To review the services that you should manually disable on your perimeter router, consider an example. Assume that the router has only two interfaces: Ethernet0 and Ethernet1. Example 4-21 shows the router configuration that manually disables insecure and unnecessary services.
Router(config)# no cdp run
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip finger
Router(config)# no ip identd
Router(config)# no service finger
Router(config)# no ip source-route
Router(config)# no ftp-server enable
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Router(config)# no ip domain-lookup
Router(config)# no ip bootp server
Router(config)# no service dhcp
Router(config)# no service pad
Router(config)# no boot network
Router(config)# no service config
Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip unreachable
Router(config-if)# no ip redirect
Router(config-if)# no ip mask-reply
Router(config-if)# exit
Router(config)# interface ethernet 1
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip unreachable
Router(config-if)# no ip redirect
Router(config-if)# no ip mask-reply
Router(config-if)# exit
Router(config)# service tcp-keepalives-in
Router(config)# service tcp-keepalives-out
Router(config)# username admin1 privilege 15 secret geekboy
Router(config)# hostname Bullmastiff
Bullmastiff(config)# ip domain-name quizware.com
Bullmastiff(config)# crypto key generate rsa
Bullmastiff(config)# line vty 0 4
Bullmastiff(config-line)# login local
Bullmastiff(config-line)# transport input ssh
Bullmastiff(config-line)# transport output ssh
Notice that the bottom part of this configuration restricts remote access to and from the router to SSH.
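One way to check saved configuration text against Example 4-21, added here as an example that is not part of the original text: it reports which of the example's commands are missing globally, on every interface, and on the VTY lines. The names `REQUIRED`, `parse_sections` and `audit` and the sample configuration are constructed for illustration, and the check assumes the text lists each disabling command explicitly, as the example does.

```python
# Commands from Example 4-21 by scope; the global list is a subset of the example's.
REQUIRED = {
    "global": ["no cdp run", "no ip source-route", "no ip http server", "no service pad"],
    "interface ": ["no ip proxy-arp", "no ip directed-broadcast",
                   "no ip unreachable", "no ip redirect", "no ip mask-reply"],
    "line vty": ["login local", "transport input ssh"],
}

def parse_sections(config_text):
    """Map "global" and each interface/line header to the commands under it."""
    sections, current = {"global": []}, "global"
    for raw in filter(str.strip, config_text.splitlines()):  # skip blank lines
        line = raw.strip()
        if raw[0].isspace():
            if current != "global":
                sections[current].append(line)  # sub-command of the open block
        elif line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            current = "global"                  # any other column-0 line closes the block
            sections["global"].append(line)
    return sections

def audit(config_text):
    """Return (scope, missing command) pairs; an empty list means none missing."""
    # c + "s" accepts the full keywords IOS stores, e.g. "no ip redirects".
    return [(scope, c)
            for scope, lines in parse_sections(config_text).items()
            for prefix, required in REQUIRED.items() if scope.startswith(prefix)
            for c in required if c not in lines and c + "s" not in lines]

# Constructed sample, not from the page: Ethernet1 and the VTY lines are incomplete.
SAMPLE = """\
no cdp run
no ip source-route
no service pad
interface Ethernet0
 no ip proxy-arp
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
 no ip mask-reply
interface Ethernet1
 no ip directed-broadcast
 no ip mask-reply
line vty 0 4
 login local
 transport input telnet ssh
"""
```

IOS leaves commands that match a release's defaults out of `show running-config`, so treat a finding as a prompt to verify that setting rather than as proof that the service is enabled.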