27.1. Using AutoSecure
Question: A simple, wizard-style way to harden your router
Answer
Router2#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:
<Removed for brevity>
Note: Starting with IOS 12.3(1), routers include the AutoSecure feature, which hardens the router automatically by walking through a series of questions. Below is an example of the configuration it generates.
Router2#show auto secure config
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
banner ^C Test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 00071A1507545B54
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 6
login authentication local_auth
transport input telnet
login block-for 5 attempts 5 within 6
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 6
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
!
interface Serial0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
!
ip cef
Router2#
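As an added example (not code from the cookbook or from Cisco), the following Python script audits a saved running-config for a subset of the hardening lines that AutoSecure generates above. The sample configuration is constructed for the demonstration and assumes standard running-config indentation (one space before interface sub-commands).

```python
import re

# Global hardening lines from the AutoSecure output above that a
# running-config must contain verbatim (subset, for brevity).
REQUIRED_GLOBAL = [
    "no service finger", "service password-encryption", "no cdp run",
    "no ip source-route", "no ip http server",
    "security passwords min-length 6",
]
# Per-interface lines AutoSecure adds under every interface.
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp",
                      "no ip unreachables", "no ip directed-broadcast"]
# Default SNMP communities that AutoSecure removes; presence is a finding.
FORBIDDEN = r"^snmp-server community (public|private)\b"

def audit_config(text):
    """Return a list of findings; an empty list means the config is clean."""
    lines = text.splitlines()
    top = {l.strip() for l in lines if l and not l.startswith(" ")}
    findings = [f"missing: {x}" for x in REQUIRED_GLOBAL if x not in top]
    findings += [f"present: {l}" for l in top if re.match(FORBIDDEN, l)]
    # Interface blocks: 'interface X' followed by one-space-indented lines.
    iface, block = None, set()
    for l in lines + ["!"]:               # sentinel closes the last block
        if iface and l.startswith(" "):
            block.add(l.strip())
            continue
        if iface:
            findings += [f"{iface}: missing {x}"
                         for x in REQUIRED_INTERFACE if x not in block]
        iface = l.split()[1] if l.startswith("interface ") else None
        block = set()
    return findings

# Constructed sample running-config (not from a real device): it lacks
# 'no cdp run', keeps the 'public' community, and Serial0/0 is incomplete.
SAMPLE_CONFIG = """\
no service finger
service password-encryption
no ip source-route
no ip http server
security passwords min-length 6
snmp-server community public RO
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
!
"""
```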
27.2. Using Context-Based Access Lists (CBAC)
Question: Configure firewall-like advanced filtering on the router
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 166 deny ip any any
Router1(config)#access-list 167 permit tcp any any eq telnet
Router1(config)#ip inspect name Telnet tcp
Router1(config)#interface Serial0/1
Router1(config-if)#ip access-group 166 in
Router1(config-if)#ip access-group 167 out
Router1(config-if)#ip inspect Telnet out
Router1(config-if)#exit
Router1(config)#end
Router1#
Note: This requires an IOS image that includes the IOS Firewall feature set. CBAC provides firewall-like stateful inspection: it dynamically creates access-list entries that permit the returning packets of a session. In the example above, the returning telnet packets are allowed through.
Router1#show ip inspect sessions
Established Sessions
Session 821061C0 (172.25.1.1:1379)=>(10.2.2.2:23) tcp SIS_OPEN
Router1#
The passive FTP access problem mentioned earlier can also be solved securely with this method.
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 155 permit tcp any any eq ftp
Router1(config)#access-list 155 deny ip any any
Router1(config)#ip inspect name TEST ftp
Router1(config)#interface Serial0/0
Router1(config-subif)#ip access-group 155 in
Router1(config-subif)#ip inspect TEST in
Router1(config-subif)#exit
Router1(config)#end
Router1#
Router1#show ip access-list 155
Extended IP access list 155
permit tcp host 172.20.1.2 eq 11252 host 172.25.1.3 eq 49155 (1415 matches)
permit tcp any any eq ftp (151 matches)
deny ip any any (3829 matches)
Router1#
Timers can also be configured for the different session types
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect tcp idle-time 1800
Router1(config)#ip inspect udp idle-time 20
Router1(config)#ip inspect tcp finwait-time 1
Router1(config)#ip inspect tcp synwait-time 15
Router1(config)#end
Router1#
The show ip inspect config command displays the current CBAC configuration.
Audit-trail logging is also supported: ip inspect name Telnet tcp audit-trail on
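As an added illustration (a toy model written for this page, not IOS code), the following Python class replays the telnet case above: an inbound "deny ip any any" ACL, an outbound "ip inspect ... tcp" that records sessions, and the dynamic reply entry that is consulted before the static ACL. The outbound ACL 167 is not modelled; the addresses are the ones shown in "show ip inspect sessions".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class CbacInterface:
    """Toy model of one interface: a static ACL applied inbound plus a
    session table filled by inspecting outbound traffic (the effect of
    'ip inspect Telnet out' combined with 'ip access-group 166 in')."""
    def __init__(self, inbound_acl, inspected):
        self.acl = inbound_acl      # [(action, proto, dport-or-None), ...]
        self.inspected = inspected  # protocols named in 'ip inspect name'
        self.sessions = set()       # (src, sport, dst, dport) seen outbound

    def send_out(self, pkt):
        """Outbound packets leave freely; inspected ones open a session."""
        if pkt.proto in self.inspected:
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def receive_in(self, pkt):
        """Inbound: the dynamic reply entry is checked before the static ACL."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit (dynamic session entry)"
        for action, proto, dport in self.acl:
            if proto in ("ip", pkt.proto) and dport in (None, pkt.dport):
                return action
        return "deny (implicit)"

def demo():
    """Replays the telnet session 172.25.1.1:1379 -> 10.2.2.2:23."""
    fw = CbacInterface(inbound_acl=[("deny", "ip", None)], inspected={"tcp"})
    out = Packet("172.25.1.1", 1379, "10.2.2.2", 23)
    reply = Packet("10.2.2.2", 23, "172.25.1.1", 1379)
    stray = Packet("10.2.2.2", 23, "172.25.1.1", 1380)  # no matching session
    before = fw.receive_in(reply)   # no session yet: ACL 166 denies it
    fw.send_out(out)                # inspection records the session
    return before, fw.receive_in(reply), fw.receive_in(stray)
```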
27.3. Transparent IOS Firewall
Question: Configure the router as a Layer 2 firewall
Answer
First, configure support for Integrated Routing and Bridging (IRB)
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#bridge 1 protocol ieee
Router1(config)#interface FastEthernet0/0
Router1(config-if)#bridge-group 1
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#bridge-group 1
Router1(config-if)#exit
Router1(config)#bridge irb
Router1(config)#bridge 1 route ip
Router1(config)#interface BVI1
Router1(config-if)#ip address 172.25.1.101 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#end
Router1#
Then configure the firewall inspection rules and the ACLs
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name OREILLY tcp
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip inspect OREILLY in
Router1(config-if)#exit
Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23
Router1(config)#access-list 111 permit ip any any
Router1(config)#access-list 112 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 111 in
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip access-group 112 in
Router1(config-if)#end
Router1#
Note: Starting with 12.3(7)T, this Layer 2 (transparent) firewall is supported. Because it is transparent to the network, no address changes are required; filtering is done with CBAC.
27.4. Preventing Denial-of-Service Attacks
Question: Defend against denial-of-service attacks by limiting half-open connections
Answer
Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#
Note: Beyond the configuration above, the drop mode and other parameters can also be controlled
Router1(config)#ip tcp intercept drop-mode random
Router1(config)#ip tcp intercept watch-timeout 15
Router1(config)#ip tcp intercept mode watch
A useful statistics command
Router1#show tcp intercept statistics
Intercepting new connections using access-list 109
9 incomplete, 1 established connections (total 10)
8 connection requests per minute
Router1#
27.5. Inspecting Applications on Non-Standard Ports
Question: Inspect applications running on non-standard ports
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end
Router1#
Note: PAM (port-to-application mapping) can also be applied to specific addresses
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22
Router1(config)#end
Router1#
Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined
27.6. Intrusion Detection and Prevention
Question: Use the router's built-in intrusion detection software to defend against attacks
Answer
Before 12.3(8)T the feature was called IDS
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip audit notify log
Router1(config)#ip audit info action alarm drop reset
Router1(config)#ip audit attack action alarm drop reset
Router1(config)#ip audit smtp spam 10
Router1(config)#ip audit signature 1107 disable
Router1(config)#ip audit signature 2004 disable
Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset
Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip audit COOKBOOK in
Router1(config-if)#exit
Router1(config)#end
Router1#
From then on it is called IPS
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip ips name NEOSHI list 21
Router1(config)#ip ips signature 4050 disable
Router1(config)#ip ips fail closed
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ips NEOSHI in
Router1(config-if)#exit
Router1(config)#end
Router1#
Note: view the IPS statistics with
Router1#show ip ips statistics
Signature statistics [process switch:fast switch]
signature 4050:0 packets checked: [0:85]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
27.7. Login Password Retry Lockout
Question: Prevent brute-force guessing of login passwords
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#
Note: Starting with 12.3(14)T, the number of login password attempts can be limited. To release a lockout use Router1#clear aaa local user lockout username kwiley. Be aware that an attacker could use this mechanism to deliberately lock out legitimate user names.
27.8. Authentication Proxy
Question: Per-user authentication and authorization for access control
Answer
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local
Router1(config)#end
Router1#
Note: The authentication proxy intercepts the user's access request; once the user enters credentials, from any location, access is granted. To view the current authentication cache:
Router1#show ip auth-proxy cache
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB