Cisco IOS Router Hardening Template - NETSEC


Thursday, October 15, 2015

Cisco IOS Router Hardening Template

Here is a router configuration template, modified from Team Cymru's Secure IOS Template (see the references at the end).

! Without service nagle on a Cisco router, each character in a Telnet
! session is a separate CPU interrupt. Hence, a command such as show
! tech will force a large number of CPU interrupts, impacting the
! performance of the router.
service nagle
! SERVICE PAD: the packet assembler/disassembler (PAD) service
! supports X.25 links. This service is on by default, but it is not
! needed unless your router is using X.25. Disable it from global
! configuration mode as shown below.
no service pad
! TCP-KEEPALIVES-IN and TCP-KEEPALIVES-OUT: if you are going to
! permit remote administration via Telnet, enable TCP keepalive
! services. These services will cause the router to generate periodic
! TCP keepalive messages, thus allowing it to detect and drop
! orphaned (broken) TCP connections to/from remote systems. Using
! this service does not remove the need for setting an exec-timeout
! on each line, as done in the line configuration below.
service tcp-keepalives-in
service tcp-keepalives-out
! Show copious timestamps in our logs
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
! Ensures all passwords and secrets are obfuscated when showing configuration
service password-encryption
no service dhcp
no ip bootp server
!
hostname xxxxx
!

boot system flash:c2900-universalk9-mz.SPA.151-4.M.bin
! Turn on buffered logging (here at level debugging, which also captures
! warnings). Rule of thumb: set the buffer to 16K if your router has 16MB
! RAM. If you set it higher (e.g. 50K), make sure your router has more
! than 16MB RAM, or at least 64MB RAM.
logging buffered 163840 debugging
no logging console
! 'enable secret' stores a one-way hash (type 5, MD5) rather than the
! reversible type 7 obfuscation that 'service password-encryption' applies
! to plain 'password' lines, so use it instead of 'enable password'.
enable secret xxxxx
no enable password
!
! Use TACACS+ for AAA.
aaa new-model
aaa authentication login default group tacacs+ local-case
! Named login method lists referenced by 'line con 0' and 'line vty 4'
! below; they use the same methods as the default list. Without these
! definitions those lines would point at undefined lists.
aaa authentication login CONAUTH group tacacs+ local-case
aaa authentication login VTYAUTH group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 10.2.2.2
tacacs-server key xxxxx
!
ip dhcp bootp ignore
! In the event that TACACS+ fails, use case-sensitive local authentication.
username radmin1 secret 0 1q2w3e4r!
! The localit user can only display the running configuration: the
! autocommand runs 'show running' on login and then ends the session.
username localit secret Cisco1234
username localit privilege 15 autocommand show running
! The localadmin user can do more troubleshooting and run 'show config'
! (made available at privilege level 7 below).
username localadmin privilege 7 secret Cisco1234
!
privilege exec level 7 show config

! Logging and archive the commands and changes
archive
 log config
  logging enable
  logging size 500
  notify syslog
  hidekeys
  path flash:backup-
  write-memory
  maximum 8
!
! Ensure TCL doesn't use an initialization file where available.
no scripting tcl init
no scripting tcl encdir
!
! Enable the NetFlow top talkers feature. You can see the top N talkers
! (50 in this example) with the show ip flow top-talkers command. This is
! a handy utility to use during DDoS attacks and traffic issues. You can
! sort-by either packets or bytes, as you prefer.
ip flow-top-talkers
 top 50
 sort-by packets
!
! Don't run the HTTP server.
no ip http server
no ip http secure-server
!
! Allow us to use the low subnet and go classless
ip subnet-zero
ip classless
!
! Disable noxious services
no service pad
no ip source-route
no ip finger
no ip bootp server
no ip domain-lookup
!
! Block brute force login attempts while maintaining access for legitimate source addresses.
login block-for 100 attempts 15 within 100
login quiet-mode access-class 100
login on-failure log
login on-success log
!
! Catch crash dumps; very important with a "security router."
ip ftp username rooter
ip ftp password <PASSWORD>
! Give our core dump files a unique name.
exception core-file secure-router01-core
exception protocol ftp
exception dump 10.2.2.3
!
! Fire up CEF for both performance and security.
ip cef
!
clock timezone EST -5 0
clock summer-time EDT recurring
ntp authentication-key 6767 md5 <SECRETKEY>
ntp authenticate
! 'ntp authenticate' only accepts time from servers whose key is trusted,
! so the key must be marked trusted and referenced on the server line;
! otherwise the router never synchronises.
ntp trusted-key 6767
ntp update-calendar
ntp server 10.3.3.3 key 6767
!
! Configure the loopback0 interface as the source of our log messages.
int loopback0
 ip address 10.10.10.10 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
! Configure null0 as a place to send naughty packets.
interface null0
 no ip unreachables
!
interface Ethernet2/0
 description Unprotected interface, facing towards Internet
 ip address 199.116.2.14 255.255.255.240
 ! Do we run CEF verify? Yes if the data path is symmetric. No if the data path is asymmetric.
 ip verify unicast reverse-path
 ! Apply our template ACL
 ip access-group 2010 in
 ! Allow UDP to occupy no more than 2 Mb/s of the pipe.
 rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
 ! Allow ICMP to occupy no more than 500 Kb/s of the pipe.
 rate-limit input access-group 160 500000 62500 62500 conform-action transmit exceed-action drop
 ! Allow multicast to occupy no more than 5 Mb/s of the pipe.
 rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
 ! Don't send redirects.
 no ip redirects
 ! Don't send unreachables. NOTE WELL that this may break PMTU discovery.
 ! For example, if this router is the edge for a VPN of any sort, you might
 ! need to enable ip unreachables. A typical symptom is ping working while
 ! a larger transmission doesn't.
 no ip unreachables
 ! Don't propagate smurf attacks.
 no ip directed-broadcast
 ! Don't pretend to be something you're not.
 no ip proxy-arp
 ! Do not reveal our netmask
 no ip mask-reply
 ! Log all naughty business.
 ip accounting access-violations
 ! If you allow multicast in your network or participate in the
 ! MBONE, the following multicast filtering steps will help to
 ! ensure a secure multicast environment. These must be applied
 ! per interface.
 ip multicast boundary 30
 !
 ! Keep flow data for analysis. If possible, export it to a cflowd server.
 ip route-cache flow
 ! When you configure anything to do with ntp on an IOS box, it will start listening on all interfaces. It is therefore a good idea that interfaces with public addresses have ntp disabled and therefore don't show a socket, unless that is what the interface is intended to do.
 ntp disable
 ! Disable Maintenance Operations Protocol on all interfaces
 no mop enable
!
interface Ethernet2/1
 description Protected interface, facing towards DMZ
 ip address 172.16.2.10 255.255.255.240
 ip verify unicast reverse-path
 ! If we are using RPF, comment out the ACL below.
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting access-violations
 ip multicast boundary 30
 no ip mask-reply
 ip route-cache flow
 no mop enable
!
! Default route to the Internet (could be a routing protocol instead)
ip route 0.0.0.0 0.0.0.0 199.116.2.1
! Route to network on the other side of the firewall
ip route 10.0.0.0 255.0.0.0 172.16.2.1
! Black hole routes. Do not combine this with TCP Intercept; in fact, don't use TCP Intercept at all.
!
! Bogons
! Team Cymru has removed all static bogon references from this template
! due to the high probability that the application of these bogon filters
! will be a one-time event. Unfortunately many of these templates are applied and never re-visited, despite our dire warnings that bogons do change.
!
! This doesn't mean bogon filtering can't be accomplished in an automated
! manner. Why not consider peering with our globally distributed bogon
! route-server project? Alternately you can obtain a current and well
! maintained bogon feed from our DNS and RADb services. Read more at the
! link below to learn how!
!
! https://www.team-cymru.org/Services/Bogons/
!
! Export our NetFlow data to our NetFlow server, 192.0.2.34. NetFlow
! provides some statistics that can be of use when tracing the true
! source of a spoofed attack.
ip flow-export source loopback0
ip flow-export destination 192.0.2.34 2055
ip flow-export version 5 origin-as
!
! Log anything interesting to the loghost. Capture all of
! the logging output with FACILITY LOCAL5.
logging trap debugging
logging facility local5
logging source-interface loopback0
logging 10.2.2.3
!
! With the ACLs, it is important to log the naughty folks.
! Thus, the implicit drop all ACL is replaced (augmented,
! actually) with an explicit drop all that logs the attempt.
! You may wish to keep a second list (e.g. 2011) that does not
! log. During an attack, the additional logging can impact the
! performance of the router. Simply copy and paste access-list 2010,
! remove the log-input keyword, and name it access-list 2011. Then
! when an attack rages, you can replace access-list 2010 on the
! Internet-facing interface with access-list 2011.
!
! Block SNMP access to all but the loghost
access-list 20 remark SNMP ACL
access-list 20 permit 192.0.2.34
access-list 20 deny any log
!
! Multicast - filter out obviously naughty or needless traffic
access-list 30 remark Multicast filtering ACL
! Link local
access-list 30 deny 224.0.0.0 0.0.0.255 log
! Locally scoped
access-list 30 deny 239.0.0.0 0.255.255.255 log
! sgi-dogfight
access-list 30 deny host 224.0.1.2 log
! rwhod
access-list 30 deny host 224.0.1.3 log
! ms-srvloc
access-list 30 deny host 224.0.1.22 log
! ms-ds
access-list 30 deny host 224.0.1.24 log
! ms-servloc-da
access-list 30 deny host 224.0.1.35 log
! hp-device-disc
access-list 30 deny host 224.0.1.60 log
! Permit all other multicast traffic
access-list 30 permit 224.0.0.0 15.255.255.255 log
!
! Block access to all but the loghost and the firewall, and log any
! denied access attempts. This also serves to create an audit trail
! of all access to the router. Extended ACLs are used to log some
! additional data.
access-list 100 remark VTY Access ACL
access-list 100 permit tcp host 192.0.2.34 host 0.0.0.0 range 22 23 log-input
access-list 100 permit tcp host 192.0.2.30 host 0.0.0.0 range 22 23 log-input
access-list 100 deny ip any any log-input
!
! Leave one VTY safe for access, just in case. The host
! 192.0.2.40 is a secure host in the NOC. If all the VTYs are
! occupied, this leaves one VTY available.
access-list 105 remark VTY Access ACL
access-list 105 permit tcp host 192.0.2.40 host 0.0.0.0 range 22 23 log-input
access-list 105 deny ip any any log-input
!
! Configure an ACL that prevents spoofing from within our network.
! This ACL assumes that we need to access the Internet only from the
! 192.0.2.32/27 network. If you have additional networks behind
! 192.0.2.32/27, then add them into this ACL.
access-list 115 remark Anti-spoofing ACL
! First, allow our intranet to access the Internet.
access-list 115 permit ip 192.0.2.32 0.0.0.31 any
! Second, allow our firewall to access the Internet. This is useful
! for testing.
access-list 115 permit ip host 192.0.2.30 any
! Now log all other such attempts.
access-list 115 deny ip any any log-input
!
! Rate limit (CAR) ACLs for UDP, ICMP, and multicast.
access-list 150 remark CAR-UDP ACL
access-list 150 permit udp any any
access-list 160 remark CAR-ICMP ACL
access-list 160 permit icmp any any
access-list 170 remark CAR-Multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
!
! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.
access-list 2010 remark Anti-bogon ACL
! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
! access-list 2010 deny ip 192.0.2.16 0.0.0.15 any log-input
! access-list 2010 deny ip 192.0.2.32 0.0.0.31 any log-input
!
! Bogons: see the note above on obtaining an automatically maintained
! bogon feed instead of static bogon entries.
!
! Drop all ICMP fragments
access-list 2010 deny icmp any any fragments log-input
! Allow IP access to the intranet (firewall filters specific ports)
access-list 2010 permit ip any 192.0.2.32 0.0.0.31
! Allow multicast to enter. See also access-list 30 for more
! specific multicast rules.
access-list 2010 permit ip any 224.0.0.0 15.255.255.255
! Our explicit (read: logged) drop all rule
access-list 2010 deny ip any any log-input
!
! Do not share CDP information, which contains key bits about our
! configuration, etc. This command disables CDP globally. If you
! require CDP on an interface, use cdp run and disable cdp
! (no cdp enable) on the Internet-facing interface.
no cdp run
! SNMP is VERY important, particularly with MRTG.
! Treat the COMMUNITY string as a password - keep it difficult to guess.
! For SNMP versions 1-2
snmp-server community <COMMUNITY> RO 20
!
! Introduce ourselves with an appropriately stern banner.
banner motd %
Access to this device or the attached
networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil
and criminal law.

%
!
! Enable SSH connectivity.
! Obviously, you must have an IOS image that supports SSH, and don't
! forget to generate the key with the exec command 'crypto key generate rsa'.
! SSH additionally requires a domain name, set with "ip domain-name x"
! before generating the RSA keys. Both commands below are global
! configuration commands, not line commands, so they sit here rather
! than under the VTY lines.
ip domain-name Test.com
! Disable SSHv1
ip ssh version 2
!
line con 0
 exec-timeout 5 0
 transport input none
 login authentication CONAUTH
line aux 0
 exec-timeout 5 0
line vty 0 3
 access-class 100 in
 exec-timeout 5 0
 transport input ssh
line vty 4
 access-class 105 in
 exec-timeout 5 0
 login authentication VTYAUTH
 transport input ssh
!
! End of the configuration.
end






Reference:

  1. Cisco Guide to Harden Cisco IOS Devices
  2. Secure IOS Template Version 6.5, 19 MAY 2014
  3. Hardening Cisco Routers
  4. Team Cymru