我考网 (Woexam.Com)

[Other] Cisco certification: common router ACLs and some simple protection tips

Posted 2012-8-3 10:16:48
1. Simple protection against IP spoofing, for example filtering non-public addresses that try to reach the internal network. Filter: your own internal network addresses; the loopback range (127.0.0.0/8); RFC 1918 private addresses; DHCP self-assigned (link-local) addresses (169.254.0.0/16); the test address block used by technical-document authors (192.0.2.0/24); unused multicast addresses (224.0.0.0/4); Sun's old test addresses (20.20.20.0/24; 204.152.64.0/23); and the all-zeros "this network" block (0.0.0.0/8).
  Router(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
  Router(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
  Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
  Router(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
  Router(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any
  Router(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any
  Router(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
  Router(config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any
  ! a /23 takes the wildcard 0.0.1.255; 0.0.2.255 is non-contiguous and would skip 204.152.65.0/24
  Router(config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any
  Router(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any
  Router(config)# access-list 100 permit ip any any
  ! apply inbound on the Internet-facing interface
  Router(config-if)# ip access-group 100 in
  2. It is recommended to use an access list to enforce that addresses leaving the internal network must belong to the internal network (optional). For example:
  Router(config)# no access-list 101
  Router(config)# access-list 101 permit ip 192.168.0.0 0.0.255.255 any
  Router(config)# access-list 101 deny ip any any
  Router(config)# interface eth 0/1
  Router(config-if)# description "internet Ethernet"
  Router(config-if)# ip address 192.168.0.254 255.255.255.0
  Router(config-if)# ip access-group 101 in
  Other options:
  1. It is recommended to enable SSH and disable Telnet. However, only IOS images with the IPSec feature set support SSH, and IOS 12.0 to 12.2 support only SSH v1. An example of configuring the SSH service:
  Router# configure terminal
  Router(config)# no access-list 22
  Router(config)# access-list 22 permit 192.168.0.22
  Router(config)# access-list 22 deny any
  ! no secret is set on this account here; 'login local' below needs one
  Router(config)# username test privilege 10
  ! set the SSH timeout and the number of login attempts
  ! (most IOS releases reject these two commands until the RSA key pair exists;
  ! if so, run the crypto key generate rsa step first)
  Router(config)# ip ssh time-out 90
  Router(config)# ip ssh authentication-retries 2
  Router(config)# line vty 0 4
  Router(config-line)# access-class 22 in
  Router(config-line)# transport input ssh
  Router(config-line)# login local
  Router(config-line)# exit
  ! enable the SSH service: generate an RSA key pair
  Router(config)# crypto key generate rsa
  The name for the keys will be: router.xxx
  Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
  How many bits in the modulus [512]: 2048
  Generating RSA Keys...
  Router(config)#
  2. Defence against TCP SYN attacks. For example:
  A: Using an access list.
  Router(config)# no access-list 106
  Router(config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
  Router(config)# access-list 106 deny ip any any
  Router(config)# interface eth 0/2
  Router(config-if)# description "external Ethernet"
  Router(config-if)# ip address 192.168.1.254 255.255.255.0
  Router(config-if)# ip access-group 106 in
  B: Using TCP Intercept. (This adds extra load on the router.)
  Router(config)# ip tcp intercept list 107
  Router(config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
  Router(config)# access-list 107 deny ip any any
  Router(config)# interface eth0
  Router(config-if)# ip access-group 107 in
  3. Defence against the LAND.C attack.
  ! standalone example that reuses list number 107 from B above; on a real box use a
  ! free number (or clear 107 first), otherwise these lines are appended after B's
  ! 'deny ip any any' and are never reached
  Router(config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254
  Router(config)# access-list 107 permit ip any any
  Router(config)# interface eth 0/2
  Router(config-if)# ip address 192.168.1.254 255.255.255.0
  Router(config-if)# ip access-group 107 in
  4. Defence against Smurf attacks.
  Router(config)# access-list 108 deny ip any host 192.168.1.255
  Router(config)# access-list 108 deny ip any host 192.168.1.0
  Router(config)# access-list 108 permit ip any any
  Router(config-if)# ip access-group 108 in
Original poster | Posted 2012-8-3 10:16:49

  5. Secure ICMP configuration. For incoming ICMP traffic we should block the ICMP ECHO, Redirect and Mask Request types, and also block probing with the TraceRoute command. For outgoing ICMP traffic we can allow ECHO, Parameter Problem and Packet Too Big, and also the use of the TraceRoute command.
  ! outbound ICMP Control
  Router(config)# access-list 110 deny icmp any any echo
  Router(config)# access-list 110 deny icmp any any redirect
  Router(config)# access-list 110 deny icmp any any mask-request
  Router(config)# access-list 110 permit icmp any any
  ! Inbound ICMP Control
  Router(config)# access-list 111 permit icmp any any echo
  Router(config)# access-list 111 permit icmp any any parameter-problem
  Router(config)# access-list 111 permit icmp any any packet-too-big
  Router(config)# access-list 111 permit icmp any any source-quench
  Router(config)# access-list 111 deny icmp any any
  ! Outbound TraceRoute Control
  Router(config)# access-list 112 deny udp any any range 33400 34400
  ! Inbound TraceRoute Control
  ! this uses the same list number as the outbound entry above; appended to 112 the
  ! permit sits behind a deny for the same ports and never matches, so the two
  ! directions need two separate lists
  Router(config)# access-list 112 permit udp any any range 33400 34400
  6. Defence against DDoS (Distributed Denial of Service).
  ! The TRINOO DDoS system
  Router(config)# access-list 113 deny tcp any any eq 27665
  Router(config)# access-list 113 deny udp any any eq 31335
  Router(config)# access-list 113 deny udp any any eq 27444
  ! The Stacheldraht DDoS system
  Router(config)# access-list 113 deny tcp any any eq 16660
  Router(config)# access-list 113 deny tcp any any eq 65000
  ! The Trinity v3 system
  Router(config)# access-list 113 deny tcp any any eq 33270
  Router(config)# access-list 113 deny tcp any any eq 39168
  ! The SubSeven DDoS system and some variants
  Router(config)# access-list 113 deny tcp any any range 6711 6712
  Router(config)# access-list 113 deny tcp any any eq 6776
  Router(config)# access-list 113 deny tcp any any eq 6669
  Router(config)# access-list 113 deny tcp any any eq 2222
  Router(config)# access-list 113 deny tcp any any eq 7000
  Router(config)# access-list 113 permit ip any any
  Router(config-if)# ip access-group 113 in
$ \2 r! |; ^4 r$ }  7、 Sql蠕虫的提防
* H. B# l) A, a2 ?( O  Router(Config)# access-list 114 deny udp any any eq 14343 u! N$ A0 N" D3 s0 C3 d
  Router(Config)# access-list 114 permit ip any any0 ~& }1 g1 y0 A8 c7 e
  Router(Config-if)# ip access-group 114 in
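A worked example serving both posts (the spoofing, egress and SYN lists in the first, the ICMP, traceroute and DDoS-port lists in the second). It is added here and is not code from the post or from Cisco: a small Python evaluator for the subset of the numbered IOS access-list syntax used above (ip/tcp/udp/icmp, any/host/wildcard addresses, eq, range, established, named ICMP types). The sample lists BOGON_IN, SYN_IN and TRACEROUTE and the packets are constructed for illustration; the ICMP type numbers are the standard IANA values. It applies first-match and implicit-deny semantics, shows why a /23 needs the wildcard 0.0.1.255 rather than 0.0.2.255, and flags entries that an earlier entry in the same list makes unreachable, which is what happens when several snippets reuse one list number.

```python
"""Evaluator for numbered Cisco IOS extended access lists: first-match / implicit-deny on
sample packets, plus detection of entries that an earlier entry in the same list shadows.
Added example, not the post's code; the lists and packets below are constructed."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ICMP_TYPES = {"echo": 8, "echo-reply": 0, "redirect": 5, "mask-request": 17,
              "parameter-problem": 12, "packet-too-big": 3, "source-quench": 4}
ANY = ("0.0.0.0", "255.255.255.255")   # (network, wildcard) meaning 'any'
Packet = namedtuple("Packet", "src dst proto dport ack icmp_type",
                    defaults=("ip", 0, False, None))   # ack: ACK or RST flag set

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'; it need not be contiguous."""
    keep = ~_ip(wildcard) & 0xFFFFFFFF
    return _ip(addr) & keep == _ip(network) & keep

@dataclass
class Entry:
    action: str
    proto: str                  # ip | tcp | udp | icmp
    src: tuple                  # (network, wildcard)
    dst: tuple
    ports: tuple = None         # (low, high) destination port range
    established: bool = False   # tcp 'established' keyword
    icmp_type: int = None
    text: str = ""

def _addr(tok):
    """Consume one address spec: any | host A | A WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_entry(line):
    tok = line.split()
    tok = tok[tok.index("access-list") + 2:]        # drop the prompt and the list number
    e = Entry(tok.pop(0), tok.pop(0), _addr(tok), _addr(tok), text=line.strip())
    while tok:
        q = tok.pop(0)
        if q == "eq":
            e.ports = (int(tok[0]), int(tok.pop(0)))
        elif q == "range":
            e.ports = (int(tok.pop(0)), int(tok.pop(0)))
        elif q == "established":
            e.established = True
        elif q.lower() in ICMP_TYPES:
            e.icmp_type = ICMP_TYPES[q.lower()]
        else:
            raise ValueError(f"unsupported qualifier {q!r} in: {line.strip()}")
    return e

def load(config_text):
    """Parse every access-list line of a snippet; a 'no access-list N' reset is skipped."""
    entries = []
    for line in config_text.strip().splitlines():
        words = line.split()
        if "access-list" in words and "no" not in words[:words.index("access-list")]:
            entries.append(parse_entry(line))
    return entries

def matches(e, p):
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and (e.ports is None or e.ports[0] <= p.dport <= e.ports[1])
            and (not e.established or p.ack)
            and (e.icmp_type is None or e.icmp_type == p.icmp_type))

def evaluate(entries, p):
    """The first matching entry decides; no match is the implicit deny."""
    return next((e.action for e in entries if matches(e, p)), "deny")

def _covers(a, b):
    """True if address spec a contains every address of spec b."""
    return (_ip(b[1]) & ~_ip(a[1]) & 0xFFFFFFFF) == 0 and wildcard_match(b[0], a[0], a[1])

def shadowed(entries):
    """Text of entries that never match because an earlier entry already covers them."""
    return [e.text for i, e in enumerate(entries)
            if any(f.proto in ("ip", e.proto) and _covers(f.src, e.src) and _covers(f.dst, e.dst)
                   and not f.established and f.icmp_type is None
                   and (f.ports is None or f.ports == e.ports) for f in entries[:i])]

# Constructed sample lists (not the post's own) in the same numbered syntax.
BOGON_IN = """
Router(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Router(config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any
Router(config)# access-list 100 permit ip any any
"""
SYN_IN = """
Router(config)# no access-list 106
Router(config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
"""
TRACEROUTE = """
Router(config)# access-list 112 deny udp any any range 33400 34400
Router(config)# access-list 112 permit udp any any range 33400 34400
"""
```

Usage: `evaluate(load(BOGON_IN), Packet("172.31.9.9", "192.168.0.5"))` returns "deny" and `Packet("172.32.0.1", ...)` returns "permit", which is the 172.16.0.0/12 boundary the wildcard 0.15.255.255 encodes; `wildcard_match("204.152.65.7", "204.152.64.0", "0.0.2.255")` is False because that mask leaves bit 1 of the third octet free instead of bit 0, so it covers 204.152.64.0/24 and 204.152.66.0/24 but not 204.152.65.0/24. `evaluate(load(SYN_IN), Packet("1.2.3.4", "192.168.0.9", "tcp", 80))` is "deny" for a bare SYN and "permit" once `ack=True`, and `shadowed(load(TRACEROUTE))` returns the permit line, which is why the inbound and outbound traceroute rules cannot share one list number. The shadow check is deliberately conservative: it only reports an entry when a single earlier entry covers it completely, so it never produces a false alarm but can miss an entry covered only by the union of several earlier ones.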