Router security template

From CT3

By Sebastian Majewski

The default configuration of a Cisco router is far from secure. Although there are many 'security templates' available on the internet, I found a lot of them outdated and not covering the latest 12.4T IOS releases. Since I recently needed to secure a couple of Cisco routers, I have compiled a short template that can be a good starting point for an initial secure router configuration. Replace the placeholders (x.x.x.x and y.y.y.y for the syslog and NTP servers, <MD5> for the password hashes and the NTP key, n for the last vty line number) with your own values before using it.


General config

! Lock the running config to one session at a time; an idle lock expires after 600 s
configuration mode exclusive auto expire 600
hostname RT-SEC
! Disable the X.25 PAD service and tear down dead TCP sessions (e.g. stale vty logins)
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
! Millisecond timestamps and sequence numbers make the logs usable as evidence
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
! Type-7 obfuscation of plaintext passwords; it is reversible, so use 'secret' wherever IOS allows it
service password-encryption
service sequence-numbers
no service dhcp
! Local buffer plus a persistent copy on flash that survives reloads; everything also goes to two syslog servers
logging buffered 64000 informational
logging persistent url flash:/LOG size 4096000 filesize 64000
no logging console
no logging monitor
logging origin-id hostname
logging source-interface Loopback0
logging count
logging x.x.x.x
logging y.y.y.y
! Local AAA: a local account is locked after 10 failed attempts (clear aaa local user lockout),
! exec authorization applies to the console as well
aaa new-model
aaa local authentication attempts max-fail 10
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
! Accounts and the enable password as type-5 (MD5) secrets, never as type-7 passwords
username user privilege 1 secret 1 <MD5>
username admin privilege 15 secret 5 <MD5>
enable secret 5 <MD5>
! Drop source-routed packets and packets carrying IP options (both are punted to the CPU;
! 'ip options drop' also affects transit packets with options)
no ip source-route
ip options drop
ip cef
! No BOOTP/DHCP service and no DNS lookups for mistyped commands
ip dhcp bootp ignore
no ip bootp server
no ip domain lookup
! Reserve memory for critical notifications, protect the IOS image from deletion via the CLI
! ('secure boot-config' does the same for a config archive), allow up to 10 warm reloads
memory reserve critical 16000
secure boot-image
warm-reboot count 10
! Log every configuration change with keys hidden and archive the config on each write
archive
 log config
  logging enable
  logging size 1000
  hidekeys
 path flash:/ARCHIVE/config
 write-memory
! No HTTP(S) management and no CDP
no ip http server
no ip http secure-server
no cdp run
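The 'service password-encryption' line above only applies the type-7 obfuscation to passwords stored in the clear; it hides them from someone reading over your shoulder, nothing more. The following Python script is an added example (not part of the original template) that implements that scheme, which is widely documented and uses the fixed key shown, so you can confirm for yourself which lines of a config are actually protected. The config excerpt in it is constructed; only 'secret 5' entries are real hashes and are never touched.

```python
"""Cisco type-7 obfuscation as applied by 'service password-encryption'.

Added example, not part of the original template. TYPE7_KEY is the fixed,
publicly known key IOS uses; the sample config below is constructed.
"""
import random
import re
from typing import List, Optional, Tuple

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: Optional[int] = None) -> str:
    """Return the type-7 form: two decimal digits of seed (0-15) selecting the
    starting offset into TYPE7_KEY, then each plaintext byte XORed with the
    next key byte, written as two uppercase hex digits."""
    if seed is None:
        seed = random.randrange(16)
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Invert type7_encode; no secret is involved, only the fixed key."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded.isalnum():
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    if seed > 15:
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body)).decode()


# 'password 7 <hex>' (username/line/enable passwords) and the NTP key form
# 'md5 <hex> 7' used on this page; 'secret 5' lines are real hashes and never match.
_PASSWORD_7 = re.compile(r"\bpassword 7 ([0-9A-F]{4,})\b")
_NTP_KEY_7 = re.compile(r"\bmd5 ([0-9A-F]{4,}) 7\b")


def find_type7(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type-7 string in a config."""
    found: List[Tuple[str, str]] = []
    for line in config_text.splitlines():
        line = line.strip()
        match = _PASSWORD_7.search(line) or _NTP_KEY_7.search(line)
        if match:
            found.append((line, type7_decode(match.group(1))))
    return found


# Constructed config excerpt: one type-7 user password, one hashed secret, one NTP key.
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "username user privilege 1 password 7 0822455D0A16",
    "enable secret 5 $1$saltsalt$constructedhashvalue000000",
    f"ntp authentication-key 1 md5 {type7_encode('ntp-shared-key', seed=11)} 7",
])

if __name__ == "__main__":
    for line, plaintext in find_type7(SAMPLE_CONFIG):
        print(f"{line!r:60} -> {plaintext!r}")
```

Running it prints the user password and the NTP key in the clear while the 'enable secret 5' line is left alone, which is the whole point: every 'password 7' line in a running config, and the NTP key string on this page, should be treated as plaintext when the config is stored, backed up or mailed around.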


Lines

! Console: idle sessions are closed after 60 minutes; 'transport preferred none' stops the
! router from treating a mistyped command as a hostname to telnet to
line con 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none
! Aux: same settings; if nothing is attached to the port, 'no exec' and 'transport input none'
! close it completely
line aux 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none
! All vty lines (replace n with the last line number) refuse inbound connections, so the router
! is managed from the console only; opening SSH later means 'transport input ssh' together with
! an 'access-class' ACL and 'ip ssh version 2'
line vty 0 n
 no exec
 transport input none
 transport output none


Interfaces

! Null0 is the black-hole target; never answer traffic routed there with ICMP unreachables
interface Null0
 no ip unreachables
! Loopback0 is the source address for syslog and NTP
interface Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
! Repeat on every physical interface: no ICMP redirects, no proxy ARP, no DEC MOP, no CDP
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no mop enabled
 no cdp enable

NTP

! Authenticated NTP only: <MD5> here is the shared key string (stored type 7), not a hash
ntp authentication-key 1 md5 <MD5> 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
! Keep the hardware calendar in sync so timestamps are right immediately after a reload
ntp update-calendar
ntp server x.x.x.x key 1
ntp server y.y.y.y key 1


Basic CPPr for DoS protection

Valid for 12.4.15T; the syntax will change in the 12.4.16T release.

Control Plane Protection (CPPr) splits the control plane into three sub-interfaces, each with its own input policy: host (packets addressed to the router itself), transit (forwarded packets that are still punted to the CPU) and cef-exception (ARP, non-IP and other packets CEF cannot switch). Two things to keep in mind before applying it: the host policy ends with an unconditional drop, so any service added later (SNMP, RADIUS or TACACS+, another routing protocol) needs its own class above CPPR_HOST_IP, and the ssh match in CPPR_HOST_NORMAL only matters once the vty lines above are opened for SSH. Watch the counters with 'show policy-map control-plane' after applying it and adjust the rates to the traffic the router actually sees.

! Host sub-interface: traffic addressed to the router itself. BGP passes unpoliced,
! ICMP and management protocols are rate-limited, everything else is dropped.
class-map match-any CPPR_HOST_CRITICAL
 match protocol bgp
class-map match-any CPPR_HOST_ICMP
 match protocol icmp
class-map match-any CPPR_HOST_NORMAL
 match protocol ntp
 match protocol ssh
 match protocol sntp
class-map match-any CPPR_HOST_IP
 match protocol ip
! Transit sub-interface: forwarded traffic that is still punted to the CPU.
class-map match-any CPPR_TRANSIT_CRITICAL
 match protocol ospf
 match protocol bgp
class-map match-any CPPR_TRANSIT_IP
 match protocol ip
! CEF-exception sub-interface: ARP, non-IP and other packets CEF cannot switch.
class-map match-any CPPR_CEF-EXCEPTION_CRITICAL
 match protocol arp
class-map match-any CPPR_CEF-EXCEPTION_IP
 match protocol ip


! Classes without an action are forwarded without limit; 'police' rates are in bits per second
! (default conform-action transmit, exceed-action drop).
policy-map CPPR_HOST
 class CPPR_HOST_CRITICAL
 class CPPR_HOST_ICMP
   police 128000
 class CPPR_HOST_NORMAL
   police 512000
 class CPPR_HOST_IP
   drop
policy-map CPPR_TRANSIT
 class CPPR_TRANSIT_CRITICAL
 class CPPR_TRANSIT_IP
   police 512000
policy-map CPPR_CEF-EXCEPTION
 class CPPR_CEF-EXCEPTION_CRITICAL
 class CPPR_CEF-EXCEPTION_IP
   police 512000
! Attach one policy per control-plane sub-interface
control-plane host
 service-policy input CPPR_HOST
control-plane transit
 service-policy input CPPR_TRANSIT
control-plane cef-exception
 service-policy input CPPR_CEF-EXCEPTION
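A template is only useful if the routers actually carry it. The script below is an added example (not part of the original template) that parses a 'show running-config' dump into command paths using IOS indentation and reports which template lines are missing and which lines the template forbids. The rule lists cover only a selection of the lines above and the running-config excerpt is constructed; both are meant to be extended to the rest of the template.

```python
"""Check a 'show running-config' dump against the hardening template on this page.

Added example, not part of the original template. RULES and the sample config
below are constructed for the demo; extend them to cover the rest of the template.
"""
import re
from typing import Dict, List, Tuple

Path = Tuple[str, ...]  # a command plus the block(s) it sits in, e.g. ('line con 0', 'exec-timeout 60 0')


def parse_ios_config(text: str) -> List[Path]:
    """Recover the block structure of an IOS config from indentation.

    A line indented deeper than the previous one is its child, so
    'archive' / ' log config' / '  hidekeys' becomes ('archive', 'log config', 'hidekeys').
    '!' comments and blank lines are skipped.
    """
    paths: List[Path] = []
    stack: List[Tuple[int, str]] = []  # (indent, command) of the enclosing blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, raw.strip()))
        paths.append(tuple(cmd for _, cmd in stack))
    return paths


# Each rule is a path of regular expressions that must fully match a config path.
REQUIRED: List[Path] = [
    ("service password-encryption",),
    ("aaa new-model",),
    ("no ip source-route",),
    ("no ip http server",),
    ("no cdp run",),
    ("archive", "log config", "hidekeys"),
    ("line con 0", "transport preferred none"),
    (r"line vty \d+ \d+", "transport input none"),
    ("control-plane host", r"service-policy input \S+"),
]
FORBIDDEN: List[Path] = [
    ("ip http server",),
    (r"line (vty|aux) .*", r"transport input (all|telnet|telnet ssh|ssh telnet)"),
    (r"username \S+ .*password .*",),  # reversible type 7 / plaintext instead of 'secret'
]
# Every interface except Null0 must carry these lines.
PER_INTERFACE = ["no ip redirects", "no ip proxy-arp"]


def _matches(path: Path, rule: Path) -> bool:
    return len(path) == len(rule) and all(re.fullmatch(r, p) for r, p in zip(rule, path))


def audit(config_text: str) -> Dict[str, List[str]]:
    """Return the template lines that are missing and the lines that must not be present."""
    paths = parse_ios_config(config_text)
    present = set(paths)
    report: Dict[str, List[str]] = {"missing": [], "forbidden": []}
    for rule in REQUIRED:
        if not any(_matches(p, rule) for p in paths):
            report["missing"].append(" / ".join(rule))
    for rule in FORBIDDEN:
        report["forbidden"].extend(" / ".join(p) for p in paths if _matches(p, rule))
    for p in paths:
        if len(p) == 1 and p[0].startswith("interface ") and p[0] != "interface Null0":
            report["missing"].extend(f"{p[0]} / {w}" for w in PER_INTERFACE if (p[0], w) not in present)
    return report


# Constructed running-config excerpt: partly hardened, with several deliberate gaps.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
aaa new-model
username admin privilege 15 secret 5 $1$saltsalt$constructedhashvalue000000
username bob privilege 1 password 7 0822455D0A16
no ip source-route
ip http server
archive
 log config
  logging enable
 path flash:/ARCHIVE/config
interface Null0
 no ip unreachables
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
interface FastEthernet0/1
 no ip redirects
line con 0
 transport preferred none
line vty 0 4
 transport input telnet
control-plane host
 service-policy input CPPR_HOST
"""

if __name__ == "__main__":
    for kind, lines in audit(SAMPLE_RUNNING_CONFIG).items():
        for line in lines:
            print(f"{kind}: {line}")
```

Feed it the output of 'show running-config' (or the archived copies written by the archive block above) instead of the constructed excerpt; lines that IOS does not display because they are the default need a rule of their own, which is why the check for proxy ARP looks for the explicit 'no ip proxy-arp' on every interface.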