Network & Security Engineering
  • My Training Course
  • Network Engineering
    • CompTIA Network+
      • OSI Model: Layers 1-7 (Functions & Devices)
      • TCP/IP Model: Layers & Protocols
      • Encapsulation & De-encapsulation Process in Networking
      • Star, Mesh, Bus, Ring, Hybrid
      • LAN, WAN, WLAN, MAN, CAN, PAN
      • IPv4 Addressing & Classes
      • CIDR Notation & Subnet Masks
      • Private vs. Public IPs
      • Common TCP & UDP Ports
      • Twisted Pair (CAT5e, CAT6, CAT7, etc.)
      • Fiber Optic Cables
      • Ethernet Frame Structure
      • Switches
      • Router
      • Traceroute Test
      • Setting Up a Wireless Network in Cisco Packet Tracer
    • CCNA
      • Cisco Systems History
      • Cisco Certification Roadmap
      • Cisco Router Port Naming
      • Configuring Hostname, Passwords, and Banners in GNS3
      • Setting Router Clocks in Cisco Devices
      • Assigning IP Addresses to Interfaces
      • How to Back Up and Restore Router Configurations with TFTP
      • SSH Configuration on a Cisco Router
      • Configuring Static Routes on Routers
      • Configuring RIP v2 and Verifying Routes
      • Configuring EIGRP
      • Implementing Single-Area OSPF
      • Implementing Multiple OSPF Areas
      • Troubleshooting with show ip route
      • Configuring Standard ACLs in Cisco Routers
      • Getting Internet in GNS3 using a Cisco Router
      • Securing Remote Management and Disabling Unnecessary Services
      • Setting up a DHCP Server on a Cisco Router
      • Creating VLANs and Assigning Ports
      • Blackhole VLAN
      • Configuring 802.1Q Trunking
      • Configuring SSH on a Cisco Switch
      • Configuring Router-on-a-stick (ROAS) for VLANs
      • Setting up Syslog for Network Monitoring
      • Serial Point-to-Point Overview
      • Point-to-Multipoint OSPF in Metro Ethernet WAN Network
      • Frame Relay Configuration
    • CCNP
      • OSPF Single Area Configuration
      • OSPF Multi-Area Configuration
    • GNS3
      • About GNS3
      • GNS3 Architecture
      • Windows Installation
      • Linux Installation
      • Cisco IOS images for Dynamips
      • Add Router IOS Image in GNS3
      • Add a Virtual Machine in GNS3
      • Upgrade The GNS3 VM
      • L2 Switching Simulation
      • L3 switching Simulation
      • Lab 01 : Connect 2 PCs
      • Lab 02 : Configuring Ethernet and Serial Interfaces
      • Lab 03 : Basic switch setup
      • Lab 04 : Basic router setup
      • Lab 05 : Connect Router to Cloud in GNS3
      • Lab 06 : Router Remote Access via Telnet
      • Lab 07 : Configure Static Route in GNS3
      • Lab 08 : Syslog Server for Cisco Router in GNS3
      • Lab 09 : DHCP configuration in GNS3
      • Lab 10 : PPP Configuration
      • Lab 11 : Configuring Switch Security Features
    • MTCNA
      • Module 1 : Introduction
        • History
        • Cisco vs. MikroTik
        • Training Programs
        • MikroTik RouterOS
        • MikroTik RouterBOARD
        • Product Categories
        • Product Naming
        • First Time Access
        • Winbox
        • Default Configuration
        • Neighbor Discovery
        • Command Line Interface
        • Router Identity
        • Upgrading RouterOS
        • Package Management
        • Users and Services
        • Reset Configuration
        • RouterOS Licensing
      • Module 2 : DHCP
        • Overview of DHCP
        • DHCP Client
        • DHCP Server
        • RouterOS ARP table
      • Module 3 : Bridging
        • OSI Model
        • Overview of Bridging
      • Module 4 : Routing
        • IP Addressing
        • Routing Concepts
        • Static routing
      • Module 5 : Wireless
        • Basics of Radio Waves
        • Wireless Agencies
        • 802.11a/b/g/n/ac Concepts
        • Setup a simple wireless link
        • Link Budget Calculation
        • Wireless Network Topologies
        • 2.4 GHz Band
        • 5 GHz Band
      • Module 6 : Firewall
        • Firewall Principles
        • Firewall (Input Chain)
      • Module 7 : QoS
        • Quality of Service
  • Network Administrator
    • Linux Commands
      • The ls command
      • The cd command
      • The cat command
      • The head command
      • The tail command
      • The pwd command
      • The touch Command
      • The cal Command
      • The uname command
      • The mkdir command
      • The gzip command
      • The who command
      • The man command
      • The passwd command
      • The w command
      • The whoami command
      • The cp command
    • Windows Server 2012
      • Windows Server 2012 - Home
      • Installation
      • Server Roles
      • PowerShell
      • Windows Firewall
      • Remote Desktop Management
      • Resource Monitor
      • Active Directory
      • Group Policy Overview
      • DC Accounts
      • DHCP Role
      • DNS Role
      • Primary Zones
      • Manage Records
      • IIS Overview
      • IIS Security
      • Sharing of Files
      • Print Server
    • VMware Workstation
      • Install VMware Workstation on Windows
      • Customize Network Settings in VMware Workstation
      • Install VMware Tools on Windows and Windows Server VMs
      • Configure Autologin for a Windows VM on VMware Workstation
      • Lab 01 - Install Windows 7 on a VMware Workstation
      • Lab 02 - Install CentOS 8 on a VMware Workstation
      • Lab 03 - Install Kali Linux on VMware Workstation
      • Lab 04 - Install The Mikrotik CHR On VMware Workstation​
      • Lab 05 - Install Ubuntu in VMware Workstation
      • Lab 06 - Installing GNS3 VM on VMware Workstation
      • Lab 07 - Install Windows Server 2012 R2 on VMWare Workstation
      • Lab 08 - Install Windows 10 in VMware Workstation
    • LPIC-1
      • 101.1 Determine and configure hardware settings
  • Security Engineering
    • Practical Packet Analysis
      • Network Traffic Analysis with Wireshark in GNS3
      • Echo Requests and Responses
      • Dynamic Host Configuration Protocol
      • Cisco Discovery Protocol
      • Routing Information Protocol
    • PRTG Network Monitoring
      • Overview of PRTG Network Monitor
      • Internet Uptime/Availability Monitoring
      • Configuring SNMP v2 on Cisco Devices
    • Classical Ciphers
      • Caesar Cipher
      • Atbash Cipher
      • Vigenère Cipher
      • Affine Cipher
      • Hill Cipher
      • Rail Fence Cipher
      • Scytale Cipher
      • Bacon's Cipher
      • Beaufort Cipher
      • ROT13
      • Gronsfeld Cipher
  • Web Development
    • HTML
      • What is HTML?
      • Basic HTML Structure
      • Headings and Paragraphs
      • Text Formatting Tags
      • Working with Links
      • Adding Images to a Webpage
      • Embedding Videos and Audio
      • Creating Lists
      • Building Tables
      • HTML Forms
Powered by GitBook
On this page
  • Objective:
  • Topology Diagram:
  • Step 1: Configure Secure Remote Access
  • Step 2: Configure Session Management
  • Step 3: Configure Login and EXEC Banners
  • Step 4: Disable Unnecessary Services
  • Verification:
  • Keywords
  1. Network Engineering
  2. CCNA

Securing Remote Management and Disabling Unnecessary Services

Nerd Cafe

PreviousGetting Internet in GNS3 using a Cisco RouterNextSetting up a DHCP Server on a Cisco Router

Last updated 1 month ago

Objective:

Configure a Cisco router to ensure secure remote management and minimize exposure to potential threats by disabling unused services.

Topology Diagram:

Step 1: Configure Secure Remote Access

  • Set the Router's Hostname and Domain Name:

R1#configure terminal
R1(config)#hostname RO-nerd-cafe
RO-nerd-cafe(config)#ip domain-name nerd-cafe.ir
RO-nerd-cafe(config)#

  • Generate RSA Key Pair for SSH:

RO-nerd-cafe(config)#crypto key generate rsa
The name for the keys will be: RO-nerd-cafe.nerd-cafe.ir
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 2 seconds)

RO-nerd-cafe(config)#
*Mar 31 07:27:49.995: %SSH-5-ENABLED: SSH 1.99 has been enabled
RO-nerd-cafe(config)#

Note: A key modulus of 2048 bits is recommended for stronger encryption.​

  • Configure VTY Lines for SSH Access Only:

RO-nerd-cafe(config)#line vty 0 4
RO-nerd-cafe(config-line)#transport input ssh
RO-nerd-cafe(config-line)#exit
RO-nerd-cafe(config)#

  • Create an Access Control List (ACL) to Restrict Management Access:

RO-nerd-cafe(config)#access-list 10 permit 192.168.202.0 0.0.0.255

Explanation: This ACL permits access only from the 192.168.202.0/24 network. Adjust the IP range as per your management network.

  • Apply the ACL to VTY Lines:

RO-nerd-cafe(config)#line vty 0 4
RO-nerd-cafe(config-line)#access-class 10 in
RO-nerd-cafe(config-line)#exit
RO-nerd-cafe(config)#

Step 2: Configure Session Management

  • Set an EXEC Timeout for Idle Sessions:

RO-nerd-cafe(config)#line vty 0 4
RO-nerd-cafe(config-line)#exec-timeout 10 0
RO-nerd-cafe(config-line)#exit
RO-nerd-cafe(config)#

Explanation: This configuration disconnects idle sessions after 10 minutes.​

  • Disable the Auxiliary (AUX) Port:

RO-nerd-cafe(config)#line aux 0
RO-nerd-cafe(config-line)#transport input none
RO-nerd-cafe(config-line)#exit
RO-nerd-cafe(config)#

Explanation: Disabling the AUX port prevents unauthorized access via modem connections.​

Step 3: Configure Login and EXEC Banners

  • Set the Login Banner:

RO-nerd-cafe(config)#banner login ^C
Enter TEXT message.  End with the character '^'.
Unauthorized access is prohibited. All activities are monitored.
^C
RO-nerd-cafe(config)#

Explanation: The ^C is a delimiter; you can use any character not present in the banner text.

  • Set the EXEC Banner:

RO-nerd-cafe(config)#banner exec ^C
Enter TEXT message.  End with the character '^'.
Welcome to SecureRouter. Authorized users only.
^C
RO-nerd-cafe(config)#

Step 4: Disable Unnecessary Services

  • Disable HTTP and HTTPS Servers:

RO-nerd-cafe(config)#no ip http server
RO-nerd-cafe(config)#no ip http secure-server

Explanation: Disabling these services prevents web-based management interfaces, which can be security risks if not properly secured.

  • Disable Identification Service:

RO-nerd-cafe(config)#no ip identd

Explanation: The Identification Protocol can provide unnecessary information to potential attackers.

  • Disable BOOTP Server:

RO-nerd-cafe(config)#no ip bootp server

Explanation: BOOTP is rarely used and can be disabled to reduce potential attack vectors.

  • Disable Proxy ARP on Interfaces:

RO-nerd-cafe(config)#interface fastEthernet 0/0
RO-nerd-cafe(config-if)#no ip proxy-arp
RO-nerd-cafe(config-if)#exit
RO-nerd-cafe(config)#interface fastEthernet 1/0
RO-nerd-cafe(config-if)#no ip proxy-arp
RO-nerd-cafe(config-if)#exit
RO-nerd-cafe(config)#

Explanation: Disabling Proxy ARP prevents the router from answering ARP queries on behalf of other devices, enhancing security.

Verification:

  • Check SSH Configuration:

RO-nerd-cafe#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTCpIlSlfPs6UWdJubjBHI8F5yalncOr3ApX1/+seW
VwIlSXc2MjIgv0uzeQZBtdr0FHAOinVyaBbZkjh3yLwbu74YuKjWUlxepxC3ViyKGjAvuPTMWNDxTJzJ
17JOOoP46EAIpzt0683vYe4ixuByD3IU+BY6UfYDpib4Z1AXjAl/PCDkDj14lVBUsaI+aZPkZDV5ZMyH
Gh1qDMjUhnkpRljTfNw0QZ6ks4MFmvfTUtRguKVrI8pkpCv5IupQ73I1XdY0EpXz0Bx5L4Qo/h7O6Wfg
02IWXFgOuAEH0zmpJ/LpKqbP8hE7LEoEWO4DxqlhnWdrDTzBEfL8JzycjRw/
RO-nerd-cafe#

  • Verify VTY Line Configuration:

RO-nerd-cafe#show running-config | section line vty
line vty 0 4
 access-class 10 in
 login
 transport input ssh
RO-nerd-cafe#

  • Confirm Disabled Services:

RO-nerd-cafe#show running-config | include ip http | ip identd | ip bootp
no ip bootp server
no ip http server
no ip http secure-server
RO-nerd-cafe#

By following these steps, you've configured your Cisco router to allow secure remote management while disabling unnecessary services, aligning with the CIS Cisco IOS 12 Benchmark recommendations. Always remember to tailor configurations to your organization's specific security policies and operational requirements.

Keywords

CIS Cisco IOS 12 Benchmark, Cisco router security, secure remote management, SSH configuration, disable unused services, ACL configuration, VTY lines security, EXEC timeout, login banner, disable HTTP server, disable proxy ARP, disable AUX port, RSA key pair, network security, CIS benchmarks, access control list, Cisco IOS hardening, SSH-only access, router security best practices, secure Cisco configurations, سیسکو

Topology