CCNP Notebook

9 February 2009

CCNP-ISCW Module 05 Cisco Device Hardening (2)

Filed under: CCNP-ISCW Module 05 — nkongkimo @ 06:33:44

Unused IOS services

Each entry gives the service, a description, its default state, the command that disables it (or, for TCP keepalives, enables it), and a note. Commands marked (config)# are global; commands marked (config-if)# must be applied on each interface.

Router interfaces
  Description: An interface that is not in use is a place where a cable can be connected, accidentally or maliciously.
  Default: Disabled (administratively down)
  Disable: (config-if)# shutdown
  Note: Shut down every interface that is not needed.

BOOTP server
  Description: Lets the router answer BOOTP requests. Rarely needed in modern networks.
  Default: Enabled
  Disable: (config)# no ip bootp server
  Note: This is a global command, not an interface command. BOOTP requires the MAC-to-IP mapping to be assigned manually.

CDP
  Description: Cisco Discovery Protocol advertises the platform, IOS version and addresses to directly connected neighbours. Unless it is needed inside the network, disable it globally or per interface.
  Default: Enabled
  Disable: (config)# no cdp run (globally)
           (config-if)# no cdp enable (on one interface)
  Note: At a minimum, disable it on interfaces facing untrusted networks.

Configuration auto-loading
  Description: Permits the router to load a configuration file automatically from a network server. Keep it disabled when not needed.
  Default: Disabled
  Disable: (config)# no service config

FTP server
  Description: Allows the router to act as an FTP server. Keep it disabled when not needed.
  Default: Disabled
  Disable: (config)# no ftp-server enable
  Note: The router can act as a server, but only a rudimentary one; it supports anonymous logins only.

TFTP server
  Description: Allows the router to serve a file (typically an IOS image) over TFTP. Keep it disabled when not needed.
  Default: Disabled
  Disable: (config)# no tftp-server file-sys:image-name
  Note: Again a rudimentary server, and TFTP has no authentication at all.

NTP service
  Description: Correct time matters for logging. Disable NTP if it is not needed, or restrict it to the devices that require it.
  Disable: (config)# no ntp server ip-address
  Note: To keep NTP but limit who may talk to it, use ntp access-group with an ACL, or ntp disable on interfaces that should not receive NTP.

PAD (Packet Assembler/Disassembler)
  Description: Allows access to X.25 PAD commands. Rarely needed in modern networks.
  Default: Enabled
  Disable: (config)# no service pad

TCP and UDP minor services
  Description: The small servers (echo, discard, chargen, daytime) are daemons used for diagnostics. Rarely used.
  Default: Enabled before 11.3; Disabled in 11.3 and later
  Disable: (config)# no service tcp-small-servers
           (config)# no service udp-small-servers

MOP (Maintenance Operation Protocol)
  Description: DEC maintenance protocol from the DECnet era; rarely used.
  Default: Enabled on most Ethernet interfaces
  Disable: (config-if)# no mop enabled
  Note: Only legacy DEC equipment uses it.

SNMP
  Description: If not used, disable it. If needed, restrict access with an ACL and use SNMPv3.
  Default: Disabled until an snmp-server command is configured
  Disable: (config)# no snmp-server
  Note: Open it only to the management stations that need it, never to everyone.

HTTP configuration and monitoring
  Description: SDM (Security Device Manager) uses HTTP/HTTPS. If not used, disable both. If needed, restrict access with an ACL (ip http access-class) and use HTTPS only.
  Default: Device dependent
  Disable: (config)# no ip http server
           (config)# no ip http secure-server

DNS
  Description: By default the router sends name lookups to the broadcast address 255.255.255.255 (a mistyped command is enough to trigger one). If DNS is not used, disable lookups; if it is, configure the name server explicitly.
  Default: Enabled
  Disable: (config)# no ip domain-lookup
  Note: To use DNS deliberately: (config)# ip name-server address together with (config)# ip domain-name name.

ICMP redirects
  Description: Disable if not needed.
  Default: Enabled
  Disable: (config-if)# no ip redirects
  Note: Interface command, applied per interface.

IP source routing
  Description: Lets the sender dictate the path a packet takes through the network, bypassing the routing table. Rarely used; disable it.
  Default: Enabled
  Disable: (config)# no ip source-route

Finger
  Description: The finger protocol (TCP port 79) returns the list of users logged in to the device, the same information as show users. Disable when not needed.
  Default: Enabled
  Disable: (config)# no service finger (no ip finger on newer images)

ICMP unreachables
  Description: Should be disabled on interfaces facing untrusted networks.
  Default: Enabled
  Disable: (config-if)# no ip unreachables
  Note: Denies a port scanner the unreachable replies it uses to map the network. Be aware that it also suppresses the fragmentation-needed message that Path MTU discovery depends on.

ICMP mask reply
  Description: The router answers with its own subnet mask. Disable on interfaces to untrusted networks.
  Default: Disabled
  Disable: (config-if)# no ip mask-reply

IP directed broadcast
  Description: A directed broadcast is unicast until it reaches the router for the destination segment, which then turns it into a broadcast. Should be disabled.
  Default: Enabled before 12.0; Disabled in 12.0 and later
  Disable: (config-if)# no ip directed-broadcast
  Note: A ping to the broadcast address makes every host on that segment reply, which is the amplifier behind the smurf attack.

IP identd
  Description: The RFC 1413 identification service reports the identity of the TCP connection initiator.
  Disable: (config)# no ip identd

TCP keepalives
  Description: Clean up TCP connections to the router when the remote host has stopped processing TCP packets. Should be enabled, to stop half-open sessions from accumulating into a DoS.
  Default: Disabled
  Enable: (config)# service tcp-keepalives-in
          (config)# service tcp-keepalives-out
  Note: The one entry in this table that you turn on rather than off.

Gratuitous ARP
  Description: Unless needed, disable.
  Default: Enabled
  Disable: (config)# no ip gratuitous-arps
  Note: A gratuitous ARP is an ARP packet whose sender and target IP addresses are both the router's own. It tells the PCs on the LAN that the IP address now belongs to a different host so that they update their ARP tables; the same mechanism is what ARP spoofing abuses.

Proxy ARP
  Description: Only needed when the router is acting as a layer-2 bridge between segments. Should be disabled.
  Default: Enabled
  Disable: (config-if)# no ip proxy-arp
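The table above is a checklist that is normally applied by hand. As an added example (not part of the original notes or of any Cisco tool), the Python script below audits the text of a show running-config against the same list and prints the IOS commands needed to disable whatever is still enabled. The sample configuration is constructed for the example, not captured from a real router; the defaults assumed are the IOS 12.x defaults given in the table (small servers off, directed broadcast off, MOP on for Ethernet interfaces only), and an interface that is shut down is treated as exposing nothing.

```python
from typing import Dict, List, Tuple

# Constructed sample running-config (not from a real router): a few services are
# already hardened, the rest are left at their IOS 12.x defaults.
SAMPLE_CONFIG = """\
hostname R1
ip http server
no service pad
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 shutdown
end
"""

REQUIRED_GLOBAL = {  # lines that must be present: "no ..." for on-by-default services
    "BOOTP server": "no ip bootp server", "CDP": "no cdp run",
    "X.25 PAD": "no service pad", "IP source routing": "no ip source-route",
    "Finger": "no service finger", "Gratuitous ARP": "no ip gratuitous-arps",
    "DNS lookup": "no ip domain-lookup",
    "TCP keepalives (in)": "service tcp-keepalives-in",  # the pair to turn ON
    "TCP keepalives (out)": "service tcp-keepalives-out",
}
FORBIDDEN_GLOBAL = {  # off by default: any line starting with this enables it
    "Config auto-loading": "service config", "FTP server": "ftp-server enable",
    "TFTP server": "tftp-server", "HTTP server": "ip http server",
    "HTTPS server": "ip http secure-server", "SNMP": "snmp-server community",
    "TCP small servers": "service tcp-small-servers",
    "UDP small servers": "service udp-small-servers", "IP identd": "ip identd",
}
INTERFACE_ON_BY_DEFAULT = {  # need "no ..." under every interface that is up
    "ICMP redirects": "ip redirects", "ICMP unreachables": "ip unreachables",
    "Proxy ARP": "ip proxy-arp", "CDP (interface)": "cdp enable", "MOP": "mop enabled",
}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface line lists."""
    def add(lines, line):  # IOS semantics: a later command supersedes its negation
        opp = line[3:] if line.startswith("no ") else f"no {line}"
        lines[:] = [x for x in lines if x not in (opp, line)] + [line]
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line in ("!", "end"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            add(interfaces[current], line.strip())
        else:
            current = None
            add(global_lines, line)
    return global_lines, interfaces


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (scope, service, fix-command) for each service still insecure."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for name, required in REQUIRED_GLOBAL.items():
        if required not in global_lines:
            findings.append(("global", name, required))
    for name, prefix in FORBIDDEN_GLOBAL.items():
        for line in global_lines:
            if line.startswith(prefix):
                findings.append(("global", name, f"no {line}"))
    for ifname, lines in interfaces.items():
        if "shutdown" in lines:
            continue  # an administratively down interface exposes nothing
        for name, cmd in INTERFACE_ON_BY_DEFAULT.items():
            if cmd == "mop enabled" and "Ethernet" not in ifname:
                continue  # MOP only defaults on for Ethernet-type interfaces
            if cmd == "cdp enable" and "no cdp run" in global_lines:
                continue  # already silenced globally
            if f"no {cmd}" not in lines:
                findings.append((ifname, name, f"no {cmd}"))
    return findings


def render_fix(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Turn findings into a paste-ready IOS configuration snippet."""
    out = [fix for scope, _, fix in findings if scope == "global"]
    for ifname in sorted({s for s, _, _ in findings if s != "global"}):
        out.append(f"interface {ifname}")
        out.extend(f" {fix}" for s, _, fix in findings if s == ifname)
    return out


if __name__ == "__main__":  # stand-alone: print the remediation for the sample
    print("\n".join(render_fix(audit(SAMPLE_CONFIG))))
```

Services that IOS enables by default never appear in a running-config until they are switched off, so the audit looks for the presence of the "no" form for those and for the presence of an enabling line for the others. Appending the rendered fix to the sample and auditing again yields no findings, which is a quick way to confirm the checklist is complete before pasting it into a real device.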


