CISCO 防御沖擊波方法

2019-11-05 00:09:24

字體：大中小

供稿：網(wǎng)友

　　! --- block TFTP
　　
　　access-list 115 deny udp any any eq 69
　　
　　! --- block W32.Blaster related PRotocols
　　
　　access-list 115 deny tcp any any eq 135
　　access-list 115 deny udp any any eq 135
　　
　　! --- block other vulnerable MS protocols
　　
　　access-list 115 deny udp any any eq 137
　　access-list 115 deny udp any any eq 138
　　access-list 115 deny tcp any any eq 139
　　access-list 115 deny udp any any eq 139
　　access-list 115 deny tcp any any eq 445
　　access-list 115 deny tcp any any eq 593
　　
　　! --- block remote access due to W32.Blaster
　　
　　access-list 115 deny tcp any any eq 4444
　　
　　! --- Allow all other traffic -- insert
　　! --- other existing access-list entries here
　　
　　access-list 115 permit ip any any
　　
　　interface
　　
　　ip access-group 115 in
　　ip access-group 115 out
　　
　　另外，阻止非法地址的命令是:
　　
　　Router(config)# interface
　　Router(if-config)# no ip unreachables
　　
　　假如此命令不能禁止，可參考下面這個(gè)命令:
　　
　　Elab(config)# ip icmp rate-limit unreachable
　　VACL on the CatOS
　　
　　! --- block TFTP
　　set security acl ip BLASTER deny udp any any eq 69
　　
　　! --- block vulnerable MS protocols
　　! --- Blaster related
　　set security acl ip BLASTER deny tcp any any eq 135
　　set security acl ip BLASTER deny udp any any eq 135
　　
　　! --- Non-blaster related
　　
　　set security acl ip BLASTER deny tcp any any eq 137
　　set security acl ip BLASTER deny udp any any eq 137
　　set security acl ip BLASTER deny tcp any any eq 138
　　set security acl ip BLASTER deny udp any any eq 138
　　set security acl ip BLASTER deny tcp any any eq 139
　　set security acl ip BLASTER deny udp any any eq 139
　　set security acl ip BLASTER deny tcp any any eq 593
　　
　　! --- block remote access due to W32.Blaster
　　
　　set security acl ip BLASTER deny tcp any any eq 4444
　　
　　! --- Allow all other traffic
　　! --- insert other existing access-list entries here
　　
　　set security acl ip BLASTER permit any any
　　
　　! -- applies both inbound and outbound
　　
　　commit security acl BLASTER
　　set security acl map BLASTER
　　PIX
　　
　　access-list acl_inside deny udp any any eq 69
　　access-list acl_inside deny tcp any any eq 135
　　access-list acl_inside deny udp any any eq 135
　　access-list acl_inside deny tcp any any eq 137
　　access-list acl_inside deny udp any any eq 137
　　access-list acl_inside deny tcp any any eq 138
　　access-list acl_inside deny udp any any eq 138
　　access-list acl_inside deny tcp any any eq 139
　　access-list acl_inside deny udp any any eq 139
　　access-list acl_inside deny tcp any any eq 445
　　access-list acl_inside deny tcp any any eq 593
　　access-list acl_inside deny tcp any any eq 4444
　　!
--- insert previously configured acl statements here,
　　! --- or permit all other traffic out
　　
　　access-list acl_inside permit ip any any
　　
　　access-group acl_inside in interface inside

上一篇：思科詮釋下一代存儲(chǔ)網(wǎng)絡(luò)

下一篇：Cisco Pix 的常見(jiàn)問(wèn)題大整理