Date created: Friday, December 27, 2013 12:19:24 PM. Last modified: Thursday, April 28, 2022 7:53:02 AM
Securing IOS/IOS-XE Devices
Global config snippets to secure typical IOS devices:
! More accurate logging
service timestamps log datetime show-timezone localtime year msec
service timestamps debug datetime show-timezone localtime year msec

! Set the time zone and account for daylight savings
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00

! Configure NTP sources
ntp source Loopback10 ! Lock to interface inside management VRF
ntp logging
ntp update-calendar
ntp server 1.1.1.1
ntp server 2.2.2.2 prefer
! Lock down NTP updates and queries
access-list 60 remark DENY-NTP-QUERIES
access-list 60 deny any
access-list 65 remark OUR-NTP-SERVERS
access-list 65 permit 1.1.1.1
access-list 65 permit 2.2.2.2
ntp access-group query-only 60
ntp access-group serve 60
ntp access-group serve-only 60
ntp access-group peer 65

Example debug output when an NTP message from a source not permitted by the access-groups is dropped:
R1#
*Oct 22 11:00:19.147: NTP message received from 192.168.56.2 on interface 'FastEthernet0/0' (192.168.56.35).
*Oct 22 11:00:19.147: NTP Core(DEBUG): ntp_receive: message received
*Oct 22 11:00:19.147: NTP Core(NOTICE): ntp_receive: dropping message: restricted.
! Disable NTP packets on customer interfaces (interface-level command)
ntp disable

! Disable unused services
no ip bootp server
no ip domain-lookup
no ip device tracking
no ip gratuitous-arps
no ip http server
no ip http secure-server
no ip identd
no ip source-route
no service dhcp
no service finger
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip forward-protocol nd
no ip forward-protocol udp
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! Disable IP device tracking on switches
no nmsp enable ! Disable IPDT globally
! nmsp attachment suppress ! to disable by interface
! Disable clustering and stacking protocols (on Catalyst switches)
no cluster run
! Disable Cisco Smart Install
no vstack
! Configure TCP keepalive checks
service tcp-keepalives-in
service tcp-keepalives-out

! Encrypt passwords in the router config
service password-encryption

! No AAA here, it's a separate subject of its own

! Log successful and unsuccessful login attempts
login on-failure log
login on-success log

! Use SSH v2
crypto key generate rsa modulus 4096 ! 2048 for older clients
ip ssh dh min size 4096 ! 2048 for older PuTTY versions
ip ssh version 2
ip ssh timeout 60 ! Might be "time-out" on some platforms
ip ssh authentication-retries 3
!ip ssh source-interface Loopback10 ! Lock to interface in management VRF
ip ssh logging events
! Disable insecure ciphers like CBC:
ip ssh server algorithm encryption aes256-ctr ! Only from IOS 15.5(2)
ip ssh server algorithm mac hmac-sha1 ! Only from IOS 15.5(2)
! Enable logging to a remote syslog server
logging source-interface Loopback10 ! Lock to interface in management VRF
logging 111.111.111.111

! Limit SNMP with an access-list
access-list 55 remark SNMP ACCESS
access-list 55 permit 123.123.123.123
snmp-server community c0mmun1t7 RO 55

! Use a TACACS server if using AAA
tacacs-server host 123.123.123.123
tacacs-server directed-request
tacacs-server key 7 lalalalala
! ip tacacs source-interface Loopback10 ! Lock to interface in management VRF

! Add login and MOTD banners
banner login ^C
You are attempting to connect to a privately managed device
If you are not an authorised user DISCONNECT IMMEDIATELY
^C
banner motd ^C
You are attempting to connect to a privately managed device
If you are not an authorised user DISCONNECT IMMEDIATELY
^C

! Enable session timeouts and exec mode timeouts for the console line
line con 0
session-timeout 15
exec-timeout 15 0

! Disable the AUX port
line aux 0
exec-timeout 0 1
no exec
no password
transport input none
transport output none

! Enable session timeouts and exec mode timeouts for the VTY lines, limit them to SSH,
! set a login password of abc123 (if not using AAA) and restrict access with access-list SECURE-VTY
ip access-list extended SECURE-VTY
permit tcp 192.168.0.0 0.0.0.255 any eq 22
deny ip any any
line vty 0 4
session-timeout 15
access-class SECURE-VTY in vrf-also
exec-timeout 15 0
password abc123 ! Not needed if using AAA
logging synchronous
transport input ssh
Interface-specific config snippets to secure typical IOS devices:
interface xxx
ntp disable
no cdp enable
no ip directed-broadcast
no keepalive
no ip proxy-arp
no ip redirects
no ip unreachables
no ip mask-reply
no lldp receive
no lldp transmit
no mop enable ! Probably not supported anymore
switchport nonegotiate ! For old devices which will send DTP without
no vtp ! For older VTP enabled ports such as a 6500
ipv6 nd ra suppress all
no ipv6 redirects
no ipv6 unreachables
no ipv6 mld router
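As an added example (not part of these notes), a small Python audit that checks a captured `show running-config` against a subset of the global and per-interface lines above; the sample config is constructed, and the two required-line tuples are hypothetical subsets you would extend to match your own baseline.

```python
# Checks only lines that IOS shows in "show running-config" once set; default-off
# services such as "no service finger" are not displayed and so cannot be audited here.
REQUIRED_GLOBAL = (
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "ip ssh version 2",
    "login on-success log",
)
REQUIRED_PER_INTERFACE = ("no ip redirects", "no ip unreachables", "no cdp enable")


def parse_interfaces(config_text):
    # Map each "interface X" stanza to the set of its (stripped) sub-commands
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces


def audit_config(config_text):
    """Return missing global lines and, per routed interface, missing interface lines."""
    top_level = {ln.strip() for ln in config_text.splitlines() if not ln.startswith(" ")}
    findings = {"global": [c for c in REQUIRED_GLOBAL if c not in top_level], "interfaces": {}}
    for name, cmds in parse_interfaces(config_text).items():
        if not any(c.startswith("ip address ") for c in cmds):
            continue  # only routed interfaces get the per-interface checks
        missing = [c for c in REQUIRED_PER_INTERFACE if c not in cmds]
        if missing:
            findings["interfaces"][name] = missing
    return findings


# Constructed sample running-config (not captured from a real device)
SAMPLE_CONFIG = """\
service password-encryption
service tcp-keepalives-in
ip ssh version 2
interface Loopback10
 ip address 10.0.0.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no cdp enable
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
"""
```

Calling `audit_config(SAMPLE_CONFIG)` reports the two missing global lines and the two lines missing from GigabitEthernet0/1; Loopback10 passes.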