Cisco IOS Cookbook, Chinese abridged edition: Chapter 27, Security (final part)

Wangchao (other) · Author: anonymous  2008-05-31

27.1. Using AutoSecure

Problem: You want a quick, mostly automatic way to harden your router.

Solution

Router2#auto secure

--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***

AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed

explanation of how the configuration changes enhance security

and any possible side effects, please refer to Cisco.com for

Autosecure documentation.

At any prompt you may enter '?' for help.

Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

<Removed for brevity>

Discussion: Beginning with IOS 12.3(1), the AutoSecure feature hardens the router automatically by walking you through a series of questions. Below is an example of the configuration it generates. Review that output before accepting it unchanged: the "enable password 7" line is a reversibly encoded (type 7) password, so configure an "enable secret" instead, and the VTY lines still accept Telnet alongside SSH ("transport input ssh telnet"); once SSH is verified to work, restrict them to "transport input ssh".

Router2#show auto secure config

no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption

service tcp-keepalives-in

service tcp-keepalives-out

no cdp run

no ip bootp server

no ip http server

no ip finger

no ip source-route

no ip gratuitous-arps

no snmp-server community public

no snmp-server community private

banner ^C Test ^C

security passwords min-length 6

security authentication failure rate 10 log

enable password 7 00071A1507545B54

aaa new-model

aaa authentication login local_auth local

line con 0

login authentication local_auth

exec-timeout 5 0

transport output telnet

line aux 0

login authentication local_auth

exec-timeout 10 0

transport output telnet

line vty 0 6

login authentication local_auth

transport input telnet

login block-for 5 attempts 5 within 6

crypto key generate rsa general-keys modulus 1024

ip ssh time-out 60

ip ssh authentication-retries 2

line vty 0 6

transport input ssh telnet

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

logging facility local2

logging trap debugging

service sequence-numbers

logging console critical

logging buffered

interface FastEthernet0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

!

interface Serial0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

!

ip cef

Router2#
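As an added example (not from the Cookbook and not Cisco code), the following Python script audits a running-config against the AutoSecure baseline shown above. It splits the config into global, interface and line sections, lists which of the hardening commands are absent, and flags settings that AutoSecure's own output still leaves weak (a type 7 enable password, reversible user passwords, default SNMP communities, Telnet on the VTYs). The sample config, the required-command lists and the finding strings are constructed for this example. One caveat: commands that are the default on your IOS version (for instance "no ip directed-broadcast" on recent releases) are not shown by "show running-config", so feed the checker "show running-config all" output where available or expect those to be reported as missing.

```python
import re

# Global commands that the 'show auto secure config' output above is expected
# to leave in the running-config. The last two are matched as prefixes because
# they carry arguments ('security passwords min-length 6', 'login block-for ...').
REQUIRED_GLOBALS = [
    "no service finger", "no service pad",
    "no service udp-small-servers", "no service tcp-small-servers",
    "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out",
    "no cdp run", "no ip bootp server", "no ip http server",
    "no ip source-route",
    "security passwords min-length", "login block-for",
    "aaa new-model",
]

# Per-interface commands from the same output.
REQUIRED_IFACE = [
    "no ip redirects", "no ip proxy-arp", "no ip unreachables",
    "no ip directed-broadcast",
]

# Constructed running-config: partially hardened, with several weak spots left in.
SAMPLE_CONFIG = """\
version 12.3
service password-encryption
no service pad
no service udp-small-servers
no service tcp-small-servers
hostname Router2
!
enable password 7 00071A1507545B54
username admin password 0 test123
!
aaa new-model
no ip http server
ip cef
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
!
snmp-server community public RO
line vty 0 4
 login authentication local_auth
 transport input ssh telnet
!
end
"""


def parse_config(text):
    """Split a running-config into global lines, interface sections and line sections."""
    globals_, ifaces, lines = [], {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section = None
            continue
        if line.startswith(" "):            # indented: sub-command of the open section
            if section is not None:
                section.append(line.strip())
            continue
        section = None
        if line.startswith("interface "):
            section = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("line "):
            section = lines.setdefault(line.split(None, 1)[1], [])
        else:
            globals_.append(line)
    return globals_, ifaces, lines


def audit_config(text):
    """Return a list of findings; an empty list means the config matches the baseline."""
    globals_, ifaces, lines = parse_config(text)
    findings = []
    for req in REQUIRED_GLOBALS:
        if not any(g == req or g.startswith(req + " ") for g in globals_):
            findings.append(f"missing global: {req}")
    for name, body in ifaces.items():
        for req in REQUIRED_IFACE:
            if req not in body:
                findings.append(f"{name}: missing {req}")
    for g in globals_:
        if g.startswith("enable password "):
            findings.append("weak: enable password is type 0/7 (reversible); use enable secret")
        m = re.match(r"username (\S+) password ", g)
        if m:
            findings.append(f"weak: username {m.group(1)} uses a reversible password; use secret")
        if re.match(r"snmp-server community (public|private)\b", g):
            findings.append(f"weak: default SNMP community string in '{g}'")
    for name, body in lines.items():
        for cmd in body:
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append(f"line {name}: Telnet accepted ({cmd}); prefer transport input ssh")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved "show running-config" (or "show running-config all") file instead of SAMPLE_CONFIG to get the gap list for a real device; the finding strings are stable, so they can be fed straight into a ticket or a compliance diff.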

27.2. Using Context-Based Access Control (CBAC)

Problem: You want the router to perform firewall-style, stateful filtering.

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 166 deny ip any any

Router1(config)#access-list 167 permit tcp any any eq telnet

Router1(config)#ip inspect name Telnet tcp

Router1(config)#interface Serial0/1

Router1(config-if)#ip access-group 166 in

Router1(config-if)#ip access-group 167 out

Router1(config-if)#ip inspect Telnet out

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: This requires an IOS image that includes the IOS Firewall feature set. CBAC provides firewall-style stateful inspection: it watches sessions started in the inspected direction and dynamically adds temporary access-list entries that permit the matching return traffic. In the example above, ACL 166 denies all inbound traffic on Serial0/1, yet the reply packets of a Telnet session opened from inside are allowed back in:

Router1#show ip inspect sessions

Established Sessions

Session 821061C0 (172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN

Router1#

The passive FTP problem mentioned earlier can also be solved safely with this method, because the FTP inspector reads the control channel and opens only the negotiated data connection:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 155 permit tcp any any eq ftp

Router1(config)#access-list 155 deny ip any any

Router1(config)#ip inspect name TEST ftp

Router1(config)#interface Serial0/0

Router1(config-if)#ip access-group 155 in

Router1(config-if)#ip inspect TEST in

Router1(config-if)#exit

Router1(config)#end

Router1#

Router1#show ip access-list 155

Extended IP access list 155

permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)

permit tcp any any eq ftp (151 matches)

deny ip any any (3829 matches)

Router1#

Timers for the different session types can also be tuned; for example, to age out idle TCP sessions after 30 minutes, idle UDP sessions after 20 seconds, and to shorten the FIN-wait and SYN-wait periods:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip inspect tcp idle-time 1800

Router1(config)#ip inspect udp idle-time 20

Router1(config)#ip inspect tcp finwait-time 1

Router1(config)#ip inspect tcp synwait-time 15

Router1(config)#end

Router1#

Use show ip inspect config to display the current CBAC configuration.

Session logging is also supported; add the audit-trail keyword to the inspection rule: ip inspect name Telnet tcp audit-trail on
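To make the stateful behaviour concrete, here is an added Python model (not Cisco code and not from the Cookbook) of the first configuration in this recipe: ACL 167 permits outbound Telnet, ACL 166 denies everything inbound, and inspection applied outbound creates a session entry that admits only the matching return packets. It also applies the TCP idle-time from the timer configuration above, so a reply that arrives after the session has idled out is denied again. The packets, addresses and state names are constructed, and the state machine is a simplification of the router's (real CBAC tracks the full TCP handshake and has per-protocol timers).

```python
from collections import namedtuple

# A packet as seen on Serial0/1: direction is "out" (leaving) or "in" (arriving).
Packet = namedtuple("Packet", "direction proto src sport dst dport flags")


def acl_permits(acl, pkt):
    """Ordered ACL of (action, proto, dport); first match wins, implicit deny at the end."""
    for action, proto, dport in acl:
        if proto in ("ip", pkt.proto) and dport in (None, pkt.dport):
            return action == "permit"
    return False


ACL_166_IN = [("deny", "ip", None)]      # access-list 166 deny ip any any
ACL_167_OUT = [("permit", "tcp", 23)]    # access-list 167 permit tcp any any eq telnet


class CbacInterface:
    """Serial0/1 with ACL 166 in, ACL 167 out and 'ip inspect Telnet out'."""

    def __init__(self, inspect_protos=("tcp",), tcp_idle_time=1800):
        self.inspect_protos = set(inspect_protos)
        self.tcp_idle_time = tcp_idle_time        # 'ip inspect tcp idle-time 1800'
        self.sessions = {}                        # 5-tuple -> [state, last_seen]

    def _expire(self, now):
        """Remove sessions that have been idle longer than the TCP idle timer."""
        for key, (_, seen) in list(self.sessions.items()):
            if now - seen > self.tcp_idle_time:
                del self.sessions[key]

    def handle(self, pkt, now=0):
        """Return 'permit' or 'deny' for one packet, updating the session table."""
        self._expire(now)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if not acl_permits(ACL_167_OUT, pkt):
                return "deny"
            if pkt.proto in self.inspect_protos:
                # inspection creates (or refreshes) the session entry
                state = self.sessions.get(fwd, ["SIS_OPENING", now])[0]
                self.sessions[fwd] = [state, now]
            return "permit"
        # Inbound: the dynamic session table is consulted before the static ACL.
        if rev in self.sessions:
            if {"FIN", "RST"} & set(pkt.flags):
                del self.sessions[rev]            # teardown removes the entry
            else:
                self.sessions[rev] = ["SIS_OPEN", now]
            return "permit"
        return "permit" if acl_permits(ACL_166_IN, pkt) else "deny"

    def show_sessions(self):
        """Lines in the spirit of 'show ip inspect sessions'."""
        return [f"({s}:{sp})=>({d}:{dp}) {p} {st}"
                for (p, s, sp, d, dp), (st, _) in self.sessions.items()]


def demo():
    """Constructed traffic: one outbound Telnet session, one unsolicited inbound probe,
    and a late reply that arrives after the idle timer has expired."""
    fw = CbacInterface()
    results = [
        fw.handle(Packet("out", "tcp", "172.25.1.1", 1379, "10.2.2.2", 23, ("SYN",)), now=0),
        fw.handle(Packet("in", "tcp", "10.2.2.2", 23, "172.25.1.1", 1379, ("SYN", "ACK")), now=1),
        # unsolicited inbound SSH attempt: no session entry, so ACL 166 denies it
        fw.handle(Packet("in", "tcp", "10.2.2.2", 40000, "172.25.1.1", 22, ("SYN",)), now=2),
        # reply 1801 s after the last packet: session aged out, denied again
        fw.handle(Packet("in", "tcp", "10.2.2.2", 23, "172.25.1.1", 1379, ("ACK",)), now=1802),
    ]
    return results, fw.show_sessions()


if __name__ == "__main__":
    print(demo())
```

The order of checks in handle() is the point of the recipe: a packet that matches an existing session never reaches the static inbound ACL, which is why "deny ip any any" inbound does not break sessions the inside opened.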

27.3. Transparent IOS Firewall

Problem: You want to run the router as a Layer 2 (transparent) firewall.

Solution

First configure Integrated Routing and Bridging (IRB) so that the two interfaces are bridged and the router keeps a management address on the BVI:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#bridge 1 protocol ieee

Router1(config)#interface FastEthernet0/0

Router1(config-if)#bridge-group 1

Router1(config-if)#interface FastEthernet0/1

Router1(config-if)#bridge-group 1

Router1(config-if)#exit

Router1(config)#bridge irb

Router1(config)#bridge 1 route ip

Router1(config)#interface BVI1

Router1(config-if)#ip address 172.25.1.101 255.255.255.0

Router1(config-if)#no shutdown

Router1(config-if)#end

Router1#

Next, configure the firewall's inspection rule and ACLs. Here TCP sessions entering FastEthernet0/0 are inspected, ACL 111 blocks Telnet to 172.25.1.102 from that side, and ACL 112 denies everything arriving on FastEthernet0/1 except the return traffic that inspection opens dynamically:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip inspect name OREILLY tcp

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip inspect OREILLY in

Router1(config-if)#exit

Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23

Router1(config)#access-list 111 permit ip any any

Router1(config)#access-list 112 deny ip any any

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip access-group 111 in

Router1(config-if)#interface FastEthernet0/1

Router1(config-if)#ip access-group 112 in

Router1(config-if)#end

Router1#

Discussion: Starting with 12.3(7)T, IOS supports this Layer 2, or transparent, firewall. Because the router bridges rather than routes between the two interfaces, it can be inserted into an existing segment without renumbering anything; filtering is still done with CBAC, so the inspection rules and ACLs behave as in the previous recipe.

27.4. Preventing Denial-of-Service Attacks

Problem: You want to protect servers from SYN floods by limiting half-open connections.

Solution

Router1#configure terminal

Router1(config)#access-list 109 permit ip any host 192.168.99.2

Router1(config)#ip tcp intercept list 109

Router1(config)#ip tcp intercept max-incomplete high 10

Router1(config)#ip tcp intercept one-minute high 15

Router1(config)#ip tcp intercept max-incomplete low 5

Router1(config)#ip tcp intercept one-minute low 10

Router1(config)#end

Router1#

Discussion: Besides the thresholds above, you can also control the drop mode, the watch timeout and whether the router intercepts connections itself (intercept mode) or merely watches them and resets those that do not complete (watch mode):

Router1(config)#ip tcp intercept drop-mode random

Router1(config)#ip tcp intercept watch-timeout 15

Router1(config)#ip tcp intercept mode watch

A useful command for checking the counters is:

Router1#show tcp intercept statistics

Intercepting new connections using access-list 109

9 incomplete, 1 established connections (total 10)

8 connection requests per minute

Router1#
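The high and low watermarks above are easier to reason about in code. The following Python class is an added example (not Cisco's implementation and not from the Cookbook) that models TCP Intercept's two counters, the number of half-open connections and the number of connection attempts in the last minute, and switches into aggressive mode when either exceeds its high value, dropping back only when both fall below their low values. In aggressive mode every new SYN evicts one existing half-open connection (the oldest, or a random one for drop-mode random) and the watch timeout is halved. The timing and the SYN flood fed into it are constructed; the defaults mirror the recipe's values.

```python
import random
from collections import deque


class TcpIntercept:
    """Watch-mode counters and aggressive-mode switching of 'ip tcp intercept'."""

    def __init__(self, max_incomplete_high=10, max_incomplete_low=5,
                 one_minute_high=15, one_minute_low=10,
                 watch_timeout=30, drop_mode="oldest", seed=0):
        self.mi_high, self.mi_low = max_incomplete_high, max_incomplete_low
        self.om_high, self.om_low = one_minute_high, one_minute_low
        self.watch_timeout = watch_timeout
        self.drop_mode = drop_mode
        self.rng = random.Random(seed)          # only used for drop-mode random
        self.half_open = []                     # (arrival time, key), oldest first
        self.attempts = deque()                 # arrival times of SYNs in the last 60 s
        self.aggressive = False
        self.dropped = []                       # keys of connections the router reset

    def _rate(self, now):
        """Connection attempts seen in the last minute."""
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()
        return len(self.attempts)

    def _expire(self, now):
        """Reset half-open connections older than the watch timeout (halved when aggressive)."""
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        keep = []
        for t, key in self.half_open:
            if now - t > timeout:
                self.dropped.append(key)
            else:
                keep.append((t, key))
        self.half_open = keep

    def _update_mode(self, now):
        rate, n = self._rate(now), len(self.half_open)
        if not self.aggressive and (n > self.mi_high or rate > self.om_high):
            self.aggressive = True          # either 'high' threshold exceeded
        elif self.aggressive and n < self.mi_low and rate < self.om_low:
            self.aggressive = False         # both counters back under their 'low' values

    def syn(self, now, key):
        """A SYN to a host matched by the intercept ACL. Returns the mode after it."""
        self.attempts.append(now)
        self._expire(now)
        self._update_mode(now)
        if self.aggressive and self.half_open:
            # each new SYN in aggressive mode evicts one existing half-open connection
            idx = 0 if self.drop_mode == "oldest" else self.rng.randrange(len(self.half_open))
            self.dropped.append(self.half_open.pop(idx)[1])
        self.half_open.append((now, key))
        return self.aggressive

    def established(self, key):
        """Handshake completed: the connection leaves the half-open list."""
        self.half_open = [(t, k) for t, k in self.half_open if k != key]


def demo():
    """Constructed SYN flood: 14 sources open connections one second apart and never
    complete them, eight of them complete later, then one SYN arrives a minute after."""
    ti = TcpIntercept()                  # the recipe's values: high 10/15, low 5/10
    modes = [ti.syn(now=i, key=f"src{i}") for i in range(14)]
    first_aggressive = modes.index(True)
    dropped_during_flood = list(ti.dropped)
    half_open_after_flood = len(ti.half_open)
    for i in range(3, 11):               # eight of the survivors finish their handshakes
        ti.established(f"src{i}")
    mode_after_quiet = ti.syn(now=80, key="late")
    return {
        "first_aggressive_syn": first_aggressive,
        "dropped_during_flood": dropped_during_flood,
        "half_open_after_flood": half_open_after_flood,
        "mode_after_quiet": mode_after_quiet,
        "dropped_total": list(ti.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

With the recipe's thresholds the router goes aggressive on the twelfth SYN (the eleventh half-open connection exceeds max-incomplete high 10), resets the three oldest as more arrive, and falls back to normal only once both the half-open count and the one-minute rate are under their low values; a low setting that is not comfortably below the high one makes the router flap between modes.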

27.5. Inspecting Applications on Nonstandard Ports

Problem: You want CBAC to inspect an application that runs on a port other than its well-known one.

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#ip port-map http port tcp 8000

Router1(config)#end

Router1#

Discussion: Port-to-Application Mapping (PAM) can also be limited to specific hosts with a standard ACL; here port 8080 is treated as HTTP only for traffic involving 10.1.2.14, while the mapping of port 8000 above applies to all hosts:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 22 permit host 10.1.2.14

Router1(config)#ip port-map http port 8080 list 22

Router1(config)#end

Router1#

Router1#show ip port-map http

Default mapping: http tcp port 80 system defined

Default mapping: http tcp port 8000 user defined

Host specific: http tcp port 8080 in list 22 user defined

27.6. Intrusion Detection and Prevention

Problem: You want to use the router's built-in intrusion detection to block attacks.

Solution

Before 12.3(8)T the feature was called IDS and is configured with ip audit:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 21 deny 192.168.100.205

Router1(config)#access-list 21 permit any

Router1(config)#ip audit notify log

Router1(config)#ip audit info action alarm drop reset

Router1(config)#ip audit attack action alarm drop reset

Router1(config)#ip audit smtp spam 10

Router1(config)#ip audit signature 1107 disable

Router1(config)#ip audit signature 2004 disable

Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset

Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip audit COOKBOOK in

Router1(config-if)#exit

Router1(config)#end

Router1#

From 12.3(8)T on it is called IPS and is configured with ip ips:

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#access-list 21 deny 192.168.100.205

Router1(config)#access-list 21 permit any

Router1(config)#ip ips name NEOSHI list 21

Router1(config)#ip ips signature 4050 disable

Router1(config)#ip ips fail closed

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip ips NEOSHI in

Router1(config-if)#exit

Router1(config)#end

Router1#

Discussion: Verify that the rule is applied and see which signatures have been checked with show ip ips statistics:

Router1#show ip ips statistics

Signature statistics [process switch:fast switch]

signature 4050:0 packets checked: [0:85]

Interfaces configured for ips 1

Session creations since subsystem startup or last reset 0

Current session counts (estab/half-open/terminating) [0:0:0]

Maxever session counts (estab/half-open/terminating) [0:0:0]

Last session created never

Last statistic reset never

27.7. Login Password Retry Lockout

Problem: You want to stop brute-force guessing of login passwords.

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#username kwiley password test123

Router1(config)#aaa new-model

Router1(config)#aaa authentication login local_auth local

Router1(config)#aaa local authentication attempts max-fail 6

Router1(config)#line vty 0 4

Router1(config-line)#login authentication local_auth

Router1(config-line)#end

Router1#

Discussion: Beginning with 12.3(14)T, the number of failed login attempts for a local user can be capped; after max-fail failures the account is locked until an administrator clears it with: Router1#clear aaa local user lockout username kwiley. Keep in mind that an attacker who knows a valid username can deliberately trigger the lockout and deny that user access, so combine this with the login block-for rate limiting from recipe 27.1 and watch the login-failure logs. Also note that "username kwiley password test123" is stored reversibly (type 7 once service password-encryption is on); use the secret keyword where your IOS supports it.
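Because the lockout counter in this recipe is cumulative (it is not reset by time, only by the clear command), a handful of deliberate failures against a known username is enough to lock a legitimate user out. The added Python example below (not from the Cookbook and not Cisco code) reads login-failure syslog lines, reports which accounts have reached the max-fail threshold and which sources caused it, flags sources that try many different usernames, and emits the matching clear commands. The log lines are constructed, and the %SEC_LOGIN-4-LOGIN_FAILED message layout is assumed from IOS login-enhancement logging; adjust the regex to what your router actually logs.

```python
import re
from collections import Counter, defaultdict

# Assumed message format (IOS login enhancements); verify against your own logs.
LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]"
)

# Constructed sample: (user, source) pairs expanded into syslog lines below.
SAMPLE_EVENTS = (
    [("kwiley", "10.1.1.50")] * 7            # brute force against kwiley
    + [("admin", "192.0.2.77")] * 6          # six failures: enough to lock admin out
    + [("ijbrown", "172.25.1.52")]           # a single typo by a real user
    + [(u, "198.51.100.9") for u in ("kwiley", "admin", "root")]   # username spraying
)
SAMPLE_LOG = "\n".join(
    f"{n:06d}: *Mar  1 00:{n // 60:02d}:{n % 60:02d}.000: %SEC_LOGIN-4-LOGIN_FAILED: "
    f"Login failed [user: {user}] [Source: {src}] [localport: 22] "
    f"[Reason: Login Authentication Failed] at 00:{n // 60:02d}:{n % 60:02d} UTC Sat Mar 1 2008"
    for n, (user, src) in enumerate(SAMPLE_EVENTS, start=1)
)


def parse_failures(log_text):
    """Return (user, source) for every login-failure line in the log."""
    matches = (LOGIN_FAILED.search(line) for line in log_text.splitlines())
    return [(m.group("user"), m.group("src")) for m in matches if m]


def analyze(log_text, max_fail=6, spray_threshold=3):
    """Summarise failures the way 'aaa local authentication attempts max-fail' counts
    them: per user, cumulatively, with no time window."""
    failures = parse_failures(log_text)
    per_user = Counter(user for user, _ in failures)
    sources_for_user, users_for_source = defaultdict(set), defaultdict(set)
    for user, src in failures:
        sources_for_user[user].add(src)
        users_for_source[src].add(user)
    # accounts that have hit the threshold, with the sources responsible
    locked = {u: sorted(sources_for_user[u]) for u, n in per_user.items() if n >= max_fail}
    # one source trying several usernames: spraying, or an attempt to lock them all
    spraying = {s: sorted(us) for s, us in users_for_source.items() if len(us) >= spray_threshold}
    return {"failures": dict(per_user), "locked": locked, "spraying": spraying}


def unlock_commands(report):
    """The clear command from the recipe, one per locked account."""
    return [f"clear aaa local user lockout username {u}" for u in sorted(report["locked"])]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    print("\n".join(unlock_commands(report)))
```

In the sample, admin is locked out by six failures from 192.0.2.77 even though the real administrator never mistyped anything, which is exactly the denial-of-service the discussion warns about; the report gives you the source to block before you clear the lock, so the same host cannot simply lock the account again.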

27.8. Authentication Proxy

Problem: You want to authenticate and authorize individual users before granting them access through the router.

Solution

Router1#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Router1(config)#aaa new-model

Router1(config)#aaa authorization auth-proxy default local

Router1(config)#ip auth-proxy auth-proxy-banner http

Router1(config)#ip auth-proxy name HTTPPROXY http

Router1(config)#ip admission auth-proxy-banner http

Router1(config)#interface FastEthernet0/0

Router1(config-if)#ip auth-proxy HTTPPROXY

Router1(config-if)#exit

Router1(config)#ip http server

Router1(config)#ip http authentication local

Router1(config)#end

Router1#

Discussion: The authentication proxy intercepts the user's first HTTP request and presents a login page; once the user has entered valid credentials, from wherever they are, the router applies the authorized access for that user and source address. View the current authentication cache with:

Router1#show ip auth-proxy cache

Authentication Proxy Cache

Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
