1. Disable CDP (Cisco Discovery Protocol). CDP announces the platform, IOS version and addresses of the router to every neighbour on the link, so turn it off globally, or at least on interfaces facing untrusted networks. For example:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2. Disable the TCP and UDP small servers (echo, chargen, discard, daytime). They are only useful for testing and can be abused for traffic amplification:
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3. Disable the finger service, which reveals who is logged in to the router. Newer images use the first form, older ones the second:
Router(config)# no ip finger
Router(config)# no service finger
4. Disable the HTTP server. The recommendation is to turn it off entirely:
Router(config)# no ip http server
If HTTP management must remain enabled, secure it: require a local username and password, and restrict access with an access list so that only the management station can reach the service. For example:
Router(config)# username BluShin privilege 10 password G00dPa55w0rd
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit
Even with these controls the credentials cross the network in clear text. On images that support it, prefer ip http secure-server (HTTPS) together with no ip http server, and define the account with secret instead of password so that the stored credential is hashed rather than reversibly encoded.
5. Disable the BOOTP server:
Router(config)# no ip bootp server
Also disable booting from the network and the automatic download of a configuration file over the network at startup, which would let anyone able to answer the TFTP request supply the router's configuration:
Router(config)# no boot network
Router(config)# no service config
6. Disable IP source routing. Source-routed packets let the sender dictate the path and can be used to bypass filtering that relies on the normal routing table:
Router(config)# no ip source-route
7. Disable proxy ARP if it is not needed; it is enabled by default on every interface, and lets the router answer ARP requests for hosts on other networks, which hides the real topology and can be used to redirect traffic. The per-interface command is:
Router(config-if)# no ip proxy-arp
On images that support it, ip arp proxy disable in global configuration mode turns it off for all interfaces at once.
8. Explicitly disable IP directed broadcasts on each interface. Directed broadcasts are the amplifier used in Smurf-style attacks; the setting has been off by default since IOS 12.0, but it is an interface command and should be set explicitly so that the state does not depend on the image:
Router(config-if)# no ip directed-broadcast
9. Disable IP classless routing:
Router(config)# no ip classless
Be aware that this changes forwarding behaviour rather than just removing a service: with no ip classless the router drops packets destined for an unknown subnet of a directly connected classful network instead of sending them to the default route. Verify that no reachable network depends on that behaviour before applying it.
10. Disable ICMP unreachables, redirects and mask replies on each interface. These messages leak information about the network and, in the case of redirects, can be abused to alter host routing:
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Note that no ip unreachables also suppresses the "fragmentation needed" unreachable that path MTU discovery relies on, so apply it on external interfaces only, or make sure the MTU is consistent along the path.
11. Disable SNMP unless it is needed. Whether you keep it or not, first remove the default community strings present in some configurations; if SNMP stays enabled, bind every community to an access list that permits only the management station. For example (192.168.0.1 is the management host already used in step 4):
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community admin RW
Router(config)# no access-list 70
Router(config)# access-list 70 permit host 192.168.0.1
Router(config)# access-list 70 deny any
Router(config)# snmp-server community MoreHardPublic RO 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-authentication
Router(config)# no snmp-server
Router(config)# end
The final no snmp-server removes the SNMP agent altogether, which makes the community and access list configured above moot; stop before that line if monitoring needs SNMP. In that case prefer SNMPv3 with authentication and privacy over an SNMPv1/v2c community string, which travels in clear text and is effectively a password.
12. If not needed, disable name resolution (DNS lookups) on the router. Apart from the information it leaks, an enabled lookup turns every mistyped command into a slow DNS query:
Router(config)# no ip domain-lookup
If name resolution is needed, configure the hostname and name server explicitly, for example:
Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96
13. Explicitly shut down unused interfaces, so that nothing plugged into a spare port obtains connectivity:
Router(config)# interface Ethernet0/3
Router(config-if)# shutdown
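The thirteen items above form one procedure, so it is worth checking them together. The following Python script is an added example, not part of the original article: it parses saved show running-config output and reports which checklist items are still unhardened. The two embedded configurations are constructed samples, the interface names and the 192.168.0.1 management address are assumptions, and the rules encode a detail that trips up naive grep checks: IOS does not print default settings, so a default-on feature (CDP, BOOTP, source routing, proxy ARP, ICMP redirects and unreachables) is visible only as its "no" form once disabled, while a default-off service (small servers, finger, HTTP, directed broadcast) appears in the config only after someone has enabled it.

```python
"""Audit a saved `show running-config` against the checklist above."""
import re

# Constructed sample of a mostly unhardened running-config (not a real device).
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
ip http server
snmp-server community public RO
snmp-server community MoreHardPublic RO 70
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 ip directed-broadcast
!
interface FastEthernet0/1
 no ip address
 shutdown
!
interface FastEthernet0/2
 no ip address
"""

# Constructed sample with the checklist applied; audit() returns no findings.
HARDENED_CONFIG = """\
no cdp run
no ip source-route
no ip bootp server
no ip http server
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
"""

# IOS hides defaults: a default-on feature shows up only once it is turned off
# (REQUIRED lines), a default-off service only once it is turned on (FORBIDDEN).
# Numbers in the messages refer to the checklist items in the text.
GLOBAL_REQUIRED = {
    "CDP running (1)": r"^no cdp run$",
    "BOOTP server enabled (5)": r"^no ip bootp server$",
    "IP source routing enabled (6)": r"^no ip source-route$",
}
GLOBAL_FORBIDDEN = {
    "TCP/UDP small servers enabled (2)": r"^service (tcp|udp)-small-servers$",
    "finger enabled (3)": r"^(ip finger|service finger)$",
    "HTTP server enabled (4)": r"^ip http server$",
    "default SNMP community (11)": r"^snmp-server community (public|private)\b",
    "SNMP community without access-list (11)": r"^snmp-server community \S+ (RO|RW)$",
}
IF_REQUIRED = {
    "proxy ARP enabled (7)": r"^no ip proxy-arp$",
    "ICMP unreachables enabled (10)": r"^no ip unreachables$",
    "ICMP redirects enabled (10)": r"^no ip redirects$",
}
IF_FORBIDDEN = {
    "directed broadcast enabled (8)": r"^ip directed-broadcast$",
}

def parse_config(text):
    # Split the config into global lines and {interface name: [indented lines]}.
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces

def _has(lines, pattern):
    return any(re.search(pattern, line) for line in lines)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = [m for m, p in GLOBAL_REQUIRED.items() if not _has(global_lines, p)]
    findings += [m for m, p in GLOBAL_FORBIDDEN.items() if _has(global_lines, p)]
    cdp_off = _has(global_lines, r"^no cdp run$")
    for name, lines in interfaces.items():
        if _has(lines, r"^shutdown$"):
            continue  # administratively down: nothing more to check
        if _has(lines, r"^no ip address$"):
            findings.append(f"{name}: unused interface not shut down (13)")
            continue
        findings += [f"{name}: {m}" for m, p in IF_REQUIRED.items() if not _has(lines, p)]
        findings += [f"{name}: {m}" for m, p in IF_FORBIDDEN.items() if _has(lines, p)]
        if not cdp_off and not _has(lines, r"^no cdp enable$"):
            findings.append(f"{name}: CDP enabled on interface (1)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)) or "no findings")
```

Run against the unhardened sample it reports twelve findings, including the SNMP community that has no access list bound to it and the spare interface that was never shut down; the shut interface is skipped on purpose, since nothing else on it matters. To audit a real device, replace SAMPLE_CONFIG with the text of show running-config and extend the rule tables; the "required versus forbidden" distinction is the part to keep, because a check that only greps for the "no" form will report default-off services as missing on every router.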