!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Router Security Template Configuration !
! Comment: ers@ers.msk.ru 26.11.2001     !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
service password-encryption
no service udp-small-servers
no service tcp-small-servers
aaa new-model
aaa authentication banner ^C
This is private device.
All unauthorized access prohibited by law.
^C
aaa authentication username-prompt Login:
aaa authentication password-prompt Password:
no ip finger
no ip http server
no ip bootp server
! public and private are the well-known default community strings;
! use site-specific values
snmp-server community public RO 2
snmp-server community private RW 3
snmp-server enable traps all
snmp-server host 1.1.1.1 public
access-list 2 permit host 2.2.2.2
access-list 3 permit host 3.3.3.3 log
access-list 4 permit host 4.4.4.4 log
!!!!!!!!!!!!!!!!!!!!
! If we use TACACS !
!!!!!!!!!!!!!!!!!!!!
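! With "none" as the last method, login is allowed without authentication
! if the methods before it return an error (for example the server does
! not answer). The RADIUS variant below behaves the same way.
aaa authentication login default local group tacacs+ none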
aaa authorization exec default group tacacs+ none
tacacs-server host 5.5.5.5
tacacs-server key TACACSecretKey
!!!!!!!!!!!!!!!!!!!!
! If we use RADIUS !
!!!!!!!!!!!!!!!!!!!!
aaa authentication login default local group radius none
aaa authorization exec default group radius none
radius-server host 6.6.6.6
radius-server key RADIUSecretKey
logging buffered 4096
logging 7.7.7.7
line vty 0 4
 access-class 4 in
!!!!!!!!!!!!!!!!!!!!!
! On each interface !
!!!!!!!!!!!!!!!!!!!!!
no ip directed-broadcast
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
! (no ip source-route is a global configuration command)
no ip source-route
ntp disable
!!!!!!!!!!!!!!!!!
! Anti-spoofing !
!!!!!!!!!!!!!!!!!
ip cef
ip verify unicast rpf
!!!!!!!!!!!!!!!!!!!!!!!
! If we don't use CDP !
!!!!!!!!!!!!!!!!!!!!!!!
no cdp running
! If CDP is running and we don't want to use it on
! this interface
no cdp enable
!!!!!!!!!!!!!!!!!
! If we use RIP !
!!!!!!!!!!!!!!!!!
key chain RIPChain
 key 1
  key-string RIPKey
interface x0
 ip rip authentication key-chain RIPChain
 ip rip authentication mode md5
!!!!!!!!!!!!!!!!!!
! If we use OSPF !
!!!!!!!!!!!!!!!!!!
interface x0
 ip ospf message-digest-key 1 md5 OSPFKey
router ospf 100
 area 0 authentication message-digest
 log-adjacency-changes
!!!!!!!!!!!!!!!!!
! If we use BGP !
!!!!!!!!!!!!!!!!!
router bgp 100
 bgp log-neighbor-changes
 neighbor 8.8.8.8 password HashedMD5Password
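! Added example (Python, not part of the original template): checks a saved
! configuration for the global, per-interface and vty lines listed above.
! Assumes the lines are written out explicitly and sub-commands are indented;
! the function names and the sample configuration are constructed for illustration.

```python
# Hardening lines copied from the template; names and sample are assumptions.
REQUIRED_GLOBAL = ["service password-encryption", "no service udp-small-servers",
                   "no service tcp-small-servers", "no ip finger",
                   "no ip http server", "no ip bootp server", "no ip source-route"]
REQUIRED_PER_INTERFACE = ["no ip directed-broadcast", "no ip redirects",
                          "no ip unreachables", "no ip proxy-arp"]

def parse_sections(config):
    """Return (top-level lines, {top-level line: [indented sub-commands]})."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and "!" comments carry no settings
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections

def audit(config):
    """List the template lines that are missing from a configuration."""
    top, sections = parse_sections(config)
    findings = [f"global: missing '{r}'" for r in REQUIRED_GLOBAL if r not in top]
    for header, body in sections.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{r}'"
                         for r in REQUIRED_PER_INTERFACE if r not in body]
        elif header.startswith("line vty") and not any(
                b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.append(f"{header}: no inbound access-class")
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
service password-encryption
no service udp-small-servers
no service tcp-small-servers
no ip finger
no ip bootp server
no ip source-route
interface Ethernet0
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
line vty 0 4
"""
print("\n".join(audit(SAMPLE)))
```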