Cisco Router Review

1. All remote access to routers should require authentication through passwords on terminals like vty, con, and aux. Passwords should be encrypted in the configuration file and appropriate access controls applied through access lists. 2. Administrators should gain privileged access to routers by configuring an encrypted 'enable secret' password rather than using the weaker 'enable password'. 3. SNMP access should be restricted through using non-default community strings. SNMP version 2 with authentication is preferable to version 1 for security. Appropriate controls like access lists should restrict SNMP access.

Uploaded by mehmet kıray

Review router access controls

1.1 Remote vty, con, or aux terminal access should require a user to login
All remotely accessible terminals (vty, con, aux) should have login checking turned on (require the EXEC
password). Any modem or network device that gives access to the Cisco console port must provide a
password challenge. All access to the router (remote or direct) should be password controlled. All
remote management should be performed using SSH so that traffic, especially passwords, is encrypted.
Anyone with network visibility to the router can gain command prompt access if the login directive is not
given in the Cisco configuration.

1.2 To gain command prompt access, all routers should require a password to be supplied
All remotely accessible terminals should have passwords implemented. No one will be allowed access to a
router through an interface, if the login directive is applied to the interface and no password has been
assigned to that interface.

1.3 Gaining administrator access to router requires an ‘enable secret’


Ensure an ‘enable secret’ is used. Do not use ‘enable password’ as it uses an older, weak algorithm. And
ensure there is a password in the first place. If no enable secret is set, and a password is configured for the
console TTY line, the console password may be used to get privileged access, even from a remote VTY
session. This is almost certainly not what you want, and is another reason to be certain to configure an
enable secret.

1.4 Passwords in the configuration file should be encrypted


Ensure all passwords used are encrypted. Anyone with a printout of the configuration files can read the
clear-text passwords and use them later for unauthorised access.

1.5 Hosts that can access the login prompt should be restricted by use of access lists
Review the access lists implemented on each vty, con or aux terminal access for appropriateness. The risk
of unauthorised access is increased if anyone on the network is allowed access to the login prompt.

1.6 Non-default SNMP community strings should be used on all routers being monitored by SNMP.
Routers not being monitored by SNMP should have SNMP disabled. SNMP community strings should
have been changed from the defaults of 'public' and 'private'. If at all possible, you should avoid using the
same community strings for all network devices; use a different string or strings for each device, or at least
for each area of the network. Do not make a read-only string the same as a read-write string. If possible,
periodic SNMP version 1 polling should be done with a read-only community string; read-write strings
should be used only for actual write operations. Read-only and read-write SNMP access to a Cisco router
can allow an intruder to gain unauthorised access to the Cisco router. Default SNMP strings, such as
'public' and 'private' or 'read' and 'write', are easily guessed by potential intruders.

If at all possible, use SNMP version 2 which uses an MD5-based digest authentication scheme, and allows
for restricted access to various management data. SNMP version 1 uses a very weak authentication scheme.

In most networks, legitimate SNMP messages will come only from certain management stations. If this is
true in your network, you should probably use the access list number option on the snmp-server
community command to restrict SNMP version 1 access to only the IP addresses of the management
stations. Do not use the snmp-server community command for any purpose in a pure SNMP version 2
environment; this command implicitly enables SNMP version 1.

For SNMP version 2, configure digest authentication with the authentication and md5 keywords of the
snmp-server party configuration command. If possible, use a different MD5 secret value for each router.

SNMP management stations often have large databases of authentication information, such as community
strings. This information may provide access to many routers and other network devices. This
concentration of information makes the SNMP management station a natural target for attack, and it should
be secured accordingly.

1.7 Appropriate session timeout values should have been assigned


All interfaces where connections can be established (vty, con, aux) should have session timeout limits set
to 2 minutes. Similarly, enabling TCP keepalives on incoming connections (with service tcp-keepalives-in)
can help to guard against both malicious attacks and "orphaned" sessions caused by remote system crashes.
Session timeouts also provide additional protection for consoles that have been left unattended: anyone
gaining access to an unattended console can potentially modify the configuration of the router that the
terminal is accessing.

1.8 Ensure that appropriate controls are applied on all lines, including both VTY lines and TTY lines
Administrators should make sure that logins on all lines are controlled using some sort of authentication
mechanism. This is especially important for VTY lines and for lines connected to modems or other remote
access devices.

Interactive logins may be completely prevented on any line by configuring it with the login and no
password commands. This is the default configuration for VTYs, but not for TTYs.

1.9 Disable reverse Telnet feature


To disable this reverse Telnet feature, apply the configuration command transport input none to any
asynchronous or modem line that shouldn't be receiving connections from network users. If at all possible,
don't use the same modems for both dial-in and dial-out, and don't allow reverse Telnet connections to the
lines you use for dial-in. This will prevent a remote user connecting to a local asynchronous terminal port,
or even to a dial-in modem port, and simulating the router's login prompt to steal passwords, or to do other
things that may trick local users or interfere with their work.

Restrict Telnet access to specific workstations on the internal network side of the router only.

1.10 Ensure vtys are appropriately controlled


Any VTY should be configured to accept connections only with the protocols actually needed. This is done
with the transport input command. For example, a VTY that was expected to receive only Telnet sessions
would be configured with transport input telnet. It's also usually a good idea to use the ip access-class
command to restrict the IP addresses from which the VTY will accept connections.

1.11 Prevent denial of service attacks against vty lines


A Cisco IOS device has a limited number of VTY lines (usually five). When all of the VTYs are in use, no
more remote interactive connections can be established. This creates the opportunity for a denial-of-service
attack: if an attacker can open remote sessions to all the VTYs on the system, the legitimate administrator
may not be able to log in. The attacker doesn't have to log in to do this; the sessions can simply be left at
the login prompt.
One way of reducing this exposure is to configure a more restrictive ip access-class command on the last
VTY in the system than on the other VTYs. The last VTY (usually VTY 4) might be restricted to accept
connections only from a single, specific administrative workstation, whereas the other VTYs might accept
connections from any address in a corporate network.

Complete VTY protection can be provided by disabling all non-IP-based remote access protocols, and
using IPSec encryption for all remote interactive connections to the router.

1.12 Implement warning banners


Ensure that a warning banner is in place. Using the banner login command, enable the following:
- A notice that the system is to be logged in to or used only by specifically authorized
personnel, and perhaps information about who may authorize use.
- A notice that any unauthorized use of the system is unlawful, and may be subject to civil
and/or criminal penalties.
- A notice that any use of the system may be logged or monitored without further notice, and
that the resulting logs may be used as evidence in court.
- The login banner usually should not contain any specific information about your router, its
name, its model, what software it's running, or who owns it; such information may be abused
by crackers.

1.13 HTTP security is in place


If you choose to use HTTP for management, you should restrict access to appropriate IP addresses using the
ip http access-class command. You should also configure authentication using the ip http authentication
command. As with interactive logins, the best choice for HTTP authentication is probably to use a
TACACS+ or RADIUS server. It's usually wisest to avoid using the "enable" password as an HTTP
password.

1.14 Implement adequate packet filtering


- Stop RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) traffic on the
Internet interface, both inbound and outbound.
- Consider disabling inbound Telnet from the Internet and even disabling the telnet listener
completely. Use VPN if remote administration is required.
- If DNS traffic must pass, then is there a rule that specifies authorised DNS servers?
- Does the router allow ICMP ECHO, ICMP ECHO REPLY, and UDP packets? ICMP ECHO
and ICMP REPLY must be disabled to prevent an attack using loki.
- Incoming echo request (ping and Windows traceroute), outgoing echo replies, time exceeded,
unreachable messages and ICMP redirects. Limits DoS attacks.
- The following ICMP message types should be filtered:
  - ICMP echo request and reply (types 8 and 0)
  - ICMP timestamp request and reply (types 13 and 14)
  - ICMP information request and reply (types 15 and 16)
  - ICMP types 3 and 5
Uncontrolled ICMP and DMZ access to the router increases the risk of intruders circumventing router
controls.

1.15 Control default ports


The router comes with several ports open by default. These ports are for administration. They should be
disabled.
If the ports or services are needed to administer the router, then set up a rule that limits what source IPs can
connect to them.

1.16 Where possible, TACACS+ or RADIUS authentication and authorisation should be used
Where possible, use TACACS+ or RADIUS authentication and authorisation to allow telnet, ftp, http or serial
access to router consoles. Ensure that a difficult-to-guess secret key is in place for communication between
the router and the authentication server and that the traffic is encrypted. Also configure accounting on the
router. This is achieved by using the console option in the aaa authentication command and specifying the
appropriate access and prompt options (serial, telnet, enable).
Use aaa authentication and aaa authorization. The aaa-server command provides the option to encrypt
traffic between the server and the router.
Use aaa accounting <acctg_service> for any services requiring accounting. The server designated by the
aaa-server command will receive the logs.
Logical access to the router console should be restricted to authorised personnel. Using strong secret
keys reduces the possibility of an unauthorised authentication server communicating with the router.
It may be difficult to track intrusions if user authentication is not logged.

1.17 Ensure appropriate password controls are in place


In order to access the router console using the console port or telnet, ensure that a hard-to-guess password
has been assigned. Determine that the individuals who have login capability to the router components are
appropriate. Determine the password management features in place for the applicable router components.
Discuss with the appropriate staff:
- Password management guidelines exist and are documented.
- A password is required.
- Passwords are not displayed.
- The password is user maintainable.
- The password is changed every 30 days.
- A password is not reused within a one-year period.
- Minimum password length is at least 8 characters.
- Password construction requirements address:
  - upper case letters,
  - lower case letters,
  - numbers,
  - special characters,
  - including characters from 3 of the four groups of characters, and
  - the UID not being part of the password.
- Grace restrictions limited to 1.
- Number of login attempts allowed before the account is blocked? Is this logged?
- An account should only be re-enabled by an administrator, and the attempt count should be
remembered for 24 hours.
- User ids and passwords are encrypted across the network (one-time passwords, uniquely encrypted
at each sign-on).
- An automatic timeout feature exists.
Configuration mode – issue the command passwd.
Anyone that can access the login prompt can attempt to access the router through the console or telnet
connection if no password has been assigned or if the default password cisco is still in place.
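The construction rules in this list (minimum length, characters from 3 of the 4 groups, UID not part of the password, the default password cisco still in place, no reuse) can be checked before a password is accepted. The following Python function is an added example for this checklist, not code from the original document; password_violations, its rule wording and the sample passwords are the example's own, and the 30-day change and one-year reuse periods are left to the calling process, which holds the change dates.

```python
import string

SPECIALS = set(string.punctuation)
DEFAULT_PASSWORDS = {"cisco"}  # the default the checklist says to look for


def password_violations(password, uid, history=()):
    """Return the 1.17 construction rules that a candidate password breaks.
    'history' holds the passwords used within the reuse window (constructed
    here as plain strings; a real store would hold hashes)."""
    violations = []
    if len(password) < 8:
        violations.append("minimum length is 8 characters")
    groups = [
        any(c.isupper() for c in password),   # upper case letters
        any(c.islower() for c in password),   # lower case letters
        any(c.isdigit() for c in password),   # numbers
        any(c in SPECIALS for c in password),  # special characters
    ]
    if sum(groups) < 3:
        violations.append("must include characters from 3 of the 4 groups")
    if uid and uid.lower() in password.lower():
        violations.append("user id must not be part of the password")
    if password.lower() in DEFAULT_PASSWORDS:
        violations.append("default password is still in place")
    if password in history:
        violations.append("password reused within the retention period")
    return violations


if __name__ == "__main__":
    # constructed examples: the vendor default, a compliant password, a UID leak
    for pw, uid in (("cisco", "admin"), ("Rtr-Adm1n!2024", "admin"), ("Edge#Router9", "edge")):
        print(f"{uid}/{pw!r}: {password_violations(pw, uid) or 'ok'}")
```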

1.18 Logical connects are secured


Determine logical connections to the router components are secured, i.e., authentication for all connections
to the router, particularly remote connections, encryption, IP restrictions for remote administration needs.
Products such as ssh (encryption connection) and TCP wrappers (IP restrictions) may be appropriate.
If TCP wrappers are used determine if the reverse look up (paranoid) option was activated (compiled).
Second, determine if the advance configuration is used. This configuration keeps all the binaries in their
original locations, which may be critical for future patches.

1.19 Dial in access is appropriately controlled


- Review for dial-in access directly to the router server.
- Are modems automatically disconnected by the system after a specified length of time of
inactivity? After the connection is broken?
- Who has dial-in access?
- Who authorises and approves dial-in access?
- What security mechanism is used to control dial-in or remote access? It should involve user
authentication by the modem, and separate modems should be used for dial-in and dial-out.
- Is there an audit trail (i.e. any reports) of dial-in access, and are these reports reviewed?

1.20 Concurrent connections to the router are controlled


Through the connection_limit parameter, how many concurrent active connections are allowed? The default
is set to “0.” This means unlimited connections.
Through the embryonic_limit parameter, how many concurrent half-open connections are allowed? The
default is set to “0.” This means unlimited connections. With a setting of “0”, a DoS attack is possible.
After changes are made, is the clear xlate command run to clear the cache?
Allowing uncontrolled connections to the router increases the risk of DoS attacks.
Review network security

2.1 Only required router services should be enabled


All unnecessary services should be disabled. These are:
- finger services (no service finger)
- NTP if not used (NTP disable). If used, configure a trusted time source and use proper authentication
- CDP (Cisco Discovery Protocol) (no cdp run). On an interface: no cdp enable
- UDP small servers (no service udp-small-servers)
- TCP small servers (echo, discard, chargen) (no service tcp-small-servers)
- Echo
- Discard
- Daytime
- Chargen
- Bootp
- tftp
- NIS
- NFS
- UUCP
- X

User names and other security related information can be disclosed to unauthorised users by default router
services, such as finger or tcp/udp small servers.

2.2 Source routing


Source routing should be disabled. The router’s route table can be bypassed by using source routing. This
could then be used to gain unauthorised access to portions of the network.

2.3 Directed broadcasts on appropriate interfaces should be disabled


Directed broadcasts on appropriate interfaces (interfaces are listed in the router configuration tables – see
table at end) should be disabled. Attackers can generate large floods of ICMP packets, typically targeted at
a remote host by using directed broadcasts. Disabling directed broadcasts on appropriate interfaces can
eliminate these ‘smurf’ attacks.

2.4 Disable the ip alias command


Disable the ip alias command. TCP connections to any destination port are considered valid connections, if
the ip alias command is enabled on Cisco products.

2.5 TCP intercept mode should be active on all routers

TCP intercept mode should be active on all routers. TCP intercept mode actively intercepts or watches
each incoming connection request and is used to prevent denial of service attacks such as SYN floods.
Routers configured for CEF perform better under SYN floods (directed at hosts, not at the routers
themselves) than routers using the traditional cache. CEF is recommended when available.

2.6 Enable flood protection using scheduler configuration

When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so
much time responding to interrupts from the network interfaces that no other work gets done. Some very
fast packet floods can cause this condition. The effect can be reduced by using the scheduler interval
command, which instructs the router to stop handling interrupts and attend to other business at regular
intervals. A typical configuration might include the command scheduler interval 500, which indicates that
process-level tasks are to be handled no less frequently than every 500 milliseconds.
Many newer Cisco platforms use the command scheduler allocate instead of scheduler interval. The
scheduler allocate command takes two parameters: a period in microseconds for the system to run with
interrupts enabled, and a period in microseconds for the system to run with interrupts masked. If your
system doesn't recognize the scheduler interval 500 command, try scheduler allocate 3000 1000.
Ensure that appropriate filtering is in place

3.1 Inbound and outbound traffic should be filtered using Cisco access lists

Assess the access lists for appropriateness. Restricting the traffic entering a network greatly minimises the
risk of intruder attacks. For instance, if a particular machine only requires HTTP traffic, then all other
traffic should be blocked. This greatly reduces the risk of attacks, as attackers only have one protocol
to use.
Determine that a lockdown rule has been placed at the beginning of the rule base. The lockdown rule protects
the router, ensuring that whatever other rules you put in later will not inadvertently compromise your
router. If administrative access is required, then a rule should be placed before the lockdown rule. All other
rules should go after the lockdown rule, ordered from the most restrictive to the most general. Review the
remaining rules.

3.2 Apply access lists to appropriate interfaces

Ensure all interfaces have access lists applied to them. An access list that is created but not applied to an
interface is not used, so all traffic is allowed to pass through that interface.

3.3 IP spoofing should be prevented by access lists

All incoming traffic that has a source address belonging to the internal network should be dropped by the
router. Any outgoing traffic that has a source address belonging to the external networks should be dropped.
This should be controlled using lines in the access lists that drop this type of traffic. If IP spoofing is
allowed, unauthorised traffic may bypass access control lists on the router by claiming that it came from
the internal network.
In general, anti-spoofing filters must be built with input access lists; that is, packets must be filtered at the
interfaces through which they arrive at the router, not at the interfaces through which they leave the router.
This is configured with the ip access-group list in interface configuration command.
When anti-spoofing access lists exist, they should always reject datagrams with broadcast or multicast
source addresses, and datagrams with the reserved "loopback" address as a source address. It's usually also
appropriate for an anti-spoofing access list to filter out all ICMP redirects, regardless of source or
destination address. Appropriate commands would be:

access-list number deny icmp any any redirect
access-list number deny ip 127.0.0.0 0.255.255.255 any
access-list number deny ip 224.0.0.0 31.255.255.255 any

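To check what an anti-spoofing list actually does to a given packet, it helps to evaluate it the way IOS does: top-down, first match wins, with an implicit deny at the end, and with wildcard masks in which a 1 bit means "don't care". The following Python evaluator is an added example, not part of the original review. ACL_TEXT, the helper names and the sample packets are constructed for it; the internal prefix 144.66.0.0/16 and the 203.167.232.176/28 server block are taken from the sample configuration at the end of this document.

```python
import ipaddress

# Constructed inbound anti-spoofing list for the Internet-facing interface
# (not the page's own configuration): deny ICMP redirects, packets claiming an
# internal source, loopback, multicast and broadcast sources, then permit
# only the services that are actually needed.
ACL_TEXT = """\
access-list 100 deny icmp any any redirect
access-list 100 deny ip 144.66.0.0 0.0.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 31.255.255.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 permit tcp any 203.167.232.176 0.0.0.15 eq 443
access-list 100 permit icmp any 203.167.232.176 0.0.0.15 echo-reply
"""

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks: 0 bits must match, 1 bits are 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT'; range/gt/lt are not part of this example."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Parse numbered extended access-list lines into ordered entry dicts."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        entry = {"action": action, "proto": proto}
        entry["src"] = _take_addr(rest)
        entry["sport"] = _take_port(rest) if proto in ("tcp", "udp") else None
        entry["dst"] = _take_addr(rest)
        entry["dport"] = _take_port(rest) if proto in ("tcp", "udp") else None
        entry["icmp_type"] = ICMP_TYPES[rest.pop(0)] if proto == "icmp" and rest and rest[0] in ICMP_TYPES else None
        entry["log"] = "log" in rest
        entries.append(entry)
    return entries


def evaluate(entries, proto, src, dst, dport=None, sport=None, icmp_type=None):
    """First match wins; an IOS access list ends with an implicit 'deny ip any any'.
    Returns (action, matching entry) or ('deny', None) for the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"], e
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # constructed packets: a spoofed internal source, a loopback source, a real client
    for pkt in (("tcp", "144.66.10.5", "203.167.232.180", 443), ("udp", "127.0.0.1", "203.167.232.180", 53),
                ("tcp", "198.51.100.7", "203.167.232.180", 443), ("tcp", "198.51.100.7", "203.167.232.180", 23)):
        action, entry = evaluate(acl, pkt[0], pkt[1], pkt[2], dport=pkt[3])
        print(pkt, "->", action, "(implicit deny)" if entry is None else entry["src"])
```

Because every deny entry except the redirect one carries log, the evaluator also tells you which denials will show up in the router's log; the implicit deny at the end logs nothing, which is why section 3.4 asks for an explicit logged deny-all entry.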
3.4 Activity not explicitly allowed in the access lists should be logged
Access lists should have an overall deny-all rule at the end, and logging should be applied to it.
Unwarranted attempts to access the network can be examined by reviewing the logging provided on the
access list entry that denies all traffic. Ensure that the following is logged:
- Interface status changes
- Changes to the system configuration
- Access list matches
- All access denials
- All logons and logoffs, and unsuccessful logons, for administrative purposes
- Successful and unsuccessful use of privileged commands
- Successful and unsuccessful access control permission modification
- Ensure that a logging buffer has been enabled on the router to locally log events. Use the
show memory command to check this. Create the buffer using the logging buffered buffer-size
configuration command.
- You can send logging information to a server with logging server-ip-address, and you can
control the urgency threshold for logging to the server with logging trap urgency. Even if you have a
syslog server, you should probably still enable local logging.
- If your router has a real-time clock or is running NTP, you will probably want to time-stamp
log entries using service timestamps log datetime msecs.
- Log packets that violate your filtering criteria. Older Cisco IOS software versions support
logging using the log keyword, which causes logging of the IP addresses and port numbers associated
with packets matching an access list entry. Newer versions provide the log-input keyword, which adds
information about the interface from which the packet was received, and the MAC address of the host
that sent it.
- Is the date and time correct on the router? Ensure the accuracy with the show clock command.
Which time zone is it set for? This helps to determine exactly when an event occurred.
- Is the Network Time Protocol (NTP) used to keep accurate time? Enabling NTP will help to
prevent hackers from attacking based on time (expired time blocks, etc.). Configure NTP to allow
updates from the internal time servers only. Disable NTP on the Internet interface inbound and
outbound. Synchronising your Internet Access Router time with the rest of your network will be
invaluable in the event an attacker does break into your network.
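Once the deny entries carry the log keyword, the router emits %SEC-6-IPACCESSLOGP (TCP/UDP) and %SEC-6-IPACCESSLOGDP (ICMP) messages that a reviewer can aggregate instead of reading one by one. The following Python script is an added example, not from the original document: LOG_LINES are constructed in the shape of those messages (the fourth shows the interface and MAC that log-input adds), and review_denials, internal_nets and the other names are the example's own. It sums denied packets per source, lists the targets, and flags sources that claim an internal address, which on the outside interface is the spoofing case of section 3.3.

```python
import ipaddress
import re

# Constructed log lines (not from the page) in the shape of IOS ACL log messages.
LOG_LINES = """\
Mar  3 10:14:02.117 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(41022) -> 203.167.232.180(23), 1 packet
Mar  3 10:14:09.331 UTC: %SEC-6-IPACCESSLOGP: list 100 denied tcp 198.51.100.7(41023) -> 203.167.232.180(22), 1 packet
Mar  3 10:14:15.004 UTC: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 203.0.113.9 -> 203.167.232.177 (8/0), 4 packets
Mar  3 10:19:41.880 UTC: %SEC-6-IPACCESSLOGP: list 100 denied udp 144.66.3.20(53) (Serial0/0.1 0000.0c12.3456) -> 203.167.232.178(53), 1 packet
Mar  3 10:19:42.002 UTC: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 192.0.2.44(51010) -> 203.167.232.180(443), 1 packet
""".splitlines()

# Fields: list number, action, protocol, source[(port)], optional "(interface mac)"
# from log-input, destination[(port)], optional ICMP "(type/code)", packet count.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<input>[^)]*)\))? -> (?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return a dict of the fields in one ACL log message, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def review_denials(lines, internal_nets=("144.66.0.0/16",)):
    """Aggregate denied packets per source and flag sources that claim an
    internal address (anti-spoofing hits from section 3.3)."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    per_source = {}
    spoofed = set()
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        stats = per_source.setdefault(rec["src"], {"packets": 0, "targets": set()})
        stats["packets"] += rec["count"]
        target = rec["dst"] + (f":{rec['dport']}" if rec["dport"] else "")
        if rec["itype"] is not None:
            target += f" icmp {rec['itype']}/{rec['icode']}"
        stats["targets"].add(target)
        if any(ipaddress.ip_address(rec["src"]) in n for n in nets):
            spoofed.add(rec["src"])
    return per_source, spoofed


if __name__ == "__main__":
    per_source, spoofed = review_denials(LOG_LINES)
    for src, stats in sorted(per_source.items(), key=lambda kv: -kv[1]["packets"]):
        flag = "  (claims internal source: possible spoofing)" if src in spoofed else ""
        print(f"{src}: {stats['packets']} packet(s) -> {sorted(stats['targets'])}{flag}")
```

IOS rate-limits these messages and reports a packet count per interval, so the script sums the count field rather than counting lines; on a router without log-input the interface group is simply empty.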

3.5 Ensure logs are appropriately reviewed


Ensure that logs are generated and stored securely on a separate server.
- Who has access to these logs?
- Who reviews the logs and how often?
- Are logs reviewed in real time?
- How are the logs protected from unauthorised access, manipulation, and deletion?
- What is the message count set to?
- Is time stamping used for logging?
- Is encryption used if logs are sent over the wire?
- Are the logs archived?
- If so, is the archive local or remote? Remote logging allows for an analysis of the messages.
- What level of logging is used (0-7)?
- Do the logs capture URL and FTP requests and the actions performed?
- Are the logs limited in size? This helps prevent an attack from using all the storage space.
- Without appropriate logging in place, it will be very difficult to track attacks and intruder
activities.

3.6 Enable routing protocol filtering and authentication


If you're using a dynamic routing protocol that supports authentication, it's a good idea to enable that
authentication. This prevents some malicious attacks on the routing infrastructure, and can also help to
prevent damage caused by misconfigured "rogue" devices on the network.
For the same reasons, service providers and other operators of large networks are generally well advised to
use route filtering (with the distribute-list in command) to prevent their routers from accepting clearly
incorrect routing information.

3.7 Ensure Activex is filtered


The router should drop active code from incoming web traffic.
Issue filter activex to filter web traffic on designated ports.
The internal network could be exposed to potential security risks if active code in web traffic is uncontrolled.

3.8 Ensure floodguard is enabled


Ensure floodguard is enabled.
Configuration mode - type floodguard enable. It should be enabled by default.
Floodguard reclaims systems resources in an attempt to prevent running out of resources that could make a
system unavailable.

3.9 Enable TCP Intercept and Reverse-Path Forwarding


Is TCP Intercept enabled? No packets enter until there is a three-way handshake. Does the version used
support this feature?
Is Reverse-Path Forwarding enabled? This allows the router to check the packet's source address against the
routing table. It ensures that the packet arrived on the same interface that is listed in the entry. If it did not,
the packet is presumed to be spoofed. It is disabled by default.
Packet verification reduces the risks of attacks on the internal systems.

3.10 Ensure proxy-arps have been disabled


Ensure that proxy-arps have been disabled.
Configuration mode – issue sysopt noproxyarp command.

3.11 Ensure internal Telnet access is appropriately restricted


Restrictions on telnet access from the internal network should be implemented by the use of an appropriate
telnet access list. Ensure that encryption is used over telnet.
Configuration mode – use the telnet command to create an appropriate access-list. The command has to be
issued for each IP address or IP subnet that requires telnet access to the router.
Allowing uncontrolled access to the login prompt from the internal network increases the chances of
unauthorised access.
Ensure management and interactive access via the Internet is secure

4.1 Ensure protection against password sniffing for logon over the Internet

If at all possible, you should avoid logging in to your router using any unencrypted protocol over any
untrusted network. If your router software supports it, it's a good idea to use an encrypted login protocol such
as SSH or Kerberized Telnet. Another possibility is to use IPSec encryption for all router management
traffic, including Telnet, SNMP, and HTTP.
If you don't have access to an encrypted remote access protocol, another possibility is to use a one-time
password system such as S/KEY or OPIE, together with a TACACS+ or RADIUS server, to control both
interactive logins and privileged access to your router.
If you absolutely must send passwords over cleartext Telnet sessions, you should change your passwords
frequently, and pay close attention to the path traversed by your sessions.

Ensure appropriate administration policies have been documented, adequate physical and
environmental controls are in place, and appropriate disaster recovery arrangements have been made

5.1 Ensure adequate administration policies are in place


Ensure that the stated policies (administration, change control, logging, backup and recovery, etc.) are in
place. These should explicitly address the periodic review of router security and the regular review of audit
logs. Without these policies, the administration and management of routers and other network devices
becomes difficult.

5.2 Ensure appropriate change control procedures are in place


Determine if there is a change control process in place for the rule base. Note if the following information is
included in the rule:
- Name of the person modifying the rule
- Date/time of the rule change
- Reason for the rule change.
Uncontrolled changes being applied to routers could lead to operational issues or, worse, create loopholes
leading to security incidents.

5.3 Ensure firmware/software updates are made on a timely basis


Check the version of the firmware/software. For the Cisco router, enter show version at the prompt. Note the
Licensed Features and serial number.
How is the IT department notified of firmware/software updates?

5.4 Router should be physically and environmentally secure


Physical access to the various components (routers, router software) of the router solution should be
appropriately restricted to the individuals with an authorised need for such access.
How is:
- The building housing the router physically secured?
- The room housing the router physically secured?
Are there:
- Raised floors?
- Dual air conditioning units?
- One point of entry that is locked?
- No windows?
- A suitable location (not underground, etc.)?
- Servers in racks, with the racks bolted to the ground?
- Fire protection?
Document and explain the lines connected to the router hardware for reasonableness.
Obtain a schematic of the lines connected to the applicable router hardware.
Discuss with the appropriate staff the purpose of each line.
The router should be properly documented. The following should be listed:
- Version number
- Location
- Hostname
- Internet connections
Ensure all routers are in the network diagram.
Management and control of routers and other network appliances becomes difficult without proper
documentation.

5.5 Ensure adequate fault tolerance feature are in place.


Ensure appropriate disaster recovery arrangements are in place for the router
This will reduce downtime due to a router outage.

5.6 Ensure appropriate backup procedures are in place


Ensure backups of the running configurations are made. All changes should be backed up immediately.
Backups should be made and taken offsite. The backups should be protected and made regularly and
whenever changes are made.

- Tools – Solarwinds Engineers Toolkit, Data Sniffer - buttsniff (use a public share to load, use -L to
find interface)
- RIP Spoofing – rprobe –v xxx.xxx.xxx.xxx, capture return traffic with sniffer
- RIP Spoofing
  - Redirect traffic through your system so you can sniff it
    - Use prior sniffing to know internal network addresses
    - Add a route on spoofed router (use srip)
      - Ip address 10.0.50.01
      - Netmask 255.255.255.255
      - Gateway mymachineaddress
      - Metric 1
    - Send the packet on to normal destination
    - Add ip forwarding onto our machine
      - Vi /proc/sys/net/ipv4/ip_forward 1
      - Changing 0 to the above metric 1
    - Start your sniffer (more info: find ripar.txt)
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption (1.4)
!
hostname unknown
!
logging buffered 4096 debugging
enable secret 5 askjhfncka (1.3)
!
memory-size iomem 10
ip subnet-zero
no ip source-route (2.2)
no ip finger (2.1)
no service tcp-small-servers (2.1)
no service udp-small-servers (2.1)
clock timezone ABC
clock summer-time ABC
!
!
!
interface Ethernet0/0
no ip address
no ip directed-broadcast (2.3)
shutdown
!
interface Serial0/0
no ip address
no ip directed-broadcast (2.3)
encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
description PVC to Internet Service Provider(Internet)
bandwidth 1920
ip address 203.97.41.2 255.255.255.252
ip access-group 100 in (3.2) (3.3)
no ip directed-broadcast (2.3)
frame-relay interface-dlci 51 IETF
!
interface Ethernet0/1
ip address 144.66.236.94 255.255.255.252
no ip directed-broadcast (2.3)
!
interface Serial0/1
no ip address
no ip directed-broadcast (2.3)
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 203.97.41.1
ip route 134.251.0.0 255.255.0.0 144.66.236.93
ip route 144.66.0.0 255.255.0.0 144.66.236.93
ip route 203.167.232.176 255.255.255.240 144.66.236.93
!
access-list 5 permit 134.251.0.0 0.0.255.255 (3.1)
access-list 95 permit 134.251.37.253 (3.1)
access-list 95 permit 134.251.37.243 (3.1)
access-list 100 deny ip 144.66.0.0 0.0.255.255 any log (3.1/3.4)
access-list 100 deny ip 134.251.0.0 0.0.255.255 any log (3.1/3.4)
access-list 100 deny ip 203.167.232.176 0.0.0.15 any log (3.1/3.4)
access-list 100 deny ip 127.0.0.0 0.0.0.255 any log (3.1/3.4)
access-list 100 deny ip any host 203.167.232.177 log (3.1/3.4)
access-list 100 deny ip any host 203.167.232.178 log (3.1/3.4)
access-list 100 permit icmp any host 203.97.41.2 echo (3.1)
access-list 100 permit icmp any host 203.97.41.2 echo-reply (3.1)
access-list 100 permit icmp any 203.167.232.176 0.0.0.15 echo (3.1)
access-list 100 permit icmp any 203.167.232.176 0.0.0.15 echo-reply (3.1)
access-list 100 permit tcp any 203.167.232.176 0.0.0.15 eq www (3.1)
access-list 100 permit tcp any 203.167.232.176 0.0.0.15 eq 443 (3.1)
access-list 100 permit tcp any 203.167.232.176 0.0.0.15 eq 1494 (3.1)
access-list 100 deny ip any any log (3.4)
no cdp run (2.1)
snmp-server community fred RO 95 (1.6)
snmp-server community wally RW 95 (1.6)
snmp-server packetsize 8192
snmp-server enable traps snmp
snmp-server host 134.251.37.253 traps XXXXXXXXXX
!
line con 0
transport input none (1.9/1.10)
line aux 0
line vty 0 4
access-class 5 in (1.5) (1.10)
exec-timeout 5 0 (1.7)
password 7 asdkjncankca (1.2)
login (1.1)
!
ntp clock-period 17208436 (2.1)
ntp server 134.251.37.254 (2.1)
end
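The following is an added example, not code from the original page: a small audit script that parses a running-config laid out like the one above and reports which of the checklist items annotated in it (1.1, 1.3, 1.4, 1.5, 1.6, 2.1, 2.3) fail. The input is a constructed, trimmed variant of that sample config with a default SNMP community, no vty access-class and an unprotected aux line, so that the audit produces findings.

```python
# Added audit example, not code from the original page: checks a running-config against
# the checklist items annotated in the sample config above. SAMPLE is a constructed,
# trimmed variant of that config with a default SNMP community, a missing vty
# access-class and an unprotected aux line, so the audit has something to report.
SAMPLE = """\
service password-encryption
enable secret 5 askjhfncka
interface Ethernet0/1
 ip address 144.66.236.94 255.255.255.252
!
no cdp run
snmp-server community public RO
snmp-server community wally RW 95
line con 0
 transport input none
line aux 0
line vty 0 4
 password 7 asdkjncankca
 login
"""

def parse(text):  # -> {header: [subcommands]}; 'interface'/'line' open a section, '!' closes it
    groups, cur = {"global": []}, "global"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "!":
            cur = "global"
        elif line.startswith(("interface ", "line ")):
            cur, groups[line] = line, []
        else:
            groups[cur].append(line)
    return groups

def audit(text):  # -> sorted findings tagged with their checklist item; [] means every check passed
    groups = parse(text)
    glob, f = groups["global"], []
    for item, cmd in (("1.3", "enable secret"), ("1.4", "service password-encryption"), ("2.1", "no cdp run")):
        if not any(g.startswith(cmd) for g in glob):
            f.append(f"{item} missing '{cmd}'")
    for g in glob:  # 1.6: community string must be non-default and bound to an access-list
        p = g.split()
        if p[:2] == ["snmp-server", "community"] and (p[2].lower() in ("public", "private") or len(p) < 5):
            f.append(f"1.6 SNMP community '{p[2]}' is default or has no access-list")
    for header, body in groups.items():
        has = lambda cmd: any(b.startswith(cmd) for b in body)
        if header.startswith("interface") and has("ip address") and not has("no ip directed-broadcast"):
            f.append(f"2.3 {header} allows directed broadcasts")
        elif header.startswith("line") and not has("transport input none"):  # con 0 above is exempt
            if not has("login"):
                f.append(f"1.1 {header} does not require login")
            if header.startswith("line vty") and not has("access-class"):
                f.append(f"1.5 {header} has no access-class")
    return sorted(f)
```

Running `audit(SAMPLE)` lists the four failing items; running it over the full configuration above (indented as IOS prints it) reports only the aux line, since that line has neither `login` nor `transport input none`.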
Useful Security Related Command List

Use: enable secret
To:  Configure a password for privileged router access.

Use: service password-encryption
To:  Provide a minimum of protection for configured passwords.

Use: no service tcp-small-servers
     no service udp-small-servers
To:  Prevent abuse of the "small services" for denial of service or other attacks.

Use: no service finger
To:  Avoid releasing user information to possible attackers.

Use: no cdp running
     no cdp enable
To:  Avoid releasing information about the router to directly-connected devices.

Use: ntp disable
To:  Prevent attacks against the NTP service.

Use: no ip directed-broadcast
To:  Prevent attackers from using the router as a "smurf" amplifier.

Use: transport input
To:  Control which protocols can be used by remote users to connect interactively to the
     router's VTYs or to access its TTY ports.

Use: ip access-class
To:  Control which IP addresses can connect to TTYs or VTYs. Reserve one VTY for
     access from an administrative workstation.

Use: exec-timeout
To:  Prevent an idle session from tying up a VTY indefinitely.

Use: service tcp-keepalives-in
To:  Detect and delete "dead" interactive sessions, preventing them from tying up VTYs.

Use: logging buffered buffer-size
To:  Save logging information in a local RAM buffer on the router. With newer software,
     the buffer size may be followed with an urgency threshold.

Use: ip access-group list in
To:  Discard "spoofed" IP packets. Discard incoming ICMP redirects.

Use: ip verify unicast rpf
To:  Discard "spoofed" IP packets in symmetric routing environments with CEF only.

Use: no ip source-route
To:  Prevent IP source routing options from being used to spoof traffic.

Use: access-list number action criteria log
     access-list number action criteria log-input
To:  Enable logging of packets that match specific access list entries. Use log-input if it's
     available in your software version.

Use: scheduler-interval
     scheduler allocate
To:  Prevent fast floods from shutting down important processing.

Use: ip route 0.0.0.0 0.0.0.0 null 0 255
To:  Rapidly discard packets with invalid destination addresses.

Use: distribute-list list in
To:  Filter routing information to prevent accepting invalid routes.

Use: snmp-server community something-inobvious ro list
     snmp-server community something-inobvious rw list
To:  Enable SNMP version 1, configure authentication, and restrict access to certain IP
     addresses. Use SNMP version 1 only if version 2 is unavailable, and watch for
     sniffers. Enable SNMP only if it's needed in your network, and don't configure read-
     write access unless you need it.

Use: snmp-server party... authentication md5 secret ...
To:  Configure MD5-based SNMP version 2 authentication. Enable SNMP only if it's
     needed in your network.

Use: ip http authentication method
To:  Authenticate HTTP connection requests (if you've enabled HTTP on your router).

Use: ip http access-class list
To:  Further control HTTP access by restricting it to certain host addresses (if you've
     enabled HTTP on your router).

Use: banner login
To:  Establish a warning banner to be displayed to users who try to log into the router.

Reference:
http://www.cisco.com/warp/public/707/21.html