Cisco IOS Security Basic Example Template
Hardening the network devices themselves comes first: if a switch or router can be taken over, every security control that depends on it can be bypassed. Cisco IOS ships with many features that prevent well-known attacks against the device. Use the following as a starter template for switch configurations where security is the primary concern. It covers a good portion of the initial setup for a new device, but you will still need to make changes, such as adding trunk or routed links and VLANs, to complete the configuration. Several lines are placeholders (credentials, domain name, management subnet, VLAN numbers, interface names) and must be adjusted before use; the comment lines beginning with "!" say which.
View the configuration:
! BEGIN
! Hostname and domain name must be set before the RSA key is generated; the key is named from them.
hostname secureIOS
service password-encryption
!
! CHANGE CREDENTIALS AND DOMAIN NAME AS DESIRED
! (service password-encryption only obscures type 7 passwords; the "secret" forms below are hashed
!  and are what actually protects the credentials)
username cisco privilege 15 secret 0 cisco123!@!
enable secret 0 c1sc0!!
ip domain-name N3TW0RK
!
! GENERATING AN RSA KEY FOR SSH
! (the original template used modulus 1024; a 1024-bit RSA key is no longer considered adequate, use 2048 or larger)
crypto key generate rsa modulus 2048
!
! ENABLING SSH V2 AND SETTING PARAMETERS TO MITIGATE BRUTE FORCE ATTEMPTS
ip ssh version 2
ip ssh authentication-retries 3
ip ssh time-out 120
!
! DISABLE SERVICES THAT OPEN MORE VULNERABILITIES
no ip http server
no ip http secure-server
!
! CONSOLE SECURITY
line console 0
 login local
 exec-timeout 3
 exit
!
! MITIGATION BANNER MESSAGE
banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties.
All activities performed on this device are logged and monitored.
#
!
! LOGIN RESTRICTIONS
login block-for 5 attempts 3 within 20
login delay 5
login on-failure log
login on-success log
!
! REMOTE ACCESS SECURITY
ip access-list standard SSH
 remark Administrative SSH Management ACL
 ! ADJUST THE PERMIT STATEMENT TO THE SUBNET YOU WILL BE REMOTING IN FROM ONLY.
 permit X.X.X.X log
 deny any log
 exit
! The quiet-mode ACL must name the ACL defined above. The original template referenced SSH-ADMIN,
! which is never defined, so the restriction would not have applied as intended.
login quiet-mode access-class SSH
line vty 0 15
 access-class SSH in
 ! Authenticate against the local username and allow only SSH on the VTY lines;
 ! without "transport input ssh" Telnet stays enabled regardless of the SSH settings above.
 login local
 transport input ssh
 exec-timeout 3
 exit
!
! MANAGEMENT RESTRICTION TO SPECIFIC INTERFACE
! (Vlan10 is also used as the voice VLAN below; change this to your management VLAN)
control-plane host
 management-interface Vlan10 allow ssh tftp snmp
 exit
!
! ACCESS PORT SECURITY
! Adjust the interface names and range to match your platform.
interface range FastEthernet0/1 - 48
 description ACCESS-PORT
 switchport mode access
 ! Change the following vlans to match your network.
 switchport access vlan 5
 switchport voice vlan 10
 ! Remove the following 2 lines for any trunk ports.
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! Cisco IP phones learn the voice VLAN via CDP; keep CDP enabled on ports that serve Cisco phones.
 no cdp enable
 switchport port-security
 switchport port-security mac-address sticky
 ! Maximum 2 allows one phone and one PC; some phones are learned in both VLANs and need 3.
 switchport port-security maximum 2
 ! Remove the following to keep the ports closed initially.
 no shutdown
 exit
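As an added example that is not part of the original page, the following Python script audits a switch configuration for the controls the template sets: the SSHv2 and HTTP-server lines, the login throttle, the RSA modulus, that every access-class names an ACL that is actually defined, that VTY lines are SSH-only, and that portfast access ports also carry BPDU guard and port security. The sample config embedded in it is constructed for the demonstration and deliberately keeps the slips found in the original template text; the function names, the 2048-bit threshold and the parse-by-indentation approach are the example's own choices, not Cisco tooling.

```python
"""Audit a Cisco IOS switch config against the hardening points in the template above.

Added example, not from the original page. The sample config at the bottom is
constructed for the demonstration and keeps the original template's slips
(undefined quiet-mode ACL, portfast without bpduguard, 1024-bit key, Telnet on VTY).
"""
import re
from typing import Dict, List, Optional

# Global one-liners the template expects to see verbatim.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "ip ssh version 2",
    "no ip http server",
    "no ip http secure-server",
]
MIN_RSA_MODULUS = 2048  # example's threshold; the template's own choice after correction


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented child lines.

    IOS prints sub-mode commands (interface, line, ACL entries) indented by one
    space under their parent, so a non-indented line opens a new block. Global
    one-liners become keys with an empty child list; "!" comments are skipped.
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    findings: List[str] = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in blocks:
            findings.append(f"missing global command: {cmd}")
    if not any(k.startswith("login block-for ") for k in blocks):
        findings.append("no 'login block-for' brute-force throttle")
    # Key generation is not stored in a running-config; this check applies to a template like the one above.
    for k in blocks:
        m = re.match(r"crypto key generate rsa modulus (\d+)$", k)
        if m and int(m.group(1)) < MIN_RSA_MODULUS:
            findings.append(f"RSA modulus {m.group(1)} is below {MIN_RSA_MODULUS}")
    # Every access-class must name an ACL that exists; IOS treats a nonexistent ACL as permit-all.
    acls = {k.split()[-1] for k in blocks if k.startswith("ip access-list standard ")}
    for k in blocks:
        m = re.match(r"login quiet-mode access-class (\S+)", k)
        if m and m.group(1) not in acls:
            findings.append(f"quiet-mode references undefined ACL {m.group(1)}")
    for k, children in blocks.items():
        if k.startswith("line vty"):
            refs = [c.split()[1] for c in children if c.startswith("access-class ")]
            if not refs:
                findings.append(f"{k}: no access-class limiting management sources")
            for name in refs:
                if name not in acls:
                    findings.append(f"{k}: access-class references undefined ACL {name}")
            if "transport input ssh" not in children:
                findings.append(f"{k}: transport input not restricted to ssh")
        elif k.startswith("interface ") and "switchport mode access" in children:
            if "spanning-tree portfast" in children and "spanning-tree bpduguard enable" not in children:
                findings.append(f"{k}: portfast without bpduguard")
            if "switchport port-security" not in children:
                findings.append(f"{k}: port-security not enabled")
    return findings


# Constructed sample: a trimmed copy of the template with the original slips left in.
SAMPLE_CONFIG = """\
hostname secureIOS
service password-encryption
crypto key generate rsa modulus 1024
ip ssh version 2
no ip http server
no ip http secure-server
login block-for 5 attempts 3 within 20
ip access-list standard SSH
 permit 192.0.2.10 log
 deny any log
login quiet-mode access-class SSH-ADMIN
line vty 0 15
 access-class SSH in
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast
 switchport port-security
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
"""

# The same sample with the four slips corrected; audit() should return nothing for it.
HARDENED_CONFIG = (
    SAMPLE_CONFIG.replace("modulus 1024", "modulus 2048")
    .replace("access-class SSH-ADMIN", "access-class SSH")
    .replace(" access-class SSH in\n", " access-class SSH in\n transport input ssh\n")
    .replace("interface FastEthernet0/1\n switchport mode access\n spanning-tree portfast\n",
             "interface FastEthernet0/1\n switchport mode access\n spanning-tree portfast\n"
             " spanning-tree bpduguard enable\n")
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against `show running-config` output saved to a file by passing the file's text to `audit()`; on a real device the `crypto key generate` line will not appear, so that one check only fires against a template.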
View more documentation (NSA switch security guide): https://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf