################################################################################
# Securing Low-End Cisco Routers                                               #
# (c) spender 2000                                                             #
# ---------------------------------------------------------------------------- #
# greetz to tekneeq, rag, bansh33, ch1ckie (she's soooo cute!!!), boda (gotcha #
# again), negrox (just cuz u asked me), trumpet, v9 (i lub u), everyone from   #
# ACPO, specially tashie..she's soo nice!, mrwhit3, bogey (ur still muh bitch) #
# axtrex (sorry i almost forgot u), sys-edit, and any of the rest of u who     #
# have put up with my crap...special greetz to those of u who mail me bout     #
# my docs...makes a little boy feel all warm and tingly;)                      #
################################################################################


Table of Contents
--------------------------
I.   Introduction
II.  Local Security
III. Network Security
IV.  Conclusion
V.   Contact Me


I. Introduction
--------------------------

Ok, welp, my 3rd public doc...in case u haven't read the other ones, i'm sure u can find them on packetstorm. They've got the names of ipchains.txt and Sysctl.sh.

i'm kinda bored right now, and a little messed up..i saw that guy on TV that wrestles crocodiles and grabs snakes by their tail and watches them spit venom into his eyes...and it was kinda funny. mebbe i'll see some of u at the sanitarium tour on july 4th...(mebbe if i can get some federal agents or something to escort me..that'd be neato;) ) oh, and go see gone in 60 seconds...it was a good movie imo...lots of blowing up stuff and crashes and CARS...lots and lots of CARS..and of course angelina jolie...and well i'm just not gonna go there=P (h0tt!) oh..and while i'm here, since my interview isn't gonna be out for a while, lemme say that i'm looking for whores..lots of em (no not real ones). if ya wanna chat for a little..come find me on EFnet, under nick spender-, or spender_ (not spender) ;)

so anywayz, back on subject here...i wrote this doc partially out of my disgust.....errr ok there's no way out of this. Rant time. It's COMPLETELY ridiculous that for a user such as myself to update buggy/exploitable software (IOS) currently on my routers, i haveta pay CISCO a large sum of money (i was told $2000/yr). This is completely preposterous: i have to pay so much money for an "incomplete" product, and then to update it to a less "incomplete" state, i have to shell out more money...and then when i get to that point, pay more money in a few months to update it yet again because of some programmer's mistakes. Since when does an error on the part of the company result in ME giving THEM money? it's ridiculous! I can see them making ppl pay for hardware upgrades, but REALLY, how much does it cost them to ship another software update? end users have paid out their ears already, and the only reason they pay these ridiculous prices is because it's their business that's paying for it. If u can give the boss pretty pictures showing how this'll help them out, they're all for it, because they don't know what the heck it all means. It's pitiful that these people are so money hungry....*sigh*

Anywayz, for those of us who don't have beaucoup bucks...(i've got a cisco 2514)...we don't have the money for all the fancy upgrades or newest models...and many isps and such don't either...it's a shame that to protect our networks we have to pay more money to update an inadequate system. The information in this document applies to virtually any Cisco router, but it is specifically written for ones with IOS versions less than 11. But anywayz, there are still some things you can do with low-end Cisco routers to enhance local security and network security. This document aims to accomplish that. It assumes that you have some experience in working with routers, ie knowing that the first matching rule in an access list takes precedence.


II. Local Security
--------------------------------

First thing to a secure router is having secure passwords of course. Make em long, and random...i like 32bit hex values for my passes;) make sure that your privileged password is stored correctly as an MD5 hash. the simple command "enable secret" should do the trick..it'll set your privileged password and hash it (use it instead of the plain "enable password" command, which does not). This however, provides no security against sniffed passwords sent across telnet sessions to the router. Cisco was grateful enough to make routers that didn't have any sort of encrypted remote login..such as ssh or kerberized telnet. so unless you really need it, it may be best to disable telnet access to the router. This is done with the command "transport input none" on the vty lines: from the configuration menu (which is accessed by typing "configure") enter "line vty 0 4", then the transport command. While i'm on the issue of commands, "show" is helpful in showing the statistics of various aspects of your router, and using the character "?" in commands displays help for that command, or when done by itself, gives a list of commands that can be entered in the current menu.

enable tcp keepalives on the router with the command "service tcp-keepalives-in" to prevent ghost (stale, abandoned) connections. keep management services such as SNMP disabled unless you really need them. Disable any services running that aren't going to be used. Here's the commands i used to disable services on my router:

    no service finger               #gives too much information
    no ntp enable                   #not needed
    no cdp run                      #gives too much information
    no cdp enable                   #gives too much information (per interface)
    no service tcp-small-servers    #disables echo,chargen,discard
    no service udp-small-servers    #disables echo,chargen,discard

"no cdp enable" is done from the interface configuration menu (on each interface), while "no cdp run" and the "no service ..." commands are done through the global configuration menu.


III. Network Security
--------------------------------

One of the areas to focus on for low-end routers as far as network security is setting up ACLs to prevent at least some spoofed attacks. These are configured using the access-list command. for my router, the following configuration worked to prevent packets from certain ip ranges. (done from the configure menu; note that the second address in each entry is a Cisco wildcard mask, the inverse of a subnet mask, so 0.255.255.255 means a /8 and 0.0.0.255 means a /24)

    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 224.0.0.0 31.255.255.255 any
    access-list 100 deny ip host 0.0.0.0 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip yoursubnethere yoursubnetmaskhere any
    access-list 100 permit ip any any

(the wildcard on the 172.16 entry is 0.15.255.255 so it covers the whole 172.16.0.0 - 172.31.255.255 private range; 0.0.255.255 would only catch 172.16.x.x. "yoursubnetmaskhere" is the wildcard mask of your own subnet, not the netmask.)

then after doing an "interface ethernet 0" (or whatever your external ifaces are) the following command binds it to the router input:

    ip access-group 100 in

There u go...sucker will be purrin like a kitty. If you want to keep packet kiddies from working off your network, implement an ACL to allow only ip packets out with source addresses of your subnet. This won't stop them from spoofing another host in your network, but it sure stops them from spoofing any other host. something to the effect of:

    access-list 101 permit ip yoursubnethere yoursubnetmaskhere any
    access-list 101 deny ip any any
    ip access-group 101 out

should do the trick. (the permit has to come before the deny: the first matching entry wins, so with "deny ip any any" first nothing would ever get out. the trailing deny only makes the implicit deny at the end of every list visible.)

To keep packets with an unreachable destination from entering your network the command:

    ip route 0.0.0.0 0.0.0.0 null 0 255

should do it. Now, while you're here....u can add to your access-list by blocking out all incoming IGMP packets...u don't need em anywayz (and fragmented ones love being tossed at windows machines) so we add a rule like..

    access-list 100 deny igmp any any

to our list. (careful: a new entry on a numbered list is appended at the end, i.e. after "permit ip any any", where it would never match. On these IOS versions you have to "no access-list 100" and re-enter the whole list with the deny entries above the permit.)

Now, to be protected against smurf attacks....a command like:

    no ip directed-broadcast

should be done on all external ifaces (on my router, interface ethernet 0) and this will keep ppl from using your broadcast as an amplifier. While you're at it, disable source routing options on the router, as they're never used for any legitimate purpose:

    no ip source-route

should do the trick. Since ICMP redirect packets aren't used legitimately either, they should be denied by the router as well. This can be done with the following entry (again, it has to sit above the permit in list 100):

    access-list 100 deny icmp any any redirect

As far as flooding is concerned, there's not much low-end routers can do. Just about the only command that can help here is "fair-queue", which is done at the interface configuration menu. To prevent the router from dying from extreme flooding, the command "scheduler interval 500" should help...it makes sure that system tasks are executed at a minimum of once every 500ms. And that's about all as far as network security is concerned. The newer routers/IOS versions have a bunch of new nifty features to help in these regards, but that's out of the scope of this document, of course.


IV. Conclusion
--------------------------------

Hopefully i've helped some of you lazy sysadmins to configure your routers properly, because it's your fault that we've got all these problems with ip spoofing...smurfs..etc. And double shame on the ISPs, etc, who are notified of these problems and fail to respond... Shit, if a 17 yr old kid can figure out how to configure a router in a day, these guys who are getting paid all the money sure as hell should know. I should commend cisco at least for providing their users with documents on how to secure their routers...so they don't haveta go elsewhere for them. i found them to be inaccurate and incomplete in several areas, so i decided to write this doc. Besides, wouldn't ya rather hear it from a bright young crackah like myself?;)


V. Contact Me
--------------------------------

Email: spender@exterminator.net (yes i LOVE email)
IRC:   spender_ or spender-
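Appendix (added here; not part of spender's original doc nor any Cisco code): a small Python model of the first-match ACL evaluation that section III relies on. It parses entries in the page's access-list syntax, applies Cisco wildcard masks and the implicit deny, and runs a constructed copy of list 100 (192.0.2.0/24 standing in for yoursubnethere, 172.16/12 wildcard) to show that an igmp or icmp-redirect deny appended after "permit ip any any" never matches.

```python
import ipaddress

def _addr(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD'); return (matcher, rest)."""
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        t = int(ipaddress.IPv4Address(tokens[1]))
        return (lambda ip, t=t: ip == t), tokens[2:]
    b, w = int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))
    # Cisco wildcard mask: a 1 bit means "don't care", the inverse of a subnet mask
    return (lambda ip, b=b, w=w: (ip | w) == (b | w)), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N action proto src dst [qualifier...]' lines into {N: rules}, in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, tuple(rest)))
    return acls

def evaluate(rules, proto, src, dst, qualifiers=()):
    """First matching entry wins; every Cisco ACL ends in an implicit deny. Returns (action, index)."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for i, (action, rproto, smatch, dmatch, rqual) in enumerate(rules):
        if rproto in ("ip", proto) and smatch(s) and dmatch(d) and all(q in qualifiers for q in rqual):
            return action, i
    return "deny", None

# Constructed sample (not a real config): section III's inbound list with 192.0.2.0/24 standing in
# for "yoursubnethere", plus the igmp and icmp-redirect entries appended at the end as IOS would.
INBOUND = """
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 224.0.0.0 31.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 deny igmp any any
access-list 100 deny icmp any any redirect
"""
ACL100 = parse_acl(INBOUND)["100"]
```

evaluate(ACL100, "igmp", "203.0.113.9", "192.0.2.1") returns ('permit', 8) because the appended igmp deny at index 9 is shadowed; moving the permit to the end (ACL100[:8] + ACL100[9:] + [ACL100[8]]) makes the same call return ('deny', 8).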