IOS basic security commands

enable secret PASSWORD
  #stored as an MD5 hash (type 5), not cleartext. Prefer this over "enable password".
  #newer IOS (15.3+) can do: enable algorithm-type scrypt secret PASSWORD
service password-encryption
  #vty, con, aux passwords (weakly) encrypted: type 7 is reversible obfuscation, not real encryption.
  #still worth enabling; it only stops shoulder-surfing of "show run".

line vty 0 4
  login
  password PASSWORD
line con 0
  login
  password PASSWORD
  logging synchronous   #not security. stops log messages from breaking up what you type
  exec-timeout 0 0   OR:   no exec-timeout   #no idle logout. bad security! use e.g. exec-timeout 5 0 instead
line aux 0
  login
  password PASSWORD

banner login # Authorized Access ONLY! etc..... #
  #the # is the delimiter; the text between the delimiters is shown before the login prompt

no ip source-route
  (disable routing of source-routed packets, i.e. packets that carry their own list of hops.
   don't want a user's host telling the router which path to take)
no service finger   #newer IOS: no ip finger (same thing)
  (finger tells username and logon status of users on the router)
no service udp-small-servers   (disable misc. servers: echo, chargen, discard, daytime. off by default since IOS 12.0)
no service tcp-small-servers

Per interface:
no ip proxy-arp          (don't answer ARP for hosts on another net; use proper subnetting/routing instead.
                          on by default, so this line shows in the running-config when set)
no ip directed-broadcast (don't forward broadcasts aimed at another net, esp. on external interfaces.
                          smurf attack amplifier. off by default since IOS 12.0)
no ip unreachables       (disable ICMP unreachable messages. hides which addresses/ports are unused)
no ip redirects          (don't send ICMP Redirect messages back to hosts. the router itself ignores Redirects sent to it)

#Setup for SDM:
#Generate encryption keys for SSH and HTTPS:
ip domain-name mydomainname.com          #required before keygen; the key is named hostname.domain
crypto key generate rsa general-keys     #use "modulus 2048" (or larger) when prompted; 512/1024 are too small today
ip http server          #start web server. only needed for SDM; otherwise: no ip http server
ip http secure-server   #https too, port 443. prefer this over plain http
#create a user to use SDM: privilege level 15 (same as enable mode)
username WORD privilege 15 secret PASSWORD   #secret = hashed. "password" instead of "secret" would store type 7
#use local username database
ip http authentication local   #not on by default: the default is "enable" (the enable password). set it.
line vty 0 4
  login local
#enable SSH and/or telnet
line vty 0 4
  transport input ssh|telnet|all|none   #ssh only is the secure choice; telnet and "all" are cleartext
ip ssh version 2   #force SSHv2; SSHv1 is weak
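As an added example (not part of the original notes and not Cisco code), a small Python audit that reads an IOS running-config and flags the weak settings listed above: cleartext transports, missing idle timeout, missing per-interface ICMP/ARP hardening, and any type-7 password, which it decodes to show why "service password-encryption" is only weak obfuscation. SAMPLE_CONFIG, its addresses and the hash in it are constructed for illustration.

```python
"""Audit an IOS running-config for the basic hardening settings above.
Added example, not Cisco's code. SAMPLE_CONFIG is constructed."""
import re

# XOR key Cisco uses for type-7 (service password-encryption) strings.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Recover the plaintext behind a type-7 string. The first two
    decimal digits are an offset into TYPE7_KEY; each following hex
    byte is XORed with successive key bytes. Anyone holding 'show run'
    output can do this, which is why type 7 counts as weak."""
    seed = int(enc[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(enc), 2)):
        key_byte = TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
        out.append(int(enc[pos:pos + 2], 16) ^ key_byte)
    return out.decode()


def parse_sections(config):
    """Split a config into (header, [indented child lines]) blocks."""
    sections, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line.strip(), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return sections


def audit(config):
    """Return a list of human-readable findings for the config."""
    findings = []
    sections = parse_sections(config)
    top = {header for header, _ in sections}

    # Global settings (only lines that differ from the default appear here)
    if "service password-encryption" not in top:
        findings.append("global: service password-encryption off, line passwords are cleartext")
    if not any(h.startswith("enable secret") for h in top):
        findings.append("global: no 'enable secret' (hashed); enable password is type 7 or cleartext")
    if "no ip source-route" not in top:
        findings.append("global: source-routed packets still honoured (add 'no ip source-route')")
    if "ip finger" in top or "service finger" in top:
        findings.append("global: finger service enabled")

    # Every type-7 string in the config is recoverable, so report each one
    for match in re.finditer(r"password 7 ([0-9A-Fa-f]+)", config):
        enc = match.group(1)
        findings.append(f"type7: '{enc}' decodes to '{decode_type7(enc)}'")

    for header, body in sections:
        if header.startswith("line "):
            if "exec-timeout 0 0" in body or "no exec-timeout" in body:
                findings.append(f"{header}: idle sessions never time out")
            if not any(b.startswith("login") for b in body):
                findings.append(f"{header}: no login required")
            for b in body:
                if b.startswith("transport input"):
                    weak = set(b.split()[2:]) - {"ssh", "none"}
                    if weak:
                        findings.append(f"{header}: cleartext transport allowed: {' '.join(sorted(weak))}")
        elif header.startswith("interface") and any(b.startswith("ip address") for b in body):
            if "ip directed-broadcast" in body:
                findings.append(f"{header}: directed broadcasts forwarded (smurf amplifier)")
            for want in ("no ip proxy-arp", "no ip redirects", "no ip unreachables"):
                if want not in body:
                    findings.append(f"{header}: missing '{want}'")
    return findings


# Constructed sample: one hardened and one unhardened interface, a type-7
# enable password, and a vty line that still allows telnet with no timeout.
SAMPLE_CONFIG = """\
service password-encryption
!
enable password 7 0822455D0A16
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 exec-timeout 0 0
 login local
 transport input telnet ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The audit only looks for lines that are present in the config, so it can check settings whose default is insecure (proxy-arp, redirects, unreachables show up as "no ..." lines when fixed) but cannot tell a default-off setting from one you explicitly disabled; for a real device compare against "show running-config all", which prints defaults too.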