@mzpqnxow
Created August 8, 2020 13:58
Basic reduced attack surface EdgeRouter configuration commands (L2-only configuration)
#
# This doesn't cover all of the hardening required for setting up an EdgeRouter as
# a router/firewall. This is more suitable for an Edge-X configured as a VLAN aware
# switch. There's a lot more to do to harden an L3 configuration, I'm not including it
# here
#
# Bind the management services to a specific IP address on a management VLAN interface
set service gui listen-address x.x.x.x
set service gui older-ciphers disable
# Use only HTTPS
set service gui https-port 8443
delete service gui http-port
# Generate and install your own certificates and DH parameters file
# You must create /config/tls/ and the files inside of it
# All files on /config are persistent across reboots on ER devices
set service gui ca-file /config/tls/ca.pem
set service gui cert-file /config/tls/server.pem
set service gui dh-file /config/tls/dhparam.pem
# Disable IPv6 unless you actually use it
set system ipv6 disable
set system ipv6 disable-forwarding
# Disable the Unifi bloatware
set service ubnt-discover disable
set service ubnt-discover-server disable
set service unms disable
# Key-only authentication (password logins are refused; install your public key and
# confirm a key-based login works before committing this, or you will lock yourself out)
set service ssh disable-password-authentication
# Bind the management services to a specific IP address on a management VLAN interface
set service ssh listen-address x.x.x.x
# Move SSH off the default port (cuts scanner noise only; the listen-address binding
# and key-only authentication above are what actually restrict access)
set service ssh port 22222
# Force version 2 only
set service ssh protocol-version v2
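A quick way to confirm the settings above actually landed on a device is to audit a configuration dump against the expected lines. The script below is an added example, not part of the gist: it assumes the input is the `set ...` form produced by `show configuration commands` on EdgeOS, builds a constructed sample dump (deliberately incomplete, with the HTTP listener still enabled) and reports every hardening line that is missing plus any listener that should have been deleted. Site-specific values (the listen-address, port and file paths) are matched by command prefix only, so the checker does not care what address you chose.

```shell
#!/bin/sh
# Added example: audit an EdgeOS "show configuration commands" dump against the
# hardening lines in the gist. Matching is by command prefix so that site-specific
# values (listen-address, port, certificate paths) are not hard-coded.

# "set" commands that must be present (value omitted where it is site-specific)
EXPECTED_SETTINGS='service gui listen-address
service gui older-ciphers disable
service gui https-port
service gui ca-file
service gui cert-file
service gui dh-file
system ipv6 disable
system ipv6 disable-forwarding
service ubnt-discover disable
service ubnt-discover-server disable
service unms disable
service ssh disable-password-authentication
service ssh listen-address
service ssh port
service ssh protocol-version v2'

# "set" commands that must NOT be present (the gist deletes the plain HTTP listener)
FORBIDDEN_SETTINGS='service gui http-port'

# Constructed sample dump (assumption: same line format as "show configuration
# commands"). It is intentionally only partially hardened.
write_sample_config() {
    cat > "$1" <<'EOF'
set service gui listen-address 10.0.99.1
set service gui https-port 8443
set service gui http-port 80
set service ssh listen-address 10.0.99.1
set service ssh port 22222
set system ipv6 disable
EOF
}

# Match "set <prefix>" followed by a space or end of line, so that
# "system ipv6 disable" does not also match "system ipv6 disable-forwarding".
has_setting() {
    grep -qE "^set $2( |\$)" "$1"
}

# audit_config FILE: print one finding per line (MISSING: / PRESENT:), always exit 0
audit_config() {
    cfg="$1"
    printf '%s\n' "$EXPECTED_SETTINGS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        has_setting "$cfg" "$p" || printf 'MISSING: set %s\n' "$p"
    done
    printf '%s\n' "$FORBIDDEN_SETTINGS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        if has_setting "$cfg" "$p"; then printf 'PRESENT: set %s\n' "$p"; fi
    done
    return 0
}

# Stand-alone demo: audit the constructed sample
demo_file=$(mktemp)
write_sample_config "$demo_file"
audit_config "$demo_file"
rm -f "$demo_file"
```

On a real device, replace the constructed sample with the output of `show configuration commands` saved to a file and run `audit_config` on it; an empty result means every line from the gist is present and the HTTP listener is gone. The prefix match deliberately does not validate the values themselves, so the listen-address still has to be checked by eye against your management VLAN.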