Security Basics mailing list archives

RE: Help hardening router


From: "Jatmoko, Arif (ID - Jakarta)" <ajatmoko () deloitte com>
Date: Tue, 9 Mar 2010 10:12:52 +0700

If this is a Cisco Catalyst, it should support SSH. Just enable SSH by entering the commands:
crypto key generate rsa
line vty 0 4
And disable telnet, make SSH the only transport, use ACLs to restrict the inbound and outbound packets passing your 
interfaces (by IP address and service), enable logging, secure your login, etc., etc.

You should at least learn some basic commands, or consult someone who has adequate skills in configuring Catalyst IOS. 
Your router has some weak config and looks messy, with many duplicate ACL entries. Furthermore, exposing your 
complete router config (username = martin; password = monto??) with this kind of question is a sloppy thing to do!
Just reading a basic book, or asking Google about a certain command, will help you improve your question.



Best regards,
Arif Jatmoko, CISA CISSP


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mzcohen2682 () aim com
Sent: Tuesday, March 09, 2010 3:27 AM
To: security-basics () securityfocus com
Subject: Help hardening router

Hi all!

I have a task to harden a small organization's router; today they have
only the router and they don't use a FW.

I'm pasting the config here (not before changing the IPs). Can someone
recommend which commands to implement in order to harden the router?

They use some VPNs, and the admin configures the router through telnet.
Another thing... how do I know if this IOS supports SSH?

Also, at the end of the access list they have a line saying:

access-list 111 permit ip any any

I think this is a bad config, right?

Thanks a lot, all!!

joe

MARIO#sh run
Building configuration...

Current configuration : 4851 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname mario
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
!
username martin password 7 011E090A4F041200
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default none
aaa session-id common
ip subnet-zero
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.8.1 192.168.8.100
!
ip dhcp pool pool1
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.2
   dns-server 204.60.193.1 192.168.8.4 204.60.193.2
!
!
ip dhcp-server 192.168.8.2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Tunnel8
 description Tunel israel Central
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 195.77.213.228
!
interface Tunnel351
 description Tunel sucursal Cordoba Argentina
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 204.60.231.161
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 227.68.72.193 255.255.255.252
 ip access-group 110 in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool grupoIPclientePPTP
 no keepalive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 192.168.8.2 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
ip default-gateway 204.68.72.194
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.72.194
ip route 192.168.0.0 255.255.0.0 Tunnel8
ip route 192.168.1.0 255.255.255.0 Tunnel8
ip route 192.168.5.0 255.255.255.0 Tunnel8
ip route 192.168.8.0 255.255.255.0 Vlan1
ip route 192.168.81.0 255.255.255.0 Tunnel351
!
no ip http server
no ip http secure-server
ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 255.255.255.252
ip nat inside source list 100 pool traduccion overload
ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 extendable
ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 extendable
ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 extendable
ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 extendable
ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 extendable
!
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 194.140.64.0 0.0.31.255 any
access-list 110 permit ip host 62.97.66.136 any
access-list 110 permit ip 192.0.0.0 0.255.255.255 any
access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any host 204.60.72.193 eq 6024
access-list 110 permit tcp any host 204.60.72.193 eq 6050
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any host 192.168.8.4 eq domain
access-list 110 permit udp any host 192.168.8.4 eq domain
access-list 110 permit tcp any any eq 81
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any eq 443 any
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
access-list 110 permit tcp host 80.44.216.45 any eq telnet
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 105C060C111200535B55
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

mARIO#


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



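The reply above gives only the two SSH commands and a list of things to fix. The fragment below, added editorially and not written by either poster, spells out the management-plane and filtering changes for the posted "mario" config. It assumes the router runs a k9 (crypto) IOS image with the firewall feature set (needed for "ip inspect"), that 192.168.8.0/24 is the only directly attached inside network, and that 204.60.72.193 is the outside/NAT address as shown in the post. Every name in <ANGLE_BRACKETS> is a placeholder, since the original poster changed the real addresses; the new lists are numbered 120 and 121 so the old ones stay in force until the swap.

```ios
! Added example (editorial, not from either poster): management-plane and
! filtering hardening for the posted "mario" config. Placeholders in
! <ANGLE_BRACKETS> must be replaced; 204.60.72.193 is the outside/NAT
! address that appears in the post.
!
! Is SSH available at all? Only k9 (crypto) images include it, e.g.
! "c870-advsecurityk9-mz":   show version | include image
! "show ip ssh" answering "SSH Disabled" means supported but not configured.
!
! Credentials. Type 7 ("password 7") is reversible obfuscation, which is
! how a reader of the list recovered "monto??". Keep only irreversible secrets.
no enable password
username martin secret <NEW_STRONG_PASSWORD>
!
! SSH needs a hostname and a domain name before the RSA key can be generated.
ip domain-name <example.invalid>
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management access: SSH only, from listed stations, with an idle timeout.
! "aaa authentication login default local" (already present) authenticates
! against the username database, so the line password is no longer needed.
access-list 12 remark management stations
access-list 12 permit 192.168.8.0 0.0.0.255
access-list 12 deny   any log
line vty 0 4
 no password
 access-class 12 in
 exec-timeout 5 0
 transport input ssh
 transport output none
line aux 0
 no exec
 transport input none
line con 0
 exec-timeout 5 0
!
! Services an edge router should not offer, plus login throttling
! (the login commands need the IOS Login Enhancements, 12.3(4)T or later).
no ip source-route
no cdp run
service tcp-keepalives-in
login block-for 120 attempts 3 within 60
login on-failure log
logging host <SYSLOG_SERVER>
!
! Outside filter. The posted list 110 contains "permit tcp any any",
! "permit udp any any" and "permit ip any any", so it allows everything and
! the specific lines above them never matter. An inbound ACL on the NAT
! outside interface also sees the untranslated (global) destination, so the
! old entries aimed at 192.168.8.x could never match. CBAC (ip inspect)
! opens return holes for sessions started inside; it needs a firewall
! feature-set image. Remote-site traffic arrives inside GRE and is seen on
! the Tunnel interfaces after decapsulation, so only GRE itself is listed.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
access-list 120 remark private sources never legitimately arrive from the Internet
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 120 remark GRE: site-to-site tunnels and PPTP data; PPTP control is TCP 1723
access-list 120 permit gre any host 204.60.72.193
access-list 120 permit tcp any host 204.60.72.193 eq 1723
access-list 120 remark published services, one line per static NAT entry
access-list 120 permit tcp any host 204.60.72.193 eq smtp
access-list 120 permit tcp any host 204.60.72.193 eq www
access-list 120 permit tcp any host 204.60.72.193 eq pop3
access-list 120 permit tcp any host 204.60.72.193 eq 143
access-list 120 permit tcp host <ADMIN_HOST> host 204.60.72.193 eq 6007
access-list 120 deny   ip any any log
interface FastEthernet4
 ip access-group 120 in
 ip inspect FW out
 no ip redirects
!
! Inside filter: replace "permit ip any any" with a source check. DHCP
! DISCOVERs come from 0.0.0.0 and must be allowed explicitly.
access-list 121 permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list 121 permit ip 192.168.8.0 0.0.0.255 any
access-list 121 deny   ip any any log
interface Vlan1
 ip access-group 121 in
!
! Once 120/121 carry traffic (show access-lists shows hit counts):
no access-list 110
no access-list 111
```

Order matters when doing this over the network: generate the key, enable SSH, open a second session over SSH and confirm it works, and only then set "transport input ssh" on the vty lines. Never "no access-list 110" while it is still bound to FastEthernet4, because a numbered ACL that does not exist permits everything; that is why the example builds 120 and 121 first and swaps the "ip access-group" statements. Ports 6024 and 6050 from the old list have no NAT entry in the post, so they were left out; add them only if something actually listens. The "log" keywords are for tuning and should be trimmed once the lists are stable. Two things this fragment does not change, but which an auditor would flag: the Tunnel8/Tunnel351 GRE tunnels carry no encryption, and PPTP with MS-CHAP/MS-CHAPv2 has well-known authentication weaknesses; an IPsec-based replacement is the usual next step.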

