Hardening guide for Cisco Routers and Switches
Blog Has Moved
Link to the same post in the new blog: Hardening guide for Cisco Routers and Switches
Important note
The guide below explains how to harden a Cisco router or switch.
Not all commands work on every device series (router or switch) or on every IOS version.
It is highly recommended to test each setting in a test lab before implementing changes to production systems.
Hardening phase
Configure AAA service:
aaa new-model
Configure AAA Authentication for Login (local user database, case-sensitive usernames):
aaa authentication login default local-case
Configure AAA Authentication for Enable Mode:
aaa authentication enable default enable
Configure AAA Authentication for Local Console Line:
line console 0
login authentication default
exit
Configure AAA Authentication for VTY Lines:
line vty 0 4
login authentication default
exit
line vty 5 15
login authentication default
exit
Set and secure passwords:
service password-encryption
enable secret 0 <password>
Note: service password-encryption only applies the reversible type 7 obfuscation to passwords that would otherwise sit in the configuration in clear text; it is not a substitute for enable secret, which stores a one-way hash.
Configure Local User and Encrypted Password:
username <name> password <password>
Note: Use the following syntax for versions after 12.0(18)S, 12.1(8a)E and 12.2(8)T; the secret keyword stores a hash of the password instead of the reversible type 7 form:
username <name> secret <password>
Configure SSH (the hostname and domain name must be set before the RSA key can be generated):
hostname <hostname>
ip domain-name <domain>
crypto key generate rsa modulus 2048
Configure SSH for Remote Device Access:
ip ssh timeout 60
ip ssh authentication-retries 3
Configure VTY Transport SSH (the console line is a physical serial port and has no transport input setting, so this applies to the VTY lines only):
line vty 0 4
transport input ssh
exit
line vty 5 15
transport input ssh
exit
Configure Timeout for Login Sessions:
line vty 0 4
exec-timeout 5 0
exit
line vty 5 15
exec-timeout 5 0
exit
Disable Auxiliary Port:
line aux 0
no exec
exec-timeout 0 10
transport input none
exit
Disable SNMP server (if not in use):
no snmp-server
If SNMP is needed, remove the default community strings private and public:
no snmp-server community private
no snmp-server community public
Configure Clock Timezone - GMT (the command requires the hour offset from UTC):
clock timezone GMT 0
Disable DNS name resolution (if not in use); otherwise a mistyped command is treated as a hostname and the device hangs on a DNS lookup:
no ip domain-lookup
Disable CDP Run Globally (if CDP is required, for example for IP phones, disable it per interface on untrusted ports instead):
no cdp run
Disable PAD service (if not in use):
no service pad
Disable Finger Service:
no service finger
Disable Maintenance Operations Protocol (MOP), per interface:
interface <interface>
no mop enabled
exit
Disable DHCP server (if not in use):
no service dhcp
Disable IP BOOTP server (if not in use):
no ip bootp server
Disable Identification Service (ident, TCP/113):
no ip identd
Disable IP HTTP Server (if not in use):
no ip http server
Disable Remote Startup Configuration:
no boot network
no service config
Configure TCP keepalives (so that half-open or abandoned sessions are detected and the VTY line is freed instead of staying tied up):
service tcp-keepalives-in
service tcp-keepalives-out
Disable small-servers:
no service tcp-small-servers
no service udp-small-servers
Disable TFTP Server:
no tftp-server
Configure Logging (the buffer lives in RAM and is lost on reload, so also send logs to a remote syslog host):
logging on
logging buffered 16000
logging console critical
Configure Service Timestamps for Debug and Log Messages:
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
Disable IP source-route:
no ip source-route
Disable Directed Broadcast, per interface (already the default since IOS 12.0, listed here for completeness):
interface <interface>
no ip directed-broadcast
exit
Configure Unicast Reverse-Path Forwarding (strict mode; on interfaces with asymmetric routing it drops legitimate return traffic, so apply it on edge and access interfaces only; current releases replace this keyword form with ip verify unicast source reachable-via rx):
interface <interface>
ip verify unicast reverse-path
exit
Disable IP Proxy ARP, per interface:
interface <interface>
no ip proxy-arp
exit
Disable Gratuitous-Arps:
no ip gratuitous-arps
Configure switch port-security (access ports only; the port-security command is rejected on a port left in dynamic trunking mode, maximum 1 will shut down a port that carries both an IP phone and a PC, and a port shut down by a violation goes err-disabled until an administrator clears it or errdisable recovery is configured):
interface <interface>
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation shutdown
switchport port-security
exit
Save the changes:
write memory
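The steps above tell you what to type; confirming that a device actually ended up in that state is a separate job, and a `show running-config` dump is the place to check. The script below is an added example written for this post (not code from the original article or from Cisco): it parses a running-config into global commands plus `interface` and `line` sections and reports deviations from the checklist above. The sample configuration is constructed and deliberately weak, and the `ip ssh version 2` check is an addition beyond the guide. Keep in mind that IOS omits default settings from the running-config, so a missing line means "not explicitly set"; for features that default to on (CDP, PAD, proxy ARP) that is a real finding, which is why the checks look for the explicit `no` form.

```python
"""Audit a Cisco IOS running-config against the hardening checklist above.
Added example, not Cisco code: parses `show running-config` output into global
commands plus `interface`/`line` sections and returns a list of findings."""
import re

# Constructed sample (not captured from a real device); deliberately weak.
SAMPLE_RUNNING_CONFIG = """\
service password-encryption
aaa new-model
enable secret 5 $1$abcd$ExampleHashNotReal00000000
username admin password 7 0822455D0A16
no ip source-route
ip http server
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip verify unicast source reachable-via rx
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

# Global commands expected verbatim. 'ip ssh version 2' is an addition beyond
# the guide above (SSHv1 is weak); remove it to audit only the guide's list.
REQUIRED_GLOBAL = (
    "aaa new-model", "service password-encryption", "no ip source-route",
    "no cdp run", "no service pad", "no ip bootp server", "ip ssh version 2",
)
# Global commands that must not appear: (pattern, description).
FORBIDDEN_GLOBAL = (
    (re.compile(r"^ip http server$"), "HTTP server enabled"),
    (re.compile(r"^enable password "), "reversible 'enable password' in use"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community"),
    (re.compile(r"^username \S+ (privilege \d+ )?password "), "user with type 0/7 password, use 'secret'"),
)
# Either the older strict-uRPF keyword form or the current syntax is accepted.
URPF = ("ip verify unicast reverse-path", "ip verify unicast source reachable-via")


def parse_config(text):
    """Return (global_lines, sections); sections maps a header such as
    'line vty 0 4' or 'interface GigabitEthernet0/0' to its indented commands."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):               # sub-command of the open section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.rstrip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def check_section(header, cmds):
    """Per-section checks: SSH-only VTY lines with a timeout, and proxy ARP / uRPF
    on every interface that carries an IP address (L2 ports are skipped)."""
    findings = []
    if header.startswith("line vty"):
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: transport input is "
                            f"'{transport[-1] if transport else 'default'}', want ssh only")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{header}: exec-timeout not set")
    elif header.startswith("interface ") and any(c.startswith("ip address ") for c in cmds):
        if "no ip proxy-arp" not in cmds:
            findings.append(f"{header}: proxy ARP left at default (enabled)")
        if not any(c.startswith(URPF) for c in cmds):
            findings.append(f"{header}: unicast RPF not enabled")
    return findings


def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    global_lines, sections = parse_config(config_text)
    findings = [f"global: missing '{r}'" for r in REQUIRED_GLOBAL if r not in global_lines]
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no 'enable secret' configured")
    for pattern, why in FORBIDDEN_GLOBAL:
        findings += [f"global: {why}: '{l}'" for l in global_lines if pattern.match(l)]
    for header, cmds in sections.items():
        findings += check_section(header, cmds)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` file (`audit(open(path).read())`) after applying the guide; the weak sample above yields eleven findings (missing global commands, the HTTP server and default SNMP community, a type 7 user password, a VTY range that still accepts telnet, one without a timeout, and an interface with neither proxy ARP disabled nor uRPF), and a hardened configuration yields none. Extend `REQUIRED_GLOBAL` with the other global commands from the checklist, but only those that IOS prints when set, or you will chase defaults that are already correct.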