What is a good router configuration for an 831 with enhanced security? I want to secure all of the interfaces and login access methods, and deny TACACS/RADIUS/etc. authentication, CDP, etc.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Hudson
boot-start-marker
boot-end-marker
memory-size iomem 5
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 64000 debugging
logging rate-limit console 5
logging console warnings
as well as...
no ip source-route
ip tcp synwait-time 10
ip cef
ip domain name local
no ip bootp server
ip inspect udp idle-time 3600
ip inspect dns-timeout 60
ip inspect tcp synwait-time 60
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name ipv4-FireWall tcp
ip inspect name ipv4-FireWall udp
ip inspect name ipv4-FireWall ftp
ip inspect name ipv4-FireWall h323
ip inspect name ipv4-FireWall skinny
ip inspect name ipv4-FireWall icmp
ip inspect name ipv4-FireWall fragment maximum 256 timeout 1
ip inspect name ipv4-FireWall realaudio
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 300 attempts 1 within 300
login delay 1
login quiet-mode access-class ssh-clients
login on-failure log
login on-success log
no ftp-server write-enable
interface Null0
 no ip unreachables
for your ethernet interface...
interface Ethernet0
 description Connected to Local Network
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect ipv4-FireWall in
 ip inspect ipv4-FireWall out
 ip virtual-reassembly
 ip route-cache flow
 priority-group 1
 no cdp enable
here's a partial for the Dialer interface, if you use DSL (if not, it's for your outbound WAN interface)...
interface Dialer1
 description Connected to ADSL Circuit
 ip address negotiated
 ! the list name here must match a defined ACL; an undefined name applies no filtering
 ip access-group ipv4-inet-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
you always need these...
ip http server
ip http authentication local
no ip http secure-server
I have "no ip http server" in mine.
And here are some named ACLs...
ip access-list extended ipv4-inet-in
 ! renamed from "ipv4" so the name matches the ip access-group applied on Dialer1
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq 22 log
 permit tcp any any eq smtp
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit 41 any any
 deny ip any any log
ip access-list extended ssh-clients
 permit tcp 192.168.0.0 0.0.255.255 any eq 22 log
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
 ! entries are evaluated in order, so the deny must come last; placed before the
 ! 10.0.0.0/8 permit, "deny tcp any any eq 22" would shadow it and that permit would never match
 deny tcp any any eq 22 log
logging trap debugging
and for the lines...
no cdp run
control-plane
banner login ^CGo Away.^C
line con 0
 exec-timeout 300 0
 password XXXXX
 login
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 login local
 transport output telnet
 stopbits 1
line vty 0 4
 session-timeout 15 output
 ! access-list 10 is not included in this post; until it is defined this access-class filters nothing
 access-class 10 in
 exec-timeout 300 0
 password XXXXX
 login
 transport input telnet ssh
no scheduler max-task-time
scheduler interval 500
I have nothing set on the AUX because I have nothing plugged into it. For "logging trap debugging", that's for SNMP, which I think is not the best idea to run on a Cisco device. AAA configuration and debug commands do all the things SNMP does. I have already given you too much free info. Have fun.
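Two things in the posted config are easy to miss when copying it: the ACL names bound with access-group/access-class that are never defined (IOS then applies no filtering), and the ssh-clients entry that sits below a broader deny and can never match. The following audit script is an added example, not code from the thread; it assumes a simplified coverage model (an entry is covered only by an earlier entry whose protocol, addresses and qualifier are identical or "any"/"ip"/blank, with no wildcard-mask containment) and runs over a constructed excerpt of the thread's config embedded inline.

```python
import re
# Constructed excerpt of the thread's config: the ACL bound on Dialer1 and the vty
# access-class are never defined, and the 10.0.0.0/8 SSH permit sits below a broader deny.
SAMPLE_CONFIG = """
interface Dialer1
 ip access-group ipv4-inet-in in
ip access-list extended ipv4
 permit icmp any any echo-reply
 permit tcp any any eq 22 log
 deny ip any any log
ip access-list extended ssh-clients
 permit tcp 192.168.0.0 0.0.255.255 any eq 22 log
 deny tcp any any eq 22 log
 permit tcp 10.0.0.0 0.255.255.255 any eq 22 log
line vty 0 4
 access-class 10 in
"""
ACE_RE = re.compile(r"(permit|deny) (\S+) (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(.*)")

def parse_acls(config):
    """Map ACL name -> ordered list of (action, proto, src, dst, qualifier)."""
    acls, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        head = re.match(r"(?:ip )?access-list (?:extended |standard )?(\S+)", line)
        if head:                                  # named or numbered ACL definition
            cur = head.group(1)
            acls.setdefault(cur, [])
        elif cur and (ace := ACE_RE.match(line)):
            *fields, tail = ace.groups()          # "log" changes logging, not matching
            acls[cur].append((*fields, tail.replace(" log", "").strip()))
        elif not line.startswith(("remark", "permit", "deny")):
            cur = None                            # any other command ends the ACL block
    return acls

def undefined_acl_refs(config):
    """Names used by access-group/access-class but never defined; IOS then filters nothing."""
    refs = set(re.findall(r"access-(?:group|class) (\S+)", config))
    return sorted(refs - set(parse_acls(config)))

def covers(earlier, later):
    """True when every packet 'later' could match is already matched by 'earlier'."""
    _, p1, s1, d1, q1 = earlier
    _, p2, s2, d2, q2 = later
    return p1 in ("ip", p2) and s1 in ("any", s2) and d1 in ("any", d2) and q1 in ("", q2)

def shadowed_entries(config):
    """[(acl, index, entry)] for entries an earlier entry in the same list fully covers."""
    return [(name, i, ace) for name, aces in parse_acls(config).items()
            for i, ace in enumerate(aces) if any(covers(p, ace) for p in aces[:i])]
```

Running `undefined_acl_refs(SAMPLE_CONFIG)` reports `10` and `ipv4-inet-in`, and `shadowed_entries(SAMPLE_CONFIG)` reports the third ssh-clients entry.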