Create time: 2003-04-03
Article attribute: original
Submitted by: Bluesun (Yangtonuang_AT_163.com)
A Simple Guide to Cisco Router Security Configuration
Author: blushin
Auditor: Amy
E-mail: yangtonguang@163.com
Version 1.0
Date: 2002-12-15
I. Router access control security configuration
1. Strictly control which administrators may access the router. Every maintenance action must be recorded in a log.
2. Remote access to the router is not recommended. If remote access is unavoidable, restrict it with an access control list and strong passwords.
3. Strictly control access to the CON (console) port. Specific measures:
A. Where the physical environment allows it, disconnect the physical line attached to the CON port.
B. Change the default connection properties, for example the baud rate (the default is 9600; change it to another value).
C. Use an access control list to control access to the CON port:
Router(config)# access-list 1 permit 192.168.0.1
Router(config)# line con 0
Router(config-line)# transport input none
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 1 in
Router(config-line)# end
D. Set a strong password on the CON port.
4. If the AUX port is not used, disable it. It is not enabled by default; to disable it explicitly:
Router(config)# line aux 0
Router(config-line)# transport input none
Router(config-line)# no exec
5. Use a privilege-level restriction strategy, for example:
Router(config)# username blushin privilege 10 password G00DPA55W0RD
Router(config)# privilege exec level 10 telnet
Router(config)# privilege exec level 10 show ip access-list
6. Set a strong password for entering privileged mode. Do not set it with the enable password command; use enable secret instead, and also enable service password-encryption.
7. Control access to the VTY lines. If remote access is not needed, disable it; if it is needed, set a strong password. Because VTY (Telnet) sessions are not encrypted while crossing the network, they must be strictly controlled: set a strong password; limit the number of concurrent connections; use an access list to strictly restrict the source addresses allowed to connect; AAA can also be used to control user access.
8. For IOS upgrades and backups, and for backups of the configuration file, FTP is recommended instead of TFTP. For example:
Router(config)# ip ftp username blushin
Router(config)# ip ftp password 4tppa55w0rd
Router# copy startup-config ftp:
9. Upgrade and patch the IOS software promptly.
II. Router network service security configuration
1. Disable CDP (Cisco Discovery Protocol). For example:
Router(config)# no cdp run
Router(config-if)# no cdp enable
2. Disable the other TCP and UDP small services.
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
3. Disable the finger service.
Router(config)# no ip finger
Router(config)# no service finger
4. Disabling the HTTP service is recommended.
Router(config)# no ip http server
If the HTTP service must be enabled, configure it securely: set a username and password, and restrict it with an access list. For example:
Router(config)# username blushin privilege 10 password G00DPA55W0RD
Router(config)# ip http authentication local
Router(config)# no access-list 10
Router(config)# access-list 10 permit 192.168.0.1
Router(config)# access-list 10 deny any
Router(config)# ip http access-class 10
Router(config)# ip http server
Router(config)# exit
5. Disable the BOOTP service.
Router(config)# no ip bootp server
Disable loading the startup configuration over the network (network boot and automatic download of the configuration file).
Router(config)# no boot network
Router(config)# no service config
6. Disable IP source routing.
Router(config)# no ip source-route
7. Disable proxy ARP if it is not needed; the router enables it by default.
Router(config)# no ip proxy-arp
Router(config-if)# no ip proxy-arp
8. Disable IP directed broadcasts.
Router(config-if)# no ip directed-broadcast
9. Disable IP classless routing.
Router(config)# no ip classless
10. Disable ICMP Unreachables, Redirects and Mask Replies on the interface.
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
11. Disabling SNMP is recommended. When disabling it, the default SNMP community configuration must be removed; if SNMP is kept, it must be filtered with an access list. For example:
Router(config)# no snmp-server community public ro
Router(config)# no snmp-server community admin rw
Router(config)# no access-list 70
Router(config)# access-list 70 deny any
Router(config)# snmp-server community morehardpublic ro 70
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-authentication
Router(config)# no snmp-server
Router(config)# end
12. Disable WINS and DNS name resolution if they are not needed.
Router(config)# no ip domain-lookup
If they are needed, configure:
Router(config)# hostname Router
Router(config)# ip name-server 202.102.134.96
13. Explicitly shut down interfaces that are not in use.
Router(config)# interface ethernet0/3
Router(config-if)# shutdown
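As an added illustration (not part of the original article), the following Python script checks a saved running-config against the items in sections I and II above. It assumes the input is the text of show running-config with IOS's one-space indentation of sub-commands; the sample configuration is constructed, not taken from a real device.

```python
# Hardening items from sections I and II, expressed as config-line checks (assumed 'show running-config' text).
REQUIRED_GLOBAL = ("enable secret", "service password-encryption", "no ip http server", "no cdp run",
                   "no ip source-route", "no ip finger", "no service finger", "no ip bootp server")
FORBIDDEN_GLOBAL = ("enable password", "snmp-server community public", "ip http server",
                    "service tcp-small-servers", "service udp-small-servers")
REQUIRED_IF = ("no ip redirects", "no ip unreachables", "no ip proxy-arp", "no ip directed-broadcast")
REQUIRED_VTY = ("transport input ssh", "access-class", "login local", "exec-timeout")

def parse_sections(text):
    # IOS indents sub-commands by one space; a non-indented line starts a new section.
    sections = []
    for line in (raw.rstrip() for raw in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections

def audit(text):
    """Return a list of findings; an empty list means every checked item is satisfied."""
    sections = parse_sections(text)
    headers = [hdr for hdr, _ in sections]  # plain global commands are sections without sub-commands
    findings = [f"missing global: {r}" for r in REQUIRED_GLOBAL
                if not any(h.startswith(r) for h in headers)]
    findings += [f"insecure global: {h}" for h in headers
                 if any(h.startswith(f) for f in FORBIDDEN_GLOBAL)]
    for hdr, subs in sections:
        if hdr.startswith("interface "):
            findings += [f"{hdr}: missing {r}" for r in REQUIRED_IF if r not in subs]
        elif hdr.startswith("line vty"):
            findings += [f"{hdr}: missing {r}" for r in REQUIRED_VTY
                         if not any(s.startswith(r) for s in subs)]
    return findings

# Constructed sample (not a real device) carrying several of the weaknesses the article warns about.
SAMPLE_CONFIG = """\
enable password cisco
snmp-server community public RO
ip http server
no cdp run
interface Ethernet0/1
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
line vty 0 4
 login
 transport input telnet
"""
```

Because "no ..." lines only appear in a running-config when a default has been changed, the required-line list has to be adjusted to the IOS release in use.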
III. Router routing protocol security configuration
1. First disable the default proxy ARP, because it can easily cause confusion in the routing table.
Router(config)# no ip proxy-arp
or
Router(config-if)# no ip proxy-arp
2. Enable authentication for the OSPF routing protocol. The default OSPF authentication password is transmitted in plaintext, so MD5 authentication is recommended, with a key of reasonable strength (the neighbouring router must be configured with the same key).
Router(config)# router ospf 100
Router(config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication.
! "area area-id authentication" enables authentication, but it is plaintext (simple password) authentication.
! "area area-id authentication message-digest" enables MD5 authentication.
Router(config-router)# area 100 authentication message-digest
Router(config-router)# exit
Router(config)# interface ethernet0/1
! Set MD5 key 1 to routerOspfKey.
! "ip ospf authentication-key KEY" sets an authentication key, but it is transmitted in plaintext.
! "ip ospf message-digest-key KEY-ID md5 KEY" (key-id 1-255) sets an MD5 key.
Router(config-if)# ip ospf message-digest-key 1 md5 routerOspfKey
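To show what the two authentication types put on the wire, here is an added Python illustration (not code from the article): it lays out the OSPFv2 header and cryptographic authentication as described in RFC 2328 Appendix D, using the article's sample key routerOspfKey and a constructed Hello body. It assumes short keys are zero-padded to 16 bytes, and leaves the header checksum at zero for brevity.

```python
import hashlib
import struct

def _header(autype, auth_field, body):
    # OSPFv2 header: version 2, type 1 (Hello), length (the trailing digest is not counted),
    # router id 10.0.0.1, area id 100, checksum (left 0 here), AuType, 8-byte authentication field.
    return struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), bytes([10, 0, 0, 1]),
                       bytes([0, 0, 0, 100]), 0, autype, auth_field) + body

def plaintext_auth(password, body):
    """AuType 1 (area authentication): the password itself is carried in the authentication field."""
    return _header(1, password[:8].ljust(8, b"\0"), body)

def md5_auth(key_id, seq, key, body):
    """AuType 2 (message-digest): auth field = key id, digest length 16, sequence number;
    digest = MD5(packet || key) is appended after the packet (key zero-padded to 16 bytes, assumed)."""
    pkt = _header(2, struct.pack("!HBBI", 0, key_id, 16, seq), body)
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest()

def verify_md5(frame, key, last_seq):
    """Receiver check: AuType must be 2, the sequence number must not go backwards (replay), digest must match."""
    pkt, digest = frame[:-16], frame[-16:]
    autype = struct.unpack("!H", pkt[14:16])[0]
    seq = struct.unpack("!I", pkt[20:24])[0]
    if autype != 2 or seq < last_seq:
        return False
    return hashlib.md5(pkt + key.ljust(16, b"\0")).digest() == digest

# Constructed Hello body: netmask, hello interval 10, options, priority 1, dead interval 40, DR, BDR.
HELLO_BODY = bytes.fromhex("ffffff00" "000a" "12" "01" "00000028" "0000000000000000")
KEY = b"routerOspfKey"  # the article's sample key
```

With AuType 1 the password is readable in every Hello; with AuType 2 only the digest travels, and a modified packet, a wrong key, or a replayed sequence number all fail verification.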
3. RIP authentication. Only RIPv2 supports authentication; RIPv1 does not, so RIPv2 is recommended, together with MD5 authentication, because plain (text) authentication is also transmitted in the clear.
Router# configure terminal
! Define the key chain
Router(config)# key chain mykeychainname
Router(config-keychain)# key 1
! Set the key string
Router(config-keychain-key)# key-string myfirstkeystring
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string mysecondkeystring
! Enable RIPv2
Router(config)# router rip
Router(config-router)# version 2
Router(config-router)# network 192.168.100.0
Router(config)# interface ethernet0/1
! Use MD5 authentication mode and select the configured key chain
Router(config-if)# ip rip authentication mode md5
Router(config-if)# ip rip authentication key-chain mykeychainname
4. The passive-interface command disables routing updates on interfaces that do not need to send or receive routing information; enable it on every interface that does not need to participate in routing. Note that in RIP, passive-interface only stops the interface from sending routing updates and does not stop it from receiving them, whereas in OSPF it stops both sending and receiving.
! RIP: stop Ethernet0/3 from sending routing updates
Router(config)# router rip
Router(config-router)# passive-interface ethernet0/3
! OSPF: stop Ethernet0/3 from sending and receiving routing updates
Router(config)# router ospf 100
Router(config-router)# passive-interface ethernet0/3
5. Use access lists to filter junk and malicious routing information and keep garbage routes off the network.
Router(config)# access-list 10 deny 192.168.1.0 0.0.0.255
Router(config)# access-list 10 permit any
! Stop the router from accepting routing updates for the 192.168.1.0 network
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 in
! Stop the router from advertising routes for the 192.168.1.0 network
Router(config)# router ospf 100
Router(config-router)# distribute-list 10 out
6. Enabling unicast reverse-path verification is recommended. It checks that the source IP address of an incoming packet is reachable through the interface it arrived on, which blocks certain kinds of IP spoofing. It can only be used on routers with CEF (Cisco Express Forwarding) enabled.
Router# configure terminal
! Enable CEF
Router(config)# ip cef
! Enable unicast reverse-path verification on the interface
Router(config)# interface ethernet0/1
Router(config-if)# ip verify unicast reverse-path
IV. Router audit security configuration
V. Other router security configuration
1. Upgrade the IOS software promptly and install IOS patches quickly.
2. Keep a strict, secure backup of the IOS image.
3. Keep a secure backup of the router's configuration file.
4. Purchase a UPS, or at least provide redundant power supplies.
5. Keep a complete log of security-relevant access to and maintenance of the router.
6. Configure a strict login banner. It must state that unauthorised users are prohibited from logging in.
7. Simple protection against IP spoofing: filter traffic entering the internal network whose source is a non-public address. Filter your own internal network addresses; the loopback range (127.0.0.0/8); RFC 1918 private addresses; the DHCP auto-configuration range (169.254.0.0/16); the documentation/test address block (192.0.2.0/24); unused multicast addresses (224.0.0.0/4); Sun's old test addresses (20.20.20.0/24, 204.152.64.0/23); and the all-zeros network (0.0.0.0/8).
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
Router(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
Router(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log
Router(config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log
Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
! Permit everything else; without this entry the implicit deny at the end of the list would block all traffic
Router(config)# access-list 100 permit ip any any
8. Use an access list to ensure that traffic leaving the internal network carries an internal source address. For example:
Router(config)# no access-list 101
Router(config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Router(config)# access-list 101 deny ip any any log
Router(config)# interface ethernet0/1
Router(config-if)# description "Internal Ethernet"
Router(config-if)# ip address 192.168.0.254 255.255.255.0
Router(config-if)# ip access-group 101 in
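The ingress list in item 7 and the egress list in item 8 both rely on Cisco wildcard-mask matching and on the implicit deny at the end of every access list. The following is an added Python example (not from the article) that parses IP-level entries in the article's access-list syntax and evaluates them in order; the entries are a subset of ACL 100 and ACL 101 above, and the test addresses are constructed.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens, i):
    # One address spec: 'any', 'host A.B.C.D', or 'NETWORK WILDCARD'; returns (net, wildcard, next index).
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list N {permit|deny} ip SRC DST [log]' entries into (action, snet, swc, dnet, dwc)."""
    aces = []
    for line in lines:
        t = line.lower().split()
        if t[:1] != ["access-list"] or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src_net, src_wc, i = _addr(t, 4)
        dst_net, dst_wc, _ = _addr(t, i)
        aces.append((t[2], src_net, src_wc, dst_net, dst_wc))
    return aces

def _match(addr, net, wc):
    # Cisco wildcard semantics: a 0 bit in the wildcard must match the network, a 1 bit is ignored.
    return ((addr & ~wc) & 0xFFFFFFFF) == ((net & ~wc) & 0xFFFFFFFF)

def evaluate(aces, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, snet, swc, dnet, dwc in aces:
        if _match(s, snet, swc) and _match(d, dnet, dwc):
            return action
    return "deny"

# Entries taken from ACL 100 (ingress anti-spoofing) and ACL 101 (egress) above, plus the final permit.
INGRESS_ACL_100 = [
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any log",
    "access-list 100 deny ip 172.16.0.0 0.15.255.255 any log",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any log",
    "access-list 100 deny ip 224.0.0.0 15.255.255.255 any",
    "access-list 100 permit ip any any",
]
EGRESS_ACL_101 = ["access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
                  "access-list 101 deny ip any any log"]
```

Evaluating INGRESS_ACL_100 without its last entry shows the implicit deny in action: even a legitimate public source is dropped.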
9. Protection against TCP SYN flooding. For example:
A. Using an access list:
Router(config)# no access-list 106
Router(config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
Router(config)# access-list 106 deny ip any any log
Router(config)# interface ethernet0/2
Router(config-if)# description "External Ethernet"
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# ip access-group 106 in
B. Using TCP Intercept (this places some extra load on the router):
Router(config)# ip tcp intercept list 107
Router(config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
Router(config)# access-list 107 deny ip any any log
Router(config)# interface ethernet0
Router(config-if)# ip access-group 107 in
10. Land attack (a packet whose source and destination are both the router's own address).
Router(config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
Router(config)# access-list 107 permit ip any any
Router(config)# interface ethernet0/2
Router(config-if)# ip address 192.168.1.254 255.255.255.0
Router(config-if)# ip access-group 107 in
11. Smurf attack (traffic aimed at the network's broadcast addresses).
Router(config)# access-list 108 deny ip any host 192.168.1.255 log
Router(config)# access-list 108 deny ip any host 192.168.1.0 log
12. ICMP security configuration. For inbound ICMP traffic, Echo, Redirect and Mask Request must be blocked, and inbound traceroute probes should also be blocked. For outbound ICMP traffic, Echo, Parameter Problem and Packet Too Big can be allowed, and outbound traceroute can be allowed as well.
Outbound ICMP control:
Router(config)# access-list 110 deny icmp any any echo log
Router(config)# access-list 110 deny icmp any any redirect log
Router(config)# access-list 110 deny icmp any any mask-request log
Router(config)# access-list 110 permit icmp any any
Inbound ICMP control:
Router(config)# access-list 111 permit icmp any any echo
Router(config)# access-list 111 permit icmp any any parameter-problem
Router(config)# access-list 111 permit icmp any any packet-too-big
Router(config)# access-list 111 permit icmp any any source-quench
Router(config)# access-list 111 deny icmp any any log
Outbound traceroute control:
Router(config)# access-list 112 deny udp any any range 33400 34400
Inbound traceroute control:
Router(config)# access-list 112 permit udp any any range 33400 34400
13. Protection against DDoS (Distributed Denial of Service) tools by blocking their control ports.
! The trinoo DDoS system
Router(config)# access-list 113 deny tcp any any eq 27665 log
Router(config)# access-list 113 deny udp any any eq 31335 log
Router(config)# access-list 113 deny udp any any eq 27444 log
! The Stacheldraht DDoS system
Router(config)# access-list 113 deny tcp any any eq 16660 log
Router(config)# access-list 113 deny tcp any any eq 65000 log
! The TrinityV3 system
Router(config)# access-list 113 deny tcp any any eq 33270 log
Router(config)# access-list 113 deny tcp any any eq 39168 log
! The SubSeven DDoS system and some variants
Router(config)# access-list 113 deny tcp any any range 6711 6712 log
Router(config)# access-list 113 deny tcp any any eq 6776 log
Router(config)# access-list 113 deny tcp any any eq 6669 log
Router(config)# access-list 113 deny tcp any any eq 2222 log
Router(config)# access-list 113 deny tcp any any eq 7000 log
14. Using SSH instead of Telnet is recommended. However, only IOS images with the IPsec feature set support SSH, and IOS 12.0 to 12.2 support only SSH version 1. An example SSH configuration:
Router# configure terminal
Router(config)# no access-list 22
Router(config)# access-list 22 permit 192.168.0.22
Router(config)# access-list 22 deny any
Router(config)# username blushin privilege 10 password G00DPA55W0RD
! Set the SSH negotiation timeout and the number of permitted login attempts
Router(config)# ip ssh time-out 90
Router(config)# ip ssh authentication-retries 2
Router(config)# line vty 0 4
Router(config-line)# access-class 22 in
Router(config-line)# transport input ssh
Router(config-line)# login local
Router(config-line)# exit
! Enable the SSH service by generating an RSA key pair.
Router(config)# crypto key generate rsa
The name for the keys will be: router.blushin.org
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
Generating RSA keys ...
[OK]
Router(config)#
VI. Router advanced security configuration
Attachment: Router Security Configuration Template ()