Network Security Firewalls

Re: Router config question

Subject: Re: Router config question
Date: Mon, 08 Nov 2004 16:43:43 -0600
Fer you fancy infersec bubbas that gots syslog servers:

access-list 110 deny ip any any log

For sending email on the regular, published SMTP port:

access-list 110 permit tcp any host 10.0.1.11 eq 25

Also, the above list allows other types of "undesirable" traffic - you could also add this to the TOP of your list:

access-list 110 deny ip 0.0.0.255 255.255.255.0 any log
access-list 110 deny ip 0.0.0.0 255.255.255.0 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 169.254.0.0 0.0.255.255 any log
access-list 110 deny ip 172.0.0.0 0.31.255.255 any log
access-list 110 deny ip 192.0.2.0 0.0.0.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 240.0.0.0 0.255.255.255 any log
access-list 110 deny ip 248.0.0.0 7.255.255.255 any log

It is probably not exhaustive, but it is a good start, and will keep a lot of amateurs out.

Dennis Dimka wrote:
This is a little sloppy.  If you don't have a dedicated firewall (and the
2611 is essentially your firewall) you should allow only what you need in,
and deny the rest.  Not only is this leaps and bounds more secure, it
mitigates the need to deny specific ports.  For example, if you have a
public mail and a public web server and email server...

access-list 110 permit tcp any host 10.0.1.10 eq 80
access-list 110 permit tcp any host 10.0.1.11 eq 24
access-list 110 deny ip any any

The last line is already implied at the end of any access list, but having
it in your ACL reminds you of this, and also shows you a HITCOUNT.

-----Original Message-----
From: Dan Tesch [mailto:dan.tesch@comcast.net]
Sent: Monday, November 08, 2004 7:23 AM
To: Firewalls Securityfocus
Subject: Router config question


Hello, I inherited a Cisco 2611 that I have been trying to
clean up and understand the config on.

For a while I have been wondering why the following
were being specifically blocked...

access-list 110 deny   53 any any
access-list 110 deny   55 any any
access-list 110 deny   77 any any
access-list 110 deny   pim any any

I was doing some reading trying to learn about PIM
and found this link which references a DOS vuln.

http://securecomputing.stanford.edu/alerts/cisco-update-17jul2003.html

Was this a way to circumvent the listed vuln.? The doc references IOS
below 12.3; as I am now above that, may I safely remove these denies?

Thanks
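The list being discussed in this thread (the anti-spoofing denies on top, the two host permits, then an explicit logged deny-all) can be checked offline. The following is an added example, not code from any poster: a small Python evaluator for the subset of IOS extended-ACL syntax used above (`any`, `host`, address/wildcard pairs, `eq` ports, `log`). It assembles the thread's lines into one hypothetical ACL (not a configuration from any real router) and walks it with IOS first-match semantics against a few constructed packets. Two things it makes visible that the mail text does not: the implicit deny at the end of a list is never logged, which is why the explicit `deny ip any any log` line matters for a syslog server, and the `172.0.0.0 0.31.255.255` entry covers 172.0.0.0 through 172.31.255.255, so it denies more than the RFC 1918 172.16.0.0/12 block.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL assembled from the lines in the thread (hypothetical; not a
# real router configuration). Order matters: IOS stops at the first match.
ACL_TEXT = """
access-list 110 deny ip 0.0.0.255 255.255.255.0 any log
access-list 110 deny ip 0.0.0.0 255.255.255.0 any log
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny ip 169.254.0.0 0.0.255.255 any log
access-list 110 deny ip 172.0.0.0 0.31.255.255 any log
access-list 110 deny ip 192.0.2.0 0.0.0.255 any log
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny ip 240.0.0.0 0.255.255.255 any log
access-list 110 deny ip 248.0.0.0 7.255.255.255 any log
access-list 110 permit tcp any host 10.0.1.10 eq 80
access-list 110 permit tcp any host 10.0.1.11 eq 25
access-list 110 deny ip any any log
"""

# Protocol keywords this parser understands; "ip" means any IP protocol.
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1, "pim": 103}


def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def in_wildcard(addr: int, base: int, wildcard: int) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must equal the base address."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0


@dataclass
class Entry:
    action: str
    proto: Optional[int]          # None = 'ip' (matches every protocol)
    src: Tuple[int, int]          # (base, wildcard)
    dst: Tuple[int, int]
    dport: Optional[int]
    log: bool
    text: str


def _addr(t: List[str], i: int):
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (ip_int(t[i + 1]), 0), i + 2
    return (ip_int(t[i]), ip_int(t[i + 1])), i + 2


def _port(t: List[str], i: int):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    action, proto = t[2], t[3]
    pnum = int(proto) if proto.isdigit() else PROTO_NUM[proto]
    src, i = _addr(t, 4)
    _, i = _port(t, i)            # a source port is accepted but ignored here
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Entry(action, pnum, src, dst, dport, "log" in t[i:], line)


def parse_acl(text: str) -> List[Entry]:
    return [parse_entry(l) for l in text.strip().splitlines()]


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


def evaluate(entries: List[Entry], pkt: Packet):
    """Walk the list top to bottom and return (action, logged, matching line).
    Falling off the end is the implicit deny, which IOS does not log."""
    s, d = ip_int(pkt.src), ip_int(pkt.dst)
    for e in entries:
        if e.proto is not None and e.proto != pkt.proto:
            continue
        if not in_wildcard(s, *e.src) or not in_wildcard(d, *e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action, e.log, e.text
    return "deny", False, "(implicit deny at end of list)"


ACL = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 is a documentation range.
    for p in [Packet("203.0.113.5", "10.0.1.10", 6, 80),    # web, permitted
              Packet("203.0.113.5", "10.0.1.10", 6, 22),    # ssh, logged deny
              Packet("10.1.2.3", "10.0.1.10", 6, 80),       # spoofed RFC1918
              Packet("172.5.1.1", "10.0.1.10", 6, 80),      # outside 172.16/12
              Packet("198.51.100.255", "10.0.1.10", 6, 80)]:  # broadcast src
        print(p.src, "->", p.dst, p.dport, evaluate(ACL, p))
```

Running it shows the spoofed 10.1.2.3 and the broadcast-source packets hitting the logged bogon entries before the web permit is ever reached, the port-22 packet landing on the explicit `deny ip any any log`, and 172.5.1.1 being dropped by the 172.0.0.0 entry even though it is not an RFC 1918 address.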
