Here are some of the configurations I'd like to share to secure a Cisco router. Some services run by default on a Cisco router, and attackers can use them to compromise it.
A. Disable the TCP and UDP small servers
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
B. Disable Finger
Router(config)#no ip finger
Router(config)#no service finger
C. Don't use SNMP if possible. Disable the HTTP server if it is not necessary.
Router(config)#no ip http server
D. Disable Bootp Server
Router(config)#no ip bootp server
E. Disable Auto-Loading
Router(config)#no boot network
Router(config)#no service config
F. Disable IP Source Routing
Router(config)#no ip source-route
G. Disable Proxy ARP. It could be used to bypass the security perimeter.
Router(config)#int fa0/0
Router(config-if)#no ip proxy-arp
H. If you are using classful routing, disable IP classless routing.
Router(config)#no ip classless
I. Disable IP Unreachables, Redirects, Mask Reply
Router(config)#int fa0/0
Router(config-if)#no ip unreachables
Router(config-if)#no ip redirects
Router(config-if)#no ip mask-reply
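
To check a router against this list, the added example below (not part of the original post) audits saved `show running-config` text and reports every listed service that is not explicitly disabled. The names `state`, `audit` and `SAMPLE` are hypothetical, the sample config is constructed, and "implicit" means the line is absent, so the default of the IOS release in use applies and should be verified.

```python
# Commands from the list above, in full keyword form. "ip classless" is left
# out because the post disables it only when classful routing is in use.
GLOBAL = ["service tcp-small-servers", "service udp-small-servers", "ip finger",
          "service finger", "ip http server", "ip bootp server", "boot network",
          "service config", "ip source-route"]
PER_INTERFACE = ["ip proxy-arp", "ip unreachables", "ip redirects", "ip mask-reply"]

def state(lines, cmd):
    """'disabled' if 'no <cmd>' is present, 'enabled' if '<cmd>' is, else 'implicit'."""
    found = "implicit"  # not written in the config: the IOS release default applies
    for line in (l.strip() for l in lines):
        if line == "no " + cmd:
            return "disabled"
        if line == cmd or line.startswith(cmd + " "):
            found = "enabled"
    return found

def audit(config):
    """Return (scope, command, state) for each listed item not explicitly disabled."""
    scopes, current = {"global": []}, "global"
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]  # start of an interface block
            scopes.setdefault(current, [])
        elif not raw.startswith(" "):
            current = "global"  # an unindented line ends the block
        elif current == "global":
            continue  # child of a non-interface block (line, router, ...)
        scopes[current].append(raw)
    return [(scope, cmd, state(lines, cmd))
            for scope, lines in scopes.items()
            for cmd in (GLOBAL if scope == "global" else PER_INTERFACE)
            if state(lines, cmd) != "disabled"]

# Constructed sample, not taken from a real device.
SAMPLE = """no service tcp-small-servers
no service udp-small-servers
no ip finger
no service finger
ip http server
no ip bootp server
no boot network
no service config
no ip source-route
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip mask-reply
"""
print(*audit(SAMPLE), sep="\n")
```

On the sample it flags the enabled HTTP server and the interface that never sets `no ip unreachables`.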