Securing IOS/IOS-XE Devices

Global config snippets to secure typical IOS devices;

! More accurate logging
service timestamps log datetime show-timezone localtime year msec
service timestamps debug datetime show-timezone localtime year msec

! Set the time zone and account for day-light savings
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00

! Configure NTP sources
ntp source Loopback10 ! Lock to interface inside management VRF
ntp logging
ntp update-calendar
ntp server
ntp server prefer
! Lock down NTP updates and queries
access-list 60 remark DENY-NTP-QUERIES
access-list 60 deny any

access-list 65 remark OUR-NTP-SERVERS
access-list 65 permit
access-list 65 permit

ntp access-group query-only 60
ntp access-group serve 60
ntp access-group serve-only 60
ntp access-group peer 65 R1# *Oct 22 11:00:19.147: NTP message received from on interface 'FastEthernet0/0' ( *Oct 22 11:00:19.147: NTP Core(DEBUG): ntp_receive: message received *Oct 22 11:00:19.147: NTP Core(NOTICE): ntp_receive: dropping message: restricted.
! Disable NTP packets on customer interfaces
ntp disable
! Disable unused services
no ip bootp server
no ip domain-lookup
no ip device tracking
no ip gratuitous-arps no ip http server no ip http secure-server no ip identd no ip source-route no service dhcp no service finger no service pad no service tcp-small-servers no service udp-small-servers
no ip forward-protocol nd
no ip forward-protocol udp
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! Disable IP device tracking on switches
no nmsp enable ! Disable IPDT globally
! nmsp attachment suppress ! to disable by interface

! Disable clusting and stacking protocols (on Catalyst switches)
no cluster run
no vstack
! Configure TCP keepalive checks service tcp-keepalives-in service tcp-keepalives-out ! Encrypt passwords on the router config service password-encryption ! No AAA here, its a seperate subject of it's own ! Log successful and unsuccessful login attempts login on-failure log login on-success log ! Use SSH v2 crypto key generate rsa modu 4096 ! 2048 for older clients
ip ssh dh min size 4096 ! 2048 for older putty versions ip ssh version 2 ip ssh timeout 60 ! Might be "time-out" on some platforms ip ssh authentication-retries 3 !ip ssh source-interface Loopback10 ! Lock to interface in management VRF
ip ssh logging events
! Disable insecure ciphers like CBC:
ip ssh server algorithm encryption aes256-ctr ! Only from IOS 15.5(2)
ip ssh server algorithm mac hmac-sha1 ! Only from IOS 15.5(2)
! Enable logging to a remote syslog server logging source-interface Loopback10 ! Lock to interface in management VRF logging
! Limit SNMP with an access-list
access-list 55 remark SNMP ACCESS
access-list 55 permit
snmp-server community c0mmun1t7 RO 55

! Use a TACACS server if using AAA
tacacs-server host
tacacs-server directed-request
tacacs-server key 7 lalalalala
! ip tacacs source-interface Loopback10 ! Lock to interface in management VRF

! Add login and MOTD banners
banner login ^C
You are attempting to connect to a privately managed device
If you are not an authorised user DISCONNECT IMMEDIATELY


banner motd ^C
You are attempting to connect to a rivately managed device
If you are not an authorised user DISCONNECT IMMEDIATELY

! Enable session time outs and exec mode time outs for console line
line con 0
 session-timeout 15 
 exec-timeout 15 0

! Disable the AUX port
line aux 0
 exec-timeout 0 1
 no exec
 no password
 transport input none
 transport output none

! Enable session timeouts and exec mode timeouts for vty lines, also limit to SSH and enabled a password of abc123 for login (if not using AAA), limit to access-list SECURE-VTY

ip access-list extended SECURE-VTY
 permit tcp any eq 22
 deny   ip any any

line vty 0 4
 session-timeout 15
 access-class SECURE-VTY in vrf-also
 exec-timeout 15 0
 password abc123 ! Not needed if using AAA
 logging synchronous
 transport input ssh

Interface specifc config snippets to secure typical IOS devices;

interface xxx
 ntp disable
 no cdp enable
 no ip directed-broadcast
no keepalive no ip proxy-arp no ip redirects no ip unreachables no ip mask-reply
 no lldp receive
 no lldp transmit
no mop enable ! Probably not supported anymore
switchport nonegotiate ! For old devices which will sent DTP without
no vtp ! For older VTP enabled ports such as a 6500
ipv6 nd ra suppress all
no ipv6 redirects
no ipv6 unreachables
no ipv6 mld router