hostname <host>
ip domain-name <domain.tld>
crypto key generate rsa modulus 2048
!
ip ssh time-out 60
ip ssh version 2
ip ssh authentication-retries 3
!
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
ip icmp rate-limit unreachable DF 2000
!
no ip http server
no ip http secure-server
There's a lot more to do. You should also look into autosecure as well as the "Router Security Strategies" book. Plus all the config for AAA, VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc. The Cymru Secure IOS Template is worth looking at too.
http://www.cymru.com/Documents/secure-ios-template.html

Justin Joseph Jackson wrote:
> After reading this message it brought to mind the default steps I take
> whenever a new router is configured for our network. Here's the list of the
> stuff I do which I got from the hardening cisco routers book. What do you
> guys think? Should there be anything else? I also try to run ssh on any
> router that can support it.
>
> GLOBAL CONFIG
>
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps
>
> END GLOBAL CONFIG
>
>
> Per Interface Config
>
> no ip redirects
> no ip proxy-arp
> no ip unreachables
> no ip directed-broadcast
> no ip mask-reply
> ip cef
>
> END Per Interface Config
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:cisco-nsp-
>> [EMAIL PROTECTED] On Behalf Of Eric Cables
>> Sent: Friday, March 21, 2008 2:13 PM
>> To: [email protected]
>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>
>> A recent network audit has discovered that Proxy ARP is enabled on pretty
>> much every L3 interface in the network. As a Cisco default, this isn't
>> surprising, since no template configs have it disabled.
>>
>> The question is: whether or not I should go back and disable it, or just
>> leave it be, since it doesn't appear to be causing any problems.
>>
>> Any feedback would be appreciated.
>>
>> --
>> Eric Cables
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
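As an added example, not code from anyone in this thread: a small Python audit that reads a saved "show running-config" and checks it against the checklist in Justin's message. It reports which global lines are absent and, for each interface that is up and has an address, which "no ..." lines are missing; since IOS enables proxy ARP, redirects, unreachables and mask-reply by default, a missing line means the feature is still on, which is exactly what Eric's audit turned up. The sample config below is constructed for the example.

```python
# Checklist from Justin's message, as constructed data; global commands must appear verbatim.
GLOBAL_REQUIRED = ("no service pad", "no service udp-small-servers", "no service tcp-small-servers",
                   "service password-encryption", "service tcp-keepalives-in", "service tcp-keepalives-out",
                   "no cdp run", "no ip bootp server", "no ip http server", "no ip source-route",
                   "no ip gratuitous-arps", "ip ssh version 2")
# IOS enables these per-interface features by default, so a missing "no ..." line means the
# feature is still on (directed-broadcast is left out: it is off by default on current IOS).
INTERFACE_REQUIRED = ("no ip redirects", "no ip proxy-arp", "no ip unreachables", "no ip mask-reply")

def parse_config(text):
    """Split IOS config text into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.startswith("!"):  # "!" ends a block in show run output
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:  # indented = sub-command
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return missing global commands and, per live L3 interface, missing hardening lines."""
    global_lines, interfaces = parse_config(text)
    # Only interfaces that are up and carry an IP address expose these L3 defaults.
    live = {n: s for n, s in interfaces.items()
            if "shutdown" not in s and any(x.startswith("ip address ") for x in s)}
    return {"global": [c for c in GLOBAL_REQUIRED if c not in global_lines],
            "interfaces": {n: [c for c in INTERFACE_REQUIRED if c not in s]
                           for n, s in live.items() if set(INTERFACE_REQUIRED) - set(s)}}

# Constructed sample running-config (RFC 5737 addresses), not taken from the thread.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
ip ssh version 2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""
```

Run audit() over the text of a real "show running-config" to get the same report for a production router; the checklist tuples are the place to add the AAA, NTP and logging lines mentioned above.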
