Securing Cisco IOS

Best Practices and Securing Cisco IOS

!
hostname Rooter
ip domain-name routerjockey.com
crypto key generate rsa modulus 2048
ip ssh time-out 120
ip ssh version 2
ip scp server enable
!
login block-for 300 attempts 4 within 120
login delay 2
login on-failure log
login on-success log
!
username admin privilege 15 secret 0 cisco
!
aaa new-model
aaa authentication login default local-case
aaa authorization exec default local if-authenticated
!
!
ip access-list extended VTY-in
 remark == Network Engineering VPNs
 permit ip 10.255.200.0 0.3.0.31 any
 remark == Network Management Servers
 permit ip 192.168.42.0 0.0.0.255 any
!
line con 0
 logging synchronous
 transport preferred none
 escape-character 3
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 15
 access-class VTY-in in
 logging synchronous
 transport preferred none
 transport input ssh
 escape-character 3
!
no ip source-route
ip options drop
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service dhcp
no ip bootp server
no ip finger
no ip identd
no service config
no lldp run global
no mop enabled
no service pad
!
banner login ^
************************************************************************
You have logged on to a COMPANY proprietary device. 

This device may be used only for the authorized business purposes
of COMPANY. Anyone found using this device or its information for
any unauthorized purpose may be subject to disciplinary action
and/or prosecution. Have a nice day! :)
************************************************************************
^
!
!
snmp-server location HQ
access-list 60 remark == SNMP RO
access-list 60 remark -ServerName
access-list 60 permit 192.168.42.23
access-list 60 deny any log
!
! SNMP v2
snmp-server community r0u73rj0ck3y RO 60
!
! SNMP v3 <-- More Secure
! the user must belong to a v3 group; the group is bound to the same ACL
! (sha / aes are stronger than md5 / 3des where the platform supports them)
snmp-server group PRIVGROUP v3 priv access 60
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword access 60
!
logging host 192.168.42.42
service timestamps log datetime localtime msec show-timezone
!
ntp server 10.1.1.10 prefer
ntp server 10.2.1.10
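A hardening template is only useful if you can tell which devices actually match it. The following is an added example, not part of the original post: a small Python audit that reads plain `show running-config` text and checks the points the template above enforces (management services disabled, `secret` instead of `password`, SNMP communities read-only and ACL-bound, VTY lines SSH-only with an access-class and an idle timeout). The sample config it runs against is constructed for the example and deliberately violates several of those points.

```python
"""Audit Cisco IOS running-config text against a hardening checklist.

Added example (not the original post's code). Assumes plain 'show running-config'
output: top-level commands at column 0, section bodies indented by one space,
and '!' as the separator between blocks.
"""
import re

# Constructed sample config (not a real device): partially hardened on purpose.
SAMPLE_CONFIG = """\
hostname Rooter
ip domain-name routerjockey.com
ip ssh version 2
ip http server
no ip http secure-server
service password-encryption
no service tcp-small-servers
username admin privilege 15 password 7 0000000000
snmp-server community public RO
snmp-server community r0u73rj0ck3y RO 60
line con 0
 logging synchronous
line vty 0 4
 access-class VTY-in in
 transport input ssh
 exec-timeout 10 0
line vty 5 15
 transport input telnet ssh
 exec-timeout 0 0
!
"""

# Global commands the template expects to see verbatim.
REQUIRED_GLOBALS = (
    "no ip source-route",
    "no ip http server",
    "no ip http secure-server",
    "no service tcp-small-servers",
    "no service udp-small-servers",
    "service password-encryption",
    "ip ssh version 2",
)


def parse_config(text):
    """Split config text into top-level commands and indented sections.

    Returns (globals, sections): globals is a list of top-level command strings;
    sections maps each 'line ...' / 'interface ...' header to its indented commands.
    """
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # a comment or separator closes any open section
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.rstrip()
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            globals_.append(line)
    return globals_, sections


def audit(text):
    """Return a list of (severity, message) findings; empty means nothing was flagged."""
    globals_, sections = parse_config(text)
    gset = set(globals_)
    findings = []

    # 1. Global services: an explicitly enabled service is a finding; an absent
    #    'no ...' line is only reported, because defaults differ per platform and
    #    default settings are often not printed in show run.
    for cmd in REQUIRED_GLOBALS:
        if cmd.startswith("no ") and cmd[3:] in gset:
            findings.append(("high", f"'{cmd[3:]}' is explicitly enabled"))
        elif cmd not in gset:
            findings.append(("info", f"'{cmd}' not explicitly set; verify platform default"))

    # 2. Local accounts must use 'secret' (one-way hash), never 'password' (type 0/7).
    for line in globals_:
        m = re.match(r"username (\S+) .*\bpassword\b", line)
        if m:
            findings.append(("high", f"user '{m.group(1)}' uses reversible 'password' instead of 'secret'"))

    # 3. SNMP communities: read-only, not a well-known default, and bound to an ACL.
    for line in globals_:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if not m:
            continue
        name, mode, acl = m.groups()
        if mode == "RW":
            findings.append(("high", f"SNMP community '{name}' is read-write"))
        if name.lower() in ("public", "private"):
            findings.append(("high", f"SNMP community '{name}' is a well-known default"))
        if acl is None:
            findings.append(("medium", f"SNMP community '{name}' has no access-list restriction"))

    # 4. VTY lines: SSH only (or no transport at all), inbound access-class, idle timeout.
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transports = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not transports:
            findings.append(("high", f"{header}: no 'transport input' set (platform default applies)"))
        elif transports[0] not in (["ssh"], ["none"]):
            findings.append(("high", f"{header}: transport input is {' '.join(transports[0])}, expected ssh only"))
        if not any(b.startswith("access-class") and b.endswith(" in") for b in body):
            findings.append(("medium", f"{header}: no inbound access-class"))
        if "exec-timeout 0 0" in body:
            findings.append(("medium", f"{header}: exec-timeout disabled"))
    return findings


def high_findings(text):
    """Messages of the high-severity findings only."""
    return [msg for sev, msg in audit(text) if sev == "high"]


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev:6}] {msg}")
```

Run it against a saved `show running-config` and the `info` lines tell you which defaults still need confirming on that platform, while `high` and `medium` lines are direct deviations from the template. The text matching is intentionally literal: IOS prints commands in canonical form, so a line such as `transport input telnet ssh` will always appear exactly that way.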
This entry was posted in Cisco. Bookmark the permalink.