Monday, 26 February 2007

Don'ts for Cisco router p1

Just compiled a list of services I check when I audit a Cisco router. Of course there are lots more, but for now I will just provide the basics. Enjoy, and email me if there are any questions.

no cdp enable (Disables CDP. It is susceptible to spoofing and DoS. Need a proof of concept? Email me)

no ip unreachables (Disables ICMP unreachable messages)

no ip source-route (Disables source routing)

no service finger (Disables the finger daemon on the router. Finger has always been a source of trouble: it tells an attacker who is logged in and reveals the user's real username)

no service udp-small-servers (Disables the small UDP servers on your router (echo, chargen, and some others))

no service tcp-small-servers (Same as udp-small-servers, for the TCP small servers)

no snmp-server (Disable SNMP if not in use. SNMP provides lots of juicy info when enumerated)

no ip http server (Disables the internal HTTP web server of the Cisco device)

no service config (Disables the loading of remote config files at boot)

no ip bootp server (Disables the bootp server)

no tftp-server (Only enable this if you absolutely need the service, else disable it)

no ip directed-broadcast (Directed broadcasts allow smurf attacks)

no ip proxy-arp (Disable proxy-arp to prevent extending a LAN to multiple segments)
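The list above is easiest to apply consistently when it is checked mechanically against a saved `show running-config`. The following script is an added example, not code from the original post: it splits an IOS config into global lines and per-interface blocks (assuming the standard IOS layout, where sub-commands are indented by one space under a column-0 block header) and reports which of the recommended lines are absent in each scope. The sample configuration embedded in it is constructed for illustration; the IOS version, hostname and addresses are made up.

```python
"""Check a Cisco IOS configuration text for the hardening lines listed above.

Added example (not from the original post): it parses a saved copy of
`show running-config` and reports which recommended lines are absent,
globally and on each interface.
"""
import re

# Global-mode lines from the post that should appear in the config.
GLOBAL_CHECKS = [
    "no ip source-route",
    "no service finger",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "no ip http server",
    "no service config",
    "no ip bootp server",
]

# Interface-mode lines from the post, expected under every "interface" block.
INTERFACE_CHECKS = [
    "no cdp enable",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip proxy-arp",
]


def parse_config(text):
    """Split an IOS config into global lines and {interface: [sub-lines]}.

    IOS indents the sub-commands of a block (interface, line, router ...) by
    one space; anything at column 0 is a global command or a block header.
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # comment / separator line
        if not line.startswith(" "):
            match = re.match(r"interface (\S+)$", line)
            if match:
                current = match.group(1)
                interfaces[current] = []
            else:
                current = None  # another block header (line vty, router ...) or a global command
                global_lines.append(line.strip())
        elif current is not None:
            interfaces[current].append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return {"global": [...], "<interface>": [...]} of missing hardening lines.

    Only scopes with at least one finding appear in the result.
    """
    global_lines, interfaces = parse_config(text)
    findings = {}

    missing = [cmd for cmd in GLOBAL_CHECKS if cmd not in global_lines]
    # "no snmp-server" removes the agent configuration entirely, so it never
    # appears in a running-config; the observable symptom of SNMP being on is
    # any remaining "snmp-server ..." line.
    if any(l.startswith("snmp-server ") for l in global_lines):
        missing.append("snmp-server enabled")
    if missing:
        findings["global"] = missing

    # "no cdp run" turns CDP off globally, which makes the per-interface
    # "no cdp enable" redundant.
    iface_checks = list(INTERFACE_CHECKS)
    if "no cdp run" in global_lines:
        iface_checks.remove("no cdp enable")

    for name, lines in interfaces.items():
        missing = [cmd for cmd in iface_checks if cmd not in lines]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: one hardened interface, one that was missed, SNMP left on.
SAMPLE_CONFIG = """\
!
version 12.4
hostname lab-rtr
!
no ip source-route
no service finger
no service udp-small-servers
no service tcp-small-servers
snmp-server community public RO
no ip http server
no service config
no ip bootp server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip directed-broadcast
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for scope, items in audit(SAMPLE_CONFIG).items():
        print(f"{scope}: missing {', '.join(items)}")
```

Two points to keep in mind when reading the report. `show running-config` omits settings that are at their default (for example `no ip directed-broadcast` is the default on recent IOS and is not displayed), so an absent line may be the default rather than a gap; where the platform supports it, `show running-config all` prints defaults too and gives the checker a complete picture. And `no cdp enable` is an interface command, while `no cdp run` disables CDP for the whole box; the script treats the global form as satisfying the per-interface check.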
