
Sample basic router configuration: security hardening

Solution
service password-encryption
enable secret <password>
no enable password
banner login # stuff to show before login and #



ip subnet-zero
no ip domain-lookup
no service finger
no ip bootp server
no ip http server
no sftp-server
no ip identd
no ip source-route

interface
ip address <ip address> <netmask>
description Inside Interface to DMZ
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no cdp enable
no ip mask-reply
ip access-group inbound-filter out
ip access-group outbound-filter in

no ip directed-broadcast
ip accounting access-violations

interface
ip address <ip address> <netmask>
description Outside Interface to Internet
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no cdp enable
no ip mask-reply
ip access-group inbound-filter in
ip access-group outbound-filter out
no ip directed-broadcast
ip accounting access-violations

ip classless

no cdp run

ip route 0.0.0.0 0.0.0.0 <next hop router>


banner login #
write stuff until next #

logging buffered 32768 informational
no logging console
logging trap debugging
logging facility local7
logging <syslog server ip address>

access-list 90 permit <snmp host> log
access-list 90 deny any log
access-list 99 permit <host ip>
access-list 99 deny any log

ip access-list extended inbound-filter
deny ip <local networks> <local networks wildcard> any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip host 0.0.0.0 any log

permit icmp any <local networks> <local networks wildcard> packet-too-big
permit icmp any <local networks> <local networks wildcard> echo-reply
permit icmp any <local networks> <local networks wildcard> echo
permit icmp any <local networks> <local networks wildcard> ttl-exceeded
deny icmp any any
permit ip any <local networks> <local networks wildcard>
deny udp any range 1 65535 any log
deny tcp any range 1 65535 any log
deny ip any any log

ip access-list extended outbound-filter
permit icmp <local networks> <local networks wildcard> any packet-too-big
permit icmp <local networks> <local networks wildcard> any echo
permit icmp <local networks> <local networks wildcard> any echo-reply
permit icmp <local networks> <local networks wildcard> any ttl-exceeded
deny udp any range 1 65535 any log
deny tcp any range 1 65535 any log
deny ip any any log
access-list 120 permit tcp any <screened subnet> <screened subnet wildcard>


ip tcp intercept list 120
ip tcp intercept connection-timeout 60
ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1500
ip tcp intercept one-minute high 6000


snmp-server community <string> RO 90
snmp-server trap-authentication
snmp-server host <snmp ip> <authentication string>


line con 0
transport input none
line aux 0
no exec
exec-timeout 0 10
transport input none


line vty 0 4
access-class 99 in
exec-timeout 15 0
password <choose a password>
login
transport input telnet ssh


ntp server <server ip address> key <key number>
ntp authenticate
ntp authentication-key <key number> md5 <string>
ntp trusted-key <key number>
ntp update-calendar

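As an added illustration (not part of the knowledgebase article), the Python below evaluates a source/destination pair against the `ip` entries of the inbound-filter above using Cisco wildcard-mask semantics, so the anti-spoofing list can be checked before it is applied; `<local networks>` is assumed to be 198.51.100.0/24 and the ICMP/TCP/UDP entries are left out.

```python
"""Check the inbound-filter anti-spoofing entries with Cisco wildcard masks.

Added example, not from the article. The 'ip' entries are copied from the
inbound-filter above with <local networks> assumed to be 198.51.100.0/24.
"""
import ipaddress

# Constructed ACL text (the page's 'ip' entries, placeholders filled in).
INBOUND_FILTER = """
deny ip 198.51.100.0 0.0.0.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip host 255.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip 240.0.0.0 7.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.255.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip host 0.0.0.0 any log
permit ip any 198.51.100.0 0.0.0.255
deny ip any any log
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_endpoint(tokens):
    """Parse one address field; return (base, wildcard, tokens consumed)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", 1
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", 2
    return tokens[0], tokens[1], 2


def evaluate(acl_text: str, src: str, dst: str) -> str:
    """First-match evaluation of the 'ip' entries; implicit deny at the end."""
    for line in acl_text.strip().splitlines():
        action, proto, rest = line.split()[0], line.split()[1], line.split()[2:]
        if proto != "ip":
            continue  # only 'ip' entries are modelled here
        sbase, swc, n = parse_endpoint(rest)
        dbase, dwc, _ = parse_endpoint(rest[n:])
        if wildcard_match(src, sbase, swc) and wildcard_match(dst, dbase, dwc):
            return action
    return "deny"
```

The matcher also shows why the RFC 1918 entry needs the wildcard 0.15.255.255 and not 0.115.255.255: with the latter, 172.0.0.0 addresses would match the entry as well as 172.16.0.0 through 172.31.255.255.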
Related articles: SIP Security Recommendations
Article details
Article ID: 72
Category: CISCO IOS Notes