Basic Cisco Template

I have a template that I apply each and every time I configure a Cisco router or switch. I find it disheartening that a lot of people don’t take the care and attention to disable unused services and secure the used one’s properly. You only have to do a simple search on SHODAN (free login required) to see this.
First of all, we need to set our timezone and add your countries summer-time setting, time is incredibly important when your reviewing logs for either troubleshooting or security purposes.
clock timezone UTC 0
clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00

Now we need to configure some ACL’s that will be used through various services to lock down access to only your management subnet(s).
access-list 92 remark Management Access List
access-list 92 permit 10.0.0.0 0.0.0.255
access-list 92 permit 10.0.255.0 0.0.0.255
access-list 91 remark Block Everything
access-list 91 deny any

Now, we set our NTP Servers and secure them
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
ntp access-group serve 91

If this router/switch will not have a connection to the internet, you could use an internal time source instead, which is actually highly recommended when you have a centralised logging/SIEM solution aggregating log’s from many devices in your network.
Now.. the above NTP servers actually wont work.. yet.. as we need to add DNS resolution to the router to be able to resolve the dns name of the NTP servers. This should be your ISP’s DNS servers, a public DNS service such as Google or OpenDNS or this could be your internal DNS servers if for example you run an Active Directory domain.
ip name-server 8.8.8.8
ip name-server 8.8.4.4

Next we need to set our local credentials. This should always be done even if your using AAA with TACACS+/RADIUS in case your AAA server(s) are ever unavailable and you need access to the device. If this device is to be internet facing this should be a long secure password and I highly recommend you use a password generator.
enable secret SuperSecretPasswordThatsHardToGuessPlusAnExclamaionPoint!
username privilege 15 secret AnotherHopefullySuperSecretPassword

Next we enable password encryption for any unencrypted passwords i.e. radius server secrets, ppp credentials etc. I say encryption, but its not really, its just a very weak hash and can be cracked in microseconds, but it does stop a shoulder surfer catching a glimpse of your passwords.
service password-encryption
Next we want our logs to have sequence numbers as well as full timestamps.
service sequence-numbers
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec

lets just take a second to examine the difference;
Before..
*Apr 11 21:01:55: %SEC-6-IPACCESSLOGS: list 1 permitted x.x.x.x 135 packets
*Apr 11 21:01:55: %SEC-6-IPACCESSLOGS: list 1 permitted x.x.x.x 180 packets

and After
393764: Apr 11 21:02:00.724 BST: %SEC-6-IPACCESSLOGS: list 1 permitted x.x.x.x 8285 packets
393765: Apr 11 21:02:00.764 BST: %SEC-6-IPACCESSLOGS: list 1 permitted x.x.x.x 691 packets

Much better!
Next we minimise the amount of logging to the console session, and increase the log buffer, this will give you a lot more history than the amount of buffer space allocated by default.
logging console critical
logging buffered informational
logging buffered 65536

Next we stop all unnecessary services, as per Cisco’s Hardening Guide. I also like to add the deny all ACL to the HTTP server incase someone ever enables it by mistake and forgets to take it off. You could use your management subnet ACL if you use something like the Cisco Network Assistant tool.
ip http access-class 91
no ip http server
no ip http secure-server
no ip source-route
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip gratuitous-arps

We now enable SSH set our vty line’s up for remote access and secure our console.
ip domain-name mycompany.net
crypto key generate rsa general-keys modulus 2048
line vty 0 15
- logging synchronous
- login local
- privilege level 15
- exec-timeout 60
- access-class 92 in
line con 0
- logging synchronous
- login local
- privilege level 15
- exec-timeout 60

Last but not least, one of my favourite’s is to actually log login attempts to the buffer (and to your syslog server if you have one). Combined with AAA this is great way of keeping track of who’s logging onto your devices. I also like to block logins for 5 minutes (300 seconds) if we have 10 or more invalid login attempts within 2 minutes.
login on-failure log
login on-success log
login block-for 300 attempts 10 within 120

This is my full template;
clock timezone UTC 0
clock summer-time BST recurring last Sunday March 01:00 last Sunday October 01:00
access-list 91 remark Block Everything
access-list 91 deny any
access-list 92 remark Management Access List
access-list 92 permit 10.0.0.0 0.0.0.255
access-list 92 permit 10.0.255.0 0.0.0.255
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
ntp server 2.uk.pool.ntp.org
ntp access-group serve 91
ip name-server 8.8.8.8
ip name-server 8.8.4.4
enable secret SuperSecretPasswordThatsHardToGuessPlusAnExclamaionPoint!
username privilege 15 secret AnotherHopefullySuperSecretPassword
service password-encryption
service sequence-numbers
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging console critical
logging buffered informational
logging buffered 65536
ip http access-class 91
no ip http server
no ip http secure-server
no ip source-route
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip finger
no ip gratuitous-arps
ip domain-name mycompany.net
crypto key generate rsa general-keys modulus 2048
line vty 0 15
- logging synchronous
- login local
- privilege level 15
- exec-timeout 60
- access-class 92 in
line con 0
- logging synchronous
- login local
- privilege level 15
- exec-timeout 60
login on-failure log
login on-success log
login block-for 300 attempts 10 within 120

Add a Comment

Your email address will not be published. Required fields are marked *