[CCNA] CCNA guide: common router ACLs and a brief introduction to some simple protections

Posted on 2012-8-3 20:28:11
1. Basic protection against IP spoofing: for example, filtering non-public addresses from reaching the internal network. Filter your own internal network addresses; the loopback range (127.0.0.0/8); RFC 1918 private addresses; the DHCP self-assigned range (169.254.0.0/16); the range reserved for documentation authors' tests (192.0.2.0/24); unused multicast addresses (224.0.0.0/4); Sun's old test addresses (20.20.20.0/24; 204.152.64.0/23); and the all-zeros network (0.0.0.0/8).
  Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
  Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
  Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any
  Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any
  Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
  Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any
  Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any
  Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 permit ip any any
  Router(Config-if)# ip access-group 100 in
2. It is recommended to use an access list to require that the source addresses of traffic leaving the internal network belong to the internal network (optional). For example:
  Router(Config)# no access-list 101
  Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.255.255 any
  Router(Config)# access-list 101 deny ip any any
  Router(Config)# interface eth 0/1
  Router(Config-if)# description "internet Ethernet"
  Router(Config-if)# ip address 192.168.0.254 255.255.255.0
  Router(Config-if)# ip access-group 101 in
Other optional items:
1. Enable SSH and drop Telnet. Only IOS images that carry the IPSec feature set support SSH, and IOS 12.0 through 12.2 support only SSH v1. An example SSH service configuration:
  Router# config t
  Router(Config)# no access-list 22
  Router(Config)# access-list 22 permit 192.168.0.22
  Router(Config)# access-list 22 deny any
  Router(Config)# username test privilege 10
  ! Set the SSH timeout and the number of login attempts
  Router(Config)# ip ssh timeout 90
  Router(Config)# ip ssh authentication-retries 2
  Router(Config)# line vty 0 4
  Router(Config-line)# access-class 22 in
  Router(Config-line)# transport input ssh
  Router(Config-line)# login local
  Router(Config-line)# exit
  ! Enable the SSH service by generating an RSA key pair.
  Router(Config)# crypto key generate rsa
  The name for the keys will be: router.xxx
  Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
  How many bits in the modulus [512]: 2048
  Generating RSA Keys...
  Router(Config)#
2. Defending against TCP SYN floods. For example:
  A: Using an access list.
  Router(Config)# no access-list 106
  Router(Config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
  Router(Config)# access-list 106 deny ip any any
  Router(Config)# interface eth 0/2
  Router(Config-if)# description "external Ethernet"
  Router(Config-if)# ip address 192.168.1.254 255.255.255.0
  Router(Config-if)# ip access-group 106 in
Original poster | Posted on 2012-8-3 20:28:12
  B: Using TCP intercept. (This adds some load to the router.)
  Router(Config)# ip tcp intercept list 107
  Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
  Router(Config)# access-list 107 deny ip any any
  Router(Config)# interface eth0
  Router(Config-if)# ip access-group 107 in
3. Defending against the LAND attack (land.c).
  Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254
  Router(Config)# access-list 107 permit ip any any
  Router(Config)# interface eth 0/2
  Router(Config-if)# ip address 192.168.1.254 255.255.255.0
  Router(Config-if)# ip access-group 107 in
4. Defending against Smurf attacks.
  Router(Config)# access-list 108 deny ip any host 192.168.1.255
  Router(Config)# access-list 108 deny ip any host 192.168.1.0
  Router(Config)# access-list 108 permit ip any any
  Router(Config-if)# ip access-group 108 in
5. Secure ICMP configuration. For inbound ICMP traffic we block ICMP echo, redirect and mask request, and we also block traceroute probes. For outbound ICMP traffic we can allow echo, parameter problem and packet too big, as well as the use of traceroute.
  ! Inbound ICMP control
  Router(Config)# access-list 110 deny icmp any any echo
  Router(Config)# access-list 110 deny icmp any any redirect
  Router(Config)# access-list 110 deny icmp any any mask-request
  Router(Config)# access-list 110 permit icmp any any
  ! Outbound ICMP control
  Router(Config)# access-list 111 permit icmp any any echo
  Router(Config)# access-list 111 permit icmp any any parameter-problem
  Router(Config)# access-list 111 permit icmp any any packet-too-big
  Router(Config)# access-list 111 permit icmp any any source-quench
  Router(Config)# access-list 111 deny icmp any any
  ! Inbound traceroute control
  Router(Config)# access-list 112 deny udp any any range 33400 34400
  ! Outbound traceroute control
  Router(Config)# access-list 112 permit udp any any range 33400 34400
6. Defending against DDoS (Distributed Denial of Service).
  ! The TRINOO DDoS system
  Router(Config)# access-list 113 deny tcp any any eq 27665
  Router(Config)# access-list 113 deny udp any any eq 31335
  Router(Config)# access-list 113 deny udp any any eq 27444
  ! The Stacheldraht DDoS system
  Router(Config)# access-list 113 deny tcp any any eq 16660
  Router(Config)# access-list 113 deny tcp any any eq 65000
  ! The Trinity v3 system
  Router(Config)# access-list 113 deny tcp any any eq 33270
  Router(Config)# access-list 113 deny tcp any any eq 39168
  ! The SubSeven DDoS system and some variants
  Router(Config)# access-list 113 deny tcp any any range 6711 6712
  Router(Config)# access-list 113 deny tcp any any eq 6776
  Router(Config)# access-list 113 deny tcp any any eq 6669
  Router(Config)# access-list 113 deny tcp any any eq 2222
  Router(Config)# access-list 113 deny tcp any any eq 7000
  Router(Config)# access-list 113 permit ip any any
  Router(Config-if)# ip access-group 113 in
7. Defending against the SQL worm
  Router(Config)# access-list 114 deny udp any any eq 1434
  Router(Config)# access-list 114 permit ip any any
  Router(Config-if)# ip access-group 114 in