Manual Configuration Example of Disabling Services on a Perimeter Router

To reinforce which services you should manually disable on your perimeter router, consider an example. In this example, assume that the router has only two interfaces: Ethernet0 and Ethernet1. Example 4-21 shows the router's configuration to manually disable insecure and unnecessary services.

Example 4-21. How to Disable Insecure and Unnecessary Services

Router(config)# no cdp run
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip finger
Router(config)# no ip identd
Router(config)# no service finger
Router(config)# no ip source-route
Router(config)# no ftp-server enable
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Router(config)# no ip domain-lookup
Router(config)# no ip bootp server
Router(config)# no service dhcp
Router(config)# no service pad
Router(config)# no boot network
Router(config)# no service config
Router(config)# interface ethernet 0
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# exit
Router(config)# interface ethernet 1
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip directed-broadcast
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# exit
Router(config)# service tcp-keepalives-in
Router(config)# service tcp-keepalives-out
Router(config)# username admin1 privilege 15 secret geekboy
Router(config)# hostname Bullmastiff
Bullmastiff(config)# ip domain-name quizware.com
Bullmastiff(config)# crypto key generate rsa
Bullmastiff(config)# line vty 0 4
Bullmastiff(config-line)# login local
Bullmastiff(config-line)# transport input ssh
Bullmastiff(config-line)# transport output ssh

Notice that the bottom part of this configuration restricts remote access to and from the router to SSH: the hostname and domain name are set so that an RSA key pair can be generated, and the VTY lines then accept and originate only SSH sessions, authenticating users against the local username database.
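As an added check that is not part of the book's example, the following Python script (written for this section, not Cisco's or the author's code) audits saved `show running-config` text against the baseline above. It assumes the config has been captured to a string, requires each disable command to appear explicitly (IOS defaults vary by version, so an absent line may be either the default or an oversight), and uses the canonical interface forms `no ip unreachables` and `no ip redirects`.

```python
"""Audit a Cisco IOS running-config against the service baseline of Example 4-21."""
# Global commands that must appear verbatim (explicit "no" forms plus the keepalives).
REQUIRED_GLOBAL = [
    "no cdp run", "no service tcp-small-servers", "no service udp-small-servers",
    "no ip finger", "no ip identd", "no ip source-route", "no ip http server",
    "no ip http secure-server", "no ip domain-lookup", "no ip bootp server",
    "no service dhcp", "no service pad", "no boot network", "no service config",
    "no ftp-server enable", "service tcp-keepalives-in", "service tcp-keepalives-out"]
# Commands that must appear under every interface block.
REQUIRED_IFACE = ["no ip proxy-arp", "no ip directed-broadcast",
                  "no ip unreachables", "no ip redirects", "no ip mask-reply"]
# Top-level lines that show a service is still enabled.
ENABLED_PREFIXES = ("snmp-server community", "ip http server", "ip http secure-server")


def parse_blocks(config: str):
    """Split a config into top-level lines and {block header: indented sub-commands}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # skip blanks and "!" separators
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line                # start of an interface or line block
            blocks[current] = []
        else:
            current = None
            top.append(line)
    return top, blocks


def audit(config: str):
    """Return findings as strings; an empty list means the config meets the baseline."""
    top, blocks = parse_blocks(config)
    findings = [f"missing global: {c}" for c in REQUIRED_GLOBAL if c not in top]
    findings += [f"still enabled: {ln}" for ln in top if ln.startswith(ENABLED_PREFIXES)]
    for header, lines in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing {c}" for c in REQUIRED_IFACE if c not in lines]
        elif header.startswith("line vty"):
            findings += [f"{header}: {c} not set"
                         for c in ("transport input ssh", "login local") if c not in lines]
    return findings


# Constructed sample "show running-config" output with deliberate gaps (not from the page).
SAMPLE_CONFIG = "\n".join(["hostname Bullmastiff"] + REQUIRED_GLOBAL[:-1] + [
    "snmp-server community public RO", "!", "interface Ethernet0"]
    + [" " + c for c in REQUIRED_IFACE] + ["!", "interface Ethernet1", " no ip proxy-arp",
    " no ip directed-broadcast", "!", "line vty 0 4", " login local", " transport input telnet ssh"])
```

Running `audit(SAMPLE_CONFIG)` reports the missing keepalive, the leftover SNMP community, the three interface commands absent from Ethernet1, and the VTY line that still allows Telnet.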