login block-for…

self explanatory…

r3(config)#login block-for 60 att 2 with 30
r3(config)#do sh login
A default login delay of 1 seconds is applied.
No Quiet-Mode access list has been configured.

Router enabled to watch for login Attacks.                                                                                  
     If more than 2 login failures occur in 30 seconds or less,                                                                  
     logins will be disabled for 60 seconds.   

a basic list of common services that should be blocked globally:

service finger
service pad
service udp-small-servers
service tcp-small-servers
cdp run
ip bootp server
ip http server
ip finger
ip source-route
ip gratuitous-arps
ip identd

and on interfaces:

ip redirects
ip proxy-arp
ip unreachables
ip directed-broadcast
ip mask-reply
mop enabled (ethernet only)