[c-nsp] open ports on a Cisco device & IOS hardening

Todd, Douglas M. DTODD at PARTNERS.ORG
Mon Apr 18 09:12:29 EDT 2005


Goh:

Try disabling your small udp/tcp servers:

no service tcp-small-servers
no service udp-small-servers

You might want to try looking at this url:

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

==DMT>

old>>-----Original Message-----
old>>From: cisco-nsp-bounces at puck.nether.net 
old>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of 
old>>Hank Nussbacher
old>>Sent: Saturday, April 16, 2005 15:28
old>>To: Cis Ckp; cisco-nsp at puck.nether.net
old>>Subject: Re: [c-nsp] open ports on a Cisco device & IOS hardening
old>>
old>>At 11:46 PM 16-04-05 +0800, Cis Ckp wrote:
old>>>Hi,
old>>>
old>>>
old>>>Someone from the security group would do an "open port" scan monthly for
old>>>the networks & servers.  For the Sun servers, we would usually do
old>>>"netstat -n" to see the "open ports" & then edit the inetd.conf to
old>>>close up unnecessary ports.
old>>>
old>>>Is there something similar for Cisco devices/routers, say, tweak
old>>>existing ACLs or create new ACLs so that the unnecessary ports are not
old>>>opened?  Besides ACLs, is there anything more I could do?  If anyone can
old>>>point to a url that explains these, I would appreciate it.
old>>>
old>>>Is the command to see the open ports on a Cisco device as
old>>>follows:
old>>
old>>This only shows TCP ports.  You also need 'sho ip sockets':
old>>
old>>TAU-gp1#sho ip sockets
old>>Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
old>>  17   --listen--          62.40.103.70     9875   0   0    1   0
old>>  17 128.139.197.70    514 192.114.99.250  53806   0   0   10   0
old>>  17 128.139.197.70     49 192.114.99.250     49   0   0   11   0
old>>  17   --listen--          224.0.1.40        496   0   0   31   0
old>>  17 0.0.0.0             0 62.40.103.70       67   0   0  489   0
old>>  17   --listen--          62.40.103.70      123   0   0    1   0
old>>  17 212.150.52.10   47836 192.114.99.250    161   0   0    1   0
old>>  17   --listen--          62.40.103.70      162   0   0    9   0
old>>  17   --listen--          62.40.103.70    58576   0   0    9   0
old>>
old>>protocol 17 is UDP.
old>>
old>>-Hank
old>>
old>>>
old>>>Router#sh tcp brief
old>>>TCB       Local Address           Foreign Address        (state)
old>>>637202B8  10.0.0.19.12298       172.16.112.29.49       ESTAB
old>>>6371C978  10.0.0.19.12238       172.16.112.29.49       ESTAB
old>>>636CB228  10.0.0.19.12081       172.16.112.29.49       CLOSEWAIT
old>>>
old>>>
old>>>Regards
old>>>Goh
old>>>
old>>>_______________________________________________
old>>>cisco-nsp mailing list  cisco-nsp at puck.nether.net 
old>>>https://puck.nether.net/mailman/listinfo/cisco-nsp
old>>>archive at http://puck.nether.net/pipermail/cisco-nsp/
old>>>
old>>
old>>
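As an added example (not code from anyone in the thread): a small Python script that does for IOS what Goh does with "netstat -n" on the Sun boxes. It parses the two outputs Hank points at, 'show ip sockets' for UDP and 'show tcp brief all' for TCP (the 'all' keyword is what adds the LISTEN rows; plain 'show tcp brief', as in Goh's output, shows only connections), and reports every listening port that is not on an allowlist, with the fix the thread mentions where one applies ('no service tcp/udp-small-servers'). The sample outputs, the allowlist, the port-name tables and the remediation hints are all constructed for this example and use RFC 5737 documentation addresses; the wildcard 0.0.0.0/0 remote is treated as a listener here, which is an assumption about that row, not something the thread states.

```python
"""Audit IOS 'show ip sockets' and 'show tcp brief all' output for listening
ports that are not on an allowlist.  Added example, not code from the thread;
the sample outputs below are constructed in the format the thread shows."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample of 'show ip sockets' (RFC 5737 addresses, layout as in the post).
SAMPLE_IP_SOCKETS = """\
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
  17   --listen--          192.0.2.1       9875   0   0    1   0
  17 198.51.100.7      514 192.0.2.1      53806   0   0   10   0
  17 198.51.100.7       49 192.0.2.1         49   0   0   11   0
  17   --listen--          224.0.1.40       496   0   0   31   0
  17 0.0.0.0             0 192.0.2.1         67   0   0  489   0
  17   --listen--          192.0.2.1        123   0   0    1   0
  17 203.0.113.9     47836 192.0.2.1        161   0   0    1   0
  17   --listen--          192.0.2.1        162   0   0    9   0
"""

# Constructed sample of 'show tcp brief all' ('all' is what adds the LISTEN rows).
SAMPLE_TCP_BRIEF_ALL = """\
TCB       Local Address           Foreign Address        (state)
637202B8  10.0.0.19.12298       172.16.112.29.49       ESTAB
636CB228  10.0.0.19.12081       172.16.112.29.49       CLOSEWAIT
63A1F0C0  *.23                  *.*                    LISTEN
63A1F2D0  *.80                  *.*                    LISTEN
"""

# IANA well-known names, used only to label findings.
UDP_NAMES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 49: "tacacs",
             67: "bootps", 69: "tftp", 123: "ntp", 161: "snmp", 162: "snmptrap",
             514: "syslog"}
TCP_NAMES = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen", 22: "ssh",
             23: "telnet", 80: "http", 443: "https"}
SMALL_SERVERS = {7, 9, 13, 19}   # what 'no service tcp/udp-small-servers' removes


@dataclass
class Listener:
    proto: str      # "tcp" or "udp"
    local: str
    port: int


def parse_ip_sockets(text: str) -> List[Listener]:
    """Return the UDP (protocol 17) listeners in 'show ip sockets' output.
    A '--listen--' row has no remote-port column, so its token layout differs;
    a 0.0.0.0 port 0 remote is a wildcard bind and is treated as listening here
    (assumption for this example)."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit() or int(tok[0]) != 17:
            continue                      # header, blank, or non-UDP row
        if tok[1] == "--listen--":
            out.append(Listener("udp", tok[2], int(tok[3])))
        elif tok[1] == "0.0.0.0" and tok[2] == "0":
            out.append(Listener("udp", tok[3], int(tok[4])))
    return out


def parse_tcp_brief(text: str) -> List[Listener]:
    """Return the LISTEN rows of 'show tcp brief all'.  Addresses are 'a.b.c.d.port'
    or '*.port', so the port is whatever follows the last dot."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == 4 and tok[3] == "LISTEN":
            addr, port = tok[1].rsplit(".", 1)
            out.append(Listener("tcp", addr, int(port)))
    return out


def audit(listeners: List[Listener],
          allowed: Set[Tuple[str, int]]) -> List[Tuple[Listener, str, str]]:
    """Flag every listener not in the (proto, port) allowlist, with a remediation hint."""
    findings = []
    for l in listeners:
        if (l.proto, l.port) in allowed:
            continue
        name = (UDP_NAMES if l.proto == "udp" else TCP_NAMES).get(l.port, "unknown")
        if l.port in SMALL_SERVERS:
            advice = f"no service {l.proto}-small-servers"
        elif l.proto == "tcp" and l.port == 23:
            advice = "prefer SSH: 'transport input ssh' on the vty lines"
        elif l.proto == "tcp" and l.port == 80:
            advice = "no ip http server"
        else:
            advice = "disable the owning service or restrict it with an interface ACL"
        findings.append((l, name, advice))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: services this router is expected to offer.
    allowed = {("udp", 123), ("udp", 161), ("udp", 67), ("tcp", 22)}
    found = parse_ip_sockets(SAMPLE_IP_SOCKETS) + parse_tcp_brief(SAMPLE_TCP_BRIEF_ALL)
    for l, name, advice in audit(found, allowed):
        print(f"{l.proto}/{l.port:<5} ({name:9}) on {l.local:<12} -> {advice}")
```

Run it against the saved output of both show commands instead of the embedded samples to get the monthly list; the allowlist is the part to maintain per device class, and anything it reports is either a service to turn off or a port that should be behind an ACL applied to the ingress interfaces or the vty lines.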


