Router Security Configuration Guide
UNCLASSIFIED
216
Version 1.0g
the commands no service udp-small-servers and no
service tcp-small-servers to turn these off. [Section 4.2]
§ Finger - the finger daemon. Use the command no service
finger (IOS 11.2 and earlier) or no ip finger (IOS 11.3 and
later). [Section 4.2]
§ NTP - the Network Time Protocol. If NTP is not being employed
for time synchronization, turn it off with no ntp server. NTP
can also be disabled for only a specific interface with the no
ntp enable command. [Sections 4.2, 4.5]
§ BOOTP - the IP bootp server. Turn off this little-used server with
the command no ip bootp server. [Section 4.2]
2. Don't be a Smurf buddy! While the Smurf attack doesn't usually attack
the router itself, a Smurf attack can let an attacker use your network to
launch denial of service raids on other sites; the attacks will appear to
come from you. To prevent this, use the command no ip directed-broadcast on
all interfaces. This may be the default on some recent
versions of IOS, but include it in your configuration explicitly anyway.
[Section 4.2]
Central(config)# interface eth 0/0
Central(config-if)# no ip directed-broadcast
3. Shut down unused interfaces using the shutdown command. Check
them with the show interfaces command. If the router has an auxiliary
console port (aux port) and it is not in use, shut it down as shown below.
[Section 4.1]
Central(config)# interface eth 0/3
Central(config-if)# shutdown
Central(config-if)# exit
Central(config)# line aux 0
Central(config-line)# no exec
Central(config-line)# transport input none
Central(config-line)# exit
4. Always start an access-list definition with the command no access-list
nnn to make sure it starts out clean. [Section 4.3]
East(config)# no access-list 51
East(config)# access-list 51 permit host 14.2.9.6
East(config)# access-list 51 deny any log
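A saved configuration can be checked against items 1 through 3 above (small servers, finger and bootp disabled; no ip directed-broadcast on every live interface; unused interfaces and the aux port shut down). The Python audit below is an added example, not part of the guide: it parses show running-config text using the command spellings on this page, treats an interface with no ip address that is not shut down as a likely unused interface (a heuristic), skips NTP because item 1 makes that conditional, and runs on a constructed sample configuration.

```python
GLOBAL_EXPECTED = ("no service udp-small-servers",  # item 1: unneeded servers
                   "no service tcp-small-servers", "no ip bootp server")
FINGER_EXPECTED = ("no service finger", "no ip finger")  # either form, by IOS version
AUX_EXPECTED = ("no exec", "transport input none")       # item 3, under 'line aux 0'
def parse_config(text):
    """Split 'show running-config' output into global lines and indented sections."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            sections[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, sections
def audit(text):
    """Return findings for items 1-3; an empty list means every check passed."""
    globals_, sections = parse_config(text)
    findings = [f"missing global: {c}" for c in GLOBAL_EXPECTED if c not in globals_]
    if not any(c in globals_ for c in FINGER_EXPECTED):
        findings.append("missing global: no service finger / no ip finger")
    for header, body in sections.items():
        if header.startswith("interface ") and "shutdown" not in body:
            if "no ip directed-broadcast" not in body:  # item 2
                findings.append(f"{header}: missing no ip directed-broadcast")
            if not any(x.startswith("ip address ") for x in body):  # item 3 heuristic
                findings.append(f"{header}: no ip address yet not shut down")
        elif header == "line aux 0":
            findings.extend(f"{header}: missing {c}" for c in AUX_EXPECTED if c not in body)
    return findings
# Constructed sample config (not from the guide); several items are deliberately absent.
SAMPLE_CONFIG = """\
service tcp-small-servers
no ip bootp server
no ip finger
interface Ethernet0/0
 ip address 14.2.9.1 255.255.255.0
 no ip directed-broadcast
interface Ethernet0/1
 ip address 14.2.10.1 255.255.255.0
line aux 0
 no exec
"""
```

Calling audit(SAMPLE_CONFIG) reports the two missing small-server commands, the directed-broadcast gap on Ethernet0/1 and the missing transport input none on the aux line, while the compliant Ethernet0/0 produces nothing.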
5. Log access list port messages properly. For reasons of efficiency, Cisco
IOS doesn't look at an entire packet header unless it has to. If packets are
rejected by an access list filter for other reasons, the log message will
often list the packet as using port 0. To prevent this from happening,
instead of the usual logging access list command (such as access-list
106 deny ip any any log), use the special port range arguments
shown below.