iscw
Router#auto secure    AutoSecure
####################################
Passwords
Boston(config)#security passwords min-length 10    enforce a minimum password length
Boston(config)#service password-encryption    encrypt all passwords
Boston(config)#no service password-recovery    prevent console access to ROMMON
Set the authentication failure rate (prerequisite: AAA)
Boston(config)#security authentication failure rate 10 log    configure the number of unsuccessful login attempts allowed; by default 10 failed logins are allowed before a 15-second delay begins, and a syslog message is generated when the rate is exceeded
Boston(config)#login block-for 100 attempts 2 within 100    block login access after the specified number of failed attempts within the given period; mitigates DoS attacks
Boston(config)#login quiet-mode access-class myacl    specify an ACL that is applied to the router when it enters quiet mode
Boston(config)#login delay 30    configure a delay between successive login attempts, mitigating dictionary attacks; if not set, the default delay is one second
Boston(config)#show login    display login parameters and failures
Set timeouts
Boston(config)#line console 0
Boston(config-line)#exec-timeout 3 30    terminate idle console/aux connections after 3 minutes 30 seconds
Set multiple privilege levels
Boston(config)#privilege exec level 2 ping
Boston(config)#enable secret level 2 Patriot    set multiple privilege levels
Configure a banner message
Boston(config)#banner motd % WARNING: You are connected to (hostname) on the Cisco Systems, Incorporated network. Unauthorized access and use of this network will be vigorously prosecuted. %
Configure role-based CLI (views)
Boston(config)#aaa new-model
Boston(config)#exit
Boston#enable view
Boston(config)#parser view monitor_view
Boston(config-view)#password 5 hErMeNe%GiLdE!
Boston(config-view)#commands exec include show version    add commands or interfaces to the view
Boston(config)#parser view monitor_audit superview
Boston(config-view)#password 5 AnA6TaSiA$
Boston(config-view)#view monitor_view
Boston(config-view)#view audit_view    add views to a superview
show parser view [all]
debug parser view
Securing the configuration files
Boston(config)#secure boot-image    enable IOS image resilience
Boston(config)#secure boot-config    store a secure copy of the primary bootset (startup configuration) in persistent storage
show secure bootset    display the status of configuration resilience and the primary bootset filenames
##############################################
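The settings above are easy to list and easy to forget on a box that has been in service for years. The following is an added example, not part of the original notes or of Cisco's tooling: a small Python audit that parses a saved `show running-config` text and reports which of the hardening commands from this section are missing or weakened (minimum password length, `service password-encryption`, `login block-for`, `exec-timeout` on console and aux lines, `banner motd`, `secure boot-image` and `secure boot-config`). Both configurations embedded in it are constructed samples, one deliberately weak and one with the commands from the notes applied.

```python
"""Audit an IOS running-config text for the hardening settings listed above.

Added example (not from the original notes). The two configs below are
constructed samples; the checks cover security passwords min-length,
service password-encryption, login block-for, exec-timeout on console and
aux lines, banner motd, and secure boot-image / secure boot-config.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: deliberately weak in several places.
WEAK_CONFIG = """\
hostname Boston
security passwords min-length 8
service password-encryption
secure boot-image
!
banner motd ^CUnauthorized access prohibited^C
!
line con 0
 exec-timeout 0 0
line aux 0
 login
line vty 0 4
 exec-timeout 3 30
 transport input ssh
!
end
"""

# Constructed sample: the same router with the settings from the notes applied.
HARDENED_CONFIG = """\
hostname Boston
security passwords min-length 10
service password-encryption
login block-for 100 attempts 2 within 100
secure boot-image
secure boot-config
!
banner motd ^CUnauthorized access prohibited^C
!
line con 0
 exec-timeout 3 30
line aux 0
 exec-timeout 3 30
line vty 0 4
 exec-timeout 3 30
 transport input ssh
!
end
"""

Finding = Tuple[str, str]   # (check id, human-readable detail)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and the indented sub-lines that
    belong to each top-level line (for example the commands under 'line con 0')."""
    top: List[str] = []
    children: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' separates sections in IOS output
            continue
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children[current] = []
    return top, children


def audit(text: str) -> List[Finding]:
    """Return one finding per hardening setting that is missing or too weak."""
    top, children = parse_config(text)
    findings: List[Finding] = []

    min_len = None
    for line in top:
        m = re.match(r"security passwords min-length (\d+)$", line)
        if m:
            min_len = int(m.group(1))
    if min_len is None or min_len < 10:
        findings.append(("min-length", f"security passwords min-length is {min_len}, want >= 10"))

    if "service password-encryption" not in top:
        findings.append(("password-encryption", "service password-encryption not set"))

    if not any(line.startswith("login block-for") for line in top):
        findings.append(("login-block", "no login block-for configured"))

    # exec-timeout 0 0 disables the idle timeout entirely, so treat it like a missing one.
    for line in top:
        if line.startswith(("line con", "line aux")):
            timeout = next((c for c in children[line] if c.startswith("exec-timeout")), None)
            if timeout is None or timeout == "exec-timeout 0 0":
                findings.append(("exec-timeout", f"{line}: exec-timeout missing or disabled"))

    if not any(line.startswith("banner motd") for line in top):
        findings.append(("banner", "no banner motd configured"))

    for cmd in ("secure boot-image", "secure boot-config"):
        if cmd not in top:
            findings.append(("bootset", f"{cmd} not set"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for check, detail in result:
            print(f"  [{check}] {detail}")
```

The parser relies only on the one-space indentation IOS uses for sub-mode commands, so the same `parse_config` can be reused to check vty lines or interface blocks; the weak sample yields five findings and the hardened one none.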
Mitigating threats and attacks with ACLs
access-list 10 permit 192.168.3.0 0.0.0.255    filter on source address
access-list 101 permit tcp 172.31.9.0 0.0.0.255 any eq 80    filter on several attributes: protocol type, IP address, port
Filtering network traffic to mitigate threats
IP address spoofing mitigation: inbound
R2(config)#access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
R2(config)#access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
R2(config)#access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
R2(config)#access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
R2(config)#access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
R2(config)#access-list 150 deny ip host 255.255.255.255 any log
R2(config)#access-list 150 permit ip any 10.2.1.0 0.0.0.255
R2(config)#interface e0/0
R2(config-if)#ip access-group 150 in
R2(config-if)#exit
IP address spoofing mitigation: outbound
R2(config)#access-list 105 permit ip 10.2.1.0 0.0.0.255 any
R2(config)#access-list 105 deny ip any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 105 in
R2(config-if)#end
Mitigating TCP SYN DoS attacks by blocking external access
R2(config)#access-list 109 permit tcp any 10.2.1.0 0.0.0.255 established
R2(config)#access-list 109 deny ip any any log
R2(config)#interface e0/0
R2(config-if)#ip access-group 109 in
R2(config-if)#end
Mitigating TCP SYN DoS attacks with TCP Intercept
R2(config)#ip tcp intercept list 110
R2(config)#access-list 110 permit tcp any 10.2.1.0 0.0.0.255
R2(config)#access-list 110 deny ip any any
R2(config)#interface e0/0
R2(config-if)#ip access-group 110 in
R2(config-if)#end
Blocking directed broadcasts: no ip directed-broadcast
R2(config)#access-list 111 deny ip any host 10.2.1.255 log
R2(config)#access-list 111 permit ip any 10.2.1.0 0.0.0.255 log
R2(config)#access-list 112 deny ip any host 10.1.1.255 log
R2(config)#access-list 112 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)#interface e0/0
R2(config-if)#ip access-group 111 in
R2(config-if)#end
R2(config)#interface e0/1
R2(config-if)#ip access-group 112 in
R2(config-if)#end
Filtering inbound ICMP messages
access-list 112 deny icmp any any echo log
access-list 112 deny icmp any any redirect log
access-list 112 deny icmp any any mask-request log
access-list 112 permit icmp any 10.2.1.0 0.0.0.255
(access-list 112 permit icmp host 10.0.0.138 host 10.0.0.101
 access-list 112 permit icmp host 10.0.0.101 host 10.0.0.138)
R2(config)#interface e0/0
R2(config-if)#ip access-group 112 in
R2(config-if)#end
Filtering outbound ICMP messages
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any echo
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any parameter-problem
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any packet-too-big
R2(config)#access-list 114 permit icmp 10.2.1.0 0.0.0.255 any source-quench
R2(config)#access-list 114 deny icmp any any log
R2(config)#interface e0/1
R2(config-if)#ip access-group 114 in
R2(config-if)#end
Filtering UDP traceroute messages
R2(config)#access-list 120 deny udp any any range 33400 34400 log
R2(config)#access-list 120 permit ip any 10.1.1.0 0.0.0.255 log
R2(config)#interface e0/1
R2(config-if)#ip access-group 120 in
R2(config-if)#end
Mitigating distributed DoS attacks
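Whether an ACL such as 150 actually blocks what the notes say it blocks comes down to wildcard-mask arithmetic and first-match ordering. The block below is an added example, not part of the original notes or of any Cisco tool: it parses the anti-spoofing ACL 150 exactly as written above, implements Cisco wildcard semantics (a 1 bit in the wildcard means "don't care"), evaluates first match with the implicit deny at the end, and runs a few constructed inbound packets through it to show which entry each one hits. Only the address forms that ACL uses (`any`, `host`, address plus wildcard) are parsed; port qualifiers are not.

```python
"""Evaluate Cisco-style ACL entries against sample packets.

Added example (not from the original notes): it implements wildcard-mask
matching, first-match evaluation and the implicit deny, then runs the
anti-spoofing ACL 150 above against constructed packets. Only the address
forms used in that ACL (any, host, address + wildcard) are parsed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 150 as written in the notes, without the R2(config)# prompt.
ACL_150 = """\
access-list 150 deny ip 10.2.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 10.2.1.0 0.0.0.255
"""

AddrSpec = Tuple[int, int]          # (base address, wildcard mask) as integers
ANY: AddrSpec = (0, 0xFFFFFFFF)     # 'any' = 0.0.0.0 with an all-ones wildcard


@dataclass
class Ace:
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", "icmp"
    src: AddrSpec
    dst: AddrSpec
    log: bool
    text: str        # original line, so a hit can be reported


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: int, spec: AddrSpec) -> bool:
    """Cisco wildcard semantics: the packet address must equal the base only
    on the bits where the wildcard is 0; wildcard 1 bits are ignored."""
    base, wild = spec
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        # access-list <number> <permit|deny> <proto> <src> <dst> [log]
        action, proto = t[2], t[3]
        src, i = parse_addr(t, 4)
        dst, i = parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst, "log" in t[i:], line))
    return aces


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = ip_int(src), ip_int(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(s, ace.src) and wildcard_match(d, ace.dst):
            return ace.action, ace.text
    return "deny", None   # implicit "deny ip any any" at the end of every ACL


if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    # Constructed packets arriving inbound on e0/0, the interface in front of 10.2.1.0/24.
    samples = [
        ("10.2.1.5", "10.2.1.9"),      # outside packet claiming an inside source address
        ("172.20.4.4", "10.2.1.9"),    # RFC 1918 source, caught by the 172.16.0.0 0.15.255.255 entry
        ("198.51.100.7", "10.2.1.9"),  # legitimate traffic to the inside network
        ("198.51.100.7", "10.9.9.9"),  # not destined for the inside network: implicit deny
    ]
    for src, dst in samples:
        action, hit = evaluate(acl, "tcp", src, dst)
        print(f"{src:>14} -> {dst:<10} {action:6} {hit or '(implicit deny)'}")
```

Because `parse_acl` keeps the original line with each entry, the output tells you which entry logged a hit, which is what you compare against the `log` messages on the router when an ACL does not behave as expected.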
#############################################################################
Configuring SSH for secure management and reporting
Austin2#configure terminal
Austin2(config)#ip domain-name cisco.com
Austin2(config)#crypto key generate rsa general-keys modulus 1024
Sept 22 13:20:45: %SSH-5-ENABLED: SSH 1.5 has been enabled
Austin2(config)#ip ssh timeout 120
Austin2(config)#ip ssh authentication-retries 4
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet
Austin2(config-line)#transport input ssh
Austin2(config-line)#end
Logging
R3(config)#logging 10.0.0.110    syslog host
R3(config)#logging trap informational    severity level
R3(config)#logging source-interface fa0/0    source interface
R3(config)#logging on    enable logging
Install the syslog client on 10.0.0.110
SNMP
NTP
#############################################################################
AAA
Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.229.76 single-connection
Router(config)#tacacs-server key share1
Router(config)#radius-server host 192.178.229.76
Router(config)#radius-server key shared1
Router(config)#aaa authentication login default group tacacs+ local line
Router#debug aaa authentication
Router(config)#aaa authorization exec default group radius local none
Router#debug aaa authorization
R2(config)#aaa accounting exec default start-stop group tacacs+
Router#debug aaa accounting
#############################################################################
Firewall
Packet filtering
Router(config)# access-list 100 permit tcp any 16.1.1.0 0.0.0.255 established
Router(config)# access-list 100 deny ip any any log
Router(config)# interface Serial0/0
Router(config-if)# ip access-group 100 in
Router(config-if)# end
Firewall implementation
Configuring the firewall from the CLI
Router(config)#logging on
Router(config)#logging host 10.0.0.3
Router(config)#ip inspect audit-trail    send audit-trail messages for inspected traffic to syslog
Router(config)#no ip inspect alert-off    enable real-time alerts
Router(config)#ip inspect name FWRULE smtp alert on audit-trail on timeout 300
Router(config)#ip inspect name FWRULE ftp alert on audit-trail on timeout 300
Router(config)#interface e0/0
Router(config-if)#ip inspect FWRULE in    apply the inspection rule to the interface in the inbound direction
show ip inspect name inspection-name
show ip inspect config
show ip inspect interfaces
show ip inspect session [detail]
show ip inspect statistics
show ip inspect all    display inspection rules, interface configuration, sessions and statistics
debug ip inspect function-trace
debug ip inspect object-creation
debug ip inspect object-deletion
debug ip inspect events
debug ip inspect timers
debug ip inspect detail    global debugging
debug ip inspect protocol    protocol-specific debugging
Basic and Advanced Firewall wizards
2-interface / 3-interface (SDM)
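The difference between the packet-filtering ACL at the top of this section and the `ip inspect` rule is state: the inspection rule applied inbound on e0/0 records the sessions inside hosts open and lets only their return traffic back in through the outside interface, and idle entries age out after the configured timeout (300 s above). The block below is an added example, not the IOS implementation or any code from the original notes: a toy session table that models that behaviour at the transport layer (tcp/udp idle timeouts) and records what the audit trail would log. The smtp and ftp application-layer inspection from the notes is not modelled, and all traffic in it is constructed.

```python
"""Toy model of the stateful inspection configured with ip inspect above.

Added example (not from the original notes or the IOS implementation). The
inspection rule is applied inbound on the inside interface e0/0; sessions
opened from the inside are recorded and only matching return traffic is let
in from the outside, where the static ACL would otherwise deny everything.
Idle sessions expire after the per-protocol timeout (300 s as in the notes).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


SessionKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class Inspector:
    def __init__(self, timeouts: Dict[str, int]):
        # proto -> idle timeout in seconds, like "ip inspect name FWRULE tcp timeout 300"
        self.timeouts = timeouts
        self.sessions: Dict[SessionKey, float] = {}   # key -> time last seen
        self.audit_trail: List[str] = []              # what "ip inspect audit-trail" would log

    @staticmethod
    def key(p: Packet) -> SessionKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> SessionKey:
        # The return packet has source and destination swapped.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now: float) -> None:
        """Drop sessions idle longer than their protocol's timeout."""
        for k, last_seen in list(self.sessions.items()):
            if now - last_seen > self.timeouts[k[0]]:
                del self.sessions[k]
                self.audit_trail.append(f"t={now:.0f} session timeout {k}")

    def inside_in(self, p: Packet, now: float) -> bool:
        """Packet entering e0/0 from an inside host: forwarded, and if its
        protocol is inspected a session entry opens the return path."""
        self.expire(now)
        if p.proto in self.timeouts:
            k = self.key(p)
            if k not in self.sessions:
                self.audit_trail.append(f"t={now:.0f} session start {k}")
            self.sessions[k] = now
        return True

    def outside_in(self, p: Packet, now: float) -> bool:
        """Packet entering from the outside: permitted only as return traffic
        of a live session; everything else falls to the interface ACL's deny."""
        self.expire(now)
        r = self.reverse_key(p)
        if r in self.sessions:
            self.sessions[r] = now
            return True
        self.audit_trail.append(f"t={now:.0f} denied unsolicited {self.key(p)}")
        return False


def run_scenario() -> Tuple[List[bool], Inspector]:
    """Constructed traffic: an inside SMTP client, the server's reply, an
    unsolicited inbound connection, and a reply arriving after the idle timeout."""
    fw = Inspector({"tcp": 300, "udp": 30})
    out = Packet("tcp", "10.2.1.5", 40000, "198.51.100.20", 25)
    back = Packet("tcp", "198.51.100.20", 25, "10.2.1.5", 40000)
    unsolicited = Packet("tcp", "198.51.100.20", 25, "10.2.1.7", 40000)
    results = [
        fw.inside_in(out, now=0),           # inside host opens the session
        fw.outside_in(back, now=1),         # reply matches the recorded session
        fw.outside_in(unsolicited, now=2),  # no session for this 5-tuple: denied
        fw.outside_in(back, now=400),       # idle longer than 300 s: expired, denied
    ]
    return results, fw


if __name__ == "__main__":
    results, fw = run_scenario()
    print(results)
    print("\n".join(fw.audit_trail))
```

The fourth packet is the one worth noticing when tuning `timeout`: a long-lived but quiet session is cut off once it exceeds the idle timeout, so the value chosen for each protocol should reflect how long legitimate sessions of that protocol go silent.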


czywf