
ComWare Device Hardening Configuration template

!##### Enter System-View mode #####
system-view
!
!##### Standardize Login Banner #####
header login #
*****************************************************************************
!!! WARNING! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGIN UNDER PENALTY OF LAW !!!
<additional_banner_text_here>
*****************************************************************************
#
!
!
!##### Disable other banners not needed #####
undo copyright-info enable
undo header motd
undo header legal
undo header incoming
undo header shell
!
!
!##### Disable Unnecessary Services #####
undo ip http enable
undo telnet server enable
!
!
!##### SSH Configuration #####
ssh server enable
ssh server authentication-retries 3
ssh server authentication-timeout 60
!
!##### Optional: Generate SSH keys #####
!# WARNING! SSH keys should be created if this is a pristine network device (out of the box)
public-key local create dsa
1024
!
public-key local create rsa
1024
!
!
!##### Configure Local Administrator Account #####
local-user admin
!# WARNING! The password here should be entered in clear text (the configuration will save it encrypted)
password cipher <admin_password>
authorization-attribute level 3
service-type ssh terminal
quit
!
!##### Configure Super (enable) Password #####
!# WARNING! The password here should be entered in clear text (the configuration will save it encrypted)
super password level 3 cipher <super_password>
!
!
!##### Define Management Access-lists (ACLs) #####
!# WARNING! These ACLs are required to restrict access to the network device
acl number 2000 name Remote-Management-ACL
rule 10 remark # Network Administrator Workstation #
rule 10 permit source <admin_workstation_ip> 0
!# place additional rules if needed
quit
!
acl number 2001 name SNMP-Management-ACL
rule 10 remark # Network Monitoring Server #
rule 10 permit source <monitoring_server_ip> 0
!# place additional rules if needed
quit
!
!
!##### Device Login Access Configuration #####
! Secure remote access (only SSH allowed)
user-interface vty 0 15
undo user privilege level
authentication-mode scheme
protocol inbound ssh
!# WARNING! Enable below ACL only when confirmed operational to prevent lockout
!acl 2000 inbound
quit
!
! Secure auxiliary access
user-interface aux 0
authentication-mode scheme
quit
!
! Secure console access
user-interface con 0
authentication-mode scheme
quit
!
!
!##### Syslog Configuration #####
info-center enable
info-center loghost <syslog_server_ip>
info-center logbuffer size 1024
info-center trapbuffer size 1024
info-center timestamp loghost no-year-date
!
!
!##### SNMP version2 Configuration #####
snmp-agent
snmp-agent sys-info version v2c
snmp-agent sys-info location <device_location>
snmp-agent sys-info contact <device_administrator_contact_information>
snmp-agent community read <snmp_read_community_string> acl 2001
snmp-agent community write <snmp_write_community_string> acl 2001
!
!##### Timezone & NTP Configuration #####
!# WARNING! Important for troubleshooting and correlating network incidents
clock timezone <time_zone_string> [add/minus] <hour_offset>
ntp-service unicast-server <ntp_server_ip>
!
!
!##### Exit System-View mode #####
return

LLDP should not be enabled globally; enable it only on trusted interfaces.

Unnecessary services should be disabled:
  DHCP
  DNS

The following services must be disabled:
  HTTP
  Telnet

Timeout settings:
  Exec timeout
  Idle timeout

Banners:
  Warning banners

Timestamps:
  Logging timestamps

Configuration change notification should be enabled in logging:
  snmp-agent trap enable
