Hi,

On Sun, Mar 23, 2008 at 08:29:59PM -0700, Joseph Jackson wrote:
>
> After reading this message it brought to mind the default steps I take
> whenever a new router is configured for our network. Here's the list of the
> stuff I do which I got from the Hardening Cisco Routers book. What do you
> guys think? Should there be anything else? I also try to run ssh on any
> router that can support it.
>
> GLOBAL CONFIG
>
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps
Some other candidates to add here (may depend on platform/image and only to
be applied after careful reconsideration ;-):

no service config
no ip http-secure
no service dhcp
no boot network
no boot host
no mop enabled
no ip host-routing

As for the interface stuff...

> Per Interface Config
>
> no ip redirects
> no ip unreachables

Personally, I don't like those two. What's wrong about a router _sending_
icmp redirects or (even more important/useful) icmp unreachables? Keep in
mind those commands are not about accepting those (but, as said: sending
them).

And, depending on the environment (e.g. in some IXs this can be found), you
might want to add this one:

no keepalive

Be aware this can lead to serious problems (e.g. on Gig-Ifs) when applied
inappropriately ;-))

thanks,

Enno

--
Enno Rey

Check out www.troopers08.org!

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey

_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
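An added example, not part of the thread above and not code from either poster: a small Python audit that checks a saved `show running-config` against the global and per-interface items from Joseph's checklist. It reports each item as explicitly hardened, explicitly weak (the inverse command is present), or unset. The "unset" state exists because IOS omits settings that are at their image default, so a missing `no service tcp-small-servers` may already be off on a current image while `ip http server` may be on; the audit cannot know the defaults for a given platform and says so rather than guessing. The two interface commands Enno objects to are still reported, because whether to send redirects/unreachables is a policy decision for the reader. The sample configuration is constructed for illustration; `audit`, `remediation` and the sample names are assumptions of this example.

```python
"""Audit a saved IOS running-config against the hardening checklist from the thread.

Constructed example: the config text, hostnames and addresses are made up.
Absence of a command is reported as 'unset', not 'weak', because IOS does not
print default settings and defaults differ per image/platform.
"""

# Global commands from Joseph's list.
GLOBAL_CHECKS = [
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no cdp run",
    "no ip bootp server",
    "no ip http server",
    "no ip finger",
    "no ip source-route",
    "no ip gratuitous-arps",
]

# Per-interface commands from the list; keep or drop per local policy.
INTERFACE_CHECKS = ["no ip redirects", "no ip unreachables"]

# Constructed sample of 'show running-config' output (assumption, not a real device).
SAMPLE_CONFIG = """\
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
no service password-encryption
!
hostname edge-rtr
!
ip http server
no ip source-route
no ip gratuitous-arps
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""


def inverse(cmd):
    """The command that explicitly sets the opposite state ('no X' <-> 'X')."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd


def parse_config(text):
    """Return (global_lines, {interface_name: [sub_commands]}).

    A '!' line or any non-indented line ends the current interface block;
    indented lines under other blocks (line vty, router ...) are ignored here.
    """
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def status(cmd, lines):
    """'hardened' if cmd is present, 'weak' if its inverse is, else 'unset'."""
    if cmd in lines:
        return "hardened"
    if inverse(cmd) in lines:
        return "weak"
    return "unset"


def audit(text):
    """Map every checklist item to its status, globally and per interface."""
    global_lines, interfaces = parse_config(text)
    return {
        "global": {c: status(c, global_lines) for c in GLOBAL_CHECKS},
        "interfaces": {
            name: {c: status(c, lines) for c in INTERFACE_CHECKS}
            for name, lines in interfaces.items()
        },
    }


def remediation(text, include_interfaces=True):
    """Config lines for every item not explicitly hardened.

    'unset' items are included on purpose: review them against the image
    defaults (and the thread's caveats) before pasting into a router.
    """
    result = audit(text)
    out = ["configure terminal"]
    out += [c for c, s in result["global"].items() if s != "hardened"]
    if include_interfaces:
        for name, checks in result["interfaces"].items():
            missing = [c for c, s in checks.items() if s != "hardened"]
            if missing:
                out.append("interface " + name)
                out += [" " + c for c in missing]
    out.append("end")
    return out


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for cmd, state in report["global"].items():
        print(f"{state:9} {cmd}")
    for name, checks in report["interfaces"].items():
        for cmd, state in checks.items():
            print(f"{state:9} {name}: {cmd}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Running it against the constructed sample flags `ip http server` and `no service password-encryption` as explicitly weak, the keepalive, source-route and gratuitous-arps lines as hardened, and everything else as unset; the remediation block touches only GigabitEthernet0/1, since GigabitEthernet0/0 already carries both interface commands. Feed it a real `show running-config` capture and treat the unset lines as questions for the platform documentation, not as findings.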
