Difference between revisions of "Cisco securing device"
Jump to navigation
Jump to search
| Line 16: | Line 16: | ||
! add logging buffer | ! add logging buffer | ||
logging userinfo | |||
logging buffered 50000 | logging buffered 50000 | ||
ip ssh logging events | |||
login block-for 300 attempts 3 within 300 | login block-for 300 attempts 3 within 300 | ||
;This automatic time access-list will be created after applying <code>login block-for</code> command | |||
Extended IP access list sl_def_acl | |||
10 deny tcp any any eq telnet log | |||
20 deny tcp any any eq www log | |||
30 deny tcp any any eq 22 log (8015 matches) | |||
40 permit tcp any any eq 22 log | |||
= Access Control Lists = | = Access Control Lists = | ||
Revision as of 20:32, 19 November 2013
Switching off unnecessary
no ip source-route ip options drop no ip http server no ip http secure-server no service tcp-small-servers no service udp-small-servers service tcp-keepalives-in service tcp-keepalives-out no ip bootp server no ip finger no ip identd no service config no lldp run no service pad ! add logging buffer logging userinfo logging buffered 50000 ip ssh logging events login block-for 300 attempts 3 within 300
- This automatic time access-list will be created after applying
login block-forcommand
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (8015 matches)
40 permit tcp any any eq 22 log
Access Control Lists
How to apply
- First remove ACL from interface
int dialer 0 no ip access-group 90 in exit
- Remove ACL from running-config
Use default statement to delete ACL, then recreate, see below:
default access-list 90 ip access-list standard 90 remark Block abusive IP addresses deny 42.117.7.53 0.0.0.0 deny 123.232.122.162 0.0.0.0 deny 216.38.217.76 0.0.0.0 permit any exit
- Third re apply ACL to interface
int dialer 0 ip access-group 90 in exit
Safety cushion by scheduled reload
When applying ACLs or adding extra security it possible to lock out yourself. Therefore before you apply any changes you can schedule reload and do not save running-config to startup-config until you 100% sure all is working correctly. Then cancel scheduled reload and save changes.
- Schedule reload in 5 minutes
reload in 5 Reload scheduled for 19:57:04 GMT Sun Nov 17 2013 (in 5 minutes) by dsneteng on console Reload reason: Reload Command Proceed with reload? [confirm] *** *** --- SHUTDOWN in 0:05:00 --- ***
- Cancel reload
reload cancel *** *** --- SHUTDOWN ABORTED --- ***
- Other options
reload ? at Reload at a specific time/date cancel Cancel pending reload in Reload after a time interval reason Reload reason warm Reload should be warm
- Use copy tftp run when applying ACLs
Then to a copy tftp run to install the updated ACL into the running config. This method is nice because the ACL doesn't get updated until after the TFTP is complete, so it should be safe even if the change will interrupt network connectivity.