
UNCLASSIFIED  Appendices  Version 1.0g

    North(config)# access-list 107 deny ip 127.0.0.1 0.0.0.255 any log
    North(config)# ! block multicast
    North(config)# access-list 107 deny ip 224.0.0.0 0.0.255.255 any
    North(config)# ! block broadcast
    North(config)# access-list 107 deny ip host 0.0.0.0 any log
    North(config)# ! block ICMP redirects
    North(config)# access-list 107 deny icmp any any redirect log
       .
       .
    North(config)# interface eth 0/0
    North(config-if)# ip access-group 107 in

13.  Block incoming packets that claim to have the same destination and source address (i.e. a ‘Land’ attack on the router itself).  Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below (part of the configuration file for router East).  [Section 4.3]

    no access-list 102
    access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log
    access-list 102 permit ip any any
    interface Eth 0/0
     ip address 14.2.6.250 255.255.255.0
     ip access-group 102 in

14.  Prevent the router from unexpectedly forwarding packets with no clear route by using the global configuration command no ip classless.  [Section 4.2]

15.  Proxy ARP is used to set up routes on the fly for internal hosts or subnets and may reveal internal addresses.  Disable it by applying the command no ip proxy-arp to each external interface.  If proxy ARP is not needed, disable it on all interfaces.  [Section 4.2]

    Central(config)# interface eth 0/0
    Central(config-if)# no ip proxy-arp

16.  Except on the rarely-seen Cisco 1000 series routers, the HTTP server is off by default.  To be safe, however, include the command no ip http server in all router configurations.  [Section 4.2]

17.  To disable the use of subnetting with a zero subnet address (which is confusing and illegal), include the command no ip subnet-zero in all router configurations.

18.  So that the complete date and time are stamped onto entries in the router's buffered log, use the global configuration command service timestamps as shown in the example below.  [Section 4.5]
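Added example, not part of the guide and not the service timestamps example that item 18 refers to: a small Python audit that checks a saved router configuration against checklist items 13 to 17 above. It assumes running-config layout (interface sub-commands indented by a space), numbered access lists, and the IOS spelling no ip proxy-arp; the sample configuration is constructed for illustration.

```python
import re

# Constructed sample config (not from the guide): Ethernet0/0 follows items
# 13 and 15; Ethernet0/1 and the missing "no ip subnet-zero" should be flagged.
SAMPLE = """\
no ip classless
no ip http server
access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log
access-list 102 permit ip any any
interface Ethernet0/0
 ip address 14.2.6.250 255.255.255.0
 ip access-group 102 in
 no ip proxy-arp
!
interface Ethernet0/1
 ip address 14.2.9.250 255.255.255.0
"""

GLOBAL_CHECKS = {14: "no ip classless", 16: "no ip http server",
                 17: "no ip subnet-zero"}

def audit(config):
    """Return sorted (checklist item, finding) pairs for items 13-17."""
    lines = [l.rstrip() for l in config.splitlines()]
    flat = {" ".join(l.split()) for l in lines}  # whitespace-normalised lines
    findings = [(n, f"missing global command: {cmd}")
                for n, cmd in GLOBAL_CHECKS.items() if cmd not in flat]
    blocks, current = {}, None  # interface name -> its indented sub-commands
    for l in lines:
        if l.startswith("interface "):
            current = l.split(None, 1)[1]
            blocks[current] = []
        elif l.startswith(" ") and current:
            blocks[current].append(" ".join(l.split()))
        else:
            current = None
    for name, body in blocks.items():
        # Item 15, strict reading: proxy ARP disabled on every interface.
        if "no ip proxy-arp" not in body:
            findings.append((15, f"{name}: proxy ARP not disabled"))
        addr = next((m[1] for b in body if (m := re.match(r"ip address (\S+) ", b))), None)
        acl = next((m[1] for b in body if (m := re.match(r"ip access-group (\d+) in$", b))), None)
        if addr is None:
            continue
        # Item 13: the inbound ACL must deny source == destination == own address.
        rule = re.compile(rf"access-list {acl} deny ip host {re.escape(addr)} "
                          rf"host {re.escape(addr)}\b")
        if acl is None or not any(rule.match(l) for l in flat):
            findings.append((13, f"{name}: no inbound Land rule for {addr}"))
    return sorted(findings)
```

Calling audit(SAMPLE) reports Ethernet0/1 for items 13 and 15 and the missing global command for item 17; an empty list means the configuration satisfies all five items as checked here.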