A Hardened Vanilla Cisco Config for use on switches
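! Hardened baseline for a Cisco IOS layer-2 access switch.
! Values in {braces} are site-specific placeholders to fill in before pasting.
! Lines beginning with "!" are ignored by the IOS parser.
en
conf t
! Remove any pre-existing RSA key pair before a fresh one is generated below.
! ("crypto key zeroize" on its own is an incomplete command; "rsa" is required.)
crypto key zeroize rsa
no ip finger
no service tcp-small-servers
no service udp-small-servers
no service config
no ip source-route
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
! Local accounts use hashed "secret" values rather than reversible type-7 passwords.
! Use a distinct value per account; the same placeholder is reused for
! "enable secret" further down, which should also be a separate value.
username manager privilege 15 secret {remote manager password}
username support privilege 15 secret {support password}
! NOTE(review): no TACACS+ server is defined anywhere in this template and AAA
! below is local-only, so this source-interface line has no effect until one is.
ip tacacs source-interface vlan{xxxx}
ip tftp source-interface vlan{site_vlan}
! Keep a rolling archive of the last 5 configurations and log configuration-mode
! changes with passwords masked (hidekeys).
archive
 log config
  logging enable
  logging size 200
  hidekeys
 exit
 path flash:archived-configs
 maximum 5
 write-memory
 time-period 10080
exit
logging on
logging host {log host}
logging source-interface vlan{xx}
logging console critical
logging trap errors
hostname {hostname}
! The domain name must be set before the RSA key pair is generated.
ip domain-name {client domain name}
crypto key generate rsa general-keys modulus 2048
no ip http server
no ip http secure-server
enable secret {remote manager password}
ip ssh time-out 60
ip ssh authentication-retries 2
! The vty lines below accept SSH only; pin SSHv2 so SSHv1 is never negotiated.
ip ssh version 2
! "password encryption aes" only takes effect once a master key exists;
! without the key config-key line it is a no-op.
key config-key password-encrypt {master key}
password encryption aes
login block-for 15 attempts 5 within 5
login on-failure log
errdisable recovery cause bpduguard
! Access ports: single host, PortFast, BPDU guard.
int range g1/0/1 - 48
 switch access vlan {site_vlan}
 switchport host
 spanning-tree bpduguard enable
 no shut
int vlan{site_vlan}
 no shut
 desc Connection to LAN - Site {hostname}
 ip address {site_lan_ip} {mask}
exit
! VLAN 1 is left unused and shut down.
int vlan1
 shut
exit
! NOTE(review): NTP here is unauthenticated. "source" expects an interface name
! (presumably vlan{vlan id}) rather than a bare VLAN number - confirm the placeholder.
ntp server {ntp server ip} prefer source {vlan id} version 3
ntp server {ntp server ip} source {vlan id} version 3
clock timezone EST -5
clock summer-time EDT recurring 2 Sunday March 2:00 1 Sunday November 2:00
! Read-only SNMPv2c community, reachable only from the sources permitted by ACL 10.
snmp-server community {RO Community} RO 10
snmp-server contact {Contact Info}
! NOTE(review): "snmp-server host" also requires a community string (and
! optionally a version) after the host address; as written the line is incomplete.
snmp-server host {trap server if used}
snmp-server location {site_location}
access-list 10 remark Access list for SNMP Connections
access-list 10 permit {network} {wildcard mask}
ip default-gateway {site_default_gateway}
line con 0
 exec-timeout 5
 session-timeout 10
 logging synchronous
! Remote management is SSH only. NOTE(review): no "access-class" ACL is applied
! to the vty lines, so any source that can reach the switch IP may attempt a login.
line vty 0 15
 exec-timeout 5
 session-timeout 10
 transport input ssh
 logging synchronous
exit
configuration mode exclusive auto
vtp mode trans
aaa new-model
aaa authentication attempts login 5
aaa authentication login default local
! NOTE(review): the "console" method list (no authentication) is defined but never
! applied with "login authentication console", so line con 0 uses the default
! (local) list. Remove this line unless an unauthenticated console is intended.
aaa authentication login console none
aaa authorization exec default local
banner exec ^
*****************************************************************************
* Corporation *
* WARNING: *
* FOR AUTHORIZED USE ONLY. This system and all data *
* are the property of Corporation. Unauthorized *
* use or attempted unauthorized use of this system *
* by persons not issued a user account is not permitted and *
* may constitute a state or federal offense. Use of this *
* system is only permitted under the authority of Corporation *
* and subject to the polices, procedures and acceptable use as *
* defined by Corporation. *
* Any use of this computer system constitutes express consent *
* for authorized personnel to monitor, intercept, record, *
* read, copy access and capture such information for use or *
* disclosure without additional prior notice. Users have *
* no legitimate expectation of privacy during any use of this *
* system or in any data on this system. Your access may be *
* logged at any time. *
* *
* By logging into this system, you are agreeing that you have *
* read and accepted the above terms and conditions. *
* *
*****************************************************************************^
banner login ^
***************************************************************
* ACCESS IS RESTRICTED TO AUTHORIZED USERS ONLY! *
* UNAUTHORIZED ACCESS IS A VIOLATION OF STATE AND FEDERAL, *
* CIVIL AND CRIMINAL LAWS. *
***************************************************************^
exit
wr mem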