Security Basics mailing list archives

Re: Re: Help hardening router


From: notareal () email com
Date: Tue, 16 Mar 2010 19:05:31 -0600

I have to agree with David...looks like you changed the actual interface to a broadcast IP, which is good....but looks 
like a lot of other identifying IPs are still in there that allow us to find out which one it is (change stuff like "ip 
default-gateway", "ip nat pool" IPs, DNS servers, certain public access-list IPs, and VPN end-point IPs as well if 
you post another config...just for safety's sake.  If you already did with this config, good; if not, this sort of 
stuff can enable some of us to find this router relatively easily, even if you just changed the interface IP).

To mirror what other people have mentioned:

* log in with SSH instead of telnet
* create access lists to allow the types of traffic you need, add an entry at the end to deny anything else.
* there are some redundant access control list rules in here, I would recommend looking up some ACL best practices.
* definitely get rid of all the password 7 authentication...cracked in seconds on the web ('router871' for telnet for 
example....enable is password 7 as well...which is the quickest way to give someone root to your router), enable MD5 
password hashing.
* add a TACACS server or something like that for authentication if possible.

I don't have the exact commands off the top of my head to accomplish all of this, but all of it should be easily found 
by some Google searching.  Part of the process is taking what you need to do and doing some personal research to find 
out exactly how to do it....it's how we all learn. :)

Good luck!

-savage soma
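
Added example (not part of the original message): a small Python scrubber for a router config before it is posted to a list, covering the fields named above (gateway, NAT pool, DNS, access-list and VPN peer addresses) and flagging the type 7 and telnet lines. The sample config, the `sanitize` function and the 192.0.2.x placeholder scheme are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); addresses are documentation ranges.
SAMPLE_CONFIG = """\
enable password 7 0000EXAMPLE0000
ip default-gateway 203.0.113.1
ip name-server 198.51.100.53
ip nat pool OUTSIDE 203.0.113.10 203.0.113.20 netmask 255.255.255.0
access-list 101 permit tcp host 198.51.100.53 any eq 22
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp key EXAMPLEKEY address 203.0.113.77
line vty 0 4
 password 7 0000EXAMPLE0000
 transport input telnet
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Password/secret strings of any type and VPN pre-shared keys.
SECRET = re.compile(r"\b((?:password|secret) (?:\d )?|isakmp key )\S+")
WEAK = {
    re.compile(r"\bpassword 7 "): "type 7 password (reversible encoding)",
    re.compile(r"\btransport input .*telnet"): "telnet allowed on vty lines",
}

def sanitize(config):
    """Return (redacted_config, findings); findings are (line_number, issue) pairs."""
    mapping, findings, out = {}, [], []
    def swap(match):
        text = match.group()
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text  # not a valid IPv4 address, leave untouched
        # Assumption: a first octet of 0 or 255 is a wildcard or netmask, not a host.
        if text.split(".")[0] in ("0", "255") or any(addr in n for n in RFC1918):
            return text
        # Same input address always maps to the same 192.0.2.x placeholder.
        mapping.setdefault(addr, f"192.0.2.{len(mapping) + 1}")
        return mapping[addr]

    for number, line in enumerate(config.splitlines(), 1):
        findings += [(number, why) for rx, why in WEAK.items() if rx.search(line)]
        out.append(IPV4.sub(swap, SECRET.sub(r"\1<removed>", line)))
    return "\n".join(out), findings

if __name__ == "__main__":
    redacted, issues = sanitize(SAMPLE_CONFIG)
    print(redacted, *issues, sep="\n")
```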
