/* John Nagle's algorithm (RFC 896) alleviates the small-packet problem in TCP: the sender accumulates small writes into larger segments and paces them out to the network at a rate matching the round-trip time of the connection. TCP keepalives make the router detect and tear down idle or half-dead sessions (for example a vty left hanging by a host that went away), so that such connections cannot pile up and exhaust the router's connection table.
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
!*
Provide timestamps on all debug messages and log entries down to the millisecond, including the time zone; this is only useful if the router clock is set properly (see the NTP section below). The service password-encryption command provides minimal protection for user, line, PPP, RADIUS and assorted other passwords and keys that must be stored in the IOS configuration file. It obfuscates them with the reversible "type 7" scheme, which stops someone from reading a password off a displayed or printed configuration but is trivially reversed with freely available tools, so treat the configuration file as sensitive regardless.
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
service password-encryption
!*
Cisco ships the DHCP server and relay agent (service dhcp) enabled by default. A security router has no business handing out addresses, so shut it off. The TCP and UDP "small servers" must be off as well. "chargen" is a character-generator service that emits a stream of characters for diagnostic purposes; the "echo" service simply echoes back everything sent to it. Pointing a chargen service at an echo service creates a loop that generates an enormous amount of traffic and eventually exhausts the router's CPU and memory, which is the makings of a very effective denial-of-service attack. The easiest way to prevent it is to disable these services on the router: "no service tcp-small-servers" disables echo, chargen, discard and daytime; "no service udp-small-servers" disables echo, chargen and discard. Newer IOS releases default the small servers to off, but the explicit commands are harmless.
no service udp-small-servers
no service tcp-small-servers
no service dhcp
!*
Not all servers are bad; this relatively new addition to the service category is quite useful. Enabling it prefixes every syslog message with a sequence number, so a gap in the numbering at the syslog server reveals messages that were dropped in transit or deleted afterwards to hide an intrusion. (It is not a tamper-proofing mechanism: whoever controls the collector can renumber, so keep the collector itself locked down.) Cisco helps us with our servers, aren't they nice?
service sequence-numbers
hostname OSPF-Rocks
!*
Logging is a must in almost every case, so turn it on. With all the logging this configuration does, it is also a good idea to rate-limit the messages sent per second so that neither the router nor the syslog server is overwhelmed; when you log ACL hits the volume can climb very rapidly during an attack. Size the local buffer generously as well, since the buffer is what you read when the network path to the server is the thing under attack.
logging 7.7.7.5
logging buffered 16384 debugging
logging rate-limit 〈messages-per-second〉
!*
Every message sent to the console port causes a CPU interrupt to deliver it, and with the level of logging we have going on that adds up, so disable console logging until you actually need it (re-enable it with "logging console" while troubleshooting from the console).
no logging console
!*
The most secure enable-password type is enable secret, which stores a salted MD5 hash (the "5" you see in front of it in the saved configuration) rather than the reversible type 7 encoding used by enable password. Use it with a long mix of upper-case and lower-case letters, digits and punctuation; a strong secret is what makes offline brute force of the hash impractical. Remove any enable password: if both are present, enable secret is the one actually used, and the weaker enable password is just a second, reversibly encoded copy of a privileged credential sitting in the configuration (never set both to the same value).
enable secret 〈password〉
no enable password
!*
Use TACACS+ for AAA (authentication, authorization and accounting), so that access is tied to individual user accounts and every privileged command is recorded on the server. The local-case keyword makes the local fallback accounts case-sensitive, which makes brute-force guessing less effective. The TACACS+ key protects the traffic between the router and the server, so it should be as strong as any other shared secret.
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 7.7.7.5
tacacs-server key OSPF-rock2
!*
In the event that the TACACS+ server is unreachable, the login list above falls back to case-sensitive local authentication, so at least one local account must exist. It keeps the hackers guessing and the router reachable; remember, security is all about layers of defense. Note that "username ... password" stores the password with the reversible type 7 encoding; on IOS releases that support it, "username ... secret" stores an MD5 hash instead and is preferred.
username 〈username〉 password 〈password〉
!*
Do I really need to explain why you should not run the built-in web server? It is one more listening service, with its own authentication path, on a device that does not need it. Sometimes Cisco takes the web too far; it's a router, Jim!
no ip http server
!*
Allow the use of subnet zero and classless routing. The low subnets are address space that traditionally went unused, and ip classless makes the router forward packets for an unknown subnet of a classful network it partly knows toward the best supernet or default route instead of dropping them.
ip subnet-zero
ip classless
!*
Why these services are still on by default in IOS is anyone's guess, but for the security of your network and your sanity turn them off: PAD (the X.25 packet assembler/disassembler), IP source routing (the sender dictates the path, a classic way around filters), the finger server (lists logged-in users), the BOOTP server, and DNS lookups from the router (which otherwise turn every mistyped command into a slow name-resolution attempt).
no service pad
no ip source-route
no ip finger
no ip bootp server
no ip domain-lookup
!*
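The global hardening above is a checklist, and checklists drift: someone turns the HTTP server back on to try a feature, or an interface is added without the ICMP suppressions applied later in this template. The following Python script is an added example, not part of the original template, that audits a saved running-config for the settings this page applies (services, enable secret, HTTP server, CDP, the per-interface ICMP/ARP settings, vty access-class and telnet). The embedded sample configuration is constructed for the example and deliberately contains several deviations from the template.

```python
"""Audit a saved Cisco IOS running-config against this template's hardening
settings.  Added example, not part of the original template: the checks and
the sample config are constructed for illustration."""
from typing import Dict, List, Tuple

# Global commands that must appear verbatim.  'show running-config' omits
# whatever matches the platform default, so only settings IOS always writes
# when set are listed here; default-off knobs are checked by their enabling
# form in FORBIDDEN_GLOBAL instead.
REQUIRED_GLOBAL = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no ip source-route", "no cdp run",
    "aaa new-model", "service timestamps log datetime msec show-timezone localtime",
]
FORBIDDEN_GLOBAL = [
    "ip http server", "service dhcp", "service pad", "ip finger",
    "ip bootp server", "service tcp-small-servers", "service udp-small-servers",
]
# ICMP/ARP hygiene expected on every interface that forwards traffic.
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables",
                      "no ip proxy-arp", "no ip directed-broadcast"]


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level commands and the one-space
    indented sub-commands under each block header (interface ..., line ...)."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, blocks


def audit(text: str) -> List[str]:
    """One finding per deviation from the template; an empty list is clean."""
    top, blocks = parse_config(text)
    present = set(top)
    findings = [f"missing: {c}" for c in REQUIRED_GLOBAL if c not in present]
    findings += [f"present: {c}" for c in FORBIDDEN_GLOBAL if c in present]
    for line in top:
        if line.startswith("enable password "):
            findings.append("present: enable password (use enable secret only)")
        if line.startswith("snmp-server community ") and "RW" in line.upper().split():
            findings.append("present: snmp-server community with RW access")
    for header, sub in blocks.items():
        name = header.lower()
        if name.startswith("interface ") and not name.startswith(("interface null", "interface loopback")):
            findings += [f"{header}: missing {c}" for c in REQUIRED_INTERFACE if c not in sub]
        if name.startswith("line vty"):
            if not any(s.startswith("access-class ") for s in sub):
                findings.append(f"{header}: no access-class")
            findings += [f"{header}: {s} (cleartext telnet allowed)" for s in sub
                         if s.startswith("transport input") and "telnet" in s.split()]
    return findings


# Constructed sample (fragment of a running-config) with deliberate deviations.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps log datetime msec show-timezone localtime
service password-encryption
no service tcp-small-servers
hostname OSPF-Rocks
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
enable password 7 0822455D0A16
!
ip http server
no cdp run
!
interface Ethernet2/0
 description unprotected interface, facing towards internet
 ip address 5.5.5.254 255.255.255.0
 ip access-group 2010 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
!
snmp-server community s3cret RW 20
line vty 0 3
 access-class 100 in
 transport input ssh telnet
line vty 4
 transport input ssh
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config" saved to a file; the sample above yields eight findings, including the missing source-route and AAA lines, the enabled HTTP server, the lingering enable password, the writable SNMP community, the interface without proxy-ARP suppression, the vty that still accepts telnet and the vty without an access-class.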
TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode the router intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The router completes the three-way handshake with the client on the server's behalf, and only then opens the connection to the server and splices the two together; half-open connections that never complete are dropped by the router instead of filling the server's backlog queue.
ip tcp intercept list 120
!*
By default IOS continues to manage an established, intercepted TCP connection for 24 hours after the last activity. Why? Who knows. Regardless, it should be shortened (the value is in seconds).
ip tcp intercept connection-timeout 60
!*
Allow a half-open connection only 10 seconds, instead of the default 30, to reach the established state before it is reset. This timer governs watch mode; setting it is harmless in intercept mode as well.
ip tcp intercept watch-timeout 10
!*
These thresholds determine when TCP intercept switches into and out of aggressive mode, based on the number of connection requests seen in the last minute: above the high watermark (here 6000) the router becomes aggressive, dropping the oldest half-open connection for every new one and shrinking its timers; below the low watermark (1500) it relaxes again. The defaults of 900 and 1100 are not very realistic for a busy link. (A matching pair of max-incomplete thresholds exists for the total number of half-open connections; the same reasoning applies.)
ip tcp intercept one-minute low 1500
ip tcp intercept one-minute high 6000
!*
Catch a core dump in case of a router crash; this is very important on a "security router", since a crash may be the result of a successful attack and the dump tells you what happened. We have configured our network management server, on the far side of our firewall, to accept FTP connections from the router. Give the core dump files a unique name per router so that dumps from several devices do not overwrite each other. Be aware that the FTP credentials sit in the configuration (type 7 encoded at best) and travel in the clear, so give this account write-only access to a dedicated directory and nothing else.
ip ftp username rooter
ip ftp password 〈password〉
exception core-file secure-router01-core
exception protocol ftp
exception dump 7.7.7.5
!*
CEF (Cisco Express Forwarding) is the router's advanced layer-3 switching path and the fastest method by which a Cisco router forwards packets from ingress to egress interfaces. The ip cef command enables CEF globally; it is also a prerequisite for the unicast reverse-path check used on the interfaces below. Not all routers support CEF, so check your documentation.
ip cef
!*
Set the time zone properly. It is best to standardize on one time zone (GMT/UTC here) for all routers and servers, so that log timestamps from different devices can be correlated without arithmetic.
clock timezone GMT 0
!*
Synchronize the router's clock with a local, trusted and authenticated NTP server. The MD5 key must be the same on the router and the NTP server, and for authentication to have any effect the key number must also be marked trusted and attached to the server statement; with only the key and "ntp authenticate" configured, the router still accepts unauthenticated time from that server. Remember that NTP is slow to converge (it's an NTP thing, not a Cisco thing), so be patient.
ntp authentication-key 6767 md5 〈secret-key〉
ntp authenticate
ntp trusted-key 6767
ntp update-calendar
ntp server 7.7.7.5 key 6767
!*
Configure the loopback0 interface as the source of our log messages. Loopbacks are often used for routing protocols and management as well: a logical interface never goes down, so it is the most reliable address the router has. Assign an address that uniquely identifies this router; one trick is to allocate a dedicated netblock for router loopbacks, which also keeps the management ACLs on your servers simple.
interface loopback0
 ip address 10.10.10.10 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!*
Configure, and thus activate, the null0 interface as a place to send naughty packets. It becomes the "roach motel" for packets: they can route in, but they can't route out. Suppress unreachables on it, otherwise every black-holed packet would trigger an ICMP reply and the black hole turns into CPU load.
interface null0
 no ip unreachables
interface ethernet2/0
 description unprotected interface, facing towards internet
 ip address 5.5.5.254 255.255.255.0
!*
Do we run the CEF reverse-path check? Yes, if the data path is symmetric; no, if it is asymmetric, because legitimate packets whose best return route is out a different interface would be dropped. Use the ip verify unicast reverse-path command on the input interface at the upstream end of the connection (here, the internet-facing interface). The feature examines each packet received on that interface: if the source IP address does not have a route in the CEF table that points back out the same interface the packet arrived on, the router drops the packet. This catches spoofed sources automatically, including any bogon ranges your static ACL has not caught up with, and it requires ip cef to be enabled.
 ip verify unicast reverse-path
!*
Apply our template ACL inbound. More on what this ACL covers later in the configuration, but applying it here, on the unprotected interface, is what makes it work.
 ip access-group 2010 in
!*
Rate limiting traffic to protect the router and, by extension, your infrastructure is extremely important. The values may be tweaked to meet your needs, but in general we recommend the following: allow UDP no more than about 2 Mbit/s of the pipe. Note the units: the committed rate is in bits per second (2010000 bps), while the normal and extended burst sizes are in bytes (250000 each). Committed access rate (CAR) uses the same syntax for the ICMP and multicast classes, matched by access-lists 160 and 170 defined below.
 rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
!*
Disable the sending of ICMP redirect messages, which tell hosts about a better next hop and thereby reveal routing detail. Let the hackers wonder!
 no ip redirects
!*
Disable the sending of ICMP protocol-unreachable and host-unreachable messages. Once again, there is no reason to let ICMP educate attackers about your network, and unreachables are also what makes a scan of a black-holed range fast.
 no ip unreachables
!*
IP directed broadcasts are dropped rather than forwarded. Dropping them keeps the router out of "smurf"-style amplification attacks, in which a packet addressed to a subnet's broadcast address is answered by every host on it, and so makes the network less susceptible to denial of service.
 no ip directed-broadcast
!*
Source routing lets the sender specify the path a packet takes, which could allow it to bypass firewalls and routing policy. It is a global setting and is already disabled above with no ip source-route; there is no per-interface form of the command.
!*
Don't pretend to be something you're not. Proxy ARP makes the router answer ARP requests for hosts on other segments, which hides subnet boundaries from hosts and lets an attacker reach addresses that should not be locally reachable.
 no ip proxy-arp
!*
Disable the sending of ICMP address-mask reply messages, which would tell a remote host your subnet size. Not replying is the Cisco default, but it never hurts to enter the command just to be sure.
 no ip mask-reply
!*
Enable IP accounting for access violations, which records the source, destination and protocol of traffic that failed an access list on this interface, so the router keeps a tally of all the naughty business (review it with show ip accounting access-violations); be sure to check it!
 ip accounting access-violations
!*
If you allow multicast in your network or participate in the MBONE, the following multicast filtering step will help ensure a secure multicast environment: a boundary drops multicast packets whose group address is denied by standard access-list 30 (defined below), in both directions. It must be applied per interface.
 ip multicast boundary 30
!*
Keep flow data for analysis. If possible, export it to a cflowd or other NetFlow collector (the export statements are in the global section below).
 ip route-cache flow
!*
interface ethernet2/1
 description protected interface, facing towards DMZ
 ip address 6.6.6.254 255.255.255.0
 ip verify unicast reverse-path
!*
The reverse-path check above and the anti-spoofing ACL below do the same job on this side: they keep packets whose source address is not ours from leaving our network. If you rely on the reverse-path check, you may comment out the ACL; keep both if you want the explicit log entries the ACL produces.
 ip access-group 115 in
!*
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting access-violations
 ip multicast boundary 30
 no ip mask-reply
 ip route-cache flow
!*
The following static routes black-hole networks that are not supposed to be routable on the public internet. Be very careful about enabling these when running TCP intercept. TCP intercept directs the router to act as a TCP socket proxy: when the router receives a SYN it, instead of the destination, initially responds with the SYN|ACK. This is where the interaction between TCP intercept and black-hole routes causes a problem. If you create black-hole routes for all bogon ranges and point them at the null interface, and someone launches a SYN flood from a bogon range, the router sends its SYN|ACKs to the null interface. The router is not clueful enough to realize what it has done, and the TCP intercept queue builds very quickly; the default timeouts are not aggressive enough to work through this. (The inbound ACL 2010 already drops packets sourced from these ranges, so in this template the routes mostly affect traffic originating inside.)
Warning: the internet sometimes changes without notice, so check the validity of this list before implementing it. In particular, 1.0.0.0/8 and 2.0.0.0/8, unallocated when this template was written, have since been assigned to regional registries and are in legitimate use; a stale bogon list black-holes real customers.
ip route 1.0.0.0 255.0.0.0 null0
...
!*
Export our NetFlow data to our NetFlow server, 7.7.7.5, on UDP port 2055. NetFlow provides statistics that are useful when tracing a spoofed attack back to its true ingress point, since the flow records carry the input interface, which the forged source address does not. We also source the export from the loopback interface, which is a best practice; version 5 with origin-as includes the source and destination AS numbers where BGP is available.
ip flow-export source loopback0
ip flow-export destination 7.7.7.5 2055
ip flow-export version 5 origin-as
!*
Log anything interesting to the syslog server, at the debugging level. All logging output is sourced from the loopback interface, which makes identifying this router in the various places that record data easy and uniform.
logging trap debugging
logging source-interface loopback0
logging 7.7.7.5
!*
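Once the router numbers its messages (service sequence-numbers, earlier in the template) and ships them to 7.7.7.5, the collector side has to actually use those numbers. The following Python script is an added example, not part of the original template: it parses constructed IOS syslog lines in the format that service sequence-numbers plus service timestamps log datetime msec show-timezone localtime produce, reports holes in the sequence, and totals the ACL denies per source address from %SEC-6-IPACCESSLOGP messages. The message body handled here is the TCP/UDP form with ports (and the interface/MAC detail that log-input adds); ICMP denies use a different mnemonic and are not parsed. Real lines arrive wrapped in the syslog <PRI> header and the collector's own timestamp, which are assumed to have been stripped.

```python
"""Check a router's syslog stream for sequence gaps and summarize ACL denies.
Added example, not part of the original template.  SAMPLE_LOG is constructed
to look like what 'service sequence-numbers' plus 'service timestamps log
datetime msec show-timezone localtime' produce, after the collector has
removed the syslog <PRI> header and its own timestamp."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# 000102: Mar  1 12:00:01.456 GMT: %SEC-6-IPACCESSLOGP: list 2010 denied udp ...
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3} \S+): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
# Body of IPACCESSLOGP (tcp/udp with ports).  The parenthesised interface and
# MAC address are present only when the ACL entry used 'log-input'.
ACCESS_RE = re.compile(
    r"list (?P<acl>\d+) (?P<verdict>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)(?: \((?P<ifname>\S+) (?P<mac>\S+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")


def find_gaps(lines: List[str]) -> List[Tuple[int, int]]:
    """Return (first_missing, last_missing) for every hole in the sequence.
    A hole means messages were lost on the wire (UDP syslog, rate limiting)
    or removed from the archive; either way, compare with the router's buffer.
    A number lower than its predecessor (router reload) is not a gap."""
    gaps = []
    prev = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        seq = int(m["seq"])
        if prev is not None and seq > prev + 1:
            gaps.append((prev + 1, seq - 1))
        prev = seq
    return gaps


def summarize_denies(lines: List[str]) -> Dict[str, int]:
    """Packets denied per source address, summing the per-message counts
    (IOS aggregates repeats into 'N packets' over a five-minute interval)."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["mnem"] != "IPACCESSLOGP":
            continue
        a = ACCESS_RE.match(m["msg"])
        if a and a["verdict"] == "denied":
            totals[a["src"]] += int(a["count"])
    return dict(totals)


# Constructed sample: three ACL denies from the internet-facing interface and
# one configuration event, with sequence numbers 103 and 104 missing.
SAMPLE_LOG = """\
000101: Mar  1 12:00:01.123 GMT: %SEC-6-IPACCESSLOGP: list 2010 denied tcp 10.1.2.3(1234) (Ethernet2/0 0000.0c07.ac01) -> 7.7.7.10(80), 1 packet
000102: Mar  1 12:00:01.456 GMT: %SEC-6-IPACCESSLOGP: list 2010 denied udp 192.168.1.9(53) (Ethernet2/0 0000.0c07.ac01) -> 7.7.7.10(53), 1 packet
000105: Mar  1 12:05:02.001 GMT: %SEC-6-IPACCESSLOGP: list 2010 denied tcp 10.1.2.3(1235) (Ethernet2/0 0000.0c07.ac01) -> 7.7.7.10(80), 14 packets
000106: Mar  1 12:06:00.000 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (7.7.7.5)
""".splitlines()

if __name__ == "__main__":
    for first, last in find_gaps(SAMPLE_LOG):
        print(f"sequence gap: messages {first}-{last} missing")
    for src, n in sorted(summarize_denies(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {n} packets denied")
```

Because the export is sourced from loopback0, every router appears at the collector under one stable address; run the gap check per source address, since each router keeps its own counter.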
With the ACLs it is important to log the attempts and activity of the naughty folks. Thus the implicit "deny all" at the end of every ACL is replaced with an explicit deny-all that logs the attempt. You may wish to keep a second list (e.g. 2011) that does not log, because during an attack the additional logging can hurt the performance of the router. Simply copy access-list 2010, remove the log-input keyword, and number it 2011. Then when an attack rages you can replace access-list 2010 on the internet-facing interface with access-list 2011, allowing the router to concentrate on defending against the attack.
!
Block SNMP access to the router from every location except the server, which is our network management/syslog server in this template, and of course log anyone else who tries to read SNMP information from the router.
access-list 20 remark SNMP ACL
access-list 20 permit 7.7.7.5
access-list 20 deny any log
!*
Multicast: filter out obviously naughty or needless traffic. Standard access-list 30 is the multicast filtering ACL referenced by ip multicast boundary on each interface; it is evaluated against the group (destination) address, so link-local and administratively scoped groups, which must never cross an organizational boundary, are denied along with a few well-known chatty application groups.
! link-local (224.0.0.0/24)
access-list 30 deny 224.0.0.0 0.0.0.255 log
! administratively (locally) scoped (239.0.0.0/8)
access-list 30 deny 239.0.0.0 0.255.255.255 log
! sgi-dogfight
access-list 30 deny host 224.0.1.2 log
! rwhod
access-list 30 deny host 224.0.1.3 log
! ms-srvloc
access-list 30 deny host 224.0.1.22 log
! ms-ds
access-list 30 deny host 224.0.1.24 log
! ms-srvloc-da
access-list 30 deny host 224.0.1.35 log
! hp-device-disc
access-list 30 deny host 224.0.1.60 log
! permit all other multicast traffic (drop the log keyword here if the volume gets high)
access-list 30 permit 224.0.0.0 15.255.255.255 log
!*
Block access to the router from everyone except the network management server and the firewall, and then only on SSH (port 22) or telnet (port 23). We log every successful access as well as every denied attempt; using an extended ACL with log-input also records the input interface and source MAC address, which gives an audit trail of all access to the router. Prefer SSH: telnet carries the credentials and the whole session in the clear, and a TACACS+ password sniffed off the wire is worth far more than this one router.
access-list 100 remark VTY access
access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range 22 23 log-input
access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range 22 23 log-input
access-list 100 deny ip any any log-input
!*
Leave one vty reserved for emergency access, just in case. The host 7.7.7.8 is a secure host in the NOC; if all the other vtys are occupied (a simple connection-exhaustion attack from a permitted address), this leaves one vty available to it, with the same logging.
access-list 105 remark VTY access
access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
access-list 105 deny ip any any log-input
!*
Configure an ACL that prevents spoofing from within our network, which recognizes and protects against an attacker who has gained a foothold inside by some other means and is now sourcing packets from addresses that are not ours. This ACL assumes that we need to reach the internet only from the 7.7.7.0/24 network and from the firewall's address 6.6.6.1. If you have additional networks behind 7.7.7.0/24, add them to this ACL.
access-list 115 remark Anti-spoofing ACL
access-list 115 permit ip 7.7.7.0 0.0.0.255 any
access-list 115 permit ip host 6.6.6.1 any
access-list 115 deny ip any any log-input
!*
Configure an ACL for TCP intercept: only TCP connections destined to the hosts on the 7.7.7.0/24 intranet are intercepted, which protects those hosts from SYN floods.
access-list 120 remark TCP intercept ACL
access-list 120 permit tcp any 7.7.7.0 0.0.0.255
!*
Rate-limit (CAR) classification ACLs for UDP, ICMP and multicast.
access-list 150 remark CAR-udp ACL
access-list 150 permit udp any any
access-list 160 remark CAR-icmp ACL
access-list 160 permit icmp any any
access-list 170 remark CAR-multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
!*
Deny any packets sourced from our own address blocks (which can only be spoofed when they arrive from the internet), from the RFC 1918 private ranges, from unallocated and reserved space, from the loopback netblock and from multicast addresses, to block attacks from commonly spoofed IP addresses; then deny ICMP fragments, which have no legitimate use and are a classic filter-evasion trick. Anything else is permitted only if it is addressed to our 7.7.7.0/24 network or to a multicast group, and the final explicit deny logs everything that falls through. Remember that the list of unallocated ranges shrinks over time (1.0.0.0/8 and 2.0.0.0/8 have since been allocated), so refresh it against current registry data rather than copying it blindly.
access-list 2010 remark Anti-bogon ACL
access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 2.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 2010 deny icmp any any fragments log-input
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
access-list 2010 permit ip any 224.0.0.0 15.255.255.255
access-list 2010 deny ip any any log-input
!*
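Wildcard masks, first-match order and the fragments keyword are where ACLs like 2010 get misread, and a mistake on the internet-facing interface is expensive in both directions. The following Python program is an added example, not part of the original template: a small evaluator for numbered IOS access lists in the syntax used on this page (standard and extended, any/host/wildcard addresses, range/eq ports, fragments, log/log-input), run over constructed packets against a copy of access-list 2010. The copy omits the remark and the two entries for 1.0.0.0/8 and 2.0.0.0/8, which are no longer bogons; the sample addresses are constructed.

```python
"""Evaluate packets against Cisco IOS numbered access lists in the template's
syntax.  Added example, not part of the original template: evaluator and sample
packets are constructed; ACL_2010 copies the template's list (see note below)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def ip2int(dotted: str) -> int: 
    return int(ipaddress.IPv4Address(dotted))

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    dport: int = 0
    frag_offset: int = 0  # > 0: non-initial fragment, which carries no L4 header

@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every protocol
    src: Tuple[int, int]               # (network, wildcard); set wildcard bit = don't care
    dst: Tuple[int, int]
    ports: Optional[Tuple[int, int]]   # destination port range, if given
    fragments: bool                    # IOS 'fragments' keyword
    log: bool                          # 'log' or 'log-input' present
    text: str

def parse_addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' | bare 'A.B.C.D' at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (ip2int(t[i + 1]), 0), i + 2
    if i + 1 < len(t) and t[i + 1][:1].isdigit():
        return (ip2int(t[i]), ip2int(t[i + 1])), i + 2
    return (ip2int(t[i]), 0), i + 1    # standard-list shorthand for one host

def parse_acl(text: str, number: int) -> List[Entry]:
    """Entries of one numbered ACL, in order, remarks skipped.  1-99 and
    1300-1999 are standard lists and match on the source address only."""
    standard = number <= 99 or 1300 <= number <= 1999
    entries: List[Entry] = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or int(t[1]) != number or t[2] == "remark":
            continue
        ports, frags = None, False
        if standard:
            proto, (src, i), dst = "ip", parse_addr(t, 3), (0, 0xFFFFFFFF)
        else:
            proto = t[3]
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            while i < len(t):              # optional trailing qualifiers
                if t[i] == "range":
                    ports, i = (int(t[i + 1]), int(t[i + 2])), i + 3
                elif t[i] == "eq":
                    ports, i = (int(t[i + 1]), int(t[i + 1])), i + 2
                elif t[i] == "fragments":
                    frags, i = True, i + 1
                else:
                    i += 1
        entries.append(Entry(t[2], proto, src, dst, ports, frags,
                             t[-1] in ("log", "log-input"), raw))
    return entries

def matches(a: Tuple[int, int], addr: int) -> bool:
    return ((addr ^ a[0]) & ~a[1] & 0xFFFFFFFF) == 0

def evaluate(entries: List[Entry], pkt: Packet) -> Tuple[str, Optional[Entry]]:
    """First match wins; the implicit 'deny any' at the end returns None."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (matches(e.src, ip2int(pkt.src)) and matches(e.dst, ip2int(pkt.dst))):
            continue
        if e.fragments and pkt.frag_offset == 0:
            continue                       # 'fragments' matches non-initial fragments only
        if e.ports and (pkt.frag_offset > 0 or not e.ports[0] <= pkt.dport <= e.ports[1]):
            continue                       # port entries never match a non-initial fragment
        return e.action, e
    return "deny", None

# The template's access-list 2010, minus the remark and the entries for 1/8 and
# 2/8 (both allocated since the template was written).  Constructed input.
ACL_2010 = """\
access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 2010 deny icmp any any fragments log-input
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
access-list 2010 permit ip any 224.0.0.0 15.255.255.255
access-list 2010 deny ip any any log-input
"""

if __name__ == "__main__":
    rules = parse_acl(ACL_2010, 2010)
    for pkt in (Packet("10.1.2.3", "7.7.7.10", "tcp", 80), Packet("203.0.113.5", "7.7.7.10", "icmp", 0, 8)):
        action, hit = evaluate(rules, pkt)
        print(pkt.src, "->", pkt.dst, pkt.proto, action, hit.text if hit else "implicit deny")
```

Two things worth noticing when you feed it packets: a packet from our own 6.6.6.0/24 arriving on the outside interface is denied by the first entry, which is the anti-spoofing intent; and an ICMP packet with a non-zero fragment offset is caught by the fragments entry while the initial fragment of the same datagram is permitted through to 7.7.7.0/24, exactly as IOS would treat them.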
Do not share Cisco Discovery Protocol information from your secure router; it's just not wise, because CDP advertises crucial bits about your network: topology, device model and IOS version, interface names and IP addresses, etc. This command disables CDP globally. If you require CDP somewhere, leave it running globally and disable it on the internet-facing interface with no cdp enable. In other words, use CDP only on the interfaces where it is needed, never everywhere.
no cdp run
!*
SNMP is very important for network management, particularly in conjunction with MRTG to track usage statistics. To keep SNMP access secure, treat the community string as a password: make it hard to guess with a mix of upper-case and lower-case letters and digits. Then attach the ACL we created above so that only the management server can use it. Notice that we do not allow SNMP read/write; a writable community is the equivalent of an enable password. Bear in mind that SNMPv1 and v2c send the community string in the clear, so the ACL and a management network of your own are doing most of the work here; use SNMPv3 with authentication where the platform supports it.
snmp-server community 〈community-string〉 RO 20
!*
Introduce ourselves with an appropriately stern banner that reflects the level of security and monitoring applied to our network. It is also important to set the expectations of everyone accessing the router, and to state what will happen if attacks are made against it (have the wording approved, and never include anything that welcomes the reader or reveals the device's role). While we show only the message-of-the-day banner, it is recommended that you apply the same text to the login banner as well, so that it covers the console port, aux port and AAA logins, and as an exec banner for when a user reaches exec mode.
banner motd %
...
%
!*
Protect the physical ports. The console can often be reached physically, so another layer of security helps: with aaa new-model in effect, the default login authentication list above applies to every line, console and aux included, so a password is required there as well (the local fallback account is what gets you in when the TACACS+ server is down). transport input none disables reverse telnet onto the console and aux ports. The vtys accept only the management addresses in ACLs 100 and 105, time out after 15 idle minutes, and take SSH (telnet only if you must; remove it as soon as every management host speaks SSH). SSH additionally requires an ip domain-name and an RSA key pair generated with crypto key generate rsa, neither of which is shown in this template.
line con 0
 exec-timeout 15 0
 transport input none
line aux 0
 exec-timeout 15 0
 transport input none
line vty 0 3
 access-class 100 in
 exec-timeout 15 0
 transport input ssh telnet
line vty 4
 access-class 105 in
 exec-timeout 15 0
 transport input ssh telnet
!