This is a short list of initial management / setup tasks that can be used as a base template:
Setting up AAA
Setting up remote access (SSH)
Setting up SNMP
Setting up logging / syslog
Automatic configuration backups
Setting up NTP
If (like me) you prefer to disable DNS lookups, the ntp server commands must reference IP addresses rather than hostnames; you can find the IP addresses of stratum 1 and 2 providers in the NTP Servers UK list under Sources below.
(Ideally the stratum 1 provider should take precedence, which is what the prefer keyword on the first server below does.)
ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
ntp server 194.164.127.4
Hardening / Disabling Unnecessary Services
no ip http server
no ip http secure-server
Ensure there are no vty lines with Telnet enabled as an input transport; only SSH should be accepted.
no ip domain-lookup
If you do not need any DHCP services - including DHCP relay (ip helpers) - you can issue:
no service dhcp
Unless you are connecting to an X.25 network, you can safely disable the 'pad' (packet assembler/disassembler) service:
no service pad
EXEC Timeout: This defines how long an idle session will remain open on a line before it is logged out. By default this is commonly set at 10 minutes, although it should generally be much shorter:
line vty 0
! repeat for every vty line in use (e.g. line vty 0 4)
exec-timeout <minutes>
TCP Keepalives: Enabling these lets the switch detect whether remote connections (inbound or outbound via SSH, Telnet etc.) are still active, so half-open sessions are torn down instead of holding a line:
service tcp-keepalives-in
service tcp-keepalives-out
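As an added example (not from the original post or from Cisco), the Python audit below reads a saved running-config as text and reports which items of the hardening checklist above are missing or weak; it assumes the config was exported with show running-config, and the sample config embedded in it is constructed for illustration.

```python
# Constructed sample running-config (not captured from a real device).
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no service pad
ip http server
no ip http secure-server
ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
!
"""
# Global commands the checklist above expects to see after hardening.
REQUIRED = ["no ip http server", "no ip http secure-server", "no ip domain-lookup",
            "no service pad", "service tcp-keepalives-in", "service tcp-keepalives-out"]

def _vty_blocks(lines):
    # Yield (header, [sub-commands]) for every 'line vty ...' section.
    header, body = None, []
    for raw in lines + ["!"]:            # sentinel flushes the last block
        if raw.startswith(" ") and header:
            body.append(raw.strip())
            continue
        if header:
            yield header, body
        header, body = (raw, []) if raw.startswith("line vty") else (None, [])

def audit_ios_config(config, max_exec_minutes=10):
    # Return findings (strings) for settings that deviate from the checklist.
    lines = [l.rstrip() for l in config.splitlines()]
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    for header, body in _vty_blocks(lines):
        transport = [b for b in body if b.startswith("transport input")]
        if any({"telnet", "all"} & set(t.split()) for t in transport):
            findings.append(f"{header}: telnet permitted ({transport[0]})")
        elif not transport:   # default transport differs between IOS versions
            findings.append(f"{header}: no explicit 'transport input ssh'")
        timeout = [b for b in body if b.startswith("exec-timeout")]
        if not timeout:
            findings.append(f"{header}: exec-timeout not set (default 10 min)")
            continue
        mins, secs = (timeout[0].split()[1:] + ["0"])[:2]
        if int(mins) == 0 and int(secs) == 0:
            findings.append(f"{header}: exec-timeout 0 0 never logs sessions out")
        elif int(mins) > max_exec_minutes:
            findings.append(f"{header}: exec-timeout {mins} min exceeds {max_exec_minutes}")
    return findings
```

Running audit_ios_config(SAMPLE_CONFIG) returns six findings: three missing global commands, Telnet on vty 0 4, a 30 minute timeout on vty 0 4 and a never-expiring timeout on vty 5 15.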
Sources:
Cisco Guide to Harden Cisco IOS Devices: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc19
NTP Servers UK List: http://www.atomic-clock.galleon.eu.com/ntp-servers/time/ntp-servers-uk.html