Re: Help hardening router

["Dave LaDuke" <dave () davesdomain org>]

Thanks for telling him, I had planned to have some fun later.



--------------------------------------------------
From: "Curt Shaffer" <cshaffer () gmail com>
Sent: Tuesday, March 09, 2010 1:49 AM
To: <mzcohen2682 () aim com>
Cc: <security-basics () securityfocus com>
Subject: Re: Help hardening router

> Step one is to now change all of your passwords unless you put bogus 
> hashes in there when you posted this. Otherwise, everyone on this list can 
> tell you what they are now :)
>
>
> On Mar 8, 2010, at 3:27 PM, mzcohen2682 () aim com wrote:
>
> > HI ALL !
> >
> > I have a task to harden a small organization router, today the have only 
> > the router and they dont use a FW.
> >
> > Im pasting here the config (not before changing the Ip's ) can someone 
> > recommend which commands to implement in order to harden the router?
> >
> > they use some VPN's and the admin configs the router throw telnet. 
> > another thing.. how I know if this IOS supports SSH?
> >
> > also in the endo of the access list they have a line saying:
> >
> > access-list 111 permit ip any any
> >
> > I think this is bad config right?
> >
> > thanks a lot all !!
> >
> > joe
> >
> > MARIO#sh run
> > Building configuration...
> >
> > Current configuration : 4851 bytes
> > !
> > version 12.3
> > no service pad
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > service password-encryption
> > no service dhcp
> > !
> > hostname mario
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > logging buffered 4096 debugging
> > enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
> > enable password 7 01119908410A0800
> > !
> > username martin password 7 011E090A4F041200
> > aaa new-model
> > !
> > !
> > aaa authentication login default local
> > aaa authentication ppp default local
> > aaa authorization network default none
> > aaa session-id common
> > ip subnet-zero
> > ip cef
> > no ip dhcp conflict logging
> > ip dhcp excluded-address 192.168.8.1 192.168.8.100
> > !
> > ip dhcp pool pool1
> >  network 192.168.8.0 255.255.255.0
> >  default-router 192.168.8.2
> >  dns-server 204.60.193.1 192.168.8.4 204.60.193.2
> > !
> > !
> > ip dhcp-server 192.168.8.2
> > vpdn enable
> > !
> > vpdn-group 1
> > ! Default PPTP VPDN group
> > accept-dialin
> > protocol pptp
> > virtual-template 1
> > !
> > no ftp-server write-enable
> > !
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Tunnel8
> > description Tunel israel Central
> > ip unnumbered FastEthernet4
> > ip route-cache flow
> > no ip mroute-cache
> > tunnel source FastEthernet4
> > tunnel destination 195.77.213.228
> > !
> > interface Tunnel351
> > description Tunel sucursal Cordoba Argentina
> > ip unnumbered FastEthernet4
> > ip route-cache flow
> > no ip mroute-cache
> > tunnel source FastEthernet4
> > tunnel destination 204.60.231.161
> > !
> > interface FastEthernet0
> > no ip address
> > !
> > interface FastEthernet1
> > no ip address
> > !
> > interface FastEthernet2
> > no ip address
> > !
> > interface FastEthernet3
> > no ip address
> > !
> > interface FastEthernet4
> > ip address 227.68.72.193 255.255.255.252
> > ip access-group 110 in
> > no ip unreachables
> > no ip proxy-arp
> > ip nat outside
> > ip virtual-reassembly
> > duplex auto
> > speed auto
> > !
> > interface Virtual-Template1
> > ip unnumbered FastEthernet4
> > peer default ip address pool grupoIPclientePPTP
> > no keepalive
> > ppp authentication ms-chap ms-chap-v2
> > !
> > interface Vlan1
> > ip address 192.168.8.2 255.255.255.0
> > ip access-group 111 in
> > ip nat inside
> > ip virtual-reassembly
> > ip route-cache flow
> > !
> > ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
> > ip default-gateway 204.68.72.194
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 204.60.72.194
> > ip route 192.168.0.0 255.255.0.0 Tunnel8
> > ip route 192.168.1.0 255.255.255.0 Tunnel8
> > ip route 192.168.5.0 255.255.255.0 Tunnel8
> > ip route 192.168.8.0 255.255.255.0 Vlan1
> > ip route 192.168.81.0 255.255.255.0 Tunnel351
> > !
> > no ip http server
> > no ip http secure-server
> > ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 
> > 255.255.255.252
> > ip nat inside source list 100 pool traduccion overload
> > ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 
> > extendable
> > ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 
> > extendable
> > ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 
> > extendable
> > ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 
> > extendable
> > ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 
> > extendable
> > !
> > access-list 100 permit ip 192.168.8.0 0.0.0.255 any
> > access-list 110 permit ip 192.168.0.0 0.0.255.255 any
> > access-list 110 permit ip 194.140.64.0 0.0.31.255 any
> > access-list 110 permit ip host 62.97.66.136 any
> > access-list 110 permit ip 192.0.0.0 0.255.255.255 any
> > access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
> > access-list 110 permit tcp any host 204.60.72.193 eq smtp
> > access-list 110 permit tcp any host 204.60.72.193 eq 6024
> > access-list 110 permit tcp any host 204.60.72.193 eq 6050
> > access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
> > access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
> > access-list 110 permit tcp any host 192.168.8.4 eq domain
> > access-list 110 permit udp any host 192.168.8.4 eq domain
> > access-list 110 permit tcp any any eq 81
> > access-list 110 permit tcp any any eq www
> > access-list 110 permit tcp any eq www any
> > access-list 110 permit tcp any eq smtp any
> > access-list 110 permit tcp any eq 443 any
> > access-list 110 permit udp any eq domain any
> > access-list 110 permit tcp any eq domain any
> > access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
> > access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
> > access-list 110 permit tcp host 80.44.216.45 any eq telnet
> > access-list 110 permit tcp any any
> > access-list 110 permit udp any any
> > access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
> > access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
> > access-list 110 permit tcp any host 204.60.72.193 eq 6007
> > access-list 110 permit ip any any
> > access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
> > access-list 111 permit ip any any
> > !
> > control-plane
> > !
> > !
> > line con 0
> > no modem enable
> > transport preferred all
> > transport output all
> > line aux 0
> > transport preferred all
> > transport output all
> > line vty 0 4
> > password 7 105C060C111200535B55
> > transport preferred all
> > transport input all
> > transport output all
> > !
> > scheduler max-task-time 5000
> > end
> >
> > mARIO#
> >
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an 
> > SSL certificate.  We look at how SSL works, how it benefits your company 
> > and how your customers can tell if a site is secure. You will find out 
> > how to test, purchase, install and use a thawte Digital Certificate on 
> > your Apache web server. Throughout, best practices for set-up are 
> > highlighted to help you ensure efficient ongoing management of your 
> > encryption keys and digital certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL 
> certificate.  We look at how SSL works, how it benefits your company and 
> how your customers can tell if a site is secure. You will find out how to 
> test, purchase, install and use a thawte Digital Certificate on your 
> Apache web server. Throughout, best practices for set-up are highlighted 
> to help you ensure efficient ongoing management of your encryption keys 
> and digital certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------