In the router, there is a command: auto secure, which is convenient to use, and can disable some insecure services and enable some secure services. Then, the command is summarized. (Note: IOS 12.3 (1) or later versions are supported)
Summary:
1. Disable some global insecure services as follows:
Finger
Pad
Small servers
BOOTP
HTTP service
Identification Service
CDP
NTP
Source Routing
2. enable some global security services as follows:
Password-encryption service
Tuning of scheduler interval/allocation
TCP synwait-time
TCP-keepalives-in and TCP-kepalives-out
SPD Configuration
No IP unreachables for null 0
3. Some insecure services that disable the interface are as follows:
ICMP
Proxy-ARP
Directed broadcast
Disables mop Service
Disables ICMP unreachables
Disables ICMP Mask Reply messages.
4. Provide log security as follows:
Enables sequence numbers & Timestamp
Provides a console log
Sets log buffered size
Provides an interactive dialogue to configure the logging Server IP address.
5. Protect the Access Router as follows:
Checks for a banner and provides facility to add text to automatically configure:
Login and password
Transport input & Output
Exec-Timeout
Local aaa
SSH timeout and SSH Authentication-retries to minimum number
Enable only SSH and SCP for access and file transfer to/from the router
6. Protect forwarding plane
Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
Anti-Spoofing
Blocks all IANA reserved IP address blocks
Blocks private address blocks if customer desires
Installa default route to null 0, if a default route is not being used
Configures TCP Intercept for connection-Timeout, if TCP Intercept feature is available and the user is interested
Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image,
Enables NetFlow on software forwarding platforms