SoFunction
Updated on 2025-04-09

Router network service security configuration


1. Disable CDP (Cisco Discovery Protocol), globally and/or per interface, e.g.:

Router(Config)#no cdp run

Router(Config-if)# no cdp enable

2. Disable the other TCP and UDP small servers.

Router(Config)# no service tcp-small-servers

Router(Config)# no service udp-small-servers

3. Disable the finger service.

Router(Config)# no ip finger

Router(Config)# no service finger

4. It is recommended to disable the HTTP server.

Router(Config)# no ip http server

If the HTTP server must stay enabled, configure it securely: require a username and password, and restrict access with an access list, e.g.:

Router(Config)# username BluShin privilege 10 password G00dPa55w0rd

Router(Config)# ip http authentication local

Router(Config)# no access-list 10

Router(Config)# access-list 10 permit 192.168.0.1

Router(Config)# access-list 10 deny any

Router(Config)# ip http access-class 10

Router(Config)# ip http server

Router(Config)# exit

5. Disable the BOOTP server.

Router(Config)# no ip bootp server

Also disable booting from the network and the automatic download of the initial configuration file over the network.

Router(Config)# no boot network

Router(Config)# no service config

6. Disable IP source routing.

Router(Config)# no ip source-route

7. Disable proxy ARP if it is not required; it is enabled by default on the router.

Router(Config)# no ip proxy-arp

Router(Config-if)# no ip proxy-arp

8. Explicitly disable IP directed broadcast (an interface-level command).

Router(Config-if)# no ip directed-broadcast

9. Disable IP classless.

Router(Config)# no ip classless

10. Disable ICMP unreachables, redirects and mask replies on interfaces.

Router(Config-if)# no ip unreachables

Router(Config-if)# no ip redirects

Router(Config-if)# no ip mask-reply

11. It is recommended to disable the SNMP service. When disabling it, remove the default SNMP community configuration as well, or restrict it with an access list, e.g.:

Router(Config)# no snmp-server community public RO

Router(Config)# no snmp-server community admin RW

Router(Config)# no access-list 70

Router(Config)# access-list 70 deny any

Router(Config)# snmp-server community MoreHardPublic RO 70

Router(Config)# no snmp-server enable traps

Router(Config)# no snmp-server system-shutdown

Router(Config)# no snmp-server trap-authentication

Router(Config)# no snmp-server

Router(Config)# end
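Items 4 and 11 both bind a service to a standard numbered access list (ACL 10 for the HTTP server, ACL 70 for the SNMP community). The evaluator below is an added example, not part of the original article and not Cisco code: it parses standard ACL lines of the form shown above, applies IOS first-match semantics with the implicit deny at the end, and shows why ACL 10 admits only 192.168.0.1 and why a community bound to ACL 70 (`deny any`) is reachable from nowhere. It goes slightly beyond the page by also handling the `host` and wildcard-mask forms; ACL 20 below is a constructed line added for that purpose.

```python
"""Evaluate IOS standard numbered ACLs (first match wins, implicit deny at the end)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed ACL lines: 10 and 70 mirror items 4 and 11 of the checklist,
# 20 is an extra constructed line using a wildcard mask.
ACL_LINES: List[str] = [
    "access-list 10 permit 192.168.0.1",
    "access-list 10 deny any",
    "access-list 70 deny any",
    "access-list 20 permit 192.168.0.0 0.0.0.255",
]

# An entry is (action, address, wildcard) with address/wildcard as 32-bit ints.
Entry = Tuple[str, int, int]


def parse_standard_acl(lines: List[str]) -> Dict[int, List[Entry]]:
    """Group 'access-list N permit|deny <source>' lines by ACL number, in order."""
    acls: Dict[int, List[Entry]] = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, source = int(tokens[1]), tokens[2], tokens[3:]
        if source[0] == "any":
            addr, wild = 0, 0xFFFFFFFF            # every bit is "don't care"
        elif source[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(source[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(source[0]))
            # A bare address with no wildcard means a single host (wildcard 0.0.0.0).
            wild = int(ipaddress.IPv4Address(source[1])) if len(source) > 1 else 0
        acls.setdefault(number, []).append((action, addr, wild))
    return acls


def acl_permits(acl: List[Entry], src_ip: str) -> bool:
    """Return True if the source address is permitted by the ACL."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in acl:
        # Setting the wildcard ("don't care") bits on both sides makes them compare equal.
        if (src | wild) == (addr | wild):
            return action == "permit"
    return False  # implicit deny: an IOS ACL ends with 'deny any'


def sources_permitted(acls: Dict[int, List[Entry]], number: int, candidates: List[str]) -> List[str]:
    """Which of the candidate source addresses can reach a service bound to ACL `number`."""
    return [ip for ip in candidates if acl_permits(acls.get(number, []), ip)]


if __name__ == "__main__":
    acls = parse_standard_acl(ACL_LINES)
    probes = ["192.168.0.1", "192.168.0.2", "192.168.1.1"]
    for number in (10, 70, 20):
        print(f"ACL {number}: permitted sources -> {sources_permitted(acls, number, probes)}")
```

Because `ip http access-class 10` checks the HTTP client's source address against ACL 10, only the management host 192.168.0.1 gets a login prompt; everything else is dropped before authentication is even attempted. Binding the community string to ACL 70 means SNMP is effectively disabled even though the community is still configured.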

12. Disable WINS and DNS services if they are not required.

Router(Config)# no ip domain-lookup

If they are needed, configure:

Router(Config)# hostname Router

Router(Config)# ip name-server 202.102.134.96

13. Explicitly shut down unused ports.

Router(Config)# interface eth0/3

Router(Config-if)# shutdown
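The checklist above is easiest to keep honest if it is checked against the running configuration rather than applied by hand once. The script below is an added example, not part of the original article and not Cisco code: it parses the text of an IOS `show running-config` into global lines and per-interface blocks and reports each checklist item the config fails. The sample configuration is constructed for the example and deliberately leaves several items unaddressed. The rules distinguish features that are on by default (where the explicit `no ...` line must be present, as with CDP, proxy ARP and ICMP redirects) from features that are off unless configured (where the enabling line must be absent, as with the small servers and SNMP).

```python
"""Audit an IOS running-config against the router hardening checklist."""
import re
from typing import Dict, List, Optional, Tuple

# Global-mode rules. REQUIRED: the feature is on by default, so the explicit
# "no ..." line must be present. FORBIDDEN: the enabling line must not appear.
GLOBAL_REQUIRED: Dict[str, str] = {
    "1 CDP": r"^no cdp run$",
    "5 BOOTP server": r"^no ip bootp server$",
    "6 IP source routing": r"^no ip source-route$",
    "12 DNS lookup": r"^no ip domain[- ]lookup$",  # newer IOS prints "domain lookup"
}
GLOBAL_FORBIDDEN: Dict[str, str] = {
    "2 TCP small servers": r"^service tcp-small-servers$",
    "2 UDP small servers": r"^service udp-small-servers$",
    "3 finger": r"^(ip finger|service finger)$",
    "4 HTTP server": r"^ip http server$",
    "5 boot network": r"^boot network ",
    "5 service config": r"^service config$",
    "11 SNMP community": r"^snmp-server community ",
    "11 SNMP traps": r"^snmp-server enable traps",
}
# Interface-mode rules, applied to every interface that carries an IP address.
IF_REQUIRED: Dict[str, str] = {
    "7 proxy ARP": r"^no ip proxy-arp$",
    "10 ICMP unreachables": r"^no ip unreachables$",
    "10 ICMP redirects": r"^no ip redirects$",
}
IF_FORBIDDEN: Dict[str, str] = {
    "8 directed broadcast": r"^ip directed-broadcast$",
    "10 ICMP mask reply": r"^ip mask-reply$",
}

# Constructed sample running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname Router
!
no service tcp-small-servers
service udp-small-servers
ip http server
ip http authentication local
ip http access-class 10
no ip bootp server
no ip source-route
ip domain-lookup
snmp-server community public RO
snmp-server enable traps
!
interface FastEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip directed-broadcast
 ip mask-reply
!
interface FastEthernet0/3
 no ip address
!
access-list 10 permit 192.168.0.1
access-list 10 deny any
end
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global lines and {interface name: [sub-mode lines]}."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # a '!' separator ends the interface block
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented line belongs to the interface
            continue
        current = None
        line = raw.strip()
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return one finding string per checklist item the config fails."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    for name, pat in GLOBAL_REQUIRED.items():
        if not any(re.match(pat, ln) for ln in global_lines):
            findings.append(f"[{name}] missing explicit disable")
    for name, pat in GLOBAL_FORBIDDEN.items():
        findings += [f"[{name}] enabled: '{ln}'" for ln in global_lines if re.match(pat, ln)]
    # Item 4: an HTTP server that is left on must at least be restricted by an access list.
    if "ip http server" in global_lines and not any(
        ln.startswith("ip http access-class ") for ln in global_lines
    ):
        findings.append("[4 HTTP server] no 'ip http access-class' restriction")
    for ifname, lines in interfaces.items():
        if not any(ln.startswith("ip address ") for ln in lines):
            if "shutdown" not in lines:  # item 13: unused port left administratively up
                findings.append(f"[13 unused port] {ifname} has no address but is not shutdown")
            continue
        for name, pat in IF_REQUIRED.items():
            if not any(re.match(pat, ln) for ln in lines):
                findings.append(f"[{name}] {ifname}: missing explicit disable")
        for name, pat in IF_FORBIDDEN.items():
            findings += [f"[{name}] {ifname}: enabled: '{ln}'" for ln in lines if re.match(pat, ln)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the saved output of `show running-config`; a config that follows every item above yields an empty list. The default-on/default-off split matters in practice: a config with no mention of CDP at all is still running CDP, which a check that only looked for enabling lines would miss.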

Article entry: csh     Editor in charge: csh