!!
!! Commands for locking down the majority of IOS platforms
!! Paul Day, paul ( at ) bur.st
!!
!! Turn off all the unneeded services
no service pad
no ip finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
! Turning off http depends on version of IOS... One of these'll work.
no ip http-server
no ip http server
no ip source-route
! Some people like CDP - I don't
no cdp run
!! Global security settings
service password-encryption
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
enable secret
logging console warnings
!! Other global features that should be set
ip subnet-zero
ip classless
no ip domain-lookup
! Change to your time-zone...
clock timezone AWST +8
! Put your own ntp server in... Accurate times = useful logs
ntp server
! Set banner to state the obvious
banner motd ! - Authorized Users only. !
banner login ! - Authorized Users only. !
! Set a meaningful hostname
hostname
ip domain-name
!! Configure ssh if you've got crypto support in your IOS
! Generate a decent length ssh key
crypto key generate rsa 1024
! set ssh time-outs
ip ssh time-out 120
ip ssh authentication-retries 2
! create the aaa username for ssh - depends on which version of IOS
aaa new-model
login local
! set the username
username cisco secret 0
!! Turn on SNMP but lock it down
! Only allow hosts in acl 10 to access SNMP and make it read-only.
snmp-server community public RO 10
! Define ACL 10 to restrict to your SNMP monitoring host - depends on version of IOS
! Either:
ip access-list standard 10 permit
ip access-list standard 10 deny any
! Or:
ip access-list standard 10
 permit
 deny any
! Configure remote access
line vty 0 15
! Make it ssh only - only if you have crypto support
 transport input ssh
 transport preferred ssh
! restrict vty to network management hosts
 access-class 11 in
! time-outs
 session-timeout 35791
 exec-timeout 35791 0
 exit
! acl for vty access
access-list 11 permit
access-list 11 deny any
!! And then for _each_ interface...
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
! Some of you may want CDP left on - only do it for internal ifs!
 no cdp enable
! Set it to auto
 speed auto
 no shutdown
 exit
exit
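As an added example (not part of the original checklist), a small Python audit that parses a `show running-config` dump and reports which of the global and per-interface commands above are missing, plus any `snmp-server community` line with no trailing access-list number. The `REQUIRED_*` lists are taken from the commands above; the sample config is constructed here, and the values the checklist leaves for you to fill in (hostname, ACL hosts, passwords) are not checked.

```python
# Global hardening commands from the checklist; a tuple holds IOS-version spellings.
REQUIRED_GLOBAL = [
    ("no service pad",), ("no ip finger",), ("no ip bootp server",), ("no cdp run",),
    ("no service udp-small-servers",), ("no service tcp-small-servers",),
    ("no ip http server", "no ip http-server"), ("no ip source-route",),
    ("service password-encryption",), ("service tcp-keepalives-in",), ("no ip domain-lookup",),
]
# Commands the checklist wants under every interface stanza.
REQUIRED_INTERFACE = ["no ip redirects", "no ip unreachables",
                      "no ip directed-broadcast", "no ip proxy-arp", "no cdp enable"]

def parse_config(text):
    """Return (top_level_lines, {interface_name: [indented lines]}) from a running-config."""
    top, interfaces, current = [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue                                  # blank line or comment
        if line.startswith(" "):                      # indented: belongs to the open stanza
            interfaces.get(current, []).append(line.strip())   # non-interface stanzas discarded
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        else:                                         # global command or another stanza header
            current = None
            top.append(line)
    return top, interfaces

def audit(text):
    """Return findings: missing global/interface hardening and SNMP communities without an ACL."""
    top, interfaces = parse_config(text)
    findings = [f"missing global: {alts[0]}" for alts in REQUIRED_GLOBAL
                if not any(a in top for a in alts)]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing {cmd}" for cmd in REQUIRED_INTERFACE if cmd not in lines]
    for parts in (g.split() for g in top):
        # "snmp-server community <str> RO|RW" with no fifth token has no ACL restricting it
        if parts[:2] == ["snmp-server", "community"] and len(parts) == 4 and parts[3] in ("RO", "RW"):
            findings.append(f"snmp-server community {parts[2]} has no access-list")
    return findings

# Constructed sample: partially hardened router, one interface, SNMP open to all hosts.
SAMPLE_CONFIG = """\
no service pad
no ip bootp server
no ip http-server
service password-encryption
snmp-server community public RO
interface FastEthernet0/0
 no ip redirects
 no cdp enable
"""
```

Run `audit(open("running-config.txt").read())` against a real dump; indented lines under `line vty` and other non-interface stanzas are deliberately ignored.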