| Command | Level | Resulting action |
|---|---|---|
| no ip proxy-arp | Interface | Ignores incoming ARP requests for hosts within the network. |
| no ip directed-broadcast | Interface | Disables translations of directed broadcasts to physical broadcasts. |
| no ip unreachables | Interface | Disables ICMP unreachable messages on an interface. |
| no ip redirects | Interface | Disables redirect messages. A redirect message is generated to another device when a datagram is sent out over the same interface through which it was received. The redirect message tells the sending host that it should have been able to get to the destination without going through the router. Redirects have played a role in a number of attacks, so it's safest to disable them. |
| no ip source-route | Global | Causes the router to discard any packet with source-route information. Presumably, we don't want hosts telling our router how to route the traffic. |
| no service finger | Global | Disables the finger daemon on the router. Finger has always been a problem source; it lets attackers know who is logged in and provides the user's real username. Now all they need is a password! |
| no service udp-small-servers no service tcp-small-servers | Global | Disables all small UDP and TCP services on your router (echo, chargen, and some others). These are services that outsiders shouldn't see anyway. |
Tuesday, September 21, 2010
Router Security
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment