Tuesday, December 4, 2007

Base Security Config


Ever wanted a config you could paste into your router that would meet most of your security needs, disable the services you need disabled, and enable most of the services you need enabled? I keep a base config in a .txt file that I copy & paste into a newly booted router so that I don't have to retype all that stuff over and over again. I will post it here so that you can do the same. Please note that this is not an all-encompassing config; there are other services that you may need to enable depending on the functions the router is providing as well as the area of the network the router is being deployed in. For instance, if it's an Internet-facing router, I would recommend in most cases that you enable ZBF (zone-based firewall) on the router. So use this config as a starting point and guide.



no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service sequence-numbers
ip cef
ip tcp synwait-time 5
ip spd mode aggressive
login block-for 300 attempts 3 within 60
login delay 5
login on-failure log every 5
login on-success log every 5
no cdp run
no ip bootp server
no ip http server
no ip finger
clock timezone CST -6
clock summer-time CDT recurring
no ip source-route
no ip gratuitous-arps
no ip identd
no ip domain-lookup
logging facility local2
logging trap debugging
logging console critical
logging buffered 4096
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
int FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
 load-interval 30
 carrier-delay msec 0
!
banner motd #
***********************************************************************************
You have entered $(hostname).$(domain) on line $(line). This host is the property of ABC Company, and is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Use of this system constitutes consent to monitoring, recording, auditing, inspection, and disclosure at the discretion of <name>
***********************************************************************************
#
!
line con 0
 session-timeout 15
 exec-timeout 30 0
 logging synchronous
 transport output telnet
!
line aux 0
 no exec
!
line vty 0 4
 session-timeout 15
 exec-timeout 30 0
 logging synchronous
 transport input telnet ssh
 transport output none
 session-disconnect-warning 180
 exec prompt timestamp
!
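A config like this is pasted in once, but it drifts, and IOS applies the lines in order, so a later line silently overrides an earlier one. The following Python script is an added example and not part of the original post: it parses running-config text (indented sub-blocks, banner bodies skipped up to their delimiter), replays the commands the way IOS does so that the last occurrence wins, and reports what differs from the baseline above. Run against the post's own config it reports two things a practitioner should weigh: the "ip http server" line re-enables cleartext HTTP after the earlier "no ip http server", and "transport input telnet ssh" on the vty lines still permits telnet. The embedded sample config is a constructed, shortened copy of the baseline, and the enable-secret hash is a placeholder.

```python
"""Audit a Cisco IOS running-config against a hardening baseline (added example)."""
import re

# Constructed sample input: a shortened copy of the post's base config with
# the indentation "show running-config" produces. Not a capture from a device;
# the enable secret hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
no service pad
no service finger
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
ip cef
no cdp run
no ip bootp server
no ip http server
no ip source-route
logging buffered 4096
security passwords min-length 6
enable secret 5 $1$PLACEHOLDER$notarealhash
!
ip http server
ip http authentication local
ip http secure-server
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
banner motd #
*** Authorized use only. Activity is monitored and recorded. ***
#
!
line con 0
 exec-timeout 30 0
!
line aux 0
 no exec
!
line vty 0 4
 exec-timeout 30 0
 transport input telnet ssh
 transport output none
!
"""

# Global commands the baseline expects negated ("no ...") and present.
REQUIRED_DISABLED = ["service pad", "service finger", "service udp-small-servers",
                     "service tcp-small-servers", "cdp run", "ip bootp server",
                     "ip source-route", "ip http server"]
REQUIRED_ENABLED = ["service password-encryption", "service tcp-keepalives-in",
                    "service tcp-keepalives-out", "logging buffered",
                    "security passwords min-length", "enable secret",
                    "ip http secure-server"]
# Interface settings that are on by default in IOS and should be negated.
INTERFACE_DISABLED = ["ip redirects", "ip proxy-arp", "ip unreachables"]


def parse_ios_config(text):
    """Split config text into top-level commands and indented sub-blocks.

    Returns (top_level, blocks): top_level is the ordered list of unindented
    commands; blocks maps a header such as "line vty 0 4" to its indented
    sub-commands. Comment lines ("!") are dropped and banner bodies are skipped
    until the banner's delimiter character appears.
    """
    top_level, blocks, current, banner_delim = [], {}, None, None
    for raw in text.splitlines():
        if banner_delim is not None:           # inside a banner body
            if banner_delim in raw:
                banner_delim = None
            continue
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":                    # sub-command of current block
            if current is not None:
                blocks.setdefault(current, []).append(raw.strip())
            continue
        line = raw.strip()
        m = re.match(r"banner\s+\S+\s+(\S)", line)
        if m and m.group(1) not in line[m.end():]:
            banner_delim = m.group(1)          # multi-line banner follows
        top_level.append(line)
        current = line
    return top_level, blocks


def replay(commands):
    """Return [(command, enabled)] in order; 'no X' becomes (X, False)."""
    return [(c[3:].strip(), False) if c.startswith("no ") else (c, True) for c in commands]


def history(replayed, stem):
    """Every enabled/disabled state recorded for a command stem, in order."""
    return [en for key, en in replayed if key == stem or key.startswith(stem + " ")]


def audit(text):
    """Return a list of human-readable findings; empty means baseline is met."""
    top_level, blocks = parse_ios_config(text)
    globals_ = replay(top_level)
    findings = []
    for stem in REQUIRED_DISABLED:
        hist = history(globals_, stem)
        if not hist:
            findings.append(f"missing: expected 'no {stem}'")
        elif hist[-1] and False in hist[:-1]:   # last-wins override of an earlier 'no'
            findings.append(f"enabled: '{stem}' is re-enabled later in the config, "
                            f"overriding an earlier 'no {stem}'")
        elif hist[-1]:
            findings.append(f"enabled: expected 'no {stem}'")
    for stem in REQUIRED_ENABLED:
        if not (history(globals_, stem) or [False])[-1]:
            findings.append(f"missing: expected '{stem}'")
    for header, subs in blocks.items():
        state = replay(subs)
        if header.startswith("interface "):
            for stem in INTERFACE_DISABLED:
                if (history(state, stem) or [True])[-1]:
                    findings.append(f"{header}: expected 'no {stem}'")
        elif header.startswith("line "):
            if header.startswith("line aux") and history(state, "exec") == [False]:
                continue                        # 'no exec' on aux: nothing to log in to
            if not history(state, "exec-timeout"):
                findings.append(f"{header}: no exec-timeout configured")
            for key, en in state:
                if en and key.startswith("transport input") and "telnet" in key.split():
                    findings.append(f"{header}: '{key}' permits cleartext telnet; "
                                    f"prefer 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["baseline met"]:
        print(finding)
```

Feed it the output of "show running-config" saved to a file instead of SAMPLE_CONFIG to audit a real device; the baseline lists are plain Python lists, so extending them with the rest of the post's commands is a one-line change each.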


********

As a follow-up I received an email from Kevin Downes, CCIE# 1987, and Kevin provided a MOTD banner that he typically uses and that I really like, so I thought I would post it here:


**********Warning**********

You have accessed a private computer system. This system is for authorized use only and user activities are monitored and recorded by company personnel. Unauthorized access to or use of this system is strictly prohibited and Constitutes a violation of federal, state criminal, and civil laws, including Title 18, Section 1030 of the United States Code and applicable international laws. Violators will be prosecuted to the fullest extent of the law.By logging on you certify that you have read and understood these terms and that you are authorized to access and use this system.