Old 07-25-2002, 06:36 PM   #1
hubergeek
Member
 
Registered: Mar 2002
Location: Hackensack, NJ.
Distribution: RedHat 7.0
Posts: 75

Rep: Reputation: 15
How to protect your router from attack


This may sound funny to some, but I just learned crackers can hack your router and get all kinds of privileges.

How can I protect my routers from being hacked?
 
Old 07-29-2002, 07:36 AM   #2
grubjo
LQ Newbie
 
Registered: Jul 2002
Posts: 19

Rep: Reputation: 0
Use the latest security patches and long passwords, disable all unused functions, and install as little software as possible on your router.
 
Old 07-30-2002, 11:31 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
First it depends on what type of router you have. In its cleanest form and for max performance it will just do the routing part, leaving filtering to a firewall and serving to servers.
Second it depends on what you're attacked with. If a TCP/UDP/ICMP DoS is directed at your router there isn't much you can do beyond filtering obvious spoofs like protocols that aren't allowed from the outside, private range/broad/multicast addresses and rate limiting before calling your upstream provider to set up some filters or close the pipe.
If OTOH your router is attacked using routing protocols you'll have to get into docs on those. I've included a Router security reference list below.
Also NSA and Cisco laid out some basic guidelines for router configuration, and even tho it's geared towards Cisco's, much on hardening the system and routing protocols applies to Linux as well.

*Btw, the "all that isn't specifically allowed is denied" mantra should be on your mind while hardening the router.

Elaborating on what Grubjo said I'll try and specify:
- harden your system (GRsecurity/LIDS kernel patches, monolithic, obscure /proc/sys flags)
- remove default passes (like SNMP strings, if used)
- remove non-system user accounts and restrict logins by host, (virtual) terminal and user.
- chattr +iu configs and system binaries
- remove unused software (look at what LRP provides)
- a router is not a server: remove services to a (DMZ) server

- if remotely managed do it thru OpenSSH, not telnet.
- if remotely managed and it's got a web interface, make it use SSL using https
- where possible set up trusted hosts that connections are allowed from, if managed with SNMP, only allow from the local net cuz of cleartext passwords.

- review what you're routing it with (gated, routed, zebra, bird, netfilter/iptables, routing protocols like RIP/OSPF)
- review what you're routing (routed protocols like for instance TCP/UDP/ICMP)
- review who you're routing it to (private range/broad/multicast filters, rate limiting)

- install a SIV like Aide or Tripwire, back up databases off site and check weekly.

- remote logging if possible
- backup cd for easy restoring after failure/break in

Some generic info:
CERT UNIX Security Checklist v2.0
Router specific:
NSA Security Recommendation Guides zipped pdf's,
Site Security Handbook rfc,
*also check its companion rfc 2350.
Routing security references.

Last edited by unSpawn; 07-30-2002 at 11:33 AM.
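
An added example, not part of unSpawn's post or the thread: one way to turn the filtering points above (default deny, dropping spoofed private/broadcast/multicast sources, rate limiting, SSH only from trusted hosts, /proc/sys flags) into an iptables ruleset on a Linux router. The interface name, the management network (a documentation range), the rate-limit values and the choice of sysctl flags are assumptions; the script prints the commands and applies them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny ingress rules for a Linux router.
# EXT_IF and MGMT_NET are assumed values; 192.0.2.0/24 is a documentation range.
EXT_IF="${EXT_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Sources that must never arrive on the outside interface: private ranges,
# loopback, link-local, multicast, and reserved space including broadcast.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4"

emit_rules() {
    ext="$1"; mgmt="$2"
    # Kernel flags: reverse-path check, no source routing or redirects,
    # ignore broadcast pings, SYN cookies against SYN floods.
    for kv in net.ipv4.conf.all.rp_filter=1 \
              net.ipv4.conf.all.accept_source_route=0 \
              net.ipv4.conf.all.accept_redirects=0 \
              net.ipv4.icmp_echo_ignore_broadcasts=1 \
              net.ipv4.tcp_syncookies=1; do
        echo "sysctl -w $kv"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Drop obviously spoofed sources, both to the router and through it.
    for net in $BOGONS; do
        echo "iptables -A INPUT -i $ext -s $net -j DROP"
        echo "iptables -A FORWARD -i $ext -s $net -j DROP"
    done
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Rate-limit pings; anything over the limit falls through to the policy.
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT"
    # Remote management: SSH only, and only from the trusted network.
    echo "iptables -A INPUT -p tcp -s $mgmt --dport 22 -m state --state NEW -j ACCEPT"
    # Default deny goes last so an existing SSH session survives the load.
    # The FORWARD policy is left alone: what may transit is site-specific.
    echo "iptables -P INPUT DROP"
}

# Dry run by default: print the commands for review; APPLY=1 runs them (root).
if [ "${APPLY:-0}" = 1 ]; then
    emit_rules "$EXT_IF" "$MGMT_NET" | sh -e
else
    emit_rules "$EXT_IF" "$MGMT_NET"
fi
```
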