254 443

To disable both services and verify the result, run the following:

Router(config)# no ip http server
Router(config)# no ip http secure-server
Router# telnet 192.168.1.254 80
Router# telnet 192.168.1.254 443

Cisco Security Device Manager (SDM) uses HTTP to access the router. If you want to use SDM to manage the router, you cannot disable the HTTP service.

If you do use HTTP for management, restrict which IP addresses may connect with the ip http access-class command, and configure authentication with the ip http authentication command. For interactive logins, the best choice for HTTP authentication is a TACACS+ or RADIUS server, which avoids using the enable password as the HTTP password.

VIII. SNMP

SNMP can be used to monitor and manage Cisco devices remotely. However, SNMP has many security problems, especially SNMPv1 and SNMPv2. To disable the SNMP service, you must do the following:

* delete the default community strings from the router configuration;

* disable SNMP traps and the SNMP system-shutdown feature;

* disable the SNMP service.

To check whether any snmp-server commands are configured, run the show running-config command.

The configuration for completely disabling SNMP is shown below:

Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server

The first two commands delete the read-only and read-write community strings (your strings may differ). The next three commands disable SNMP traps, the SNMP system-shutdown feature, and SNMP authentication traps. The last command disables the SNMP service on the router. After SNMP is disabled, verify with the show snmp command.

IX. DNS
By default, a Cisco router sends DNS name queries to the broadcast address 255.255.255.255. This should be avoided, because an attacker may answer the broadcast and pose as a DNS server.

If the router uses DNS for name resolution, the configuration contains commands similar to these:

Router(config)# hostname santa
Router(config)# ip domain-name claus.gov
Router(config)# ip name-server 200.1.1.1 202.1.1.1
Router(config)# ip domain-lookup

Use the show hosts command to view resolved names.

Because DNS has no built-in security mechanism, it is vulnerable to spoofing: an attacker sends a forged response before the legitimate DNS server answers. When the router receives two replies, the second is usually ignored.

To address this, either make sure the router has a secure path to its DNS server, or do not use DNS at all and use manual resolution instead: disable DNS and define host names statically with the ip host command. To stop the router from generating DNS queries, whether to a configured server (ip name-server) or as local broadcasts (when no server is configured), use the following configuration; the telnet commands before and after show the effect:

Router# telnet www.quizware.com 80   (test before)
Router(config)# no ip domain-lookup
Router# telnet www.cisco.com 80   (test after)

X. BootP

BootP is a UDP service that can assign address information to a diskless workstation and, in many cases, load an operating system onto the device (for example, a router running the BOOTP service can provide an IOS copy for download to a BOOTP client router).

The protocol sends a local broadcast to UDP port 67 (the same port as DHCP). To use it, a BootP server must be configured to supply the IP address information and any requested files.

A Cisco router can act as a BootP server, providing files from its flash memory to requesting devices. You should disable BootP on the router for three reasons:

* there is rarely a real need for BootP;

* BootP has no inherent authentication mechanism: anyone can request a file from the router, and the router will reply regardless of what is configured;

* it leaves the router exposed to DoS attacks.

This service is enabled by default. To disable BootP, use the following configuration:

Router(config)# no ip bootp server

XI. DHCP

DHCP lets a device obtain all of its IP address information from a server: IP address, subnet mask, domain name, DNS server address, WINS server address, TFTP server address, and more. A Cisco router can act as both a DHCP client and a DHCP server.

When a Cisco router is used as a border router, it should not normally be a DHCP client. The only exception is when the router connects to the ISP through a DSL or cable modem and the ISP assigns address information via DHCP. Otherwise, never configure the router as a DHCP client.

Similarly, a router should not normally act as a DHCP server. The only exception is a SOHO environment, where the router is essentially the only device able to assign IP addresses to the PCs on the small network. If you do this, make sure UDP port 67 is filtered on the router's external interface so that DHCP and BootP requests from outside are blocked.

The DHCP service is generally enabled by default. Disable it with the following configuration, which prevents the router from acting as a DHCP server or relay agent:

Router(config)# no service dhcp

XII. PAD
Packet assembler/disassembler (PAD) is used on X.25 networks to provide reliable connections between remote sites.

PAD can be useful to an attacker: if an attacker gains control of a device directly connected to the router, and the router is running the PAD service, the router will accept any PAD connection from that device.

To disable this service, run the following command:

Router(config)# no service pad

XIII. Automatic Configuration Loading

When a Cisco router boots, it runs several test phases and locates the Cisco IOS image and the configuration file before the CLI prompt appears. A router normally goes through the following five steps:

* load and run the POST: locate ROM and test hardware components such as flash memory and interfaces;

* load and run the bootstrap;

* the bootstrap locates and loads the Cisco IOS image, which can come from flash memory, a TFTP server, or ROM;

* once Cisco IOS is loaded, a configuration file is located and executed: the configuration is stored in NVRAM, but if NVRAM is empty the system configuration dialog starts, or the router obtains a configuration file via TFTP;

* present the user with the CLI EXEC prompt.

When locating the Cisco IOS image, assuming there is no boot system command in NVRAM, the router first looks for a valid image in flash memory. If none is found, it performs a TFTP (network) boot, sending a local broadcast to request the operating system file from a TFTP server. If that also fails, the router loads the IOS image from ROM.

Because TFTP is used during this network boot, the loading process has no security protection, and the router should not be allowed to use it. To disable it, use the following configuration:

Router(config)# no boot network remote-url

where remote-url takes one of these forms:

ftp:[[//[username[:password]@]location]/directory]/filename
rcp:[[//[username@]location]/directory]/filename
tftp:[[//location]/directory]/filename

After the IOS image is loaded, a configuration file is located. If there is no configuration file in NVRAM, the router either runs the system configuration dialog to create one or uses the network configuration option, a TFTP broadcast, to discover a configuration file. Use the following command to disable this feature:

Router(config)# no service config

XIV. Disable gratuitous ARP

By default, most Cisco routers send a gratuitous ARP message whenever a client connects and negotiates an IP address over a PPP connection. ARP-based attacks rely mainly on such ARP messages.

The Cisco router generates this gratuitous ARP even when the client receives its address from a local address pool.

To disable gratuitous ARP, run the following command:

Router(config)# no ip gratuitous-arps

XV. Disable IP classless routing

A router may receive packets destined for a subnet for which it has no specific route. If IP classless routing is enabled, such packets are forwarded along the most likely (default or supernet) route instead of being dropped.

To disable IP classless routing, use the no ip classless command in global configuration mode.
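As an added example (not part of the original article), the following Python script checks an exported show running-config against the hardening items covered above: it reports which recommended no ... lines are absent and which lines showing a still-enabled service are present. The sample configuration is constructed; on IOS versions where a service is disabled by default the corresponding no line may be omitted from the export, so a MISSING finding is a prompt to verify on the device rather than proof the service is running.

```python
import re

# Hardening commands this page recommends; each must appear verbatim in the export.
REQUIRED = [
    ("CDP disabled globally", r"^no cdp run$"),
    ("TCP small servers disabled", r"^no service tcp-small-servers$"),
    ("UDP small servers disabled", r"^no service udp-small-servers$"),
    ("finger disabled", r"^no (ip finger|service finger)$"),
    ("identd disabled", r"^no ip identd$"),
    ("IP source routing disabled", r"^no ip source-route$"),
    ("HTTP server disabled", r"^no ip http server$"),
    ("HTTPS server disabled", r"^no ip http secure-server$"),
    ("SNMP disabled", r"^no snmp-server$"),
    ("DNS lookups disabled", r"^no ip domain-lookup$"),
    ("BootP server disabled", r"^no ip bootp server$"),
    ("DHCP service disabled", r"^no service dhcp$"),
    ("PAD disabled", r"^no service pad$"),
    ("network config loading disabled", r"^no service config$"),
    ("gratuitous ARP disabled", r"^no ip gratuitous-arps$"),
]
# Lines that show a service the page says to turn off is still configured.
FORBIDDEN = [
    ("SNMP community string configured", r"^snmp-server community "),
    ("FTP server enabled", r"^ftp-server (enable|write-enable)$"),
    ("network boot of the IOS image configured", r"^boot network "),
]

def audit_config(text):
    """Return findings for a running-config export; an empty list means compliant."""
    lines = [line.strip() for line in text.splitlines()]
    findings = []
    for desc, pat in REQUIRED:
        if not any(re.match(pat, line) for line in lines):
            findings.append(f"MISSING: {desc} (expected /{pat}/)")
    for desc, pat in FORBIDDEN:
        for hit in (line for line in lines if re.match(pat, line)):
            findings.append(f"PRESENT: {desc}: '{hit}'")
    return findings

# Constructed sample export (not from a real device): only partially hardened.
SAMPLE_CONFIG = """\
hostname santa
no ip source-route
no service pad
snmp-server community public RO
ip http server
no cdp run
"""
if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE_CONFIG)))
```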
