Cisco IOS Security Template

This document provides steps to securely configure a Cisco router by setting secure passwords, restricting access to specific interfaces and services, enabling logging and SSH, and adding appropriate device login banners. The key configuration steps include: 1. Setting strong enable and user passwords, encrypting passwords in configuration files, and configuring local user authentication. 2. Restricting console, AUX, and VTY access to SSH only from trusted hosts using access control lists, and disabling login on the AUX port. 3. Configuring detailed system logging to internal buffers and a syslog server, setting timestamps and source interface, and synchronizing to an authenticated NTP server. 4. Restricting SNMP, HTTP, and other

Uploaded by shankerunr
Copyright: Attribution Non-Commercial (BY-NC)

Cisco Router Security Template

Configuring Secure Passwords


1. Configure the enable secret

router (config)# enable secret <enable-secret>

If both an enable password and an enable secret are configured, the secret takes precedence.
Do not rely on enable password at all: it is stored in clear text or, at best, with the
reversible type 7 encoding, whereas enable secret is stored as a one-way hash.

2. Configure local database of users

router (config)# username <username> secret <username-secret>

Give each user an individual account and secret. Shared (group) accounts make it impossible to
attribute an action to a person, which defeats the audit trail configured later in this template.

3. Ensure passwords in configuration files are not stored in clear text

router (config)# service password-encryption

Note what this command does and does not do. It applies the "type 7" encoding to line and
username passwords and to other keys that would otherwise appear in clear text. Type 7 is a
reversible obfuscation that anyone holding a copy of the configuration can undo in seconds; it
protects against shoulder-surfing, not against a leaked configuration file. Wherever IOS offers a
secret form (enable secret, username ... secret) use it, and protect configuration backups as
carefully as the secrets themselves.
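To make the limitation of service password-encryption concrete, the following Python implements the type 7 encoding in both directions and then recovers every type 7 value from a configuration. This is an added example and not part of the original template; the key table is the fixed one IOS uses, and the sample configuration lines (user name, TACACS key, placeholder type 5 hash) are constructed for the example.

```python
# Added example, not from the original template: the "type 7" encoding that
# service password-encryption applies, implemented in both directions to show
# it is a reversible obfuscation rather than a hash.  The key table is the
# fixed one IOS uses; the sample configuration lines are constructed.
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7_LINE_RE = re.compile(r"\b(?:password|key|key-string) 7 ([0-9A-Fa-f]{4,})\b")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Produce what IOS stores: two decimal digits giving the start offset
    into TYPE7_KEY, then each plaintext byte XORed with successive key bytes."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext; no secret is needed, only the public key table."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode()


def find_type7_secrets(config: str):
    """Return (config line, recovered plaintext) for every type-7 value,
    which is the first thing an attacker with a copy of the config does."""
    found = []
    for line in config.splitlines():
        m = TYPE7_LINE_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample: the enable password value is the classic "cisco" vector.
SAMPLE_CONFIG = (
    "service password-encryption\n"
    "enable password 7 094F471A1A0A\n"
    f"username ops password 7 {type7_encode('Op5-Acc3ss', 4)}\n"
    f"tacacs-server key 7 {type7_encode('tacacs-shared', 11)}\n"
    "enable secret 5 $1$salt$placeholderhashvalue\n"
)

if __name__ == "__main__":
    for line, plain in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line:45} -> {plain}")
```

The enable secret line is left alone by the scanner because a type 5 value is a salted hash, not an encoding; that difference is the whole reason this template prefers the secret forms.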

Configuring Console, AUX Port and VTY Access

1. Configure the console interface with local database authentication and a timeout of 5 minutes

router (config)# line console 0
router (config-line)# login local
router (config-line)# exec-timeout 5 0
router (config-line)# transport input none

On later IOS releases transport input none is already the default for the console line and
does not need to be configured there.

2. Enable SSH connectivity

The router needs a host name and a domain name (hostname and ip domain-name) before it can
generate an RSA key pair. Then generate the key with the command: crypto key generate rsa.
Note that this is a global configuration command, not an EXEC command. A longer key is harder
to brute-force, so use a modulus of at least 2048 bits; 1024-bit RSA is no longer considered
adequate. Also restrict the router to SSH protocol version 2 (ip ssh version 2), since version 1
has known protocol weaknesses.

3. Configure a filter to allow only the trusted hosts to have SSH access. Every attempt, permitted
or denied, is logged; the log-input keyword records the ingress interface and source MAC address
as well as the addresses, so there is an audit trail of all access to the router.

router (config)# access-list 103 remark SSH Access ACL
router (config)# access-list 103 permit tcp host <trusted host 1> any eq 22 log-input
router (config)# access-list 103 permit tcp host <trusted host 2> any eq 22 log-input
router (config)# access-list 103 deny ip any any log-input

4. Configure the VTY ports with local database authentication, a timeout of 5 minutes and to only
allow SSH from specific IP addresses. Apply this to every VTY line the platform has (many have
lines 0 to 15, not just 0 to 4); any line left out remains reachable with the defaults.

router (config)# line vty 0 4
router (config-line)# login local
router (config-line)# access-class 103 in
router (config-line)# transport input ssh
router (config-line)# exec-timeout 5 0

5. Disable login on AUX port

router (config)# line aux 0
router (config-line)# login local
router (config-line)# no password
router (config-line)# transport input none
router (config-line)# no exec
router (config-line)# exec-timeout 0 1

The protection here is layered. no exec prevents an EXEC shell from ever starting on the line,
transport input none refuses incoming connections, and exec-timeout 0 1 drops any session within
a second. Configuring login local with no line password means that, even if those settings were
later reverted, the line would demand a local user account rather than accept a plain line
password. Do not use no login: that removes password checking altogether and lets anyone
attached to the port in.
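The ACL above records every SSH attempt with log-input, and the login subsystem records each success and failure; the "Configuring Logging" section that follows ships those messages to a syslog server. As an added example that is not part of the original template, the Python below parses IOS syslog lines of that kind and raises alerts for repeated failures from one source, a success following them, and configuration changes, while summarising ACL denies per source, ACL and port. The sample lines are constructed for this example (addresses, user name, interface and MAC are made up); the message layouts follow the %FACILITY-SEVERITY-MNEMONIC convention IOS uses.

```python
# Added example, not from the original template: detection logic over IOS
# syslog output of the kind the ACL 'log-input' keyword and the login
# subsystem produce.  Every line in SAMPLE_LOG is constructed for this
# example; addresses, user names, interface and times are made up.
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
ACL_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>[0-9a-f.]+)\))?"   # present only with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

SAMPLE_LOG = [
    "*Jan  5 12:00:01.101 GMT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(43210) (GigabitEthernet0/0 0011.2233.4455) -> 10.255.0.1(22), 1 packet",
    "*Jan  5 12:00:02.204 GMT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 198.51.100.7(43211) (GigabitEthernet0/0 0011.2233.4455) -> 10.255.0.1(22), 1 packet",
    "*Jan  5 12:00:10.330 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:10 GMT Fri Jan 5 2024",
    "*Jan  5 12:00:14.002 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:14 GMT Fri Jan 5 2024",
    "*Jan  5 12:00:19.871 GMT: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed] at 12:00:19 GMT Fri Jan 5 2024",
    "*Jan  5 12:00:25.510 GMT: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.1.1.5] [localport: 22] at 12:00:25 GMT Fri Jan 5 2024",
    "*Jan  5 12:01:02.000 GMT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)",
]


def parse_syslog(line):
    """Return facility/severity/mnemonic/text for one IOS syslog line, or None."""
    m = SYSLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def analyse(lines, fail_threshold=3):
    """Walk the log once; return failure counts, ACL deny counts and alerts."""
    failures, denies, alerts = Counter(), Counter(), []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        key = f"{rec['facility']}-{rec['mnemonic']}"
        if key in ("SEC_LOGIN-LOGIN_FAILED", "SEC_LOGIN-LOGIN_SUCCESS"):
            m = LOGIN_RE.search(rec["text"])
            if m is None:
                continue
            src, user = m["src"], m["user"]
            if key.endswith("FAILED"):
                failures[src] += 1
                if failures[src] == fail_threshold:          # alert once per source
                    alerts.append(f"brute-force: {fail_threshold} failed logins from {src}")
            elif failures[src] >= fail_threshold:            # success after a burst of failures
                alerts.append(f"success after {failures[src]} failures from {src} (user {user})")
        elif key == "SEC-IPACCESSLOGP":
            m = ACL_RE.search(rec["text"])
            if m is not None and m["action"] == "denied":
                denies[(m["src"], m["acl"], m["dport"])] += 1
        elif key == "SYS-CONFIG_I":
            alerts.append(f"config change: {rec['text']}")
    return {"failures": dict(failures), "denies": dict(denies), "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT", alert)
    for (src, acl, port), n in result["denies"].items():
        print(f"DENY  {src} -> port {port} by ACL {acl}: {n}")
```

Because the router's clock is synchronised and stamped with a time zone (steps 1, 3 and 6 of the logging section), the "at 12:00:10 GMT" inside the login messages and the syslog server's own receive time can be compared directly when reconstructing an incident.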

Configuring Logging

1. Configure good timestamps in the logs

router (config)# service timestamps debug datetime msec show-timezone localtime


router (config)# service timestamps log datetime msec show-timezone localtime

2. Configure fallback local logging as backup to syslog server and do not log anything to console
to save CPU cycles

router (config)# logging buffered 16384 debugging


router (config)# no logging console
3. Set the proper timezone. Note that it is good to standardize on one timezone for all routers
to simplify problem tracking.

router (config)# clock timezone GMT 0

4. Configure the loopback0 interface as the source of our log messages. This is often used for
routing protocols as well. Select an IP address that uniquely identifies this router. One trick is to
allocate a private address space subnet for use to provide addresses for loopback interfaces.

router (config)# int loopback0
router (config-if)# ip address 10.192.168.X 255.255.255.255
router (config-if)# no ip redirects
router (config-if)# no ip unreachables
router (config-if)# no ip proxy-arp
router (config-if)# no ip directed-broadcast

5. Configure the syslog logging host and capture all of the logging output with FACILITY LOCAL5.

router (config)# logging trap debugging
router (config)# logging facility local5
router (config)# logging source-interface loopback0
router (config)# logging <IP address of syslog server>

Test logging by connecting to the router, and by a deliberately failed login from an address
the ACL does not permit. Check the local buffer with the command: show logging, and confirm
that the same messages arrive at the syslog server.

6. Synchronize the clocks with a local (trusted and authenticated) NTP server. NTP
authentication is symmetric: the key number and key string configured here must be the same on
the router and on the NTP server. The key must also be marked trusted and named on the server
statement; without both of those the router accepts the server without authenticating it.

router (config)# ntp authentication-key 6767 md5 <key>
router (config)# ntp trusted-key 6767
router (config)# ntp authenticate
router (config)# ntp update-calendar
router (config)# ntp server <IP address of NTP server> key 6767
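What the shared key actually does on the wire is easy to show. The following Python is an added example, not part of the original template: it builds a minimal NTPv4 client packet, appends the authenticator the way a client with a configured key does (key identifier followed by MD5 over key and packet, as specified for NTPv4 in RFC 5905), and verifies it the way the server does. The key identifier 6767 is taken from the template; the key string, timestamp and packet contents are constructed for the example.

```python
# Added example, not from the original template: the symmetric-key
# authentication that "ntp authentication-key 6767 md5 <key>" configures,
# as defined for NTPv4 (RFC 5905): MAC = key id || MD5(key || packet).
# The packet contents and key strings below are constructed for this example.
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16            # 32-bit key identifier + 128-bit MD5 digest


def build_client_packet(transmit_seconds: int) -> bytes:
    """Minimal NTPv4 client request: LI=0, VN=4, mode=3, every field zero
    except the transmit timestamp (seconds since 1900, fraction 0)."""
    first = (0 << 6) | (4 << 3) | 3                  # 0x23
    body = bytes([first]) + b"\x00" * 39             # stratum .. receive timestamp
    return body + struct.pack("!II", transmit_seconds, 0)


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the 20-byte authenticator an NTP client with a configured key sends."""
    digest = hashlib.md5(key + packet).digest()      # key is prepended to the packet
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, trusted_keys: dict) -> bool:
    """Server-side check: the key id must be known and trusted and the digest
    recomputed with that key must match.  A wrong key string, an unknown key
    id, a missing MAC or an altered packet are all rejected."""
    if len(message) != NTP_HEADER_LEN + MAC_LEN:
        return False
    packet = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = message[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + packet).digest(), digest)


# Constructed demonstration: key 6767 shared correctly, then three failure modes.
SERVER_KEYS = {6767: b"example-shared-key"}
PACKET = build_client_packet(3_900_000_000)
GOOD = append_mac(PACKET, 6767, b"example-shared-key")
WRONG_KEY = append_mac(PACKET, 6767, b"typo-in-key")
UNKNOWN_ID = append_mac(PACKET, 42, b"example-shared-key")
TAMPERED = bytes([GOOD[0]]) + b"\x01" + GOOD[2:]      # stratum altered after signing

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("wrong key", WRONG_KEY),
                      ("unknown key id", UNKNOWN_ID), ("tampered", TAMPERED)]:
        print(f"{name:15} accepted={verify_mac(msg, SERVER_KEYS)}")
```

The check is a shared-secret MAC, not a signature: anyone who holds the key string can forge time for the router, which is why the key belongs in the same class of secret as the enable secret and should be rotated if a configuration leaks.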

Secure SNMP Access

1. Configure the filter which only allows SNMP access to specific hosts

router (config)# access-list 20 remark SNMP ACL
router (config)# access-list 20 permit <IP Address of SNMP server>
router (config)# access-list 20 deny any log

2. Configure SNMP to have READ-ONLY access and treat the COMMUNITY string as a password -
keep it difficult to guess.

router (config)# snmp-server community <COMMUNITY-string> RO 20

The community string travels in clear text in every SNMPv1/v2c packet, so the ACL is the only
real control here; anyone who can sniff the management path learns the string. Never configure a
read-write (RW) community on a hardened router, and prefer SNMPv3 with authentication and
privacy (see the SNMPv3 example later in this document) where the management station supports it.

Secure HTTP Access

1. Disable the http server(s) if they are never used

router (config)# no ip http server
router (config)# no ip http secure-server

2. If web management is genuinely required, keep only the HTTPS server and restrict access to
known management stations

router (config)# access-list 60 permit <IP address>
router (config)# access-list 60 deny any
router (config)# ip http access-class 60

Disable All Unused Access Capabilities and Services


1. Disable the Cisco Discovery Protocol (CDP). CDP advertises a device's name, platform,
software version and addresses to directly connected neighbours, which is exactly the information
an attacker wants for reconnaissance. Disable it on every interface that faces an untrusted
network, and globally unless an internal management tool depends on it.

It can be disabled globally:

router (config)# no cdp run

Or, it can be disabled per interface:

router (config)# int <interface-name>


router (config-if)#no cdp enable

2. Disable services which can be used for reconnaissance attempts or other attacks:

router (config)# no service pad


router (config)# no ip finger
router (config)# no ip bootp server
router (config)# no ip domain-lookup

3. Disable services which can be used for malicious behavior. Source routing is a global setting,
not an interface one; proxy ARP and ICMP mask replies are disabled per interface:

router (config)# no ip source-route
router (config)# int <interface-name>
router (config-if)# no ip proxy-arp
router (config-if)# no ip mask-reply
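Checking a saved configuration against the requirements in the password, line access, SNMP, HTTP and service sections above is mechanical, so here is an added Python audit script that does it (not part of the original template). It parses the configuration into top-level commands and indented sections, flags the weak settings this template warns about, and is run against a weak and a hardened configuration; both configurations are constructed for the example, and the hostname, addresses, community strings and the type 5 hash value are made up.

```python
# Added example, not from the original template: audit a saved IOS config
# against the checks in the password, line access, SNMP, HTTP and service
# sections above.  Both configs are constructed for this example; hostname,
# addresses, community strings and the type-5 hash value are made up.
import re

WEAK_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$salt$placeholderhashvalue
enable password 7 094F471A1A0A
ip http server
snmp-server community public RO
snmp-server community private RW 20
!
line aux 0
 no exec
 transport input none
line vty 0 4
 login local
 transport input telnet ssh
 exec-timeout 0 0
!
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 5 $1$salt$placeholderhashvalue
no cdp run
no ip source-route
no ip http server
no ip http secure-server
snmp-server community Xk9-readonly RO 20
!
line aux 0
 no exec
 transport input none
line vty 0 4
 login local
 access-class 103 in
 transport input ssh
 exec-timeout 5 0
!
"""

SNMP_RE = re.compile(r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$")


def parse_config(text):
    """Split a config into top-level commands plus, per section header such
    as 'line vty 0 4', its indented sub-commands ('!' or a blank line closes one)."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif not raw.startswith(" "):
            current = raw.rstrip()
            top.append(current)
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return top, sections


def audit_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption is not set")
    if not any(t.startswith("enable secret ") for t in top):
        findings.append("global: no enable secret configured")
    if any(t.startswith("enable password ") for t in top):
        findings.append("global: enable password present (clear text or reversible type 7)")
    if "ip http server" in top:
        findings.append("global: clear-text HTTP server enabled")
    if "no cdp run" not in top:
        findings.append("global: CDP enabled (add 'no cdp run')")
    if "no ip source-route" not in top:
        findings.append("global: IP source routing enabled (add 'no ip source-route')")
    for t in top:                                    # SNMP communities
        m = SNMP_RE.match(t)
        if m:
            community, mode, acl = m.groups()
            if mode == "RW":
                findings.append(f"snmp: community '{community}' grants read-write access")
            if acl is None:
                findings.append(f"snmp: community '{community}' is not restricted by an ACL")
    for header, sub in sections.items():             # VTY and AUX lines
        if header.startswith("line vty"):
            transport = next((s for s in sub if s.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{header}: '{transport or 'transport input (platform default)'}'"
                                " (expected 'transport input ssh')")
            if not any(s.startswith("access-class ") and s.endswith(" in") for s in sub):
                findings.append(f"{header}: no inbound access-class")
            if not any(s.startswith(("login local", "login authentication")) for s in sub):
                findings.append(f"{header}: not using local or AAA authentication")
            if "exec-timeout 0 0" in sub:
                findings.append(f"{header}: exec-timeout disabled")
        elif header.startswith("line aux") and "no exec" not in sub:
            findings.append(f"{header}: EXEC not disabled (add 'no exec')")
    return findings


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FAIL", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The checks are deliberately literal string matches on the form IOS writes to the running configuration (for example, a disabled HTTP server appears as no ip http server, and a CDP default of "on" leaves no line at all), which is why the absence of a negating line is treated as a finding.
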
Create Appropriate Device Login Banners

1. Login banner

The character typed after banner login is the delimiter; the banner ends at its next occurrence,
so it must not appear in the banner text. Keep the banner to a legal warning and do not reveal
the device model, IOS version, owner or location.

router (config)# banner login $
Enter TEXT message. End with the character '$'.
Warning !!!
Access to this device is prohibited without express written permission. All access is
logged. Violators will be prosecuted to the fullest extent of both civil and criminal law.
$

2. Information to users

router (config)# banner exec $
Enter TEXT message. End with the character '$'.
IMPORTANT Information
Please be careful with the commands you issue in this
mode. Take a backup of any configuration changes before writing
them to the router.
$
logging console 7

which will display the logs of Cisco user login in the

ip cef (Cisco Express Forwarding) -> for making fast forwarding

Generally there are no adverse side effects from enabling CEF.

The main one to watch out for is that certain debugging will not work
for packets that are fast switched. I have spent many unhappy hours
struggling unsuccessfully to get the information that I wanted before
I realised what the problem was.

I have recently encountered a difference in behaviour between fast switching and process
switching where the firewall feature was incorrectly blocking packets.

CEF is a "fast" switching method that allows the processing effort required to "switch" a packet
to be substantially reduced when compared to the traditional method of simply looking up the
routing table for each packet. The max forwarding rate of a router for any of the fast switching
methods is usually about 10 times the rate for process switching. I would guess that CEF is the
fast switching method to use since it is the one that Cisco now most often recommend, which means
that it will be the most often deployed and hopefully you will be least likely to encounter a
bug and Cisco will be most likely to be able to answer your support questions most effectively.

It has the advantage over the other methods of NOT needing to process switch the first packet to
each destination and can also, I suspect, do per destination and per packet load balancing.
Enabling Syslog server in routers

service timestamps log datetime localtime
logging trap debugging
logging facility syslog
logging 192.168.5.9 (syslog server IP address)

Setting up SNMP facility in Cisco 1841 Router

snmp-server group beremotegroup v3 auth match exact
snmp-server user beremoteuser beremotegroup v3 auth md5 beremoteuser1 priv des beremoteuser1
snmp-server host 172.20.4.130 version 3 auth beremoteuser snmp
snmp-server host 172.20.4.42 version 3 auth beremoteuser snmp

snmp-server group Authentication_Only v3 auth
snmp-server group No_Authentication_No_Encryption v3 noauth
snmp-server user beremoteuser Authentication_Only v3 encrypted auth md5 59:63:3b:1d:65:bc:59:00:28:03:80:2d:7f:62:6a:5e

Caveats on this example. MD5 authentication and DES privacy are the weakest options IOS offers;
prefer auth sha and priv aes 128 where the management station supports them. The auth and priv
passphrases here are derived from the user name and are therefore guessable. A noauth group
defeats the purpose of SNMPv3 and should not exist on a hardened device. The hosts are
configured with auth rather than priv, so notifications are authenticated but sent unencrypted.
The same user name is defined twice, once per group; make sure only the intended definition is
applied. The second form, with the encrypted keyword and the hex digest, is what IOS writes back
to the running configuration.

Enabling SSH in Cisco 1841 Router

ip ssh rsa keypair-name bloomsshkey
crypto key generate rsa usage-keys label bloomsshkey modulus 1024
ip ssh time-out 120
ip ssh version 2
line vty 0 4 (enabling SSH on the virtual terminal lines)
transport input ssh

The router must already have a hostname and ip domain-name before the key pair can be generated.
A 1024-bit modulus is what this example uses, but 2048 bits or more is the current
recommendation. Note that ip ssh time-out limits only the SSH negotiation phase (120 seconds is
the maximum); the idle timeout of an established session is still the line's exec-timeout.

Enable SSH on my PIX / ASA

crypto key zeroize rsa
domain-name cisco.com
crypto key generate rsa modulus 1024
write memory

Next we need to enable SSH on the appropriate interface(s) and address(es)

ssh xx.xx.xx.xx 255.255.255.255 inside
ssh timeout 30

aaa authentication ssh console LOCAL
username admin password admin privilege 15
ssh 10.2.1.160 255.255.255.255 inside
ssh timeout 5

Using SSH Secure Shell 3.2.9
 Connection tab
   Host name: 10.16.0.254
   User name: admin
   Port number: 22
   <default> on all the rest
 Profile Properties (Edit Profile)
  Cipher list tab
    Make sure DES is checked
  Authentication tab
    Make sure Password method is moved to the top
    At the bottom, check enable for SSH2 and SSH1, but not agent forwarding

You should get a Password prompt

You may get prompted "Remote host uses SSH1 protocol" OK to accept
You may get another prompt, just accept it with Yes

I have this setup working just fine on PIX w/ 6.35, PIX with 7.0(6), ASA with 7.22 and
ASA with 8.0
