!Disable unnecessary services
!------------------------------------------------
no service finger
no service udp-small-servers
no service tcp-small-servers
no service pad
no ip rarp-server
no ip http server
no ip bootp server
no cdp run
no ip source-route
!no ip unreachables

! Configure system scheduler to avoid I/O interrupt problems
process-max-time 200
!scheduler interval 500
!scheduler allocate 250000 10000
!
! Track TCP sessions and "kill" dead ones
service tcp-keepalives-in
!
! Configure SNMP for secure operations
! Use different strings for RO and RW (reusing one string, as below, gives
! every RO reader write access) and keep access-lists 4 and 5 tight.
snmp-server community hardToGuessString RO 4
snmp-server community hardToGuessString RW 5
! system-shutdown lets a holder of the RW string reload the router;
! leave it out unless you need that.
snmp-server system-shutdown
snmp-server host trap-host hardToGuessString
snmp-server tftp-server-list 5
snmp-server enable traps config
snmp-server enable traps snmp
snmp-server enable traps link-status
snmp-server trap-source Loopback0
snmp-server contact [EMAIL PROTECTED]
snmp-server location #######################
snmp-server engineID local ###################

! Audit Logging and AAA Settings
!------------------------------------------------
! Logging Settings
service timestamps log datetime msec localtime
no logging console
logging buffered
logging facility local4
logging syslog-1
logging syslog-3
logging trap notifications
!
! AAA Settings (general)
aaa new-model
aaa processes 6
!
! Authentication service definitions
!aaa authentication local-override
aaa authentication enable default enable
aaa authentication login default group radius enable
aaa authentication login CONSOLE local enable
aaa authentication login AUX group radius local
aaa authentication login USE-RADIUS group radius local
aaa authentication login USE-TACACS group tacacs+ local
!
! Accounting service definitions
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
! AAA Server setting
ip radius source-interface Ethernet0
! 1645/1646 are the legacy RADIUS ports; RFC 2865/2866 servers use 1812/1813.
radius-server host radius-1 auth-port 1645 acct-port 1646 non-standard key ###################
radius-server host radius-2 auth-port 1645 acct-port 1646 non-standard key ###################
radius-server host radius-3 auth-port 1645 acct-port 1646 non-standard key ###################
radius-server host radius-4 auth-port 1645 acct-port 1646 non-standard key ###################
radius-server timeout 3
radius-server deadtime 1

! Miscellaneous Settings
!------------------------------------------------
ip subnet-zero
ip classless

ip flow-cache entries 131072
!
buffers small permanent 300
buffers small max-free 400
buffers small min-free 100
buffers middle permanent 200
buffers middle min-free 20
buffers large permanent 20
buffers large min-free 2
buffers huge permanent 1

! Restricted line: local auth, privilege level 2, telnet only, sources limited by ACL 5
line vty 4
 exec-timeout 2 0
 no password
 login authentication CONSOLE
 privilege level 2
 no snmp trap link-status
 transport input telnet
 access-class 5 in
!
! Special Access Command Definitions for vty 4
! Note: "show configuration" at level 2 exposes the startup config, including
! SNMP community strings and type-7 passwords, to every level-2 user.
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 show configuration
privilege exec level 2 show
!
!
! Add warning banners
banner exec ~

***********************  WARNING *************************
   Access to this information processing system is
   restricted to authorized personnel ONLY!

   Unauthorized access is subject to prosecution under
   United States Title 8.

**********************************************************
~
!




Chris Brenton <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/27/00 07:21 PM
Please respond to cbrenton


        To:     "Brian J. Murrell" <[EMAIL PROTECTED]>
        cc:     [EMAIL PROTECTED]
        Subject:        Re: Disabling unneeded services on a Cisco Router


"Brian J. Murrell" wrote:
>
> However, what I am interested in is disabling *all* of the unnecessary
> services on the router.  For example
>
> no cdp run
>
> Turns off CDP.  Great.  How about any others?

It really depends on the version of IOS you are running. For example,
small-servers are enabled by default in 11.x but are off by default in
12.x.

You really have to watch out for this because it can bite you. For
example, a "show running" will produce identical config files on both IOS
versions even though small-servers is active on 11.x but disabled on
12.x. The reason the files look the same is that the config file only
shows _variations_ from the default settings. With this in mind, it's
always a good idea to double check your config by running a port scan of
the router once you have locked it down.

With that said, try these:

no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server

Based on the above commentary, don't be concerned if you run these
commands but "show running" does not display them. It's that "default
setting" thing mentioned above. A port scan is still a good sanity check,
however.

Additionally, you may also want to run these:
no ip source-route
banner incoming # Unauthorized access of this device is prohibited #
no ip directed-broadcast (from interface config mode)

HTH,
Chris
--
**************************************
[EMAIL PROTECTED]

* Mastering Cisco Routers
http://www.amazon.com/exec/obidos/ASIN/078212643X/
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]


