
IOS Harden Template

Here's a template I use for Cisco IOS routers. It collects basic security best practices for IOS covering access authentication, logging, and system and IP stack tuning to harden the device. Not included are ACLs and CBAC firewall configs (saving those for another post).

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber

warm-reboot count 50
logging buffered 64000 debugging
no logging console

aaa new-model
aaa authentication login default local
aaa authorization exec default local
!****remember to set a user*****

clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
no ip gratuitous-arps
ip options drop
ip cef
ip tcp synwait-time 10

ip dhcp bootp ignore
no ip bootp server
ip port-map ssh port tcp

login block-for 120 attempts 5 within 60
login delay 3
login on-failure log
login on-success log

memory reserve critical 2048
memory free low-watermark processor 4096
memory free low-watermark IO 4096

archive
log config
logging enable

ip tcp path-mtu-discovery

!****set your domain name here; RSA key generation needs it*****
ip domain name <your-domain>
crypto key generate rsa modulus 4096
ip ssh time-out 60
!****pick the TCP port SSH listens on for rotary group 1*****
ip ssh port <port> rotary 1
ip ssh version 2

buffers tune automatic

!int interface
!--- bandwidth
!--- ip verify unicast source reachable-via rx
!--- no ip redirects
!--- no ip proxy-arp
!--- ip route-cache flow

no ip forward-protocol nd
no ip http server
no ip http secure-server

logging history size 500
no cdp run

banner login ^C
* Unauthorized access prohibited
^C

line con 0
no modem enable
line aux 0
exec-timeout 0 1
no exec
transport output none
line vty 0 4
exec-timeout 10
logging synchronous
rotary 1
transport preferred none
transport input ssh

! Use interval only if allocate isn't supported
scheduler allocate 3000 1000
!scheduler interval 1000
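As an added example (not part of the original post), here is a small Python audit that reads a saved `show running-config` and reports which of this template's explicit hardening commands are absent, including the entries that must sit under `line aux 0` and `line vty 0 4`; the config fragment inside it is constructed for illustration.

```python
# Global-mode commands from the template, matched verbatim against the config.
GLOBAL_REQUIRED = [
    "no service pad", "service password-encryption", "no ip source-route",
    "no ip gratuitous-arps", "ip options drop", "no ip bootp server",
    "no ip http server", "no ip http secure-server", "no cdp run",
    "ip ssh version 2", "login on-failure log", "login on-success log",
]
# Commands expected inside a line section: section header -> commands.
SECTION_REQUIRED = {
    "line aux 0": ["no exec", "transport output none"],
    "line vty 0 4": ["exec-timeout 10", "transport input ssh"],
}

def parse_config(text):
    """Split a config into top-level commands and indented sub-mode commands."""
    top, sections, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                                # blanks and ! comments
        if raw[0] in " \t" and current is not None:
            sections[current].add(raw.strip())      # inside the open section
        else:
            current = raw.strip()
            top.add(current)
            sections.setdefault(current, set())
    return top, sections

def audit(text):
    """Return the template commands absent from the config, in template order."""
    top, sections = parse_config(text)
    missing = [cmd for cmd in GLOBAL_REQUIRED if cmd not in top]
    for header, cmds in SECTION_REQUIRED.items():
        present = sections.get(header, set())
        missing += [f"{header}: {c}" for c in cmds if c not in present]
    return missing
# Constructed sample fragment (not a real device config) for demonstration.
SAMPLE_CONFIG = """\
service password-encryption
no ip source-route
no ip http server
ip http secure-server
no cdp run
line aux 0
 no exec
line vty 0 4
 exec-timeout 10
 transport input ssh
"""
if __name__ == "__main__":
    for item in audit(SAMPLE_CONFIG):   # prints the to-check list
        print("missing:", item)
```

Commands sitting at their default value are omitted from `show running-config`, so the audit only credits what the config states explicitly; treat its output as a to-check list rather than proof of misconfiguration.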
