Cisco securing device
Switching off unnecessary
! ! Interfaces ! ! ICMP host unreachable messages are sent out if a router receives a nonbroadcast packet that uses an unknown protocol, ! or if the router receives a packet that it is unable to deliver to the ultimate destination because it knows of no route to the destination address. ! Because the null interface is a packet sink, packets forwarded there will always be discarded and, unless disabled, will generate host unreachable messages. interface Null0 no ip unreachables ! enables unicast Reverse Path Forwarding (RPF) on all interfaces that connect to the Internet. IP CEF need to be enabled. ! A feature that causes the router to check the source address of any packet against the interface through which the packet entered the router ! If the input interface is not a feasible path to the source address according to the routing table, the packet will be dropped. interface atm0/0/0 ip verify unicast reverse-path ! ! Unnecessary services ! no ip source-route ip options drop no ip http server no ip http secure-server no service tcp-small-servers no service udp-small-servers service tcp-keepalives-in service tcp-keepalives-out no ip bootp server no ip finger no service finger no ip identd no service config no lldp run no service pad ! ! NetFlow identifies flows of network packets based on the source and destination IP addresses and TCP port numbers. NetFlow then can use just the initial packet of a flow for comparison to ACLs and for other security checks, rather than having to use every packet in the network flow ip route-cache flow ! ! Setting the TCP synwait time to 20 seconds causes the router to shut down an incomplete connection after 20 ip tcp synwait-time 20 ! ! time-stamps ! service timestamps debug datetime localtime show-timezone msec service timestamps log datetime localtime show-timezone msec service sequence-numbers ! ! add logging buffer ! logging userinfo logging buffered 50000 ip ssh logging events login block-for 300 attempts 3 within 300
- This automatic time access-list will be created after applying
login block-forcommand
Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (8015 matches)
40 permit tcp any any eq 22 log
Access Control Lists
How to apply
- First remove ACL from interface
int dialer 0 no ip access-group 90 in exit
- Remove ACL from running-config
Use default statement to delete ACL, then recreate, see below:
default access-list 90 ip access-list standard 90 remark Block abusive IP addresses deny 42.117.7.53 0.0.0.0 deny 123.232.122.162 0.0.0.0 deny 216.38.217.76 0.0.0.0 permit any exit
- Third re apply ACL to interface
int dialer 0 ip access-group 90 in exit
Apply MAC address filtering to Access Point using TFTP
This method is the most secure way to apply multiple ACL lines. This method is nice because the ACL doesn't get updated until after the TFTP is complete, so it should be safe even if the change will interrupt network connectivity. Another safety measure is to schedule a reload. Please follow these steps:
Verify TFTP server is running
Windows machine
netstat -ap UDP | find 69 UDP 0.0.0.0:69 *:* <-- this is expected output
Linux
netstat -ul | grep 69
Schedule a reload
reload in 5 reason Applying ACLs System configuration has been modified. Save? [yes/no]: yes Building configuration... [OK] Reload scheduled for 22:16:38 UTC Sun Nov 24 2013 (in 5 minutes) by dsneteng on vty0 (10.0.99.13) Reload reason: Applying ACLs Proceed with reload? [confirm] *** *** --- SHUTDOWN in 0:05:00 --- ***
Copy ACL to running-config
Copy block-list-apply.txt to tftp root folder. In Windows version of SolarWinds-TFTP-Server its default folder is C:\TFTP-Root.
copy tftp: running-config
Example of block-list-apply.txt file.
! Updated on 24/11/2013@21:00 by user@ ! MAC Vendor Lookup http://www.macvendorlookup.com/list-lookup ! ! Exeption list: ! ! LocationID ! 0022.694C.AABB - Hon Hai Precision - user@ ! ! Apply following to all your APs ! ! interface Dot11Radio0.10 no bridge-group 10 input-address-list 700 exit ! no access-list 700 ! ! LocationID ! access-list 700 deny 0019.7E72.AABB 0000.0000.0000 access-list 700 deny 083E.8E36.CCDD 0000.0000.0000 ! ! Permit all rest ! access-list 700 permit 0000.0000.0000 ffff.ffff.ffff ! interface Dot11Radio0.10 bridge-group 10 input-address-list 700 exit end ! ! MAC filter list has been applied - check for connectivity
Cancel reload
reload cancel *** *** --- SHUTDOWN ABORTED --- ***
Safety cushion by scheduled reload
When applying ACLs or adding extra security it possible to lock out yourself. Therefore before you apply any changes you can schedule reload and do not save running-config to startup-config until you 100% sure all is working correctly. Then cancel scheduled reload and save changes.
- Schedule reload in 5 minutes
reload in 5 Reload scheduled for 19:57:04 GMT Sun Nov 17 2013 (in 5 minutes) by dsneteng on console Reload reason: Reload Command Proceed with reload? [confirm] *** *** --- SHUTDOWN in 0:05:00 --- ***
- Cancel reload
reload cancel *** *** --- SHUTDOWN ABORTED --- ***
- Other options
reload ? at Reload at a specific time/date cancel Cancel pending reload in Reload after a time interval reason Reload reason warm Reload should be warm
- Use copy tftp run when applying ACLs
Then to a copy tftp run to install the updated ACL into the running config. This method is nice because the ACL doesn't get updated until after the TFTP is complete, so it should be safe even if the change will interrupt network connectivity.