Cisco IOS

Cisco IOS (Internetwork Operating System) is the proprietary operating system that runs on most Cisco networking equipment. This guide covers essential security hardening configurations, network setup, and recovery procedures for Cisco devices.

Initial Checklist:

  1. Reconfigure Passwords
  2. Encrypt Passwords
  3. Change Banner/motd
  4. Backup Config
  5. Turn off HTTP/HTTPS/SNMP
  6. Turn off default usernames
  7. Turn off finger
  8. Turn off DNS Lookup
  9. Turn off CDP
  10. Turn off Bootp
  11. Create ACL

Defaults to Change

Encrypt passwords in the config:

```
service password-encryption
```

Change the default username (note that `service password-encryption` only applies a reversible type 7 encoding to `password` lines, whereas `enable secret` and `username ... secret` store a hash):

```
router# configure terminal
router(config)# username YOUR_NEW_USER password YOUR_NEW_PASSWORD
router(config)# enable secret YOUR_NEW_SECRET_PASSWORD
router(config)# no username OLD_USER
```

Disable telnet (this disables all remote access on vty 0-15; the SSH section below re-enables SSH on selected lines):

```
CiscoDevice(config)# line vty 0 15
CiscoDevice(config-line)# transport input none
```

Disable DNS lookup:

```
no ip domain-lookup
```

Disable CDP:

```
no cdp run
```

Show the line number in the EXEC banner (useful when matching a session to log entries):

```
service linenumber
```

Turn off default servers:

```
no snmp-server
no ip http server
no ip http secure-server
no ip bootp server
```

Logging Changes

Default logging changes:

```
no logging console
no logging monitor
logging trap 6
logging buffered 4096 6
clock timezone EST -5
service timestamps log datetime msec localtime show-timezone
```

Send logs to a syslog server:

```
logging <IP>
logging source-interface <INTERFACE>
```

Monitoring SPAN Port

Setting up a monitoring (SPAN) port:

```
! Set the source: both directions, transmit only, or receive only
monitor session 1 source interface <INTERFACE> both
monitor session 2 source interface <INTERFACE> tx
monitor session 3 source interface <INTERFACE> rx
! Set the destination
monitor session 1 destination interface <INTERFACE>
```

SSH

Enable secure SSH (the domain name and RSA key must exist before SSH version 2 can be enabled):

```
ip domain-name mycompany.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! SSH ACL: only these networks may reach port 22
ip access-list extended ssh-inbound
 permit tcp 172.24.X.0 0.0.0.255 any eq 22
 permit tcp 192.168.14.0 0.0.0.255 any eq 22
 permit tcp 192.168.32.0 0.0.0.255 any eq 22
 deny ip any any log
! Allow SSH only on vty 0-1, restricted by the ACL
line vty 0 1
 access-class ssh-inbound in
 session-limit 2
 login authentication default
 transport input ssh
 transport output ssh
 transport preferred none
! Disable the remaining vty lines
line vty 2 4
 login authentication default
 transport input none
 transport output none
 transport preferred none
```

Hardened Security

Disable the AUX port:

```
line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 login authentication default
```

Require console port login:

```
line con 0
 login authentication default
```
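As an added example (not part of the original guide), a small Python audit that reads a saved running-config and checks several items from the sections above: required hardening lines, servers that should be off, and that every vty line is either SSH-only behind an access-class or fully disabled. The sample config and its addresses are constructed placeholders.

```python
import re

# Constructed sample running-config with placeholder addresses, not from a real device.
SAMPLE_CONFIG = """\
service password-encryption
no ip domain-lookup
ip ssh version 2
ip http server
no cdp run
snmp-server community public RO
logging 192.0.2.50
line vty 0 1
 access-class ssh-inbound in
 transport input ssh
line vty 2 4
 transport input none
"""
# Whole-line patterns that must be present, and ones that must be absent.
REQUIRED = {"password encryption": r"^service password-encryption$",
            "DNS lookup disabled": r"^no ip domain-lookup$",
            "CDP disabled": r"^no cdp run$",
            "syslog destination": r"^logging \d+\.\d+\.\d+\.\d+$"}
FORBIDDEN = {"HTTP server enabled": r"^ip http server$",
             "SNMP agent enabled": r"^snmp-server community "}

def stanzas(config):
    """Group indented lines under the top-level command above them."""
    out, current = {}, None
    for raw in config.splitlines():
        if raw.strip() and raw[0].isspace():
            out[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            out[current] = []
    return out

def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    findings = [f"missing: {k}" for k, p in REQUIRED.items() if not re.search(p, config, re.M)]
    findings += [f"present: {k}" for k, p in FORBIDDEN.items() if re.search(p, config, re.M)]
    for name, body in stanzas(config).items():
        if not name.startswith("line vty"):
            continue
        transport = [l for l in body if l.startswith("transport input")]
        if transport not in (["transport input ssh"], ["transport input none"]):
            findings.append(f"{name}: transport input must be ssh or none")
        elif transport == ["transport input ssh"] and not any(l.startswith("access-class") for l in body):
            findings.append(f"{name}: SSH allowed without an access-class")
    return findings
```

Run it against `show running-config` output saved to a file; the sample above reports the HTTP server and the SNMP community string as findings.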

BGP

Border Gateway Protocol (BGP) configuration for routing between autonomous systems. For more advanced BGP configurations, see [BGP](/Blue Team/Networking/BGP.md).

Enable BGP:

```
router bgp <64496|autonomous-system-number>
 address-family ipv4 unicast
  network 192.0.2.0
```

Configure BGP neighbors (under `router bgp`):

```
 neighbor <192.0.2.1|IP|Group Name> remote-as 64497
```

Reset BGP connections (one peer, or all peers):

```
clear ip bgp <address>
clear ip bgp *
```

Disable BGP:

```
no router bgp <64496|autonomous-system-number>
```

DHCP

Set up DHCPv4 (the default router must be an address inside the pool's network):

```
ip dhcp pool <NAME>
 network 10.1.1.0 /24
 default-router 10.1.1.1
 dns-server 4.2.2.2
 lease infinite
```

Set up DHCPv6:

```
ipv6 dhcp pool <NAME>
 dns-server <fe80::1ff:fe23:4567:890a>
 domain-name <domain>
interface <type> <number>
 ipv6 dhcp server <NAME>
 ipv6 nd other-config-flag
ip name-server <fe80::1ff:fe23:4567:890a>
```

Apply an ACL to IPv6 traffic:

```
interface <Interface>
 ipv6 traffic-filter <access-list-name> {in|out}
```

Set up dual stack:

```
configure terminal
ipv6 unicast-routing
interface <fa0/0>
 ip address <192.168.10.1|IP> <255.255.255.0|Subnet>
 ipv6 address 3ffe:b00:c18:1::3/127
```

VLANs

VLAN setup (PortFast and BPDU Guard on the access ports so that an attached switch cannot take part in spanning tree):

```
! Group the physical access ports
interface range fastEthernet 0/1 - 10
 spanning-tree portfast
 spanning-tree bpduguard enable
```

Create VLANs:

```
vlan 14
 name 192.168.14.0/24_SERVERS
vlan 32
 name 192.168.32.0/24_WORKSTATIONS
vlan 500
 name bogus_native
```

Add servers to their VLAN:

```
interface <fastEthernet 0/1>
 switchport mode access
 switchport access vlan 14
```

Add workstations to their VLAN:

```
interface <fastEthernet 0/5>
 switchport mode access
 switchport access vlan 32
```

Add the trunk to the router (the unused native VLAN 500 is removed from the trunk so untagged frames are dropped; on switches that support ISL the encapsulation must be set before the port is made a trunk):

```
interface <fastEthernet 0/1>
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 500
 switchport trunk allowed vlan remove 500
```

Set up the router for VLANs (one subinterface per VLAN):

```
interface <fastEthernet 0/1>
 no ip address
 exit
! VLAN 14 (servers)
interface <fa0/1.14>
 encapsulation dot1q 14
 ip address 192.168.14.1 255.255.255.0
! VLAN 32 (workstations)
interface <fa0/1.32>
 encapsulation dot1q 32
 ip address 192.168.32.1 255.255.255.0
 exit
! Default VLAN
interface <fa0/1.1>
 encapsulation dot1q 1 native
 ip address 192.168.1.1 255.255.255.0
 exit
```

Finalize the switch management settings:

```
ip default-gateway 192.168.32.1
interface vlan 32
 ip address 192.168.32.2 255.255.255.0
 no shutdown
```

NAT/PAT

NAT the internal VLANs to the external range, with static port mappings for the published servers:

```
ip access-list standard NAT-ACL
 permit 192.168.14.0 0.0.0.255
 permit 192.168.32.0 0.0.0.255
! External NAT pool
ip nat pool NET-POOL 172.24.X.1 172.24.X.254 prefix-length 24
ip nat inside source list NAT-ACL pool NET-POOL
! Static mappings: first server (mail and DNS)
ip nat inside source static tcp 192.168.14.10 25 172.24.X.7 25
ip nat inside source static tcp 192.168.14.10 110 172.24.X.7 110
ip nat inside source static tcp 192.168.14.10 53 172.24.X.7 53
! Second server
ip nat inside source static tcp 192.168.14.12 80 172.24.X.25 80
ip nat inside source static tcp 192.168.14.12 443 172.24.X.25 443
! Third server
ip nat inside source static tcp 192.168.14.13 80 172.24.X.15 80
ip nat inside source static tcp 192.168.14.13 443 172.24.X.15 443
! Mark the inside and outside interfaces
interface <WAN>
 ip nat outside
interface <SUBINTERFACE>
 ip nat inside
```

Recovery

Send a Break (Alt+B in many terminal clients) during boot to enter ROMMON mode.

Reset the router password (0x2142 boots without loading the startup config; restore 0x2102 afterwards or the device will keep ignoring its saved config):

```
confreg 0x2142
reset
copy startup-config running-config
! change the password, then restore the normal config register in config mode
config-register 0x2102
copy running-config startup-config
reload
```

Reset the switch password:

```
flash_init
load_helper
dir flash:
rename flash:config.text flash:config.old
boot
! the switch now boots without config.text; set the new password before saving
write memory
```

Restore the image from TFTP (ROMMON):

```
IP_ADDRESS=192.168.20.1
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.20.254
TFTP_SERVER=192.168.20.254
TFTP_FILE=c1841-ipbase-mz.123-14.T7.bin
tftpdnld
```

ACL Examples

Default inbound ACL (entries are evaluated top to bottom, first match wins; bogon and spoofed-internal sources are dropped before any service is permitted):

```
ip access-list extended NET-IN-ACL
 ! Bogons, broadcast, and spoofed internal/external sources
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny ip host 255.255.255.255 any log
 deny ip host 0.0.0.0 any log
 deny ip 172.24.X.0 0.0.0.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 ! Fragments
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 ! BGP peering only from the peer, nothing else to the WAN address
 permit tcp host <BGP Peer IP> host <WAN IP> eq bgp
 permit tcp host <BGP Peer IP> eq bgp host <WAN IP>
 deny ip any host <WAN IP> log
 deny ip 192.168.14.0 0.0.0.255 any log
 deny ip 192.168.32.0 0.0.0.255 any log
 deny icmp any any
 ! Return traffic for established sessions
 permit udp any eq domain host 172.24.X.7 gt 1023
 permit udp any eq domain host 172.24.X.7 eq domain
 permit tcp any 172.24.X.0 0.0.0.255 established
 permit udp any range 1 1023 172.24.X.0 0.0.0.255 gt 1023
 evaluate EGRESS-REF
 ! External services
 ! DNS
 permit udp any gt 1023 host 172.24.X.7 eq domain
 deny udp any any eq domain
 deny tcp any any eq domain
 ! Mail
 permit tcp any host 172.24.X.7 eq smtp
 permit tcp any host 172.24.X.7 eq pop3
 ! HTTP
 permit tcp any host 172.24.X.15 eq www
 permit tcp any host 172.24.X.15 eq 443
 permit tcp any host 172.24.X.25 eq www
 permit tcp any host 172.24.X.25 eq 443
 deny ip any any
```
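To see how entries like these are evaluated, here is an added Python example (not from the original guide) that applies first-match semantics with Cisco wildcard masks to a constructed subset of NET-IN-ACL; the 172.24.X.0/24 block is stood in by the placeholder 172.24.1.0/24. It shows that the bogon and spoofed-source denies catch a packet before the permit lines are reached, and that a DNS query from a low source port falls through to the final deny.

```python
import ipaddress

# Constructed subset of the NET-IN-ACL above; 172.24.X.0/24 is stood in by
# 172.24.1.0/24, a placeholder and not a real assignment.
ACL = [
    "deny ip 127.0.0.0 0.255.255.255 any log",
    "deny ip 224.0.0.0 31.255.255.255 any log",
    "deny ip 192.168.0.0 0.0.255.255 any log",
    "deny icmp any any",
    "permit udp any gt 1023 host 172.24.1.7 eq domain",
    "permit tcp any host 172.24.1.15 eq www",
    "deny ip any any",
]
PORTS = {"domain": 53, "smtp": 25, "www": 80, "pop3": 110, "bgp": 179}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """Read 'any' | 'host A' | 'A WILDCARD' plus an optional 'eq|gt PORT' at t[i]."""
    if t[i] == "any":
        addr, i = (0, 0xFFFFFFFF), i + 1
    elif t[i] == "host":
        addr, i = (_ip(t[i + 1]), 0), i + 2
    else:
        addr, i = (_ip(t[i]), _ip(t[i + 1])), i + 2
    port = None
    if i < len(t) and t[i] in ("eq", "gt"):
        port, i = (t[i], PORTS.get(t[i + 1]) or int(t[i + 1])), i + 2
    return addr, port, i

def _matches(addr, port, ip, pnum):
    base, wild = addr
    # A wildcard bit of 1 means "don't care": only bits where the wildcard is 0 are compared.
    if (_ip(ip) ^ base) & ~wild & 0xFFFFFFFF:
        return False
    return port is None or (pnum == port[1] if port[0] == "eq" else pnum > port[1])

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, entry_number); first match wins, implicit deny if nothing matches."""
    for n, line in enumerate(acl, 1):
        t = line.split()
        s_addr, s_port, i = _parse_addr(t, 2)
        d_addr, d_port, _ = _parse_addr(t, i)
        if t[1] in ("ip", proto) and _matches(s_addr, s_port, src, sport) \
                and _matches(d_addr, d_port, dst, dport):
            return t[0], n
    return "deny", None
```

The parser covers only the address and port forms used in the entries above; keywords such as `log`, `established` and `fragments` are ignored rather than enforced.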

Add a site to a blocklist (IOS resolves the hostname to an address when the entry is configured, so this needs DNS lookup enabled at that moment and does not follow later address changes):

```
access-list 101 deny tcp any host www.badsite.com eq www
```