Router lockdown common best practices?

I have a 2911 and it is only being used for an IPSec tunnel and its traffic, and for our SSH access to manage it remotely. One interface faces the internet, and I've already encountered a rogue user in Japan accessing the router via a vty line, even though only 2 users were specified. I was shocked, first because it used a username that was not entered to access it; then, when I tried to cut the access off ('clear line ###'), they were able to regain access with another name immediately (from the same IP address) when I checked again ('show users'). I implemented an access-list to only allow remote SSH access from our office network, and the connection was cut off immediately.

What are common, best-practice commands for locking down the router without killing the necessary connections? It's a fairly new device. So far, I've disabled http ('no ip http server') and telnet access ('transport input ssh' on the vty lines) and, as I mentioned, inserted an access-list to only allow traffic to the vty lines from our network over the internet, but I want to ensure we're not being hacked by any other means especially in any way "under-the-radar". Had I not randomly run the 'show users' command I would not have known someone else was logged in, and I still can't figure out how they were able to under a username that did not exist. Any assistance would be appreciated.
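The following is an added example of a management-plane lockdown for an IOS router like the 2911, written to illustrate the steps above; it is not configuration from the original post. The office network 203.0.113.0/24, the syslog host 203.0.113.10, the username and the timer values are assumed placeholders. One check worth doing first: if a vty line is configured with `login` and a line password instead of `login local` or AAA, the username an SSH client sends is never checked, only the password is, and `show users` simply displays whatever name the client supplied. That is the most common reason an unknown username appears in `show users`, so confirm every vty line carries `login local` (or `aaa new-model` with a local or RADIUS/TACACS+ method) and that no `password` line remains on the vty lines.

```cisco
! Constructed example: management-plane hardening for an IOS router.
! 203.0.113.0/24, 203.0.113.10 and the username are assumed values.
!
! Local accounts only; secret is hashed rather than reversible.
username netadmin privilege 15 secret <strong-passphrase>
service password-encryption
!
! Only the office network may reach the vty lines; log everything else.
ip access-list standard MGMT-SSH
 permit 203.0.113.0 0.0.0.255
 deny   any log
!
! SSHv2 only, short handshake timeout, few retries.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! No HTTP/HTTPS management.
no ip http server
no ip http secure-server
!
! Apply the same policy to every vty line, not just 0-4.
line vty 0 4
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
line vty 5 15
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
!
! Lock out brute force for 2 minutes after 3 failures in 60 seconds,
! and log every login attempt so access is visible without 'show users'.
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! Send logs off-box and keep a buffer; record every config change.
logging buffered 64000
logging host 203.0.113.10
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Miscellaneous services that have no place on an internet-facing box.
no cdp run
no ip source-route
no ip bootp server
```

After applying it, `show login` confirms the lockout policy is active and `show ip access-lists MGMT-SSH` shows hit counts on the `deny any log` entry, which tells you how often the internet side is probing the vty lines even when nothing gets through. The `login on-success log` line is what would have surfaced the Japanese session in the syslog without anyone having to run `show users` by chance.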
