cisco.txt

cisco.txt
Posted Jun 21, 2000
Authored by Brad Spengler

Enhancing network security through the use of inexpensive cisco routers. Describes local router security, turning off the routers services, access-lists, dos protection, and more.

tags | local
systems | cisco
SHA-256 | d03ff45dc98d26a5101627907163535a5bc7387cf4d3281a0eb76a95e6ecb9ad

################################################################################
# Securing Low-End Cisco Routers #
# (c) spender 2000 #
# ---------------------------------------------------------------------------- #
# greetz to tekneeq, rag, bansh33, ch1ckie (she's soooo cute!!!), boda (gotcha #
# again), negrox (just cuz u asked me), trumpet, v9 (i lub u), everyone from #
# ACPO, specially tashie..she's soo nice!, mrwhit3, bogey (ur still muh bitch) #
# axtrex (sorry i almost forgot u), sys-edit, and any of the rest of u who #
# have put up with my crap...special greetz tho those of u who mail me bout #
# my docs...makes a little boy feel all warm and tingly;) #
################################################################################

Table of Contents
--------------------------
I. Introduction
II. Local Security
III. Network Security
IV. Conclusion
V. Contact Me


I. Introduction
--------------------------
Ok, welp my 3rd public doc...in case u haven't read the other ones, i'm sure
u can find them on packetstorm. They've got the names of ipchains.txt and
Sysctl.sh. I'm kinda bored right now, and a little messed up..i saw that
guy on TV that wrestles crocodiles and grabs snakes by their tail and watches
them spit venom into his eyes...and it was kinda funny. mebbe i'll see some
of u at the sanitarium tour on july 4th...(mebbe if i can get some federal
agents or something to escort me..that'd be neato;) ) oh, and go see gone in
60 seconds...it was a good movie imo...lots of blowing up stuff and crashes
and CARS...lots and lots of CARS..and of course angelina jolie...and well i'm
just not gonna go there=P (h0tt!) oh..and while i'm here, since my interview
isn't gonna be out for a while, lemme say that i'm looking for whores..lots of
em (no not real ones). if ya wanna chat for a little..come find me on EFnet,
under nick spender-, or spender_ (not spender) ;) so anywayz, back on subject
here...i wrote this doc partially out of my disgust.....errr ok there's no
way out of this. Rant time. It's COMPLETELY ridiculous that for a user such
as myself to update buggy/exploitable software (IOS) currently on my routers,
i haveta pay CISCO a large sum of money (i was told $2000/yr). This is
completely preposterous that i have to pay so much money for an "incomplete"
product, and then to update it to a less "incomplete" state, i have to shell
out more money...and then when i got to that point, pay more money in a few
months to update it yet again because of some programmer's mistakes. Since
when does an error on the part of the company result in ME giving THEM money?
it's ridiculous! I can see them making ppl pay for hardware upgrades, but
REALLY how much does it cost for them to shell out another software update?
end users have paid out their ears already, and the only reason they pay these
ridiculous prices is because it's their business that's paying for it. If u
can give the boss pretty pictures showing how this'll help them out, they're
all for it, because the don't know what the heck it all means. It's pitiful
that these people are so money hungry....*sigh* </rant> Anywayz, for
those of us who don't have beaucoup bucks...(i've got a cisco 2514)...we don't
have the money for all the fancy upgrades or newest models...and many isps and
such don't...it's a shame that to protect our networks we have to pay more
money to update an inadequate system. The information in this document will
apply to virtually any Cisco router, but it is specifically written for ones
with IOS versions less than 11. But anywayz, there are still some things you
can do with low-end Cisco routers to enhance local security and network
security, and this document aims to cover them. It assumes that you have some
experience in working with routers, e.g. knowing that an access-list is checked
top down and the first rule that matches is the one that counts.

II. Local Security
--------------------------------
First thing to a secure router is having secure passwords, of course. Make
them long and random (a 32-bit hex value is only 8 characters, so go longer
than that if you can). Make sure the privileged password is stored as a hash
rather than in the clear: the simple command "enable secret" sets it and
stores it as a salted MD5 hash (the "5" in front of it in the config). MD5 is
a hash, not encryption, so the router never needs to recover the plaintext.
Don't confuse this with "enable password" or "service password-encryption":
those only apply the type 7 obfuscation, which is trivially reversible, so
once "enable secret" is set, remove any leftover "enable password" line
(still run "service password-encryption" so the vty/console passwords at least
aren't sitting in the config in plain text). None of this provides any
security against passwords sniffed off a telnet session to the router. Cisco
was gracious enough to make routers that don't have any sort of encrypted
remote login, such as ssh or kerberized telnet, so unless you need it, it may
be best to disable telnet access to the router altogether. This is done from
configuration mode (entered with "configure terminal") under the vty lines:
    line vty 0 4
     transport input none
Note that this kills every inbound vty session, so from then on you manage
the box from the console (or aux) port. While i'm on the issue of commands,
"show" displays the statistics of various aspects of your router, and the
character "?" in a command displays help for that command, or, typed by
itself, lists the commands that can be entered in the current mode. Enable
tcp keepalives on the router with the command "service tcp-keepalives-in" so
that half-open (ghost) connections to the router get torn down instead of
tying up vty lines. Keep management services such as SNMP disabled unless
you really need them (a "snmp-server community" line in your config means
it's on), and disable any other services that aren't going to be used.
Here are the commands i used to disable services on my router:
    no service finger             #gives too much information
    no ntp enable                 #not needed (the documented per-interface form is "ntp disable")
    no cdp run                    #gives too much information (global)
    no cdp enable                 #gives too much information (per interface)
    no service tcp-small-servers  #disables echo, chargen, discard, daytime
    no service udp-small-servers  #disables echo, chargen, discard
The "no service ..." lines and "no cdp run" are global configuration commands;
"no cdp enable" (and "ntp disable") are entered under a specific interface.
On these older IOS versions finger and the small servers are on by default,
so if the "no" lines aren't in your running-config, they're running.

III. Network Security
--------------------------------
One of the areas to focus on for low-end routers as far as network security
goes is setting up ACLs to drop at least the obviously spoofed packets: ones
arriving on the outside interface with a source address that could never
legitimately come from the Internet (loopback, the RFC 1918 private blocks,
multicast/reserved space, the all-zeros and broadcast addresses, and above
all your own subnet). These are configured with the access-list command; for
my router, the following configuration worked (done from configuration mode).
Remember that a numbered ACL is checked top down, the first matching line
wins, and anything that matches no line is dropped by the implicit deny at
the end, which is why the final "permit ip any any" is required.
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any
    access-list 100 deny ip host 0.0.0.0 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip yoursubnethere yoursubnetmaskhere any
    access-list 100 permit ip any any
Two notes on the wildcard masks (a 1 bit in the wildcard means "don't care"):
the private block 172.16.0.0/12 needs the wildcard 0.15.255.255 to cover
172.16.0.0 through 172.31.255.255; 0.0.255.255 would only catch 172.16.x.x.
And 224.0.0.0 31.255.255.255 already covers everything from 224.0.0.0 up to
255.255.255.255, so the "host 255.255.255.255" line is harmless but redundant.
"yoursubnetmaskhere" is a wildcard too, i.e. the inverse of your subnet mask
(0.0.0.255 for a /24). Then after doing "interface ethernet 0", or whatever
your external interface(s) are, the following command binds the list to
packets arriving on that interface:
    ip access-group 100 in
There u go...sucker will be purrin like a kitty.
If you want to keep packet kiddies from working off your network, implement
an ACL that only lets ip packets out whose source address is in your subnet.
This won't stop them from spoofing another host on your network, but it sure
stops them from spoofing anyone else's. Since the first matching line wins,
the permit has to come first; the implicit deny at the end of the list takes
care of everything else (a "deny ip any any" as the first line would block
all of your outbound traffic). Something to the effect of:
    access-list 101 permit ip yoursubnethere yoursubnetmaskhere any
and then, under the external interface:
    ip access-group 101 out
should do the trick.
The idea behind the command
    ip route 0.0.0.0 0.0.0.0 null 0 255
is a route of last resort to the Null0 interface, so that packets for which
the router has no real route get discarded instead of being bounced around.
Two caveats. IOS treats an administrative distance of 255 as "untrusted" and
never installs such a route, so exactly as written the command does nothing;
give it a distance above your real default route's but below 255 (e.g. 254)
and it only kicks in when no better route exists. Second, every packet that
falls into Null0 earns an ICMP unreachable reply, so add "no ip unreachables"
under "interface null0" if you don't want the router answering floods of
garbage one packet at a time.
Now, while you're here, you can add to your access-list by blocking all
incoming IGMP packets. You don't need them anyway (and fragmented ones love
being tossed at windows machines), so we add a line like
    access-list 100 deny igmp any any
to our list. Careful where it lands, though: lines added to a numbered ACL
are appended to the end, after the "permit ip any any", where they can never
match. To get the deny in front of the permit you have to remove the list
("no access-list 100") and re-enter it in the right order.
Now, to be protected against smurf attacks, the command
    no ip directed-broadcast
should be done on every interface, not just the external one (on my router,
interface ethernet 0 and the rest). The check happens on the interface that
would turn the directed broadcast into a real broadcast, so it's the LAN
interfaces that matter most; this keeps people from using your broadcast
address as an amplifier. While you're at it, disable source routing on the
router, as it's never used for any legitimate purpose: "no ip source-route"
(a global command) should do the trick. ICMP redirects arriving from outside
your network aren't legitimate either (a redirect only makes sense coming
from a router on the same segment as the receiver), so they should be dropped
as well, with a line that, like the IGMP one, goes before the final permit:
    access-list 100 deny icmp any any redirect
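To see exactly how the router reads the lists above, here is an added example (mine, not from this document and not Cisco code) that models the numbered-ACL rules in Python: wildcard masks, top-down first match, and the implicit deny. It runs the ingress list (access-list 100), the egress list (access-list 101) and the appended IGMP and ICMP redirect lines through that model. 203.0.113.0/24 stands in for "yoursubnethere", 198.51.100.7 for an outside host; both are made-up addresses.

```python
# Added example, not from the original document: a model of how IOS evaluates a numbered
# extended ACL (wildcard masks, first match wins, implicit deny), run over this section's lists.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[str, str]                       # (network, wildcard) exactly as typed in the ACE
ANY: Net = ("0.0.0.0", "255.255.255.255")   # what the keyword 'any' stands for
def _ip(a: str) -> int: return int(ipaddress.IPv4Address(a))
def _care(wildcard: str) -> int: return ~_ip(wildcard) & 0xFFFFFFFF   # 1 = don't care, so invert

def wildcard_match(addr: str, net: Net) -> bool:
    care = _care(net[1])                    # compare only the bits the wildcard says to compare
    return (_ip(addr) & care) == (_ip(net[0]) & care)

def covers(outer: Net, inner: Net) -> bool:
    oc, ic = _care(outer[1]), _care(inner[1])   # outer must not compare a bit inner leaves free
    return not (oc & ~ic & 0xFFFFFFFF) and (_ip(outer[0]) & oc) == (_ip(inner[0]) & oc)

@dataclass
class Ace:
    action: str                       # 'permit' | 'deny'
    proto: str                        # 'ip' matches every protocol; anything else must match exactly
    src: Net
    dst: Net
    qualifier: Optional[str] = None   # trailing keyword, e.g. the ICMP type 'redirect'

def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny PROTO SRC DST [qualifier]' (the list number is not needed)."""
    tok = line.split()
    addrs, pos = [], 4
    for _ in range(2):                      # source, then destination
        if tok[pos] == "any":
            addrs.append(ANY)
            pos += 1
        elif tok[pos] == "host":
            addrs.append((tok[pos + 1], "0.0.0.0"))
            pos += 2
        else:
            addrs.append((tok[pos], tok[pos + 1]))
            pos += 2
    return Ace(tok[2], tok[3], addrs[0], addrs[1], tok[pos] if pos < len(tok) else None)

class NumberedAcl:
    """Entries append in the order given, the first match wins, and an implicit deny ends the list."""
    def __init__(self, lines: List[str]):
        self.aces = [parse_ace(l) for l in lines]

    def evaluate(self, src: str, dst: str, proto: str = "ip", qualifier: Optional[str] = None):
        """Return (action, index of the matching entry); index None means the implicit deny fired."""
        for idx, ace in enumerate(self.aces):
            if (ace.proto in ("ip", proto) and ace.qualifier in (None, qualifier)
                    and wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst)):
                return ace.action, idx
        return "deny", None

    def unreachable(self) -> List[int]:
        """Indices of entries a single earlier entry shadows completely, so they can never match."""
        return [j for j, later in enumerate(self.aces)
                if any(e.proto in ("ip", later.proto) and e.qualifier in (None, later.qualifier)
                       and covers(e.src, later.src) and covers(e.dst, later.dst)
                       for e in self.aces[:j])]

OUR_NET = "203.0.113.0 0.0.0.255"   # constructed stand-in for "yoursubnethere yoursubnetmaskhere"
INGRESS_AS_WRITTEN = [
    "access-list 100 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 10.0.0.0 0.255.255.255 any",
    "access-list 100 deny ip 224.0.0.0 31.255.255.255 any",
    "access-list 100 deny ip host 0.0.0.0 any",
    "access-list 100 deny ip host 255.255.255.255 any",
    "access-list 100 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 100 deny ip 172.16.0.0 0.0.255.255 any",   # covers 172.16/16 only, not 172.16/12
    "access-list 100 deny ip " + OUR_NET + " any",
    "access-list 100 permit ip any any",
]
INGRESS_FIXED = [l.replace("0.0.255.255", "0.15.255.255") if "172.16" in l else l
                 for l in INGRESS_AS_WRITTEN]
INGRESS_FIXED[-1:-1] = ["access-list 100 deny igmp any any",           # extra denies go in front of
                        "access-list 100 deny icmp any any redirect"]  # the permit, never after it
EGRESS_AS_WRITTEN = ["access-list 101 deny ip any any", "access-list 101 permit ip " + OUR_NET + " any"]
EGRESS_FIXED = ["access-list 101 permit ip " + OUR_NET + " any"]   # implicit deny handles the rest

def demo() -> dict:
    written, fixed = NumberedAcl(INGRESS_AS_WRITTEN), NumberedAcl(INGRESS_FIXED)
    appended = NumberedAcl(INGRESS_AS_WRITTEN + ["access-list 100 deny igmp any any"])
    egress_bad, egress_ok = NumberedAcl(EGRESS_AS_WRITTEN), NumberedAcl(EGRESS_FIXED)
    inside, outside = "203.0.113.9", "198.51.100.7"   # constructed: one of ours, one Internet host
    return {
        "172.20 slips through as written": written.evaluate("172.20.0.1", inside),
        "172.20 dropped with /12 wildcard": fixed.evaluate("172.20.0.1", inside),
        "igmp appended after the permit": appended.evaluate(outside, inside, "igmp"),
        "igmp placed before the permit": fixed.evaluate(outside, inside, "igmp"),
        "icmp redirect dropped": fixed.evaluate(outside, inside, "icmp", "redirect"),
        "dead entries, as written": written.unreachable(),
        "dead entries, deny appended": appended.unreachable(),
        "egress as written (deny first)": egress_bad.evaluate(inside, outside),
        "egress fixed": egress_ok.evaluate(inside, outside),
        "egress fixed, spoofed source": egress_ok.evaluate("10.9.8.7", outside),
    }
```

Calling demo() shows the three things the prose warns about: the as-written 172.16.0.0 0.0.255.255 entry lets 172.20.0.1 reach the final permit while the /12 wildcard denies it; a "deny igmp" appended after "permit ip any any" is dead (unreachable() reports it, along with the redundant "host 255.255.255.255" entry); and the egress list with "deny ip any any" first permits nothing, whereas the permit-only version lets your subnet out and drops a spoofed 10.9.8.7 via the implicit deny. The shadow check only detects an entry covered by one earlier entry, not by a union of several, which is enough for lists of this size.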
As far as flooding is concerned, there's not much low-end routers can do.
Just about the only command that can help here is "fair-queue", which is
done from interface configuration. To keep the router from becoming
unmanageable under extreme flooding, the command "scheduler interval 500"
should help: it makes sure that process-level tasks (the CLI included) get
to run at least once every 500 ms instead of being starved by packet
interrupts. And that's about all as far as network security is concerned.
The newer routers/IOS versions have a bunch of nifty new features to help
in these regards, but that's out of the scope of this document, of course.
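Pulling sections II and III together, here is an added example (mine again, not the document's and not a Cisco tool) that audits a saved "show running-config" for the items above: enable secret vs enable password, service password-encryption, finger and the small servers, CDP, source routing, tcp keepalives, SNMP, directed broadcasts per interface, an inbound access-list on the external interface, and transport input none on the vty lines. It assumes pre-12.0 defaults (finger, the small servers and directed broadcasts are on unless the config says otherwise), takes the external interface names as a parameter, and works on two constructed configs: a weak one that, among other things, has the anti-spoof list bound to the LAN side instead of the real outside interface, and a hardened one that should come back clean.

```python
# Added example, not from the original document: an offline check of a saved "show running-config"
# against the hardening items in sections II and III. WEAK and HARDENED are constructed samples; the
# audit assumes a pre-12.0 image, where finger and the small servers run unless the config says "no".
from typing import Dict, List, Tuple

Finding = Tuple[str, str]          # (scope: 'global' or an interface/line name, what is wrong)
DEFAULT_ON = ("tcp-small-servers", "udp-small-servers", "finger")
REQUIRED_GLOBALS = {
    "no cdp run": "CDP hands platform and address details to whoever shares the segment",
    "no ip source-route": "source-routed packets bypass your routing policy",
    "service tcp-keepalives-in": "dead inbound sessions are never reaped and tie up vty lines",
}

def parse_running_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS config text into top-level lines and {'interface X' / 'line vty ...': sub-lines}."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):      # blank line or '!' separator closes a block
            current = None
        elif raw[0].isspace():                          # indented: belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            top.append(raw.strip())
    return top, blocks

def audit(text: str, external: Tuple[str, ...]) -> List[Finding]:
    """Return every item from the text this config fails, given the external interface names."""
    top, blocks = parse_running_config(text)
    out: List[Finding] = []
    if not any(l.startswith("enable secret") for l in top):
        out.append(("global", "no 'enable secret': privileged password is not a salted MD5 hash"))
    if any(l.startswith("enable password") for l in top):
        out.append(("global", "'enable password' present: clear text or reversible type 7, remove it"))
    if "service password-encryption" not in top:
        out.append(("global", "line passwords stored in the clear (no 'service password-encryption')"))
    for svc in DEFAULT_ON:
        if f"no service {svc}" not in top:
            out.append(("global", f"'{svc}' runs by default on this image; add 'no service {svc}'"))
    for cmd, why in REQUIRED_GLOBALS.items():
        if cmd not in top:
            out.append(("global", f"missing '{cmd}': {why}"))
    for l in top:
        if l.startswith("snmp-server community"):
            out.append(("global", f"SNMP is enabled ('{l}'); remove it unless it is really used"))
    for header, body in blocks.items():
        name = header.split(" ", 1)[1]
        if header.startswith("interface "):
            if "no ip directed-broadcast" not in body:
                out.append((name, "directed broadcasts forwarded: usable as a smurf amplifier"))
            if name in external and not any(b.startswith("ip access-group") and b.endswith(" in") for b in body):
                out.append((name, "external interface has no inbound access-list"))
        elif header.startswith("line vty") and "transport input none" not in body:
            out.append((name, "telnet reachable from anywhere: 'transport input none' is not set"))
    return out

# WEAK binds the anti-spoof list to the LAN side and leaves the real outside interface (Serial0) open.
WEAK = """\
enable password cisco
!
interface Ethernet0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 100 in
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 no ip directed-broadcast
!
no ip source-route
snmp-server community public RO
!
line vty 0 4
 login
 password cisco
"""
HARDENED = """\
service password-encryption
service tcp-keepalives-in
no service finger
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$salt$constructedplaceholderhash
no ip source-route
no cdp run
interface Ethernet0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ip access-group 100 in
 ip access-group 101 out
 no ip directed-broadcast
line vty 0 4
 transport input none
"""
```

audit(WEAK, ("Serial0",)) returns twelve findings, nine of them global, plus Ethernet0 forwarding directed broadcasts, Serial0 having no inbound list, and the vty lines still accepting telnet; audit(HARDENED, ("Serial0",)) returns an empty list. The parser only tracks interface and line blocks, which is all these checks need; to audit a newer image where the small servers are off by default, invert the DEFAULT_ON test to flag an explicit "service ..." line instead.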

IV. Conclusion
--------------------------------
Hopefully i've helped some of you lazy sysadmins to configure your
routers properly, because it's your fault that we've got all these problems
with ip spoofing...smurfs..etc. And double shame on the ISPs, etc, who
are notified of these problems and fail to respond... Shit, if a 17 yr old
kid can figure out how to configure a router in a day, these guys who are
getting paid all the money sure as hell should know. I should commend
cisco at least for providing their users with documents on how to secure
their routers...so they don't haveta go elsewhere for them. i found them
to be inaccurate and incomplete in several areas, so i decided to write this
doc. Besides, wouldn't ya rather hear it from a bright young crackah
like myself?;)

V. Contact Me
--------------------------------
Email: spender@exterminator.net (yes i LOVE email)
IRC: spender_ or spender-