配置路由器使用Cisco AutoSecure 实验过程: R1#auto secure — AutoSecure Configuration — *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks *** AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation. At any prompt you may enter ‘?’ for help. Use ctrl-c to abort this session at any prompt. Gathering information about the router for AutoSecure Is this router connected to internet? [no]: yes Enter the number of interfaces facing the internet [1]: Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES unset administratively down down Ethernet1/0 unassigned YES unset administratively down down Ethernet1/1 unassigned YES unset administratively down down Ethernet1/2 unassigned YES unset administratively down down Ethernet1/3 unassigned YES unset administratively down down Enter the interface name that is facing the internet: FastEthernet0/0 Securing Management plane services… Disabling service finger Disabling service pad Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in Enabling service tcp-keepalives-out Disabling the cdp protocol Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements. Authorized Access only This system is the property of So-&-So-Enterprise. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action. Enter the security banner {Put the banner between k and k, where k is any character}: k www.norvel.com.cn k Enable secret is either not configured or is the same as enable password Enter the new enable secret: Confirm the enable secret : Enter the new enable password: Choose a password that’s different from secret Enter the new enable password: % Password too short – must be at least 6 characters. Password configuration failed Enter the new enable password: Confirm the enable password: Configuration of local user database Enter the username: suyajuncn Enter the password: Confirm the password: Configuring AAA local authentication Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected: Device not secured against ‘login attacks’. Configure SSH server? [yes]: yes Enter the domain-name: blog.norvel.com.cn Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces Securing Forwarding plane services… Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected to internet Configure CBAC Firewall feature? [yes/no]: yes This is the configuration generated: no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption service tcp-keepalives-in service tcp-keepalives-out no cdp run no ip bootp server no ip http server no ip finger no ip source-route no ip gratuitous-arps no ip identd banner motd ^C www.norvel.com.cn ^C security passwords min-length 6 security authentication failure rate 10 log enable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY. enable password 7 095F5B10180F021C0802 username suyajuncn password 7 0100131D5A0113012242 aaa new-model aaa authentication login local_auth local line con 0 login authentication local_auth exec-timeout 5 0 transport output telnet line aux 0 login authentication local_auth exec-timeout 10 0 transport output telnet line vty 0 4 login authentication local_auth transport input telnet ip domain-name blog.norvel.com.cn crypto key generate rsa general-keys modulus 1024 ip ssh time-out 60 ip ssh authentication-retries 2 line vty 0 4 transport input ssh telnet service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone logging facility local2 logging trap debugging service sequence-numbers logging console critical logging buffered interface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Ethernet1/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Ethernet1/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Ethernet1/2 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Ethernet1/3 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled ip cef access-list 100 permit udp any any eq bootpc interface FastEthernet0/0 ip verify unicast source reachable-via rx allow-default 100 ip inspect audit-trail ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect udp idle-time 1800 ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any interface FastEthernet0/0 ip inspect autosec_inspect out ip access-group autosec_firewall_acl in ! end Apply this configuration to running-config? [yes]: yes Applying the config generated to running-config The name for the keys will be: R1.blog.norvel.com.cn % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable…[OK] R1# R1# R1# R1# R1# R1#show run Building configuration… Current configuration : 3069 bytes ! upgrade fpd auto version 12.4 no service pad service tcp-keepalives-in service tcp-keepalives-out service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption service sequence-numbers ! hostname R1 ! boot-start-marker boot-end-marker ! security authentication failure rate 10 log security passwords min-length 6 logging console critical enable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY. enable password 7 095F5B10180F021C0802 ! aaa new-model ! ! aaa authentication login local_auth local ! ! aaa session-id common no ip source-route no ip gratuitous-arps ip cef ! ! ! ! no ip bootp server no ip domain lookup ip domain name blog.norvel.com.cn ip inspect audit-trail ip inspect udp idle-time 1800 ip inspect dns-timeout 7 ip inspect tcp idle-time 14400 ip inspect name autosec_inspect cuseeme timeout 3600 ip inspect name autosec_inspect ftp timeout 3600 ip inspect name autosec_inspect http timeout 3600 ip inspect name autosec_inspect rcmd timeout 3600 ip inspect name autosec_inspect realaudio timeout 3600 ip inspect name autosec_inspect smtp timeout 3600 ip inspect name autosec_inspect tftp timeout 30 ip inspect name autosec_inspect udp timeout 15 ip inspect name autosec_inspect tcp timeout 3600 ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! multilink bundle-name authenticated ! ! ! ! username suyajuncn password 7 0100131D5A0113012242 archive log config logging enable hidekeys ! ! ! ! ip ssh time-out 60 ip ssh authentication-retries 2 ! ! ! ! interface FastEthernet0/0 no ip address ip access-group autosec_firewall_acl in ip verify unicast source reachable-via rx allow-default 100 no ip redirects no ip unreachables no ip proxy-arp ip inspect autosec_inspect out shutdown duplex half no mop enabled ! interface Ethernet1/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled ! interface Ethernet1/1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled ! interface Ethernet1/2 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled ! interface Ethernet1/3 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled ! ip forward-protocol nd no ip http server no ip http secure-server ! ! ! ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any ! logging alarm informational logging trap debugging logging facility local2 access-list 100 permit udp any any eq bootpc no cdp run ! ! ! control-plane ! ! ! gatekeeper shutdown ! banner motd ^C ^C ! line con 0 exec-timeout 5 0 logging synchronous login authentication local_auth transport output telnet stopbits 1 line aux 0 login authentication local_auth transport output telnet stopbits 1 line vty 0 4 login authentication local_auth transport input telnet ssh ! ! end R1#
(免责声明:文章内容如涉及作品内容、版权和其它问题,请及时与我们联系,我们将在第一时间删除内容,文章内容仅供参考)
未经允许不得转载:本文采用知识共享 署名4.0国际许可协议 [BY-NC-SA] 进行授权!
路由网 »
配置路由器使用Cisco AutoSecure
陕公网安备41159202000202号
