Cisco Router Security Configuration
I. Router Access Control Security Configuration
1. Strictly control which administrators may access the router. Every maintenance action must be recorded and filed.
2. For routers that are managed remotely, restrict the management sources with an access control list and use strong passwords.
3. Strictly control access to the console port and set a strong password on it.
4. If the AUX port is not used, disable it. The AUX line exists by default, so disable it explicitly:
Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# no exec
5. Use a privilege-level scheme so that each operator gets only the commands they need. For example, a level-10 user who may run telnet and show ip access-list (the username command needs a password or secret keyword; secret stores a hash):
Router(config)# username blushin privilege 10 secret g00dpa55w0rd
Router(config)# privilege exec level 10 telnet
Router(config)# privilege exec level 10 show ip access-list
6. Set a strong password for privileged (enable) mode. Do not set it with the enable password command; use enable secret, which stores a salted hash instead of a recoverable string, and turn on service password-encryption. Note that service password-encryption only applies reversible type 7 obfuscation to the remaining plaintext passwords in the configuration (line passwords, username passwords); it protects against someone reading the screen, not against anyone who obtains a copy of the configuration file.
7. Control access to the vty lines. A strong password is required, and because Telnet sessions on the vty lines travel across the network unencrypted, access must be controlled strictly: limit the number of concurrent sessions, restrict the permitted source addresses with an access list applied by access-class, set an exec-timeout, prefer SSH (transport input ssh) over Telnet where the image supports it, and authenticate users through AAA.
8. Use FTP rather than TFTP for IOS upgrades, IOS backups and configuration backups; FTP at least requires a username and password, although neither protocol encrypts the transfer. For example:
Router(config)# ip ftp username blushin
Router(config)# ip ftp password 4tppa55w0rd
Router# copy startup-config ftp:
9. Upgrade and patch IOS software in a timely manner.
II. Router Network Service Security Configuration
1. Disable CDP (Cisco Discovery Protocol), globally or per interface. For example:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2. Disable the TCP and UDP small services (echo, discard, chargen and daytime):
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3. Disable the finger service (the second form is the older command name):
Router(config)# no ip finger
Router(config)# no service finger
4. Disable the HTTP server:
Router(config)# no ip http server
5. Disable the BOOTP server:
Router(config)# no ip bootp server
Also disable booting from the network and automatically downloading the initial configuration file from the network:
Router(config)# no boot network
Router(config)# no service config
6. Disable IP source routing:
Router(config)# no ip source-route
7. Disable proxy ARP if it is not needed; it is enabled by default on router interfaces. It is configured per interface (newer IOS releases also have a global ip arp proxy disable command):
Router(config-if)# no ip proxy-arp
8. Explicitly disable IP directed broadcasts. This is an interface command and has been the default since IOS 12.0, but set it anyway on every interface:
Router(config-if)# no ip directed-broadcast
9. Disable IP classless. This stops the router from using a default or supernet route for unknown subnets of a directly connected classful network; check the routing design first, because it changes how the default route is used:
Router(config)# no ip classless
10. Disable the generation of ICMP unreachables, redirects and mask replies on each interface. Note that no ip unreachables also suppresses the fragmentation-needed message (type 3, code 4) that path MTU discovery relies on:
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
11. Disable SNMP unless it is needed. When disabling it, also remove any default community strings that the image or a template left behind (no snmp-server then removes the agent entirely); if SNMP must stay, restrict it with an access list (snmp-server community <string> RO <acl-number>). For example, removing the common default strings:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
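As an added check that is not part of the original article, the following Python script audits a saved running-config against the items in sections I and II: the required global commands, the per-interface proxy-ARP, ICMP and directed-broadcast settings, the AUX and vty line settings, and lines that should not be present (enable password, SNMP community strings, an HTTP server). The sample configuration embedded in it is constructed for the demonstration. The checks treat a missing line as a finding even where the IOS default already matches, so confirm such items with show running-config all on releases that support it, and extend the lists to match your own baseline.

```python
"""Audit a Cisco IOS running-config against the hardening items in sections I and II.

Added example, not from the original article.  SAMPLE_CONFIG is constructed for
the demonstration.  A missing global line is reported even where the IOS
default already matches; confirm such items with 'show running-config all'.
"""
import re

REQUIRED_GLOBAL = [  # global commands that must appear verbatim
    "service password-encryption", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip finger", "no ip http server",
    "no ip bootp server", "no boot network", "no service config",
    "no ip source-route", "no cdp run",
]
REQUIRED_INTERFACE = [  # expected under every interface that has an IP address
    "no ip proxy-arp", "no ip redirects", "no ip unreachables",
    "no ip mask-reply", "no ip directed-broadcast",
]
FORBIDDEN = [  # global lines whose presence is itself a finding
    (re.compile(r"^enable password "), "enable password in use; use 'enable secret'"),
    (re.compile(r"^snmp-server community "), "SNMP community configured"),
    (re.compile(r"^ip http secure-server"), "HTTPS server enabled"),
]

def _blocks(lines):
    """Yield (header, [body lines]) for each top-level command and its indented body."""
    header, body = None, []
    for ln in lines:
        if ln.startswith(" "):
            body.append(ln.strip())
        else:
            if header is not None:
                yield header, body
            header, body = ln.strip(), []
    if header is not None:
        yield header, body

def audit_config(text):
    """Return a sorted list of findings (empty when the config passes every check)."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")]
    top = [l for l in lines if not l.startswith(" ")]
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in top]
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("global: no 'enable secret' configured")
    findings += [f"global: {msg}: '{l}'" for pat, msg in FORBIDDEN for l in top if pat.match(l)]
    for header, body in _blocks(lines):
        if header.startswith("interface ") and any(b.startswith("ip address ") for b in body):
            findings += [f"{header}: missing '{cmd}'" for cmd in REQUIRED_INTERFACE if cmd not in body]
        elif header.startswith("line aux"):
            if "no exec" not in body or "transport input none" not in body:
                findings.append(f"{header}: AUX port not disabled ('no exec' + 'transport input none')")
        elif header.startswith("line vty"):
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{header}: no access-class restricting management sources")
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            if not any(b.startswith("exec-timeout ") for b in body):
                findings.append(f"{header}: no exec-timeout")
    return sorted(findings)

# Constructed sample: partially hardened, so that several findings show up.
SAMPLE_CONFIG = """\
service password-encryption
hostname Router
enable secret 5 $1$abcd$EXAMPLEHASHEXAMPLEHASH
enable password 7 0822455D0A16
no ip source-route
no ip bootp server
ip http server
interface Ethernet0/2
 description external Ethernet
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
interface Ethernet0/0
 no ip address
 shutdown
snmp-server community public RO
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file (read the file and pass its text to audit_config). Interfaces without an IP address, such as the shut-down Ethernet0/0 in the sample, are skipped on purpose; an interface that is later brought up will then be reported on the next run.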
III. Router Attack Protection Security Configuration
1. Mitigate TCP SYN flood attacks. For example:
A. Use an access list on the external interface so that only segments belonging to connections initiated from the inside are accepted. The established keyword matches any TCP segment with the ACK or RST bit set; it is stateless, so it blocks every inbound connection attempt and is only usable where no inbound services are offered:
Router(config)# no access-list 106
Router(config)# access-list 106 permit tcp any 192.168.0.0 0.0.255.255 established
Router(config)# access-list 106 deny ip any any log
Router(config)# interface ethernet 0/2
Router(config-if)# description "external Ethernet"
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# ip access-group 106 in
B. Use TCP Intercept, which completes the three-way handshake on behalf of the inside servers covered by the list before passing the connection on:
Router(config)# ip tcp intercept list 107
Router(config)# access-list 107 permit tcp any 192.168.0.0 0.0.255.255
Router(config)# access-list 107 deny ip any any log
Router(config)# interface ethernet 0
Router(config-if)# ip access-group 107 in
2. Defend against land.c attacks, which send packets whose source and destination are both the router's own interface address. Entries are appended to an existing numbered list, so clear list 107 first (no access-list 107) or use an unused number:
Router(config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
Router(config)# access-list 107 permit ip any any
Router(config)# interface ethernet 0/2
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# ip access-group 107 in
3. Prevent Smurf attacks: disable directed broadcasts on the interface and drop packets addressed to the subnet broadcast and network addresses. A numbered list containing only deny entries drops everything when applied, so it needs a closing permit:
Router(config-if)# no ip directed-broadcast
Router(config)# access-list 108 deny ip any host 192.168.1.255 log
Router(config)# access-list 108 deny ip any host 192.168.1.0 log
Router(config)# access-list 108 permit ip any any
4. ICMP security configuration. For ICMP arriving from the outside, block echo requests, redirects and mask requests, and block inbound traceroute probes. For ICMP leaving towards the outside, allow echo, parameter-problem and packet-too-big, and allow traceroute to be used from the inside. Each list below covers one protocol only; in practice the entries for one direction are merged into a single list, in which the first matching entry wins.
! ICMP control, applied inbound on the external interface
Router(config)# access-list 110 deny icmp any any echo log
Router(config)# access-list 110 deny icmp any any redirect log
Router(config)# access-list 110 deny icmp any any mask-request log
Router(config)# access-list 110 permit icmp any any
! ICMP control, applied outbound on the external interface
Router(config)# access-list 111 permit icmp any any echo
Router(config)# access-list 111 permit icmp any any parameter-problem
Router(config)# access-list 111 permit icmp any any packet-too-big
Router(config)# access-list 111 permit icmp any any source-quench
Router(config)# access-list 111 deny icmp any any log
! Inbound traceroute control (UDP probe ports)
Router(config)# access-list 112 deny udp any any range 33400 34400
! Outbound traceroute control. This entry cannot share list 112 with the deny above, because the deny would match first; put it in the list applied in the outbound direction.
Router(config)# access-list 112 permit udp any any range 33400 34400
5. Prevent DDoS (Distributed Denial of Service) agent traffic by blocking the control ports used by well-known DDoS tools. These are the tools' default ports; a handler configured to use other ports is not caught by this list:
! Trinoo DDoS system
Router(config)# access-list 113 deny tcp any any eq 27665 log
Router(config)# access-list 113 deny udp any any eq 31335 log
Router(config)# access-list 113 deny udp any any eq 27444 log
! Stacheldraht DDoS system
Router(config)# access-list 113 deny tcp any any eq 16660 log
Router(config)# access-list 113 deny tcp any any eq 65000 log
! Trinity v3 system
Router(config)# access-list 113 deny tcp any any eq 33270 log
Router(config)# access-list 113 deny tcp any any eq 39168 log
! SubSeven and some variants
Router(config)# access-list 113 deny tcp any any range 6711 6712 log
Router(config)# access-list 113 deny tcp any any eq 6776 log
Router(config)# access-list 113 deny tcp any any eq 6669 log
Router(config)# access-list 113 deny tcp any any eq 2222 log
Router(config)# access-list 113 deny tcp any any eq 7000 log
Router(config)# access-list 113 permit ip any any
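To see how the lists in this section actually behave, here is an added Python example that is not part of the original article. It parses numbered access-list lines in the subset of IOS syntax used above (any, host A, or A WILDCARD addresses; eq and range on the destination port; established; ICMP type keywords; log) and evaluates constructed packets against them with the first-match-wins, implicit-deny semantics of an IOS ACL. It shows that list 106 admits a reply segment but not a bare SYN, that the land entry drops a packet whose source equals its destination, and that a deny and a permit for the same UDP traceroute range placed in one list, as with 112, never permit anything. The packets and the 203.0.113.0/24 addresses are constructed for the demonstration.

```python
"""Evaluate IOS numbered extended ACLs with first-match semantics.

Added example, not from the original article.  Supports only the subset of
IOS syntax used in section III: any | host A | A WILDCARD addresses,
eq/range on the destination port, 'established', ICMP type keywords, 'log'.
All packets and addresses below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

ICMP_TYPES = {  # IOS keyword -> (type, code); code None matches any code
    "echo": (8, None), "echo-reply": (0, None), "redirect": (5, None),
    "mask-request": (17, None), "parameter-problem": (12, None),
    "packet-too-big": (3, 4), "source-quench": (4, None),
    "host-unreachable": (3, 1),
}

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # ACK or RST set: what 'established' matches on
    icmp: tuple = (0, 0)  # (type, code) for ICMP packets

def _parse_addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' from tok; return (network, wildcard) ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _addr_match(spec, addr):
    """IOS wildcard semantics: bits that are 0 in the wildcard must match."""
    net, wild = spec
    fixed = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & fixed) == (net & fixed)

def parse_ace(line):
    """Parse one 'access-list N permit|deny PROTO SRC DST [options]' line into a rule dict."""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    rule = {"acl": tok[1], "action": tok[2], "proto": tok[3],
            "ports": None, "established": False, "icmp": None}
    tok = tok[4:]
    rule["src"] = _parse_addr(tok)
    rule["dst"] = _parse_addr(tok)
    while tok:
        t = tok.pop(0)
        if t == "eq":
            p = int(tok.pop(0))
            rule["ports"] = (p, p)
        elif t == "range":
            rule["ports"] = (int(tok.pop(0)), int(tok.pop(0)))
        elif t == "established":
            rule["established"] = True
        elif t in ICMP_TYPES:
            rule["icmp"] = ICMP_TYPES[t]
        elif t != "log":
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return rule

def _matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (_addr_match(rule["src"], pkt.src) and _addr_match(rule["dst"], pkt.dst)):
        return False
    if rule["ports"] and not (rule["ports"][0] <= pkt.dport <= rule["ports"][1]):
        return False
    if rule["established"] and not pkt.ack:
        return False
    if rule["icmp"]:
        typ, code = rule["icmp"]
        if pkt.icmp[0] != typ or (code is not None and pkt.icmp[1] != code):
            return False
    return True

def evaluate(acl_lines, pkt):
    """'permit' or 'deny': the first matching entry wins; no match is an implicit deny."""
    for rule in map(parse_ace, acl_lines):
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"

# Lists from section III, without the Router(config)# prompt.
ACL_106 = ["access-list 106 permit tcp any 192.168.0.0 0.0.255.255 established",
           "access-list 106 deny ip any any log"]
ACL_107_LAND = ["access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log",
                "access-list 107 permit ip any any"]
# A deny and a permit for the same range in one list: the permit is unreachable.
ACL_112 = ["access-list 112 deny udp any any range 33400 34400",
           "access-list 112 permit udp any any range 33400 34400"]

def demo():
    """Run a few constructed packets through the lists above."""
    syn = Packet("tcp", "203.0.113.7", "192.168.1.10", sport=40000, dport=80)
    reply = Packet("tcp", "203.0.113.7", "192.168.1.10", sport=443, dport=40000, ack=True)
    land = Packet("tcp", "192.168.1.254", "192.168.1.254", sport=23, dport=23)
    probe = Packet("udp", "192.168.1.10", "203.0.113.7", sport=50000, dport=33434)
    return {
        "inbound SYN (106)": evaluate(ACL_106, syn),          # deny
        "inbound reply (106)": evaluate(ACL_106, reply),      # permit
        "land packet (107)": evaluate(ACL_107_LAND, land),    # deny
        "traceroute probe (112)": evaluate(ACL_112, probe),   # deny: first entry wins
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The evaluator is deliberately as dumb as the router: no state, no reordering, and an implicit deny at the end. That is exactly why a reply segment with ACK set passes list 106 while anything else, including a spoofed segment that merely has ACK set, is judged only by its bits.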
IV. Router Worm Protection Security Configuration
List numbers 110 and 101 below are independent of the lists in section III; because entries are appended to an existing numbered list, clear a number with no access-list N before reusing it. All ports are destination ports.
1. Control scanning by the Nachi (Welchia) worm, which pings its targets:
access-list 110 deny icmp any any echo
2. Control propagation of the Blaster worm (its command shell on TCP 4444 and the TFTP download of the worm body):
access-list 110 deny tcp any any eq 4444
access-list 110 deny udp any any eq 69
3. Control scanning and exploitation by the Blaster worm (the RPC/DCOM and NetBIOS/SMB ports):
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 139
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq 445
access-list 110 deny tcp any any eq 593
access-list 110 deny udp any any eq 593
4. Control the spread of the Slammer worm (SQL Server resolution service):
access-list 110 deny udp any any eq 1434
access-list 110 permit ip any any
5. Close likely attack paths on the external interface. The first entries drop packets with spoofed loopback and private source addresses; the wildcard mask must cover the whole prefix (0.255.255.255 for a /8, 0.15.255.255 for a /12, 0.0.255.255 for a /16), and 10.0.0.0/8, the third RFC 1918 range, belongs in the same group. Comments are on their own ! lines (or use access-list 101 remark ...), since IOS does not accept a trailing comment on a command line.
! Spoofed loopback source addresses
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Spoofed RFC 1918 source addresses
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! Reject echo replies (this also blocks the replies to pings sent from inside)
access-list 101 deny icmp any any echo-reply
! Reject host-unreachable messages
access-list 101 deny icmp any any host-unreachable
! Deny SNMP
access-list 101 deny udp any any eq snmp
! OpenWindows
access-list 101 deny udp any any eq 2000
access-list 101 deny tcp any any eq 2000
! X Window System
access-list 101 deny udp any any gt 6000
access-list 101 deny tcp any any gt 6000
! Reject inbound tftp
access-list 101 deny udp any any eq 69
! Reject SunRPC
access-list 101 deny udp any any eq 111
access-list 101 deny tcp any any eq 111
! Reject inbound NFS
access-list 101 deny udp any any eq 2049
access-list 101 deny tcp any any eq 2049
! Reject port 87 (link)
access-list 101 deny tcp any any eq 87
! Reject inbound BSD Unix "r" commands (exec, login, shell)
access-list 101 deny tcp any any eq 512
access-list 101 deny tcp any any eq 513
access-list 101 deny tcp any any eq 514
! Reject lpd
access-list 101 deny tcp any any eq 515
! Reject uucpd
access-list 101 deny tcp any any eq 540
! Unneeded IP protocols (PIM and protocol numbers 55, 77, 225)
access-list 101 deny pim any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 225 any any
! Worm, Windows service and remote-control ports
access-list 101 deny udp any any eq 1434
access-list 101 deny udp any any eq 4672
access-list 101 deny tcp any any eq 445
access-list 101 deny tcp any any eq 5800
access-list 101 deny tcp any any eq 5900
access-list 101 deny udp any any eq 135
access-list 101 deny udp any any eq 445
access-list 101 deny udp any any eq 593
access-list 101 deny udp any any eq 53
access-list 101 deny tcp any any eq 135
access-list 101 deny tcp any any eq 139
access-list 101 deny tcp any any eq 42
access-list 101 deny udp any any eq netbios-ss
access-list 101 deny udp any any eq netbios-ns
access-list 101 deny tcp any any eq 593
access-list 101 deny tcp any any eq 3333
access-list 101 deny udp any any eq 4444
access-list 101 permit ip any any
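Wildcard masks are where hand-typed anti-spoofing lists most often go wrong: a mask such as 0.20.255.255 instead of 0.255.255.255, or 0.240.255.255 instead of 0.15.255.255, leaves most of the prefix unfiltered and at the same time matches addresses outside it. The following Python example (added here, not from the original article) derives the correct wildcard for each prefix in item 5 and computes, without enumerating addresses, what fraction of a prefix an entry with a given mask really covers. The three suspect entries it checks are constructed for the demonstration.

```python
"""IOS wildcard masks: derive them from prefixes and measure what a wrong one covers.

Added example, not from the original article.  The (network, wildcard,
intended prefix) triples below are constructed to put mistyped masks next to
a correct one; nothing is enumerated, the coverage is computed from the bits.
"""
import ipaddress

def wildcard(prefix):
    """Return (network, wildcard) strings for a CIDR prefix, e.g. ('127.0.0.0', '0.255.255.255')."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return str(net.network_address), str(net.hostmask)  # hostmask is the inverted netmask

def ace_matches(network, wild, addr):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (network, wild, addr))
    fixed = ~w & 0xFFFFFFFF
    return (a & fixed) == (n & fixed)

def coverage(network, wild, prefix):
    """Fraction (0.0 to 1.0) of the addresses in 'prefix' that an entry 'network wild' matches."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    n, w = (int(ipaddress.IPv4Address(x)) for x in (network, wild))
    fixed = ~w & 0xFFFFFFFF
    netmask, hostmask = int(net.netmask), int(net.hostmask)
    # A fixed bit inside the prefix's network part that disagrees rules out every address.
    if (int(net.network_address) & fixed & netmask) != (n & fixed & netmask):
        return 0.0
    # In the host part, free bits take any value; each fixed bit pins exactly one value.
    free_host_bits = bin(hostmask & w).count("1")
    return 2 ** free_host_bits / 2 ** bin(hostmask).count("1")

def check_entries(entries):
    """For each (network, wildcard, intended prefix): (network, wildcard, coverage, correct wildcard)."""
    return [(net, wild, coverage(net, wild, prefix), wildcard(prefix)[1])
            for net, wild, prefix in entries]

# Constructed: two mistyped masks of the kind seen in copied anti-spoofing lists, one correct entry.
SUSPECT_ENTRIES = [
    ("127.0.0.0", "0.20.255.255", "127.0.0.0/8"),
    ("172.16.0.0", "0.240.255.255", "172.16.0.0/12"),
    ("192.168.0.0", "0.0.255.255", "192.168.0.0/16"),
]

if __name__ == "__main__":
    for net, wild, cov, correct in check_entries(SUSPECT_ENTRIES):
        print(f"{net} {wild}: covers {cov:.4%} of the prefix; correct wildcard is {correct}")
    # The mistyped /12 mask also reaches outside the private range.
    print(ace_matches("172.16.0.0", "0.240.255.255", "172.32.5.5"))  # True
```

A mask of 0.20.255.255 on 127.0.0.0 matches only 1/64 of the loopback block, and 0.240.255.255 on 172.16.0.0 matches 1/16 of 172.16.0.0/12 while also matching 172.32.0.0 and other public space, so a bad mask both under-filters the intended range and drops legitimate traffic.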
This article is from the "kangh" blog; reposting is not permitted.