Home > Others

Cisco Router Security Configuration

Source: Internet
Author: User
Tags snmp strong password traceroute command
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

CiscoRouter Security Configuration

1. Security Configuration of vro Access Control
1. strictly control the administrator who can access the vro. Record Filing is required for any maintenance.
2. For vrouters with remote access, we recommend that you use the access control list and high-strength password control.
3. Strictly control access to the con port and set a high-strength password for the con port.
4. disable this port if you do not use the Aux port. It is disabled by default. The forbidden command is:
Router (config) # Line aux 0
Router (config-line) # Transport input none
Router (config-line) # No Exec
5. We recommend that you use a permission classification policy. For example:
Router (config) # username blushin privilege 10 g00dpa55w0rd
Router (config) # privilege Exec level 10 Telnet
Router (config) # privilege Exec level 10 show IP Access-list
6. Set a strong password for privileged mode access. Do not use Enable password to set the password. Use the enablesecret command. And enable service password-encryption.
7. control access to vty. A strong password is required. Because vty is not encrypted during network transmission, strict control is required. For example, set a strong password, control the number of concurrent connections, strictly control the access address using the access list, and set user access control using AAA.
8. We recommend that you use FTP instead of TFTP for iOS upgrade and backup and configuration file backup. For example:
Router (config) # ip ftp Username blushin
Router (config) # ip ftp password 4tppa55w0rd
Router # copy startup-config ftp:
9. Upgrade and patch IOS software in a timely manner.

Ii. vro Network Service Security Configuration
1. disable CDP (Cisco Discovery Protocol ). For example:
Router (config) # No CDP run
Router (config-If) # No CDP enable
2. Disable other TCP and UDP small services.
Router (config) # No service TCP-small-servers
Router (config) # No service UDP-small-servers
3. Disable the Finger service.
Router (config) # No IP finger
Router (config) # No service finger
4. Disable the HTTP service.
Router (config) # no ip http server
5. Disable the BOOTP service.
Router (config) # No ip bootp Server
Disable starting from the network and automatically downloading the initial configuration file from the network.
Router (config) # No boot Network
Router (config) # No servic config
6. Disable IP source routing.
Router (config) # No IP Source-route
7. If you do not need the ARP-proxy service, disable it. The router is enabled by default.
Router (config) # No IP proxy-ARP

Router (config-If) # No IP proxy-ARP
8. Explicitly prohibit IP directed broadcast.
Router (config) # No IP directed-broadcast
9. Disable IP classless.
Router (config) # No IP classless
10. Disable ipunreachables, redirects, and mask replies of ICMP.
Router (config-If) # No IP unreacheables
Router (config-If) # no ip redirects
Router (config-If) # No IP mask-reply
11. We recommend that you disable the SNMP protocol service. You must delete the default configuration of some SNMP services when disabling them. Or you need to filter the access list. For example:
Router (config) # No SNMP-server community Ro
Router (config) # No SNMP-server community RW

Iii. Security Configuration of vro protection against attacks
1. Prevent tcp syn attacks. For example:
A: use the access list to prevent attacks.
Router (config) # No accesskey-list 106
Router (config) # access-list 106 permit TCP any 192.168.0.0 0.0.255established
Router (config) # access-list 106 deny ip any log
Router (config) # interface ETH 0/2
Router (config-If) # description "external Ethernet"
Router (config-If) # IP address 192.168.1.254 255.255.255.0
Router (config-If) # IP Access-group 106 in
B: TCP interception prevention.
Router (config) # ip tcp Intercept list 107
Router (config) # access-list 107 permit TCP any 192.168.0.0 0.0.255
Router (config) # access-list 107 deny ip any log
Router (config) # interface eth0
Router (config) # IP Access-group 107 in
2. defense against land. c attacks.
Router (config) # access-list 107 Deny IP host 192.168.1.254 host 192.168.1.254log
Router (config) # access-list permit IP any
Router (config) # interface ETH 0/2
Router (config-If) # IP address 192.168.1.254 255.255.255.0
Router (config-If) # IP Access-group 107 in
3. Prevention of Smurf attacks.
Router (config-If) # No IP directed-broadcast
Router (config) # access-list 108 deny ip any host 192.168.1.255 log

Router (config) # access-list 108 deny ip any host 192.168.1.0 log
4. ICMP protocol security configuration. For ICMP streams, we want to disable echo, redirect, and maskrequest of ICMP. You also need to disable traceroute command detection. For Outbound ICMP streams, we can allow ECHO, parameterproblem, and packet too big. You can also use the traceroute command.
! Outbound ICMP Control
Router (config) # access-list 110 deny ICMP any echo log
Router (config) # access-list 110 deny ICMP any Any redirect log
Router (config) # access-list 110 deny ICMP any mask-request log
Router (config) # access-list 110 permit ICMP any
! Inbound ICMP Control
Router (config) # access-list 111 permit ICMP any echo
Router (config) # access-list 111 permit ICMP any parameter-Problem
Router (config) # access-list 111 permit ICMP any packet-too-big
Router (config) # access-list 111 permit ICMP any source-quench
Router (config) # access-list 111 deny ICMP any log
! Outbound traceroute Control
Router (config) # access-list 112 deny UDP any range 33400 34400
! Inbound traceroute Control
Router (config) # access-list 112 permit UDP any range 33400 34400
5. Prevention of DDoS (Distributed Denial of Service.
! The Trinoo DDoS System
Router (config) # access-list 113 deny TCP any EQ 27665 log
Router (config) # access-list 113 deny UDP any EQ 31335 log
Router (config) # access-list 113 deny UDP any EQ 27444 log
! The stacheldtraht DDoS System
Router (config) # access-list 113 deny TCP any EQ 16660 log
Router (config) # access-list 113 deny TCP any EQ 65000 log
! The trinityv3 System
Router (config) # access-list 113 deny TCP any EQ 33270 log
Router (config) # access-list 113 deny TCP any EQ 39168 log

! The SubSeven DDoS system and some variants
Router (config) # access-list 113 deny TCP any range 6711 6712 log
Router (config) # access-list 113 deny TCP any EQ 6776 log
Router (config) # access-list 113 deny TCP any EQ 6669 log
Router (config) # access-list 113 deny TCP any EQ 2222 log
Router (config) # access-list 113 deny TCP any EQ 7000 log
Iv. Security Configuration of vro to prevent viruses
1. Used to control Nachi Worm Scanning
Access-list 110 deny ICMP any echo
2. used to control the propagation of the Blaster Worm
Access-list 110 deny tcp any eq 4444
Access-list 110 deny udp any eq 69
3. used to control the scanning and attack of the blster Worm
Access-list 110 deny tcp any eq 135
Access-list 110 deny udp any eq 135
Access-list 110 deny tcp any eq 139
Access-list 110 deny udp any eq 139
Access-list 110 deny tcp any eq 445
Access-list 110 deny udp any eq 445
Access-list 110 deny tcp any eq 593
Access-list 110 deny udp any eq 593
4. used to control the spread of the Slammer Worm
Access-list 110 deny udp any eq 1434
Access-list 110 permit IP any
5. Close possible vulnerabilities
Access-list 101 deny ip 127.0.0.0 0.20.255.255 any
Access-list 101 deny ip 172.16.0.0 0.240.255.255 any
Access-list 101 deny ip 192.168.0.0 0.0.255.255 any
Access-list 101 deny ICMP any echo-reply!
Reject any response
Access-list 101 deny ICMP any host-unreachable! Reject any host that cannot be connected
Access-list 101 deny udp any eq snmp! SNMP denied
Access-list 101 deny UDP any EQ 2000! Openwindows
Access-list 101 deny udp any gt 6000! X-Windows
Access-list 101 deny tcp any eq 2000! Openwindows

Access-list101 deny tcp any gt 6000! X-Windows
Access-list 101 deny udp any eq 69! Rejected tftpd
Access-list 101 deny udp any eq 111! Reject SunRPC
Access-list 101 deny udp any eq 2049! NFS not introduced
Access-list 101 deny tcp any eq 111! Reject SunRPC
Access-list 101 deny tcp any eq 2049! NFS not introduced
Access-list 101 deny tcp any eq 87! Connection denied
Access-list 101 deny tcp any eq 512! Reject the introduced bsd unix "R" command
Access-list 101 deny tcp any eq 513! Reject the introduced bsd unix "R" command
Access-list 101 deny tcp any eq 514! Reject the introduced bsd unix "R" command
Access-list 101 deny tcp any eq 515! LPD rejected
Access-list 101 deny tcp any eq 540! Uucpd rejected
Access-list 101 deny PIM any
Access-list 101 deny 55 any
Access-list 101 deny 77 Any any
Access-list 101 deny 225 Any any
Access-list 101 deny udp any eq 1434
Access-list 101 deny udp any eq 4672
Access-list 101 deny tcp any eq 445
Access-list 101 deny tcp any eq 5800
Access-list 101 deny tcp any eq 5900
Access-list 101 deny udp any eq 135
Access-list 101 deny udp any eq 445
Access-list 101 deny udp any eq 593
Access-list 101 deny udp any eq 53
Access-list 101 deny tcp any eq 135
Access-list 101 deny tcp any eq 139
Access-list 101 deny tcp any eq 42
Access-list 101 deny udp any eq NetBIOS-SS
Access-list 101 deny udp any eq NetBIOS-NS
Access-list 101 deny tcp any eq 593
Access-list 101 deny tcp any eq 3333
Access-list 101 deny udp any eq 4444
Access-list 101 permit IP any

This article is from the "kangh" blog and will not be reposted!

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
cisco router configuration nsa router security configuration guide cisco 2811 router configuration examples snmp configuration on cisco router qos configuration on cisco router cisco router configuration commands pdf cisco router firewall security pdf

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More