Here is the my router configuration template modified from Team Cymru’s.
!Without service nagle on a Cisco router, each character in a Telnet session is a separate CPU interrupt. Hence, a command such as show tech will force a large number of CPU interrupts, impacting the performance of the router.
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
!
! Show copious timestamps in our logs
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
! Ensures all passwords and secrets are obfuscated when showing configuration
service password-encryption
no service dhcp
no ip bootp server
!
hostname xxxxx
!
boot system flash:c2900-universalk9-mz.SPA.151-4.M.bin
logging buffered 16384 debugging
no logging console
!’secret’ ensures MD5 is used when ‘service password encryption’ is used.
enable secret xxxxx
no enable password
!
! Use TACACS+ for AAA.
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 10.2.2.2
tacacs-server key xxxxx
!
ip dhcp bootp ignore
! In the event that TACACS+ fails, use case-sensitve local authentication.
username radmin1 secret 0 1q2w3e4r!
! localit user only can show running configuration
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! localadmin user can do more troubleshooting and run ‘show config’
username localadmin privilege 7 secret Cisco1234
!
privilege exec level 7 show config
! Logging and archive the commands and changes
archive
log config
logging enable
logging size 500
notify syslog
hidekeys
path flash:backup-
write-memory
maximum 8
!
! Ensure TCL doesn’t use an initilizaion file where available.
no scripting tcl init
no scripting tcl encdir
!
! Enable the netflow top talkers feature.You can see the top N talkers (50 in this example) with the show ip flow top-talkers command. This is a handy ! utility to use during DDoS attacks and traffic issues. You can sort-by either packets or bytes, as you prefer.
ip flow-top-talkers
top 50
sort-by packets
!
! Don’t run the HTTP server.
no ip http server
no ip http secure-server
!
! Allow us to use the low subnet and go classless
ip subnet-zero
ip classless
!
! Disable noxious services
no service pad
no ip source-route
no ip finger
no ip bootp server
no ip domain-lookup
!
! Block brute force login attempts while maintaining access for legitimate source addresses.
login block-for 100 attempts 15 within 100
login quiet-mode access-class 100
login on-failure log
login on-success log
!
! Catch crash dumps; very important with a “security router.”
ip ftp username rooter
ip ftp password <PASSWORD>
! Give our core dump files a unique name.
exception core-file secure-router01-core
exception protocol ftp
exception dump 10.2.2.3
!
! Fire up CEF for both performance and security.
ip cef
!
ntp authentication-key 6767 md5 <SECRETKEY>
ntp authenticate
ntp update-calendar
ntp server 10.3.3.3
!
! Configure the loopback0 interface as the source of our log messages.
int loopback0
ip address 10.10.10.10 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
! Configure null0 as a place to send naughty packets.
interface null0
no ip unreachables
!
interface Ethernet2/0
description Unprotected interface, facing towards Internet
ip address 199.116.2.14 255.255.255.240
! Do we run CEF verify? Yes if the data path is symmetric. No if the data path is asymmetric.
ip verify unicast reverse-path
! Apply our template ACL
ip access-group 2010 in
! Allow UDP to occupy no more than 2 Mb/s of the pipe.
rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
! Allow ICMP to occupy no more than 500 Kb/s of the pipe.
rate-limit input access-group 160 500000 62500 62500 conform-action transmit exceed-action drop
! Allow multicast to occupy no more than 5 Mb/s of the pipe.
rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
! Don’t send redirects.
no ip redirects
! Don’t send unreachable. NOTE WELL that this may break PMTU discovery. For example, if this router is edge for a VPN of any sort, you might need to enable ip unreachable. A typical symptom is ping working but a larger transmission doesn’t.
no ip unreachables
! Don’t propogate smurf attacks.
no ip directed-broadcast
! Don’t pretend to be something you’re not.
no ip proxy-arp
! Do not reveal our netmask
no ip mask-reply
! Log all naughty business.
ip accounting access-violations
! If you allow multicast in your network or participate in the
! MBONE, the following multicast filtering steps will help to
! ensure a secure multicast environment. These must be applied
! per interface.
ip multicast boundary 30
!
! Keep flow data for analysis. If possible, export it to a cflowd server.
ip route-cache flow
! When you configure anything to do with ntp on an IOS box, it will start listening on all interfaces. It is therefore a good idea that interfaces with public addresses have ntp disabled and therefore don’t show a socket, unless that is what the interface is intended to do.
ntp disable
! Disable Maintenance Operations Protocol on all interfaces
no mop enable
!
interface Ethernet2/1
description Protected interface, facing towards DMZ
ip address 172.16.2.10 255.255.255.240
ip verify unicast reverse-path
! If we are using RPF, comment out the ACL below.
ip access-group 115 in
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ip accounting access-violations
ip multicast boundary 30
no ip mask-reply
ip route-cache flow
no mop enable
!
! Default route to the Internet (could be a routing protocol instead)
ip route 0.0.0.0 0.0.0.0 199.116.2.1
! Route to network on the other side of the firewall
ip route 10.0.0.0 255.0.0.0 172.16.2.1
! Black hole routes. Do not combine this with TCP Intercept; in fact, don’t use TCP Intercept at all.
!
! Bogons
! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are applied and never re-visited, despite our dire warnings that bogons do change.
!
! This doesn’t mean bogon filtering can’t be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
!
! https://www.team-cymru.org/Services/Bogons/
!
! Export our NetFlow data to our NetFlow server, 192.0.2.34. NetFlow
! provides some statistics that can be of use when tracing the true
! source of a spoofed attack.
ip flow-export source loopback0
ip flow-export destination 192.0.2.34 2055
ip flow-export version 5 origin-as
!
! Log anything interesting to the loghost. Capture all of
! the logging output with FACILITY LOCAL5.
logging trap debugging
logging facility local5
logging source-interface loopback0
logging 10.2.2.3
!
! With the ACLs, it is important to log the naughty folks.
! Thus, the implicit drop all ACL is replaced (augmented,
! actually) with an explicit drop all that logs the attempt.
! You may wish to keep a second list (e.g. 2011) that does not
! log. During an attack, the additional logging can impact the
! performance of the router. Simply copy and paste access-list 2010,
! remove the log-input keyword, and name it access-list 2011. Then
! when an attack rages, you can replace access-list 2010 on the
! Internet-facing interface with access-list 2011.
!
! Block SNMP access to all but the loghost
access-list 20 remark SNMP ACL
access-list 20 permit 192.0.2.34
access-list 20 deny any log
!
! Multicast – filter out obviously naughty or needless traffic
access-list 30 remark Multicast filtering ACL
!Link local
access-list 30 deny 224.0.0.0 0.0.0.255 log
! Locally scoped
access-list 30 deny 239.0.0.0 0.255.255.255 log
! sgi-dogfight
access-list 30 deny host 224.0.1.2 log
! rwhod
access-list 30 deny host 224.0.1.3 log
! ms-srvloc
access-list 30 deny host 224.0.1.22 log
! ms-ds
access-list 30 deny host 224.0.1.24 log
! ms-servloc-da
access-list 30 deny host 224.0.1.35 log
! hp-device-disc
access-list 30 deny host 224.0.1.60 log
! Permit all other multicast traffic
access-list 30 permit 224.0.0.0 15.255.255.255 log
!
! Block access to all but the loghost and the firewall, and log any
! denied access attempts. This also serves to create an audit trail
! of all access to the router. Extended ACLs are used to log some
! additional data.
access-list 100 remark VTY Access ACL
access-list 100 permit tcp host 192.0.2.34 host 0.0.0.0 range 22 23 log-input
access-list 100 permit tcp host 192.0.2.30 host 0.0.0.0 range 22 23 log-input
access-list 100 deny ip any any log-input
!
! Leave one VTY safe for access, just in case. The host
! 192.0.2.40 is a secure host in the NOC. If all the VTYs are
! occupied, this leaves one VTY available.
access-list 105 remark VTY Access ACL
access-list 105 permit tcp host 192.0.2.40 host 0.0.0.0 range 22 23 log-input
access-list 105 deny ip any any log-input
!
! Configure an ACL that prevents spoofing from within our network.
! This ACL assumes that we need to access the Internet only from the
! 192.0.2.32/27 network. If you have additional networks behind
! 192.0.2.32/27, then add them into this ACL.
access-list 115 remark Anti-spoofing ACL
! First, allow our intranet to access the Internet.
access-list 115 permit ip 192.0.2.32 0.0.0.31 any
! Second, allow our firewall to access the Internet. This is useful
! for testing.
access-list 115 permit ip host 192.0.2.30 any
! Now log all other such attempts.
access-list 115 deny ip any any log-input
!
! Rate limit (CAR) ACLs for UDP, ICMP, and multicast.
access-list 150 remark CAR-UDP ACL
access-list 150 permit udp any any
access-list 160 remark CAR-ICMP ACL
access-list 160 permit icmp any any
access-list 170 remark CAR-Multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
!
! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.
access-list 2010 remark Anti-bogon ACL
! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
! access-list 2010 deny ip 192.0.2.16 0.0.0.15 any log-input
! access-list 2010 deny ip 192.0.2.32 0.0.0.31 any log-input
!
! Bogons
! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are
! applied and never re-visited, despite our dire warnings that bogons do
! change.
!
! This doesn’t mean bogon filtering can’t be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
!
! https://www.team-cymru.org/Services/Bogons/
!
! Drop all ICMP fragments
access-list 2010 deny icmp any any fragments log-input
! Allow IP access to the intranet (firewall filters specific ports)
access-list 2010 permit ip any 192.0.2.32 0.0.0.31
! Allow multicast to enter. See also access-list 30 for more
! specific multicast rules.
access-list 2010 permit ip any 224.0.0.0 15.255.255.255
! Our explicit (read: logged) drop all rule
access-list 2010 deny ip any any log-input
!
! Do not share CDP information, which contains key bits about our
! configuration, etc. This command disabled CDP globally. If you
! require CDP on an interface, use cdp run and disable cdp
! (no cdp enable) on the Internet-facing interface.
no cdp run
! SNMP is VERY important, particularly with MRTG.
! Treat the COMMUNITY string as a password – keep it difficult to guess.
! For SNMP versions 1-2
snmp-server community <COMMUNITY> RO 20
!
! Introduce ourselves with an appropriately stern banner.
banner motd %
Access to this device or the attached
networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil
and criminal law.
%
!
line con 0
exec-timeout 5 0
transport input none
login authentication CONAUTH
line aux 0
exec-timeout 5 0
line vty 0 3
access-class 100 in
exec-timeout 5 0
! Enable SSH connectivity.
! Obviously, you must have an IOS image that supports SSH, and don’t
! forget to generate the key with crypto key generate rsa.
! To enable SSH access to the device, you additionally require a domain
! name to be set via “ip domian name x” before generating RSA keys
ip domain-name Test.com
! Disable SSHv1
ip ssh version 2
transport input ssh
line vty 4
access-class 105 in
exec-timeout 5 0
login authentication VTYAUTH
transport input ssh
!
! End of the configuration.
end
Reference:
- Cisco Guide to Harden Cisco IOS Devices
- Secure IOS Template Version 6.5 19 MAY 2014
- Hardening Cisco Routers
- Team CYMRU
nice, thorough and useful
thanks!