Tag: AAA

Cisco IOS Device Hardening: AAA, SSH, RADIUS, NTP, and Privilege

Working reference for Cisco IOS device-access hardening. It covers the bare-minimum local-auth setup (enable secret, login local, transport input ssh, access-class on VTY, service password-encryption, security passwords min-length), SSH configuration (2048-bit RSA, ip ssh version 2, public-key auth via pubkey-chain), brute-force defense with login block-for, the full AAA stack with RADIUS and the critical local fallback, NTP with authentication and a Loopback source-interface, privilege levels versus the modern parser-view RBAC alternative, and the 10-item hardening checklist (no Telnet, weak keys, missing fallback, default communities, etc.).