Router#auto secure    AutoSecure (one-step hardening of the router)
####################################
Passwords
Boston(config)#security passwords min-length 10    enforce a minimum password length
Boston(config)#service password-encryption    encrypt all plaintext passwords in the configuration (type 7 obfuscation, not strong encryption)
Boston(config)#no service password-recovery    prevent console access to ROMMON (password recovery)
Set the failure rate (requires AAA)
Boston(config)#security authentication failure rate 10 log    configure how many unsuccessful login attempts are allowed; by default 10 failed logins are allowed before a 15-second delay is introduced, and a syslog message is generated when the threshold is exceeded
Boston(config)#login block-for 100 attempts 2 within 100    block login access for a period after a set number of failed attempts within a window (here: block for 100 seconds after 2 failures within 100 seconds); mitigates DoS attacks
Boston(config)#login quiet-mode access-class myacl    specify an ACL that is applied while the router is in quiet mode (hosts it permits can still log in)
Boston(config)#login delay 30    configure the delay between successive login attempts; mitigates dictionary attacks (the default delay is one second if not set)
Boston(config)#show login    display login parameters and failures
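A simulation of the login block-for / quiet-mode behaviour configured above, added here as an example (it is not Cisco code); the host addresses and attempt times are constructed, and the "within" window is modelled as a sliding window:

```python
from collections import deque

class LoginGuard:
    """Models: login block-for <block_for> attempts <attempts> within <within>
    plus login quiet-mode access-class (hosts in quiet_allow stay exempt)."""

    def __init__(self, block_for, attempts, within, quiet_allow=()):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.quiet_allow = set(quiet_allow)  # hosts permitted by the quiet-mode ACL
        self.failures = deque()              # timestamps of recent failed logins
        self.quiet_until = None              # end of quiet mode, None when not active

    def in_quiet_mode(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, now, src, credentials_ok):
        """Return 'blocked', 'allowed' or 'failed' for one login attempt."""
        if self.in_quiet_mode(now) and src not in self.quiet_allow:
            return "blocked"                 # quiet mode: no login processing at all
        if self.quiet_until is not None and now >= self.quiet_until:
            self.quiet_until = None          # quiet period over, counters start fresh
            self.failures.clear()
        if credentials_ok:
            return "allowed"
        self.failures.append(now)
        while now - self.failures[0] > self.within:   # drop failures outside the window
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for   # enter quiet mode
            self.failures.clear()
        return "failed"

# Constructed attempt log: (time in seconds, source host, credentials valid?)
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", False),
    (50, "203.0.113.5", False),    # second failure inside 100 s -> quiet mode
    (60, "203.0.113.5", True),     # correct password, but the router is quiet
    (60, "10.0.0.110", True),      # management host permitted by myacl
    (160, "203.0.113.5", True),    # quiet period (100 s) has expired
]

def run_sample():
    guard = LoginGuard(block_for=100, attempts=2, within=100, quiet_allow={"10.0.0.110"})
    return [guard.attempt(t, src, ok) for t, src, ok in SAMPLE_ATTEMPTS]
```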
Set timeouts
Boston(config)#line console 0
Boston(config-line)#exec-timeout 3 30    terminate an idle console/aux connection after 3 minutes 30 seconds
Set multiple privilege levels
Boston(config)#privilege exec level 2 ping    move the ping command to privilege level 2
Boston(config)#enable secret level 2 Patriot    set the enable secret for privilege level 2
Configure banner messages
Boston(config)#banner motd % WARNING: You are connected to (hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
Configure role-based CLI access (views)
Boston(config)#aaa new-model
Boston(config)#exit
Boston#enable view
Boston#configure terminal
Boston(config)#parser view monitor_view
Boston(config-view)#password 5 hErMeNe%GiLdE!
Boston(config-view)#commands exec include show version    add commands or interfaces to the view
Boston(config)#parser view monitor_audit superview    a superview must be declared with the superview keyword
Boston(config-view)#password 5 AnA6TaSiA$
Boston(config-view)#view monitor_view
Boston(config-view)#view audit_view    add views to a superview
show parser view [all]
debug parser view
Configuration file security (IOS resilient configuration)
Boston(config)#secure boot-image    enable IOS image resilience (recovery)
Boston(config)#secure boot-config    store a secure copy of the primary bootset in persistent storage
show secure bootset    display the state of configuration resilience and the primary bootset filename
##############################################
Mitigating threats and attacks with ACLs
access-list 10 permit 192.168.3.0 0.0.0.255    standard ACL, source-based
access-list 101 permit tcp 172.31.9.0 0.0.0.255 any eq 80    extended ACL, based on several attributes: protocol type, IP addresses, port
Filtering network traffic to mitigate threats
IP address spoofing mitigation: inbound (internal addresses must not arrive from outside)
R2(config)#access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
R2(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R2(config)#access-list 150 deny ip host 255.255.255.255 any log
R2(config)#access-list 150 permit ip any 10.2.1.0 0.0.0.255
R2(config)#interface e0/0
R2(config-if)#ip access-group 150 in
R2(config-if)#exit
IP address spoofing mitigation: outbound (only internal source addresses may leave)
R2(config)#access-list 105 permit ip 10.2.1.0 0.0.0.255 any
R2(config)#access-list 105 deny ip any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 105 in
R2(config-if)#end
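To check what the inbound anti-spoofing ACL above actually does, here is an added evaluator (not Cisco code) that parses the ip entries of ACL 150, applies IOS wildcard-mask matching with first-match semantics and the implicit deny, and returns the action and whether the entry logs; the test packet addresses are constructed:

```python
import ipaddress

# Constructed copy of ACL 150 from the notes (prompts stripped).
ACL_150 = """
access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 10.2.1.0 0.0.0.255
"""

def ip_int(a):
    return int(ipaddress.IPv4Address(a))

def parse_addr(tok):
    """Pop one address spec from tok: 'any', 'host A', or 'A WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return ip_int(tok.pop(0)), 0
    return ip_int(t), ip_int(tok.pop(0))

def matches(spec, addr):
    # A wildcard bit of 1 means "don't care"; only bits set to 0 are compared.
    net, wc = spec
    care = 0xFFFFFFFF ^ wc
    return ip_int(addr) & care == net & care

def parse_acl(text, number):
    """Return [(action, src_spec, dst_spec, logged)] for the 'ip' entries of one ACL."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 5 and tok[:2] == ["access-list", str(number)] and tok[3] == "ip":
            action, rest = tok[2], tok[4:]
            rules.append((action, parse_addr(rest), parse_addr(rest), "log" in rest))
    return rules

def evaluate(rules, src, dst):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, s, d, logged in rules:
        if matches(s, src) and matches(d, dst):
            return action, logged
    return "deny", False
```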
DoS TCP SYN attack mitigation by blocking external access (only established TCP sessions are allowed in)
R2(config)#access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established
R2(config)#access-list 109 deny ip any any log
R2(config)#interface e0/0
R2(config-if)#ip access-group 109 in
R2(config-if)#end
DoS TCP SYN attack mitigation with TCP Intercept
R2(config)#ip tcp intercept list 110
R2(config)#access-list 110 permit tcp any 10.2.1.0 0.0.0.255
R2(config)#access-list 110 deny ip any any
R2(config)#interface e0/0
R2(config-if)#ip access-group 110 in
R2(config-if)#end
no ip directed-broadcast    disable directed broadcasts; the ACLs below also drop packets sent to the subnet broadcast addresses
R2(config)#access-list 111 deny ip any host 10.2.1.255 log
R2(config)#access-list 111 permit ip any 10.2.1.0 0.0.0.255 log
R2(config)#access-list 112 deny ip any host 10.1.1.255 log
R2(config)#access-list 112 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)#interface e0/0
R2(config-if)#ip access-group 111 in
R2(config-if)#exit
R2(config)#interface e0/1
R2(config-if)#ip access-group 112 in
R2(config-if)#end
Filtering inbound ICMP messages (note: ACL number 112 is also used above for the directed-broadcast filter on e0/1; on a real device use a different number for one of them, since entries with the same number are appended to one ACL)
access-list 112 deny icmp any any echo log
access-list 112 deny icmp any any redirect log
access-list 112 deny icmp any any mask-request log
access-list 112 permit icmp any 10.2.1.0 0.0.0.255
(access-list 112 permit icmp host 10.0.0.138 host 10.0.0.101
access-list 112 permit icmp host 10.0.0.101 host 10.0.0.138)
R2(config)#interface e0/0
R2(config-if)#ip access-group 112 in
R2(config-if)#end
Filtering outbound ICMP messages
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any echo
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any parameter-problem
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any source-quench
R2(config)#access-list 114 deny icmp any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 114 in
R2(config-if)#end
Filtering UDP Traceroute Messages
R2(config)#access-list 120 deny udp any any range 33400 34400 log
R2(config)#access-list 120 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)#interface e0/1
R2(config-if)#ip access-group 120 in
R2(config-if)#end
Mitigating distributed DoS attacks
#############################################################################
Configuring SSH for secure management and reporting
Austin2#configure terminal
Austin2(config)#ip domain-name cisco.com
Austin2(config)#crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled    (SSH 1.5 in this log means SSHv1; in practice SSHv2 should be required)
Austin2(config)#ip ssh timeout 120
Austin2(config)#ip ssh authentication-retries 4
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet
Austin2(config-line)#transport input ssh
Austin2(config-line)#end
Logging
R3(config)#logging 10.0.0.110    syslog host
R3(config)#logging trap informational    severity level (informational is level 6; this level and all more severe messages are sent)
R3(config)#logging source-interface fa0/0    source interface
R3(config)#logging on    enable logging
Install the syslog client software on 10.0.0.110
SNMP
NTP
#############################################################################
AAA
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.229.76 single-connection
Router(config)#tacacs-server key share1
Router(config)#radius-server host 192.178.229.76
Router(config)#radius-server key shared1
Router(config)#aaa authentication login default group tacacs+ local line    login authentication: TACACS+ first, then the local user database, then the line password; the next method is used only when the previous one does not respond, not when it rejects the credentials
Router#debug aaa authentication
Router(config)#aaa authorization exec default group radius local none    EXEC authorization: RADIUS, then local, then no authorization
Router#debug aaa authorization
R2(config)#aaa accounting exec default start-stop group tacacs+    EXEC accounting: send start and stop records to TACACS+
Router#debug aaa accounting
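The method-list order in the aaa authentication login command above matters: IOS moves to the next method only when the current one returns an error (for example the TACACS+ server is unreachable), not when it rejects the credentials. An added, simplified model of that walk (not Cisco code; user names, passwords and server behaviour are constructed):

```python
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR: the method gave no answer

def run_method_list(methods, backends, user, password):
    """Walk a method list the way IOS does: a definite PASS or FAIL from a method
    ends the search; only ERROR (no answer) falls through to the next method."""
    for name in methods:
        result = backends[name](user, password)
        if result != ERROR:
            return result, name
    return FAIL, None            # every method errored: the login is denied

def tacacs_backend(reachable, users):
    # Simplified TACACS+ server: unreachable -> ERROR, otherwise PASS/FAIL
    def check(user, password):
        if not reachable:
            return ERROR
        return PASS if users.get(user) == password else FAIL
    return check

def local_backend(users):
    # Simplified local database: wrong or unknown credentials are modelled as FAIL
    return lambda user, password: PASS if users.get(user) == password else FAIL

def line_backend(line_password):
    # Line password: the user name is ignored
    return lambda user, password: PASS if password == line_password else FAIL

# Constructed credential stores; "group tacacs+ local line" as in the notes
TACACS_USERS = {"alice": "T@cacsPw1"}
LOCAL_USERS = {"admin": "L0calPw!"}
METHODS = ["tacacs+", "local", "line"]

def backends_for(tacacs_reachable):
    return {"tacacs+": tacacs_backend(tacacs_reachable, TACACS_USERS),
            "local": local_backend(LOCAL_USERS),
            "line": line_backend("LinePw#1")}

def login(user, password, tacacs_reachable=True):
    return run_method_list(METHODS, backends_for(tacacs_reachable), user, password)
```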
#############################################################################
Firewalls
Packet filtering (stateless; only established TCP sessions are permitted in)
Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
Firewall implementation
Configuring the firewall (ip inspect) from the command line
Router(config)#logging on
Router(config)#logging host 10.0.0.3
Router(config)#ip inspect audit-trail    enable audit-trail messages for sessions via syslog
Router(config)#no ip inspect alert-off    enable real-time alerts
Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Router(config)#interface e0/0
Router(config-if)#ip inspect FWRULE in    apply the inspection rule to the interface in the inbound direction
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all    display inspection rules, interface configuration, sessions and statistics
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
debug ip inspect detail    global debugging
debug ip inspect protocol    protocol-specific debugging
Basic and Advanced Firewall wizards
2 interfaces
3 interfaces
SDM (Security Device Manager)