SoFunction
Updated on 2025-04-11

Simple security configuration solution for Cisco routers

1. Security configuration of router access control
1. Strictly control which administrators can access the router. Every maintenance action should be recorded and filed.
2. Avoid remote access to the router where possible. If remote access is required, restrict it with access control lists and strong passwords.
3. Strictly control access to the CON (console) port. Specific measures include:
A. If the chassis can be opened, the physical lines connected to the CON port can be disconnected.
B. Change the default connection attributes, for example the baud rate (the default is 9600; change it to another value).
C. Use access control lists to restrict access to the CON port. For example:
    Router(Config)#access-list 1 permit 192.168.0.1
    Router(Config)#line con 0
    Router(Config-line)#transport input none
    Router(Config-line)#login local
    Router(Config-line)#exec-timeout 5 0
    Router(Config-line)#access-class 1 in
    Router(Config-line)#end
D. Set a strong password on the CON port.
4. Disable the AUX port if it is not used (it is not enabled by default). For example:
  Router(Config)#line aux 0
  Router(Config-line)#transport input none
  Router(Config-line)#no exec
5. Use privilege levels to tier administrative rights. For example:
Router(Config)#username BluShin privilege 10 password G00dPa55w0rd
Router(Config)#privilege exec level 10 telnet
Router(Config)#privilege exec level 10 show ip access-list
6. Set a strong password for entering privileged mode. Do not set it with enable password; use the enable secret command instead, and enable service password-encryption so that the other passwords in the configuration are not stored in clear text.
7. Control access to the VTY lines. Disable them if remote access is not required. If it is required, set a strong password. Telnet sessions on the VTY lines are not encrypted in transit, so they must be strictly controlled: set a strong password, limit the number of concurrent connections, use access lists to restrict the source addresses, and use AAA for user access control.
8. Use FTP instead of TFTP for IOS upgrades and backups and for configuration files. For example:
Router(Config)#ip ftp username BluShin
Router(Config)#ip ftp password 4tppa55w0rd
Router#copy startup-config ftp:
9. Upgrade and patch the IOS software promptly.

2. Router network service security configuration
1. Disable CDP (Cisco Discovery Protocol), globally and per interface. For example:
  Router(Config)# no cdp run
  Router(Config-if)# no cdp enable
2. Disable the TCP and UDP small services.
  Router(Config)# no service tcp-small-servers
  Router(Config)# no service udp-small-servers
3. Disable the finger service.
  Router(Config)# no ip finger
  Router(Config)# no service finger
4. Disabling the HTTP server is recommended.
  Router(Config)# no ip http server
If the HTTP service must be enabled, configure it securely: require a username and password, and restrict access with an access list. For example:
Router(Config)# username BluShin privilege 10 password G00dPa55w0rd
Router(Config)# ip http authentication local
Router(Config)# no access-list 10
Router(Config)# access-list 10 permit 192.168.0.1
Router(Config)# access-list 10 deny any
Router(Config)# ip http access-class 10
Router(Config)# ip http server
Router(Config)# exit
5. Disable the BOOTP server.
  Router(Config)# no ip bootp server
Also disable booting from the network and automatic download of the initial configuration file from the network.
  Router(Config)# no boot network
  Router(Config)# no service config
6. Disable IP source routing.
  Router(Config)# no ip source-route
7. Disable proxy ARP if it is not needed; it is enabled by default.
  Router(Config)# no ip proxy-arp
  Router(Config-if)# no ip proxy-arp
8. Explicitly disable IP directed broadcast on each interface.
  Router(Config-if)# no ip directed-broadcast
9. Disable IP classless.
  Router(Config)# no ip classless
10. Disable ICMP unreachables, redirects, and mask replies on interfaces.
  Router(Config-if)# no ip unreachables
  Router(Config-if)# no ip redirects
  Router(Config-if)# no ip mask-reply
11. Disabling SNMP is recommended. When disabling it, the default community strings must also be removed. If SNMP is required, restrict it with an access list. For example:
  Router(Config)# no snmp-server community public RO
  Router(Config)# no snmp-server community admin RW
  Router(Config)# no access-list 70
  Router(Config)# access-list 70 deny any
  Router(Config)# snmp-server community MoreHardPublic RO 70
  Router(Config)# no snmp-server enable traps
  Router(Config)# no snmp-server system-shutdown
  Router(Config)# no snmp-server trap-auth
  Router(Config)# no snmp-server
  Router(Config)# end
12. Disable WINS and DNS name resolution unless they are needed.
  Router(Config)# no ip domain-lookup
If name resolution is needed, configure it explicitly:
  Router(Config)# hostname Router
  Router(Config)# ip name-server 202.102.134.96
13. Explicitly shut down unused interfaces.
  Router(Config)# interface eth0/3
  Router(Config-if)# shutdown
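The access-control and network-service settings in sections 1 and 2 are easy to describe and easy to forget, so a defender usually wants a script that reads a saved running-config and reports which of them are missing. The following auditor is an added example written for this page; it is not code from the article or from Cisco. Both configurations it inspects are constructed samples (the enable secret hash is a placeholder), and the check list covers only the items from sections 1 and 2 that can be recognised from configuration text.

```python
import re
from typing import Dict, List

# Constructed sample running-config (not from the article). It deliberately
# contains weaknesses the article tells you to remove, so the checks have
# something to find.
WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
username BluShin privilege 10 password G00dPa55w0rd
ip http server
service tcp-small-servers
snmp-server community public RO
interface Ethernet0/1
 ip address 192.168.0.254 255.255.255.0
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
 login local
"""

# The same device after applying the section 1 and 2 recommendations
# (also constructed; the enable secret hash is a placeholder, not a real hash).
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
username BluShin privilege 10 secret G00dPa55w0rd
no ip source-route
no cdp run
no ip http server
interface Ethernet0/1
 ip address 192.168.0.254 255.255.255.0
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 22 in
 exec-timeout 5 0
 transport input ssh
 login local
"""

# Global checks: (finding id, regex matched against top-level commands, problem_when_present)
# problem_when_present=True  -> the command being present is the finding
# problem_when_present=False -> the command being absent is the finding
GLOBAL_CHECKS = [
    ("enable-password-used",        r"^enable password ", True),
    ("enable-secret-missing",       r"^enable secret ", False),
    ("password-encryption-missing", r"^service password-encryption$", False),
    ("cdp-enabled",                 r"^no cdp run$", False),
    ("small-servers-enabled",       r"^service (tcp|udp)-small-servers$", True),
    ("http-server-enabled",         r"^ip http server$", True),
    ("source-routing-enabled",      r"^no ip source-route$", False),
    ("snmp-default-community",      r"^snmp-server community (public|private)\b", True),
]

def parse_line_blocks(config: str) -> Dict[str, List[str]]:
    """Collect the indented commands under each 'line ...' stanza."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return blocks

def audit_config(config: str) -> List[str]:
    """Return the list of finding ids for a running-config text."""
    findings: List[str] = []
    for fid, pattern, problem_when_present in GLOBAL_CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present == problem_when_present:
            findings.append(fid)
    for name, cmds in parse_line_blocks(config).items():
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), "")
            # No transport line means the platform default, which normally includes Telnet.
            if not transport or "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{name}: telnet-allowed")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout-disabled")
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_config(cfg) or ['no findings']}")
```

Run it against a configuration captured with `show running-config`; an empty list means every check passed. The absence-based checks (`no cdp run`, `no ip source-route`) depend on IOS writing the negated command into the configuration, which it does for settings that are on by default; extend `GLOBAL_CHECKS` with the same (id, regex, flag) shape for the remaining items in section 2.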

3. Router routing protocol security configuration
1. Disable proxy ARP first (it is enabled by default); it can easily cause confusion in the routing tables.
Router(Config)# no ip proxy-arp  or
Router(Config-if)# no ip proxy-arp
2. Enable authentication for the OSPF routing protocol. Simple OSPF authentication transmits the password in clear text, so MD5 authentication is recommended, with a key of reasonable strength (the neighbouring router must be configured with the same key).
  Router(Config)# router ospf 100
Router(Config-router)# network 192.168.100.0 0.0.0.255 area 100
! Enable MD5 authentication.
! "area area-id authentication" enables simple (clear-text password) authentication;
! "area area-id authentication message-digest" enables MD5 authentication.
Router(Config-router)# area 100 authentication message-digest
Router(Config-router)# exit
Router(Config)# interface eth0/1
! Set the MD5 key to routerospfkey.
! "ip ospf authentication-key key" sets a simple authentication key, which is transmitted in clear text;
! "ip ospf message-digest-key key-id(1-255) md5 key" sets an MD5 key.
Router(Config-if)# ip ospf message-digest-key 1 md5 routerospfkey
3. Authentication for the RIP protocol is supported only by RIP version 2, not by RIP version 1, so RIP-V2 is recommended, with MD5 authentication; plain-text authentication transmits the key in clear text.
Router# config terminal
! Define a key chain
Router(Config)# key chain mykeychainname
Router(Config-keychain)# key 1
! Set the key string
Router(Config-keychain-key)# key-string MyFirstKeyString
Router(Config-keychain-key)# key 2
Router(Config-keychain-key)# key-string MySecondKeyString
! Enable RIP-V2
Router(Config)# router rip
Router(Config-router)# version 2
Router(Config-router)# network 192.168.100.0
Router(Config)# interface eth0/1
! Use MD5 authentication and select the configured key chain
Router(Config-if)# ip rip authentication mode md5
Router(Config-if)# ip rip authentication key-chain mykeychainname
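Items 2 and 3 both rely on keyed MD5 so that a neighbour can tell a genuine routing update from an injected one without ever sending the key itself. The following model of OSPF cryptographic authentication (RFC 2328, Appendix D) is an added example written for this page, not code from the article or from Cisco: the sender appends an MD5 digest of the packet plus the zero-padded key, and the receiver recomputes it and also enforces the cryptographic sequence number to reject replays. The key `routerospfkey` is taken from the article; the router ID, area ID and hello body are constructed, and no real OSPF traffic is sent. RIPv2 MD5 authentication (item 3) works on the same principle with a different trailer layout.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple

KEY_LEN = 16      # OSPF MD5 keys are padded with zero bytes to 16 octets
AUTYPE_MD5 = 2    # AuType 2 = cryptographic authentication (RFC 2328, App. D)
HEADER_LEN = 24   # OSPFv2 header size, including the 8-byte authentication field

def pad_key(key: str) -> bytes:
    """Right-pad (or truncate) the key string to the 16-byte field OSPF uses."""
    return key.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")

def build_authenticated_packet(body: bytes, key_id: int, key: str, seq: int,
                               router_id: int = 0xC0A86401, area_id: int = 100) -> bytes:
    """Sender side: model an OSPFv2 Hello (type 1) with AuType 2 and the MD5 digest appended.
    With cryptographic authentication the standard checksum field stays 0; the digest
    covers the whole packet plus the padded key and is not counted in the packet length."""
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBHIIHH", 2, 1, length, router_id, area_id, 0, AUTYPE_MD5)
    auth_field = struct.pack("!HBBI", 0, key_id, KEY_LEN, seq)  # 0, key id, auth len, sequence
    packet = header + auth_field + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest

def verify_packet(data: bytes, keys: Dict[int, str], last_seq: int) -> Tuple[bool, str]:
    """Receiver side: look up the key by id, recompute the digest, and reject replays.
    RFC 2328 accepts a packet only if its sequence number is >= the last one seen from
    that neighbour, so a captured packet cannot simply be played back later."""
    if len(data) < HEADER_LEN + KEY_LEN:
        return False, "truncated"
    version, _ptype, length, _rid, _area, _csum, autype = struct.unpack("!BBHIIHH", data[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", data[16:24])
    if version != 2 or autype != AUTYPE_MD5 or auth_len != KEY_LEN:
        return False, "not MD5-authenticated"
    if key_id not in keys:
        return False, "unknown key id"
    packet, digest = data[:length], data[length:length + KEY_LEN]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time comparison
        return False, "bad digest"
    if seq < last_seq:
        return False, "replayed or stale sequence number"
    return True, "ok"

if __name__ == "__main__":
    # Constructed exchange: router A sends a hello; router B holds the same key under id 1.
    neighbour_keys = {1: "routerospfkey"}
    hello = build_authenticated_packet(b"hello-from-A", key_id=1, key="routerospfkey", seq=100)
    print("genuine packet:", verify_packet(hello, neighbour_keys, last_seq=99))
    print("wrong key on receiver:", verify_packet(hello, {1: "anotherkey"}, last_seq=99))
    print("replayed packet:", verify_packet(hello, neighbour_keys, last_seq=101))
```

The point for the configuration in items 2 and 3 is that the key never leaves the router; only the digest does, and a packet whose digest does not match the shared key, or whose sequence number has gone backwards, is dropped before it can influence the routing table. Use the key-id slot to rotate keys: configure the new key under a second id on both neighbours before removing the old one.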
4. Use the passive-interface command on interfaces that do not need to send or receive routing information. Note the difference between protocols: in RIP, passive-interface only stops the router from sending updates out of the interface; updates arriving on it are still accepted. In OSPF, passive-interface suppresses hello packets, so no adjacency forms and routing information is neither sent nor received on that interface.
! In RIP, stop sending routing updates out of port 0/3
Router(Config)# router rip
Router(Config-router)# passive-interface eth0/3
! In OSPF, stop both sending and receiving routing information on port 0/3
Router(Config)# router ospf 100
Router(Config-router)# passive-interface eth0/3
5. Use access lists to filter unwanted or malicious routing information and so limit junk traffic on the network. For OSPF, an inbound distribute-list only controls which routes are installed in the local routing table (the LSAs themselves still flood), and an outbound distribute-list only affects routes redistributed into OSPF.
Router(Config)# access-list 10 deny 192.168.1.0 0.0.0.255
Router(Config)# access-list 10 permit any
! Do not accept routes for the 192.168.1.0 network from received routing updates
Router(Config)# router ospf 100
Router(Config-router)# distribute-list 10 in
! Do not advertise routes for the 192.168.1.0 network
Router(Config)# router ospf 100
Router(Config-router)# distribute-list 10 out
6. Enabling IP Unicast Reverse-Path verification (uRPF) is recommended. It checks that a packet's source IP address is reachable through the interface the packet arrived on, which blocks certain kinds of IP spoofing. It can only be used on routers with CEF (Cisco Express Forwarding) enabled.
Router# config t
! Enable CEF
Router(Config)# ip cef
! Enable unicast reverse-path verification on the interface
Router(Config)# interface eth0/1
Router(Config-if)# ip verify unicast reverse-path
4. Router audit security configuration

5. Other security configurations of routers
1. Upgrade the IOS software promptly and install IOS patches quickly.
2. Keep secure backups of the IOS images.
3. Keep a secure backup of the router's configuration file.
4. Purchase UPS equipment, or at least use redundant power supplies.
5. Keep a complete log of secure access to and maintenance of the router.
6. Configure a login banner. It must state that unauthorized users are prohibited from logging in.
7. Basic protection against IP spoofing, such as filtering packets with non-public source addresses that arrive at the internal network. Filter your own internal network address range; the loopback range (127.0.0.0/8); the RFC 1918 private ranges; the link-local range used by DHCP auto-configuration (169.254.0.0/16); the TEST-NET documentation range (192.0.2.0/24); the multicast range (224.0.0.0/4), which should never appear as a source; Sun's old test addresses (20.20.20.0/24 and 204.152.64.0/23); and the "this network" range (0.0.0.0/8).
Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log
Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log
Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log
Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
8. Use an access list to ensure that traffic leaving the internal network carries a source address that belongs to the internal network. For example:
Router(Config)# no access-list 101
Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
Router(Config)# access-list 101 deny ip any any log
Router(Config)# interface eth 0/1
Router(Config-if)# description "internal Ethernet"
Router(Config-if)# ip address 192.168.0.254 255.255.255.0
Router(Config-if)# ip access-group 101 in
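Items 7 and 8 depend on getting Cisco wildcard masks right: a wildcard is the inverted netmask, a 1 bit means "don't care", and a single wrong bit silently changes which addresses a line covers. The evaluator below is an added example written for this page (not code from the article or from Cisco). It converts prefixes to wildcards, parses numbered extended ACL lines of the form used above, and applies first-match semantics with the implicit deny at the end. The ACL text it carries is a constructed copy of lists 100 and 101 with two deliberate differences: 204.152.64.0/23 uses the correct wildcard 0.0.1.255, and a final `permit ip any any` is appended to list 100, which the article omits and without which the implicit deny would drop all inbound traffic. Ports and TCP flags are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address

def ip_to_int(dotted: str) -> int:
    return int(ipaddress.ip_address(dotted))

def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Convert prefix notation to the Cisco (network, wildcard) pair.
    The wildcard is the inverted netmask, e.g. /23 -> 0.0.1.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def wildcard_match(addr: int, base: int, wildcard: int) -> bool:
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits are compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol; otherwise an exact name
    src: Tuple[int, int]  # (base, wildcard)
    dst: Tuple[int, int]
    log: bool
    text: str             # normalised line, kept for reporting

def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (ip_to_int(tokens[i + 1]), 0), i + 2
    return (ip_to_int(tokens[i]), ip_to_int(tokens[i + 1])), i + 2

def parse_acls(lines: List[str]) -> Dict[int, List[Rule]]:
    """Parse 'access-list N permit|deny PROTO SRC DST [log]' lines (ports are not modelled)."""
    acls: Dict[int, List[Rule]] = {}
    for line in lines:
        t = line.replace("Router(Config)#", "").split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        rule = Rule(t[2], t[3], src, dst, "log" in t[i:], " ".join(t))
        acls.setdefault(int(t[1]), []).append(rule)
    return acls

def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[Rule]]:
    """First-match evaluation; every ACL ends with an implicit 'deny ip any any'."""
    src, dst = ip_to_int(src_ip), ip_to_int(dst_ip)
    for rule in rules:
        if rule.proto in ("ip", proto) and wildcard_match(src, *rule.src) and wildcard_match(dst, *rule.dst):
            return rule.action, rule
    return "deny", None

# Constructed copy of the anti-spoofing list 100 and the egress list 101 (see lead-in
# for the two deliberate differences from the article's text).
ACL_LINES = """
access-list 100 deny ip 192.168.0.0 0.0.0.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 20.20.20.0 0.0.0.255 any log
access-list 100 deny ip 204.152.64.0 0.0.1.255 any log
access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any any log
""".strip().splitlines()

if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    # Constructed test packets (protocol, source, destination): spoofed sources inbound, then egress.
    for proto, src, dst in [("tcp", "127.0.0.1", "192.168.0.10"), ("tcp", "203.0.113.5", "192.168.0.10"),
                            ("udp", "204.152.65.7", "192.168.0.10")]:
        action, rule = evaluate(acls[100], proto, src, dst)
        print(f"ACL 100 {src} -> {dst}: {action} ({rule.text if rule else 'implicit deny'})")
    for src in ("192.168.0.5", "10.1.1.1"):
        action, rule = evaluate(acls[101], "ip", src, "198.51.100.9")
        print(f"ACL 101 {src} egress: {action}{' (logged)' if rule and rule.log else ''}")
```

The wildcard check is where the original 0.0.2.255 mask goes wrong: with the third octet's "care" bits set to 11111101, 204.152.65.x no longer matches (bit 0 of 65 is compared and differs from 64) while 204.152.66.x does, so the line would pass half of the /23 it was meant to block and catch addresses outside it. Paste candidate ACL lines into `ACL_LINES` and run a few representative packets through `evaluate` before applying the list to an interface.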
9. Protection against TCP SYN flooding. For example:
A. Using an access list: only allow established TCP connections in from outside.
Router(Config)# no access-list 106
Router(Config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
Router(Config)# access-list 106 deny ip any any log
Router(Config)# interface eth 0/2
Router(Config-if)# description "external Ethernet"
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 106 in
B. Using TCP Intercept (this places some extra load on the router):
Router(Config)# ip tcp intercept list 107
Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
Router(Config)# access-list 107 deny ip any any log
Router(Config)# interface eth0
Router(Config-if)# ip access-group 107 in
10. Defense against the Land attack (packets whose source and destination are both the router's own interface address).
Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
Router(Config)# access-list 107 permit ip any any
Router(Config)# interface eth 0/2
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 107 in
11. Defense against Smurf attacks: block packets addressed to the broadcast and network addresses of the internal subnet.
Router(Config)# access-list 108 deny ip any host 192.168.1.255 log
Router(Config)# access-list 108 deny ip any host 192.168.1.0 log
12. Security configuration of the ICMP protocol. For inbound ICMP, block echo (ping), redirect, and mask-request messages, and also block inbound TraceRoute probes. For outbound ICMP, allow echo, parameter-problem, and packet-too-big messages, and allow outbound TraceRoute.
! Inbound ICMP control
Router(Config)# access-list 110 deny icmp any any echo log
Router(Config)# access-list 110 deny icmp any any redirect log
Router(Config)# access-list 110 deny icmp any any mask-request log
Router(Config)# access-list 110 permit icmp any any
! Outbound ICMP control
Router(Config)# access-list 111 permit icmp any any echo
Router(Config)# access-list 111 permit icmp any any parameter-problem
Router(Config)# access-list 111 permit icmp any any packet-too-big
Router(Config)# access-list 111 permit icmp any any source-quench
Router(Config)# access-list 111 deny icmp any any log
! Inbound TraceRoute control (UDP probe ports)
Router(Config)# access-list 112 deny udp any any range 33400 34400
! Outbound TraceRoute control
Router(Config)# access-list 112 permit udp any any range 33400 34400
13. Prevention of DDoS (Distributed Denial of Service).
! The TRINOO DDoS system
Router(Config)# access-list 113 deny tcp any any eq 27665 log
Router(Config)# access-list 113 deny udp any any eq 31335 log
Router(Config)# access-list 113 deny udp any any eq 27444 log
! The Stacheldraht DDoS system
Router(Config)# access-list 113 deny tcp any any eq 16660 log
Router(Config)# access-list 113 deny tcp any any eq 65000 log
! The TrinityV3 System
Router(Config)# access-list 113 deny tcp any any eq 33270 log
Router(Config)# access-list 113 deny tcp any any eq 39168 log
! The SubSeven DDoS system and some Variants
Router(Config)# access-list 113 deny tcp any any range 6711 6712 log
Router(Config)# access-list 113 deny tcp any any eq 6776 log
Router(Config)# access-list 113 deny tcp any any eq 6669 log
Router(Config)# access-list 113 deny tcp any any eq 2222 log
Router(Config)# access-list 113 deny tcp any any eq 7000 log
14. Enabling SSH and abandoning Telnet is recommended. SSH is only available in IOS images with the IPsec (crypto) feature set, and IOS 12.0 through 12.2 support only SSH version 1. Set the hostname and ip domain-name before generating the key pair, since the key name is derived from them. The following example configures the SSH service:
Router# config t
Router(Config)# no access-list 22
Router(Config)# access-list 22 permit 192.168.0.22
Router(Config)# access-list 22 deny any
Router(Config)# username BluShin privilege 10 password G00dPa55w0rd
! Set the SSH timeout and the number of login attempts
Router(Config)# ip ssh timeout 90
Router(Config)# ip ssh authentication-retries 2
Router(Config)# line vty 0 4
Router(Config-line)# access-class 22 in
Router(Config-line)# transport input ssh
Router(Config-line)# login local
Router(Config-line)# exit
! Enable the SSH service by generating an RSA key pair.
Router(Config)# crypto key generate rsa
The name for the keys will be:
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 2048
Generating RSA Keys...