!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Router Security Template Configuration !
! Comment: ers@ers.msk.ru 26.11.2001     !
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

service password-encryption
no service udp-small-servers
no service tcp-small-servers

aaa new-model
aaa authentication banner ^C This is private device. All unauthorized access prohibited by law. ^C
aaa authentication username-prompt Login:
aaa authentication password-prompt Password:

no ip finger
no ip http server
no ip bootp server

! SNMP: community strings and hosts are placeholders, each community is tied to an ACL
snmp-server community public RO 2
snmp-server community private RW 3
snmp-server enable traps all
snmp-server host 1.1.1.1 public

access-list 2 permit host 2.2.2.2
access-list 3 permit host 3.3.3.3 log
access-list 4 permit host 4.4.4.4 log

!!!!!!!!!!!!!!!!!!!!
! If we use TACACS !
!!!!!!!!!!!!!!!!!!!!

! 'none' as the last method lets a login through without authentication
! if every earlier method returns an error
aaa authentication login default local group tacacs+ none
aaa authorization exec default group tacacs+ none
tacacs-server host 5.5.5.5
tacacs-server key TACACSecretKey

!!!!!!!!!!!!!!!!!!!!
! If we use RADIUS !
!!!!!!!!!!!!!!!!!!!!

aaa authentication login default local group radius none
aaa authorization exec default group radius none
radius-server host 6.6.6.6
radius-server key RADIUSecretKey

logging buffered 4096
logging 7.7.7.7

! Restrict VTY access to the hosts in ACL 4
line vty 0 4
 access-class 4 in

!!!!!!!!!!!!!!!!!!!!!
! On each interface !
!!!!!!!!!!!!!!!!!!!!!

no ip directed-broadcast
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
! no ip source-route is entered in global configuration mode
no ip source-route
ntp disable

!!!!!!!!!!!!!!!!!
! Anti-spoofing !
!!!!!!!!!!!!!!!!!

! ip cef is global; ip verify unicast rpf goes on the interface
ip cef
ip verify unicast rpf

!!!!!!!!!!!!!!!!!!!!!!!
! If we don't use CDP !
!!!!!!!!!!!!!!!!!!!!!!!

no cdp running
! If CDP runs but we don't want it on this interface
no cdp enable

!!!!!!!!!!!!!!!!!
! If we use RIP !
!!!!!!!!!!!!!!!!!

key chain RIPChain
 key 1
  key-string RIPKey
interface x0
 ip rip authentication key-chain RIPChain
 ip rip authentication mode md5

!!!!!!!!!!!!!!!!!!
! If we use OSPF !
!!!!!!!!!!!!!!!!!!

interface x0
 ip ospf message-digest-key 1 md5 OSPFKey
router ospf 100
 area 0 authentication message-digest
 log-adjacency-changes

!!!!!!!!!!!!!!!!!
! If we use BGP !
!!!!!!!!!!!!!!!!!

router bgp 100
 bgp log-neighbor-changes
 neighbor 8.8.8.8 password HashedMD5Password
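
An added example, not part of the original template: a Python check that reports which of the template's global and per-interface hardening lines a config text lacks, and whether each `line vty` block has an inbound access-class. It assumes every template line appears literally in the text being checked (a running-config omits commands that equal the platform default); the function names and the sample config are constructed for illustration.

```python
# Hardening lines from the template above.
REQUIRED_GLOBAL = ["service password-encryption", "no service udp-small-servers",
                   "no service tcp-small-servers", "no ip finger",
                   "no ip http server", "no ip bootp server", "no ip source-route"]
REQUIRED_INTERFACE = ["no ip directed-broadcast", "no ip redirects",
                      "no ip unreachables", "no ip proxy-arp"]

def parse_blocks(config):
    """Map each top-level line to the list of indented sub-commands under it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue  # blank line or '!' comment/separator
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def audit(config):
    """Return findings for template lines that the config text does not contain."""
    blocks = parse_blocks(config)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in blocks]
    for header, body in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing '{c}'"
                         for c in REQUIRED_INTERFACE if c not in body]
        elif header.startswith("line vty") and not any(
                c.startswith("access-class ") and c.endswith(" in") for c in body):
            findings.append(f"{header}: no inbound access-class")
    return findings

# Constructed sample config (not from the page) with several template lines left out.
SAMPLE = """\
service password-encryption
no ip finger
no ip bootp server
no ip source-route
interface Ethernet0
 no ip directed-broadcast
 no ip proxy-arp
line vty 0 4
 login
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```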