!=== cisco IOS router template ===!
!
! router services:
service password-encryption
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
! router services to turn off
no service udp-small-servers
no service tcp-small-servers
no service pad
no service finger
no logging console
no ip domain-lookup
no ip source-route
no ip finger
no ip bootp server
no ip http server
ip classless
ip subnet-zero
!
! passwords:
enable secret
no enable password
username root password (use TACACS or RADIUS, better yet!)
!
! logging:
ip tftp source-interface Loopback0
ip telnet source-interface Loopback0
logging buffered 16384 debugging
logging source-interface Loopback0
!clock timezone PST -8
!clock summer-time PDT recurring
!clock timezone MST -7
!clock summer-time MDT recurring
!clock timezone CST -6
!clock summer-time CDT recurring
!clock timezone EST -5
!clock summer-time EDT recurring
!
! access-lists:
! SNMP
access-list 80 permit
! VTY 0 3
access-list 90 permit
! VTY 4
access-list 91 permit
! ICMP rate-limit
access-list 170 permit icmp any any
!
! ISP Ingress
! deny spoofing attempts
access-list 110 deny ip any log-input
! deny loopback class A network
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip any 127.0.0.0 0.255.255.255 log-input
! deny source if rfc-1918 space
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log-input
! deny source if broadcast address
access-list 110 deny ip 192.0.0.255 63.255.255.0 any log-input
access-list 110 deny ip 128.0.255.255 63.255.0.0 any log-input
access-list 110 deny ip 0.255.255.255 63.0.0.0 any log-input
! deny source if network address
access-list 110 deny ip 192.0.0.0 63.255.255.0 any log-input
access-list 110 deny ip 128.0.0.0 63.255.0.0 any log-input
access-list 110 deny ip 0.0.0.0 63.0.0.0 any log-input
! deny multicast networks
access-list 110 deny ip 224.0.0.0 31.255.255.255 any log-input
access-list 110 permit tcp any established
access-list 110 permit tcp any eq www
access-list 110 permit tcp any eq 443
access-list 110 permit tcp any eq smtp
access-list 110 permit tcp any eq ftp
access-list 110 permit tcp any eq ftp-data gt 1023
access-list 110 permit tcp any eq 22
access-list 110 permit udp any eq domain
access-list 110 permit udp any eq domain gt 1023
access-list 110 permit udp any eq ntp
access-list 110 deny icmp any any redirect log-input
access-list 110 permit icmp any any
access-list 110 deny ip any any log-input
! [ Narrow down even further at the firewall ]
!
! ISP Egress
! deny the Microsoft suite of protocols
access-list 111 deny tcp any any range 135 139 log-input
access-list 111 deny udp any any range 135 netbios-ss log-input
access-list 111 deny tcp any range 135 139 any log-input
access-list 111 deny udp any range 135 netbios-ss any log-input
! deny SunRPC
access-list 111 deny tcp any eq sunrpc any log-input
access-list 111 deny udp any eq sunrpc any log-input
! deny rfc-1918 space
access-list 111 deny ip any 10.0.0.0 0.255.255.255 log-input
access-list 111 deny ip any 172.16.0.0 0.15.255.255 log-input
access-list 111 deny ip any 192.168.0.0 0.0.255.255 log-input
access-list 111 permit ip any
access-list 111 deny ip any any log-input
!
! SNMP:
snmp-server community RO 80
snmp-server community RW 80
snmp-server location
snmp-server contact
snmp-server chassis-id
snmp-server enable traps envmon
snmp-server enable traps bgp (on our BGP routers)
snmp-server host traps travel2air
!
! interface commands:
no ip directed-broadcast
no ip redirects
no ip proxy-arp
no ip unreachables
! additional interface commands for external interfaces
no cdp enable
ntp disable
! rate-limit ICMP packets on ISP interfaces (example is for a T-1 interface,
! 1.544 bandwidth. limits ICMP traffic to 56k.)
rate-limit input access-group 170 56000 28000 28000 conform-action transmit exceed-action drop
!
! VTY commands:
line con 0
 exec-timeout 60 0
 login
 length 55
 transport input none
 escape-character 3
line vty 0 3
 access-class 90 in
 exec-timeout 180 0
 login local
 length 55
 transport input telnet (ssh, better yet!)
 escape-character 3
! leave one VTY for safe access, just in case all others are in use.
line vty 4
 access-class 91 in
 exec-timeout 180 0
 login local
 length 55
 transport input telnet
 escape-character 3
!
! banner:
banner motd %
NOTICE: This system is to be used ONLY by AUTHORIZED personnel.
Any unauthorized use of the system is unlawful, and may be subject to civil and/or criminal penalties.
Use of the system may be logged or monitored without further notice.
%
!
!=== edge router stuff ===!
!
! NTP:
ntp source
ntp access-group peer 12
ntp access-group serve-only 80
ntp update-calendar
ntp server 128.249.1.1
ntp server 128.249.2.2
ntp server 192.5.41.40
ntp server 63.192.96.2
ntp server 198.68.212.30
ntp server 128.105.39.11
ntp server 204.152.184.72
ntp server 138.39.7.20
ntp server 192.5.5.250
ntp peer
!=== end router template ===!
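The source-address entries of ingress access-list 110 above rely on Cisco wildcard masks such as 63.255.255.0, where a 0 bit must match and a 1 bit is don't-care. The following added example (not part of the template) re-implements that matching for those entries so a practitioner can check which entry would catch a given source address; the entry labels and the sample addresses are constructed for illustration.

```python
"""Evaluate the classful anti-spoofing source entries of access-list 110
from the template, using Cisco wildcard-mask semantics."""
import ipaddress

# Constructed list of the source-address ACEs of access-list 110, in the
# template's order: (label, address, wildcard). Labels are ours, not IOS's.
ANTI_SPOOF_ACES = [
    ("loopback", "127.0.0.0", "0.255.255.255"),
    ("rfc1918-10", "10.0.0.0", "0.255.255.255"),
    ("rfc1918-172", "172.16.0.0", "0.15.255.255"),
    ("rfc1918-192", "192.168.0.0", "0.0.255.255"),
    ("classC-broadcast", "192.0.0.255", "63.255.255.0"),
    ("classB-broadcast", "128.0.255.255", "63.255.0.0"),
    ("classA-broadcast", "0.255.255.255", "63.0.0.0"),
    ("classC-network", "192.0.0.0", "63.255.255.0"),
    ("classB-network", "128.0.0.0", "63.255.0.0"),
    ("classA-network", "0.0.0.0", "63.0.0.0"),
    ("multicast", "224.0.0.0", "31.255.255.255"),
]


def wildcard_match(addr, ace_addr, wildcard):
    """True if addr matches ace_addr under the wildcard: every bit that is
    0 in the wildcard must be equal; bits that are 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(ace_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def first_deny(addr):
    """Label of the first ACE (in ACL order) that denies this source address,
    or None if it falls through to the later protocol permits."""
    for label, ace_addr, wildcard in ANTI_SPOOF_ACES:
        if wildcard_match(addr, ace_addr, wildcard):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample sources, one per kind of entry plus a fall-through.
    for src in ("203.0.113.255", "150.1.0.0", "50.255.255.255",
                "100.255.255.255", "239.1.1.1", "203.0.113.1"):
        print(f"{src:16} -> {first_deny(src)}")
```

Running the check shows that the two class A entries, with wildcard 63.0.0.0, only cover first octets 0 through 63, so a source such as 100.255.255.255 is not denied by them; whether that matters depends on what the ingress interface is expected to see.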