Gist mzpqnxow/e83d3431abd2ffaef5e11c2de69deec5, created August 8, 2020 13:58
Basic reduced attack surface EdgeRouter configuration commands (L2-only configuration)
#
# This doesn't cover all of the hardening required for setting up an EdgeRouter as
# a router/firewall. This is more suitable for an Edge-X configured as a VLAN aware
# switch. There's a lot more to do to harden an L3 configuration, I'm not including it
# here
#
# Bind the management services to a specific IP address on a management VLAN interface
set service gui listen-address x.x.x.x
set service gui older-ciphers disable
# Use only HTTPS
set service gui https-port 8443
delete service gui http-port
# Generate and install your own certificates and DH parameters file
# You must create /config/tls/ and the files inside of it
# All files on /config are persistent across reboots on ER devices
set service gui ca-file /config/tls/ca.pem
set service gui cert-file /config/tls/server.pem
set service gui dh-file /config/tls/dhparam.pem
# Disable IPv6 unless you actually use it
set system ipv6 disable
set system ipv6 disable-forwarding
# Disable the Unifi bloatware
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
# Key-only authentication
set service ssh disable-password-authentication
# Bind the management services to a specific IP address on a management VLAN interface
set service ssh listen-address x.x.x.x
set service ssh port 22222
# Force version 2 only
set service ssh protocol-version v2
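A small checker for this command list, added here as an example and not part of the gist: it parses EdgeOS-style set/delete lines and reports which of the hardening settings above are missing, whether the plaintext HTTP port was actually deleted, and whether the x.x.x.x listen-address placeholder was left unfilled. The SAMPLE text and the REQUIRED list are constructed from the commands above; the TLS file paths are not checked since they depend on files you create yourself.

```python
import re
# Constructed sample: the gist's commands with the x.x.x.x placeholder left unfilled.
SAMPLE = """\
set service gui listen-address x.x.x.x
set service gui older-ciphers disable
set service gui https-port 8443
delete service gui http-port
set system ipv6 disable
set system ipv6 disable-forwarding
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
set service ssh disable-password-authentication
set service ssh listen-address x.x.x.x
set service ssh port 22222
set service ssh protocol-version v2
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Hardening nodes that must be present, as 'set' paths split into tokens.
REQUIRED = [
    ("service", "gui", "older-ciphers", "disable"),
    ("service", "ubnt-discover", "disable"), ("service", "ubnt-discover-server", "disable"),
    ("service", "unms", "disable"),
    ("service", "ssh", "disable-password-authentication"),
    ("service", "ssh", "protocol-version", "v2"),
    ("system", "ipv6", "disable"), ("system", "ipv6", "disable-forwarding"),
]

def parse(text):
    """Split 'set'/'delete' lines into two sets of path tuples; '#' starts a comment."""
    sets, deletes = set(), set()
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens and tokens[0] in ("set", "delete"):
            (sets if tokens[0] == "set" else deletes).add(tuple(tokens[1:]))
    return sets, deletes

def lint(text):
    """Return findings; an empty list means the checklist above is satisfied."""
    sets, deletes = parse(text)
    findings = [f"missing: set {' '.join(p)}" for p in REQUIRED if p not in sets]
    for svc in ("gui", "ssh"):
        # The bound address is the last token under the service's listen-address node.
        addr = next((p[-1] for p in sets if p[:-1] == ("service", svc, "listen-address")), None)
        if addr is None or not IPV4.match(addr):
            findings.append(f"{svc}: listen-address unset or placeholder ({addr})")
    if ("service", "gui", "http-port") not in deletes:
        findings.append("gui: plaintext http-port not deleted")
    return findings
```

Running lint over the output of `show configuration commands` on the device gives the same report for a live box, with the caveat that it only knows the nodes listed in REQUIRED.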