CCIE Security - How to disable unused/unnecessary services

To detect and disable unnecessary services running on a Cisco IOS device, use the port-filter policy feature of Control Plane Protection (CPPr). Note the following constraints:

  • The classification and match criteria for the port-filter class-maps support only a constrained subset of the global MQC match criteria.
  • The actions supported by the port-filter service policy are limited: only the drop action is supported.
  • Some IOS TCP/UDP-based services, when configured, may not be auto-detected by the port filter; that is, they are not listed in the "show control-plane host open-ports" output and are not classified as open ports. Such a port must be manually added to the active port-filter class-map to remain unblocked when using the "closed-port" match criteria.

At the start of this exercise, the IOS router has detected a few open ports, including SSH (tcp/22), HTTP (tcp/80), Telnet (tcp/23) and BOOTP (udp/67).

router#show control-plane host open-ports    
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State   
tcp                 *:22                  *:0               SSH-Server   LISTEN   
tcp                 *:23                  *:0                   Telnet   LISTEN   
tcp                 *:23   161.44.52.179:2462                   Telnet ESTABLIS   
tcp                 *:80                  *:0                HTTP CORE   LISTEN   
udp               *:2067    255.255.255.255:0         IOS host service   LISTEN   
udp                 *:49     192.168.130.66:0           TACACS service   LISTEN   
udp              *:57554                  *:0                  IP SNMP   LISTEN   
udp                 *:67                  *:0            DHCPD Receive   LISTEN   
udp                *:161                  *:0                  IP SNMP   LISTEN   
udp                *:162                  *:0                  IP SNMP   LISTEN   
udp               *:1985                  *:0               cisco HSRP   LISTEN   
router#

The goal of our exercise is to block BOOTP.

router#

class-map type port-filter match-all BOOTP_TRAFFIC
 match port udp 67
 exit
policy-map type port-filter BOOTP_POLICY
 class BOOTP_TRAFFIC
  drop
  exit
control-plane host
 service-policy type port-filter input BOOTP_POLICY

In addition, you can issue "auto secure" and the router will be smart enough to disable unnecessary services on its own.
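The detection step above (reading "show control-plane host open-ports") and the port-filter configuration can be tied together in a small script: parse the show output, compare the listening ports against a baseline of services you intend to keep, and render a port-filter policy for the rest. This is an added example, not part of the original page; the sample output is constructed to match the format shown above, and the class-map, policy-map and baseline names are arbitrary.

```python
"""Parse 'show control-plane host open-ports' output and render a CPPr
port-filter policy dropping the listening ports not on an allow list."""
import re
from typing import List, Set, Tuple

# Constructed sample shaped like the show output above; not a real capture.
SAMPLE_OUTPUT = """\
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23   161.44.52.179:2462                   Telnet ESTABLIS
tcp                 *:80                  *:0                HTTP CORE   LISTEN
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
"""
# proto, local addr:port, foreign addr:port, service (may contain spaces), state
_ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(\S+)\s*$")
OpenPort = Tuple[str, int, str]  # (protocol, local port, service name)

def parse_open_ports(text: str) -> List[OpenPort]:
    """Distinct LISTEN sockets; an ESTABLIS row is a session on a port that is
    already listed, so it is skipped."""
    found: List[OpenPort] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m or m.group(7) != "LISTEN":
            continue
        entry = (m.group(1), int(m.group(3)), m.group(6))
        if entry not in found:
            found.append(entry)
    return found

def unexpected_ports(open_ports: List[OpenPort],
                     allowed: Set[Tuple[str, int]]) -> List[OpenPort]:
    """Listening ports that the (protocol, port) baseline does not account for."""
    return [p for p in open_ports if (p[0], p[1]) not in allowed]

def port_filter_config(class_name: str, policy_name: str,
                       ports: List[OpenPort]) -> str:
    """Same class-map / policy-map / control-plane host structure as the BOOTP
    example; match-any lets one class cover several ports (match-all would
    require a packet to hit all of them at once)."""
    lines = [f"class-map type port-filter match-any {class_name}"]
    lines += [f" match port {proto} {port}" for proto, port, _svc in ports]
    lines += [" exit", f"policy-map type port-filter {policy_name}",
              f" class {class_name}", "  drop", "  exit",
              "control-plane host",
              f" service-policy type port-filter input {policy_name}"]
    return "\n".join(lines)
```

With a baseline of {("tcp", 22), ("udp", 161)}, the sample yields a class-map matching tcp 23, tcp 80 and udp 67; review the rendered text against the device's actual role before pasting it in, since anything the port filter does not auto-detect (third bullet above) will not appear in the parsed output.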
