Cisco router security configuration simple program

xiaoxiao2021-03-06  106

Cisco router security configuration simple program

Create time: 2003-04-03

Article attribute: original

Article submission:

Bluesun (Yangtonuang_AT_163.com)

Cisco router security configuration simple program

Author: blushin

Auditor: Amy

E-mail: yangtonguang@163.com

Version 1.0

Date: 2002-12-15

First, the security configuration of router access control

1. Strictly control the administrator who can access the router. Any maintenance requires a record file.

2. It is recommended not to access the router remotely. Even if you need to remotely access the router, it is recommended to use the access control list and high-intensity password control.

3, strictly control the access of the CON port. Specific measures are:

A. If you can boot, you can cut off the physical line associated with the CON port.

B. You can change the default connection properties, such as modifying the baud rate (default is 96000, can be changed to other).

C, the access control list is used to control access to the CON port.

Router (config) # Access-list 1 permit 192.168.0.1

Router (config) #LINE CON 0

Router (config-line) #Transport Input None

Router (config-line) #login local

Router (config-line) # EXEC-TIMEOUTE 5 0

Router (config-line) # Access-Class 1 in

Router (config-line) #end

D, set high-strength passwords to the CON port.

4. If you do not use the AUX port, this port is prohibited. The default is not enabled. Forbidden:

Router (config) #line aux 0

Router (config-line) #Transport Input None

Router (config-line) #NO EXEC

5. It is recommended to use the right restriction strategy. Such as:

Router (config) # username Blushin Privilege 10 G00DPA55W0RD

Router (config) #Privilege Exec Level 10 Telnet

Router #Privilege Exec Level 10 show ip access-list

6. Set strong passwords for the entry of the privileged model. Do not set your password with Enable Password. And use the Enable Secret command to set. And to enable Service Password-Encryption.

7, control access to Vty. If you don't need a remote access, it is disabled. Set a strong password if needed. Since Vty is encrypted during the transmission of the network, it is necessary to strictly control it. Such as: set a strong password; control the concurrent number of connections; use the access list to strictly control the address of the accessed; you can use the AAA to set the user's access control.

8, iOS upgrades and backups, and backups of the configuration file recommendation using FTP instead of TFTP. Such as:

Router (config) #ip FTP Username Blushin

Router (config) #ip ftp password 4tppa55w0rd

Router # Copy Startup-Config FTP:

9. Timely upgrade and patch iOS software.

Second, router network service security configuration

1. Prohibit CDP (Cisco Discovery Protocol). Such as:

Router (config) #NO CDP Run

Router (config-if) # no cdp enable

2, prohibit other TCP, UDP Small services.

Router (config) # no service tcp-small-servers

Router # no service udp-samll-servers3, prohibiting the finger service.

Router (config) # no ip finger

Router (config) # no service finger

4. It is recommended to prohibit HTTP services.

Router (config) # no ip http server

If the HTTP service is enabled, it needs to be securely configured: set the username and password; use the access list to control. Such as:

Router (config) # Username Blushin Privilege 10 G00DPA55W0RD

Router (config) # ip http auth local

Router (config) # no access-list 10

Router (config) # Access-list 10 permit 192.168.0.1

Router (config) # Access-list 10 de Neny Any

Router (config) # ip http access-Class 10

Router (config) # ip http server

Router (config) # exit

5, prohibit BootP service.

Router (config) # no ip bootp server

It is forbidden to start and automatically download the initial profile from the network from the network.

Router (config) # no boot network

Router (config) # no servic config

6, prohibit IP Source Routing.

Router (config) # no ip Source-Route

7. It is recommended that if it is not necessary, it is disabled, the router defaults to open.

Router (config) # no ip proxy-ARP

ROUTER (config-if) # no ip proxy-arp

8, clear IP Directed Broadcast.

Router (config) # no ip Directed-Broadcast

9. Prohibit IP Classless.

Router (config) # no ip classless

10. IP Unreachables, Redirects, Mask Replies for ICMP protocols.

Router (config-if) # no ip unreacheables

Router (config-if) # no ip redirects

ROUTER (config-if) # no ip mask-reply

11. It is recommended to prohibit SNMP protocol services. The default configuration of some SNMP services must be deleted when prohibited. Or you need access to the list to filter. Such as:

Router (config) # no snmp-server community public ro

Router (config) # no snmp-server communication admin rw

Router (config) # no access-list 70

Router (config) # Access-list 70 de Neny

Router (config) # snmp-server community morehardpublic RO 70

Router (config) # no snmp-server enable traps

Router (config) # no snmp-server system-shutdown

Router (config) # no snmp-server trap-Anth

Router (config) # no SNMP-Server

Router (config) # end

12. If there is no need to prohibit WINS and DNS services.

Router (config) # no ip domain-lookup

If you need, you need to configure:

Router (config) # hostname RouterRouter (config) # ip name-server 202.102.134.96

13, clearly prohibiting the ports that are not used.

Router (config) # Interface Eth0 / 3

Router (config) # Shutdown

Third, router routing protocol security configuration

1. First prohibit the default ARP-Proxy, which is easy to cause confusion of the routing table.

Router # no ip proxy-ARP or

ROUTER (config-if) # no ip proxy-arp

2. Enable the authentication of the OSPF route protocol. The default OSPF authentication password is transfed in plaintext, and MD5 authentication is recommended. And set a certain strength key (Key, the relative router must have the same key).

Router (config) # Router OSPF 100

Router (config-router) # network 192.168.100.0 0.0.0.255 Area 100

! Enable MD5 authentication.

! area isa-id authentication enables authentication, which is a plain text password authentication.

! Area area-id authentication message-digest

Router (config-router) # area 100 Authentication Message-Digest

Router (config) # exit

Router (config) # Interface Eth0 / 1

! Enable the MD5 key Key to RouterOspfKey.

! IP OSPF Authentication-Key Key Enables authentication keys, but it will be expressly transmitted.

! IP OSPF Message-Digest-Key Key-ID (1-255) MD5 Key

Router (config-if) # ip ospf message-digest-key 1 md5 routerOspfKey

3, the authentication of the RIP protocol. Only RIP-V2 support, RIP-1 does not support. RIP-V2 is recommended. And use MD5 certification. Ordinary certification is also clearly transmitted.

Router (config) # Config Terminal

! Enable settings the key chain

Router (config) # Key Chain MykeychainName

Router (config-keychain) # kY 1

! Set the key string

Router (config-leychain-key) # key-string myfirstkeyString

Router (config-keyschain) # key 2

Router (config-keychain-key) # key-string mysecondKeystring

! Enable RIP-V2

Router (config) # Router RIP

Router (config-router) # Version 2

Router (config-router) # NetWork 192.168.100.0

Router (config) # Interface Eth0 / 1

! Use MD5 mode certification and select the configured keychain

Router (config-if) # ip rip authentication mode MD5

Router (config-if) # ip rip anthentative key-chain mykeychainname

4. Enabling the passive-interface command can disable ports that do not need to receive and forward routing information. It is recommended to enable Passive-Interface for ports that do not need routes. However, in the RIP protocol is only prohibited from forwarding routing, there is no prohibition of reception. In the OSPF protocol, it is forbidden to forward and receive routing information.

! RIP, prohibiting port 0/3 forwarding routing information ROUTER (config) # router rip

Router (config-router) # Passive-Interface Eth0 / 3

! In OSPF, the prohibition of port 0/3 receives and forwards routing information

Router (config) # Router OSPF 100

Router (config-router) # Passive-Interface Eth0 / 3

5. Enable access list filtering some garbage and malicious routing information, controlling the spam of the network.

Router (config) # Access-list 10 deny 192.168.1.0 0.0.0.255

Router (config) # Access-list 10 permit ANY

! Prohibition of routers receive routing information of the update 192.168.1.0 network

Router (config) # Router OSPF 100

Router (config-router) # distribute-list 10 in

! Prohibit router forwarding 192.168.1.0 network routing information

Router (config) # Router OSPF 100

Router (config-router) # distribute-list 10 out

6. It is recommended to enable ip unicast reverse-path verification. It can check the accuracy of the source IP address, so that certain IP spooling can be prevented. But it can only be used on the router that enables CEF (Cisco Express Forwarding).

Router # config t

! Enable CEF

Router # IP CEF

! Enable Unicast Reverse-Path Verification

Router (config) # Interface Eth0 / 1

Router (config) # i ip verify unicast reverse-path

Fourth, router audit security configuration

Five, other security configurations of routers

1. Timely upgrade iOS software and quickly install patch for iOS.

2, strictly seriously for the IOS for safe backup.

3. To make a secure backup for the configuration file of the router.

4. Buy a UPS device, or at least there must be redundant power.

5, have a complete router's security access and maintenance record log.

6. To set up sign in to Banner strictly. You must include a non-authorized user to prohibit login.

7. IP deceive is simple protection. Access the internal network as filtering non-public address. Filter your own internal network address; loop address (127.0.0.0.0); RFC1918 private address; DHCP custom address (169.254.0.0.0.0.0.04); scientific document author test address (192.0.2.0/24); unused multicast Address (224.0.0.0.0/4); SUN's ancient test address (20.20.20.0/24204.152.64.0/23); full network address (0.0.0.0.0/8).

Router (config) # Access-list 100 deny ip 192.168.0.0 0.0.0.255 Any log

Router (config) # Access-list 100 deny ip 127.0.0.0 0.255.255.255 Any log

Router (config) # Access-list 100 deny ip 192.168.0.0 0.0.255.255 Any log

Router (config) # Access-list 100 deny ip 172.16.0.0 0.15.255.255 Any log

Router (config) # Access-list 100 deny ip 10.0.0.0 0.255.255.255 Any log

Router (config) # Access-list 100 deny ip 169.254.0.0 0.0.255.255 Any logRouter # Access-list 100 deny ip 192.0.2.0 0.0.0.255 Any Log

Router (config) # Access-list 100 de Neny ip 224.0.0.0 15.255.255.255 Any

Router (config) # Access-list 100 deny ip 20.20.20.0 0.0.0.255 Any log

Router (config) # Access-list 100 deny ip 204.152.64.0 0.0.2.255 Any log

Router (config) # Access-list 100 deny ip 0.0.0.0 0.255.255.255 Any log

8. It is recommended to use access list to control the address that flows out of the internal network must be an internal network. Such as:

Router (config) # no access-list 101

Router (config) # Access-list 101 permit IP 192.168.0.0 0.0.0.255 Any

Router (config) # Access-list 101 deny ip Any Any log

Router (config) # Interface Eth 0/1

Router (config-if) # Description "Internet Ethernet"

Router (config-if) # ip address 192.168.0.254 255.255.255.0

ROUTER (config-if) # ip access-group 101 in

9. Prevention of TCP SYN. Such as:

A: Prevent the list of access.

Router (config) # no access-list 106

Router (config) # Access-list 106 permit TCP ANY 192.168.0.0 0.0.0.255 Establish

Router (config) # Access-list 106 deny ip Any Any log

Router (config) # Interface Eth 0/2

Router (config-if) # Description "External Ethernet"

Router (config-if) # ip address 192.168.1.254 255.255.255.0

ROUTER (config-if) # ip access-group 106 in

B: Defense through TCP. (This will generate a certain load to the router)

Router (config) # ip TCP Intercept List 107

Router (config) # Access-list 107 permit TCP ANY 192.168.0.0 0.0.0.255

Router (config) # Access-list 107 deny ip Any Any log

Router (config) # Interface Eth0

Router (config) # ip access-group 107 in

10, Land.c offensive.

Router (config) # Access-list 107 deny IP Host 192.168.1.254 Host 192.168.1.254 log

Router (config) # Access-list permit ip any Any

Router (config) # Interface Eth 0/2

Router (config-if) # ip address 192.168.1.254 255.255.255.0

Router (config-if) # ip access-group 107 in11, smurf offensive.

Router (config) # Access-list 108 deny ip any host 192.168.1.255 log

Router (config) # Access-list 108 deny ip Any Host 192.168.1.0 Log

12. Security configuration of the ICMP protocol. For entering ICMP streams, we must ban Echo, Redirect, Mask Request, ICMP protocol. It also needs to prohibit the probe of Traceroute commands. For ICMP streams that flow out, we can allow Echo, Parameter Problem, Packet TOO BIG. There is also the use of traceroute commands.

Outbound ICMP Control

Router (config) # Access-list 110 deny ICMP Any Any Echo log

Router (config) # Access-list 110 deny ICMP Any Any Redirect log

Router (config) # Access-list 110 deny ICMP Any Any Mask-Request Log

Router (config) # Access-list 110 permit ICMP Any Any

Inbound ICMP Control

Router (config) # Access-list 111 permit icmp any Any echo

Router (config) # Access-list 111 permit icmp any Any parameter-quhip

Router (config) # Access-list 111 permit icmp any Any packet-too-big

Router (config) # Access-list 111 permit icmp any Any Source-quench

Router (config) # access-list 111 deny ICMP Any Any Log

Outbound Traceroute Control

Router (config) # Access-list 112 deny udp any Any Range 33400 34400

Inbound Traceroute Control

Router (config) # access-list 112 permit udp any Any Range 33400 34400

13. Prevention of DDOS (Distributed Denial of Service).

! The trinoo ddos ​​system

Router (config) # Access-list 113 deny tcp Any Any EQ 27665 log

Router (config) # Access-list 113 deny udp any Any EQ 31335 LOG

Router (config) # access-list 113 deny udp any Any EQ 27444 log

The Stacheldtraht DDOS System

Router (config) # Access-list 113 deny TCP Any Any EQ 16660 LOG

Router (config) # Access-list 113 deny TCP Any Any EQ 65000 LOG

! THE TRINITYV3 SYSTEM

Router (config) # Access-list 113 deny TCP Any Any EQ 33270 LOG

Router (config) # Access-list 113 deny tcp Any Any EQ 39168 LOG

! The subseven ddos ​​system and some variantsrouter (config) # access-list 113 deny tcp any Any Range 6711 6712 LOG

Router (config) # Access-list 113 deny TCP Any Any EQ 6776 LOG

Router (config) # access-list 113 deny tcp Any Any EQ 6669 LOG

Router (config) # Access-list 113 deny TCP Any Any EQ 2222 LOG

Router (config) # Access-list 113 deny TCP ANY Any EQ 7000 LOG

13. It is recommended to enable SSH to discard Telnet. But only IOS supported and IPsec feature set supports SSH. And IOS12.0-iOS12.2 only supports SSH-V1. Examples of the SSH service are configured as follows:

Router (config) # Config T

Router (config) # no access-list 22

Router (config) # Access-list 22 permit 192.168.0.22

Router (config) # Access-list deny Any

Router (config) # Username Blushin Privilege 10 G00DPA55W0RD

! Set SSH's overt messages and attempt to log in

Router (config) # ip ssh Timeout 90

Router (config) # ip ssh anthentative-retries 2

Router (config) # line vty 0 4

Router (config-line) # Access-Class 22 in

Router (config-line) # Transport Input SSH

Router (config-line) # Login Local

Router (config-line) # exit

! Enable SSH service to generate RSA key pairs.

Router (config) # Crypto Key Generate RSA

The name for the keys will be: router.blushin.org

Choose the size of 360 to 2048 for your general purpose keys .chool .choosing a key modulus greater tour..

How Many Bits in The Modulus [512]: 2048

Generating RSA KEYS ...

[Ok]

Router (config) #

Sixth, router advanced security configuration

Attachment: Router Security Configuration Template ()

转载请注明原文地址:https://www.9cbs.com/read-124661.html

New Post(0)