1. Disable CDP (Cisco Discovery Protocol). For example:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2. Disable the TCP and UDP small services.
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3. Disable the Finger service.
Router(config)# no ip finger
Router(config)# no service finger
4. We recommend that you disable the HTTP service.
Router(config)# no ip http server
If the HTTP service is enabled, you need to secure it: set a user name and password, and restrict access with an access list. For example:
Router(config)# username blushin privilege 10 password g00dpa55w0rd
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit
5. Disable the BOOTP service.
Router(config)# no ip bootp server
Disable booting from the network and automatic download of the initial configuration file from the network.
Router(config)# no boot network
Router(config)# no service config
6. Disable IP source routing.
Router(config)# no ip source-route
7. If you do not need the proxy ARP service, disable it. It is enabled by default on the router.
Router(config)# no ip proxy-arp
Router(config-if)# no ip proxy-arp
8. Explicitly disable IP directed broadcast.
Router(config-if)# no ip directed-broadcast
9. Disable IP classless.
Router(config)# no ip classless
10. Disable ICMP unreachables, redirects, and mask replies.
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
11. We recommend that you disable the SNMP service. When disabling it, you must also delete some of the default SNMP configuration. Otherwise, you need to filter access with an access list. For example:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community admin RW
Router(config)# no access-list 70
Router(config)# access-list 70 deny any
Router(config)# snmp-server community morehardpublic RO 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-authentication
Router(config)# no snmp-server
Router(config)# end
12. If not necessary, disable the WINS and DNS services.
Router(config)# no ip domain-lookup
If they are necessary, you need to configure:
Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96
13. Explicitly shut down unused ports.
Router(config)# interface eth0/3
Router(config-if)# shutdown
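An added example, not part of the original article: a small Python audit that reads a saved configuration and reports which of the checklist items above are not visible in it, per interface where the command is an interface command. The names `audit`, `GLOBAL`, `IFACE` and the sample configuration are assumptions made for illustration. IOS leaves out commands that match the release default, so a "not present" finding means the setting should be verified on the device.

```python
import re

# "no" forms taken from the checklist above, lower-cased for matching.
GLOBAL = ["no cdp run", "no service tcp-small-servers", "no service udp-small-servers",
          "no ip finger", "no ip source-route"]
IFACE = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
no cdp run
no service tcp-small-servers
no service udp-small-servers
no ip finger
ip http server
snmp-server community public RO
snmp-server community morehardpublic RO 70
interface Ethernet0/0
 no ip redirects
 no ip unreachables
interface Ethernet0/3
 shutdown
"""

def audit(text):
    """Return the findings for a saved IOS configuration, globals first."""
    top, blocks, cur, out = [], {}, None, []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line == "!":
            continue
        if raw[0].isspace():                 # indented: belongs to current interface
            if cur:
                blocks[cur].append(line)
            continue
        cur = line.split(None, 1)[1] if line.startswith("interface ") else None
        if cur:
            blocks[cur] = []
        else:
            top.append(line)
    out += [f"global: '{c}' not present" for c in GLOBAL if c not in top]
    if "ip http server" in top and not any(l.startswith("ip http access-class") for l in top):
        out.append("global: HTTP server enabled without 'ip http access-class'")
    for l in top:                            # item 11: default names or no ACL
        m = re.match(r"snmp-server community (\S+) r[ow](?: (\d+))?$", l)
        if m and (m.group(1) in ("public", "admin") or not m.group(2)):
            out.append(f"global: SNMP community '{m.group(1)}' is default or has no ACL")
    for name, lines in blocks.items():
        if "shutdown" not in lines:          # item 13: shut-down ports are skipped
            out += [f"{name}: '{c}' not present" for c in IFACE if c not in lines]
    return out
```

Calling `audit(SAMPLE)` returns four findings; matching is done on lower-cased text, so community names are reported in lower case.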
Article input: CSH. Responsible editor: CSH.