免费观看又色又爽又黄的小说免费_美女福利视频国产片_亚洲欧美精品_美国一级大黄大色毛片

強(qiáng)化路由器IOS安全-禁用不必要的服務(wù)

Cisco Discovery Protocol

創(chuàng)新互聯(lián)公司-專(zhuān)業(yè)網(wǎng)站定制、快速模板網(wǎng)站建設(shè)、高性?xún)r(jià)比蘇家屯網(wǎng)站開(kāi)發(fā)、企業(yè)建站全套包干低至880元,成熟完善的模板庫(kù),直接使用。一站式蘇家屯網(wǎng)站制作公司更省心,省錢(qián),快速模板網(wǎng)站建設(shè)找我們,業(yè)務(wù)覆蓋蘇家屯地區(qū)。費(fèi)用合理售后完善,10多年實(shí)體公司更值得信賴(lài)。

CDP:思科發(fā)現(xiàn)協(xié)議(CDP:Cisco Discovery Protocol),CDP基本上是用來(lái)獲取直連設(shè)備的協(xié)議地址以及發(fā)現(xiàn)這些設(shè)備的平臺(tái)。支持ATM, Ethernet, FDDI, frame relay, HDLC, PPP, token ring.

CDP協(xié)議能獲取如下信息:

1.    cisco設(shè)備名字

2.    cisco設(shè)備類(lèi)型,型號(hào)

3.    設(shè)備運(yùn)行IOS的version

4.    設(shè)備功能,Eg:路由器,交換機(jī)或是其他

5.    三層接口地址

6.    設(shè)備獲取cdp信息來(lái)源

 

Eg:

Router#show cdp neighbors detail

-------------------------

Device ID: R1

Entry address(es):

  IP address: 12.12.12.1

Platform: Cisco 7206VXR,  Capabilities: Router

Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet1/0

Holdtime : 166 sec

 

Version :

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Fri 11-Jul-08 04:22 by prod_rel_team

 

advertisement version: 2

Duplex: full

 

禁用CDP協(xié)議:邊界路由器一般都需要關(guān)閉該功能

Router(config)#no cdp run--------全局模式下,對(duì)所有接口生效

 

Router(config-if)#no cdp enable-------------接口模式下禁用,針對(duì)當(dāng)前接口

 

==============================================================================TCP and UDP Small Servers

 

關(guān)閉TCP和UDP的一些無(wú)用的小服務(wù),這些小服務(wù)的端口小于19,通常用在以前的UNIX環(huán)境中,如chargen,daytime等。

Eg:

R1#telnet 12.12.12.1 daytime

Trying 12.12.12.1, 13 ... Open

Saturday, July 7, 2012 23:57:19-UTC

 

[Connection to 12.12.12.1 closed by foreign host]

 

Router(config)#no service tcp-small-servers

Router(config)#no service udp-small-servers

R1#telnet 12.12.12.1 daytime

Trying 12.12.12.1, 13 ...

% Connection refused by remote host

 

思科IOS 默認(rèn)是關(guān)閉的服務(wù)TCP小型服務(wù)器

==============================================================================

Finger

常用在UNIX中,用來(lái)確定誰(shuí)登陸到設(shè)備上,現(xiàn)在被E-mail和messenger取代。

Eg:

Router#telnet 12.12.12.1 finger

Trying 12.12.12.1, 79 ... Open

 

    Line       User       Host(s)              Idle       Location

   0 con 0                idle                 00:00:02  

*  2 vty 0                idle                 00:00:00 12.12.12.2

 

  Interface    User               Mode         Idle     Peer Address

 

[Connection to 12.12.12.1 closed by foreign host]

 

R1(config)# no ip finger

R1(config)#no service finger

 

Router#telnet 12.12.12.1 finger

Trying 12.12.12.1, 79 ...

% Connection refused by remote host

 

在絕大多數(shù)的IOS版本中,該特性默認(rèn)是禁用的,無(wú)論如何建議禁用該特性。

 

==============================================================================

IdentD

一個(gè)設(shè)備發(fā)送一個(gè)請(qǐng)求到Ident接口(TCP 113), 目標(biāo)會(huì)回答一個(gè)身份識(shí)別,如host名稱(chēng)或者設(shè)備名稱(chēng)。

Router(config)# no ip identd

 

通過(guò)telnet 113端口測(cè)試設(shè)備是否啟用了該服務(wù):

Router#telnet 12.12.12.1 113

Trying 12.12.12.1, 113 ... Open

 

IdentD默認(rèn)情況下是禁用的。

 

 

 

=============================================================== 

IP Source Routing

 ip source-routing欺騙類(lèi)似ARP***:A在內(nèi)網(wǎng), B,C在外網(wǎng),A信任B, C想訪(fǎng)問(wèn)A上的數(shù)據(jù)....于是它修改了自己的源IP地址,告訴A自己是B...并加入源路由信息,記下了來(lái)時(shí)的路徑這樣A按數(shù)據(jù)來(lái)的路返回給了C。

 如果 no了 ip source-route A發(fā)出的包會(huì)自己去尋找B,這樣,C還是得不到想要的。

 

默認(rèn)情況下該特性是開(kāi)啟的,禁用該特性:
Router(config)# no ip source-route

 

==============================================================================

FTP and TFTP

路由能提供FTP和TFTP的功能,通過(guò)該功能可以從一臺(tái)路由器copy Ios到另一條路由器。強(qiáng)烈建議禁止此功能。

 
默認(rèn)情況該功能是禁止的,禁止命令:Router(config)# no ftp-server enable

 

==============================================================================

HTTP/HTTPS

驗(yàn)證路由器是否有啟用web服務(wù):

Router#telnet 12.12.12.1 80 -------------------------ISP一般都會(huì)封掉80端口,需確認(rèn)HTTP服務(wù)是否指定到了其它端口。

Trying 12.12.12.1, 80 ... Open

 

Router#telnet 12.12.12.1 443

Trying 12.12.12.1, 443 ... Open

 

禁用web服務(wù)進(jìn)程:

Router(config)# no ip http server
 
Router(config)# no ip http secure-server

 

Router#telnet 12.12.12.1 80

Trying 12.12.12.1, 80 ...

% Connection refused by remote host

 

Router#telnet 12.12.12.1 443

Trying 12.12.12.1, 443 ...

% Connection refused by remote host

 

==============================================================================

SNMP

在路由器上禁用snmp需執(zhí)行如下操作:

Remove the default community strings from your router's configuration

Disable SNMP traps and the system shutdown feature

Disable the SNMP service

確認(rèn)路由器是否啟用了SNMP:
Router# show running-config | include snmp
 
Building configuration...
 
snmp-server community public RO
 
snmp-server community private RW
 
Router#
 

 

在路由器上禁用SNMP服務(wù):
Eg:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server

 

Eg:
Router# show snmp
 
%SNMP agent not enabled
默認(rèn)情況下,該服務(wù)是關(guān)閉的

 

=============================================================================

Name Resolution

路由器使用DNS解析域名:

Router(config)#ip domain-name cisco.com    

Router(config)#ip name-server 202.96.128.86

Router(config)#ip domain-lookup

 

在路由器上禁止DNS查詢(xún):

Router(config)# no ip domain-lookup

 

==============================================================================

BootP

BootP通常用在無(wú)盤(pán)網(wǎng)絡(luò)環(huán)境中,為工作站提供ip地址。

目前BootP在網(wǎng)絡(luò)環(huán)境中使用得很少

沒(méi)有認(rèn)證機(jī)制,任何人都能對(duì)BootP服務(wù)的路由器提出請(qǐng)求,容易遭遇Dos***

 

禁用BootP服務(wù):

Router(config)# no ip bootp server

 

==============================================================================

DHCP

DHCP服務(wù)在IOS中默認(rèn)都是禁止的,禁用命令:

Router(config)# no service dhcp------------禁止路由器充當(dāng)Dhcp server或提供Dhcp中繼服務(wù)

 

==============================================================================

PAD

PAD服務(wù)一般用在X.25網(wǎng)絡(luò)中為遠(yuǎn)端站點(diǎn)提供可靠連接,PAD服務(wù)提供對(duì)異步設(shè)備(terminals, IC-card readers, 和computers to public/private X.25 networks)的支持。

 

Router(config)# no service pad

 

=============================================================================

關(guān)閉自動(dòng)加載:

Router(config)#  no boot network-------------------------------------關(guān)閉路由器通過(guò)TFTP加載IOS啟動(dòng)
Router(config)#  no service config-------------------------關(guān)閉路由器加載IOS成功后通過(guò)TFTP加載配置文件

 

==============================================================================

Proxy ARP

IOS中Proxy ARP缺省是打開(kāi)的,通過(guò)在接口下no ip proxy-arp關(guān)閉

通過(guò)show ip interface查看接口是否使用了Proxy ARP。

Eg:

Router#show ip interface fastEthernet 1/0

FastEthernet1/0 is up, line protocol is up

  Internet address is 12.12.12.1/24

  Broadcast address is 255.255.255.255

  Address determined by setup command

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  Local Proxy ARP is disabled

 

==============================================================================

Directed Broadcasts

不同于本地廣播,直連廣播是能夠被路由的,某些DoS***通過(guò)在網(wǎng)絡(luò)中泛洪直連廣播來(lái)***網(wǎng)絡(luò)。

查看是否啟用了直連廣播:Router# show ip interface

Eg:

Router#show ip interface fastEthernet 1/0

FastEthernet1/0 is up, line protocol is up

  Internet address is 12.12.12.1/24

  Broadcast address is 255.255.255.255

  Address determined by setup command

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

 

禁用接口上的直連廣播:

Router(config-if)# no ip directed-broadcast

 

==============================================================================

ICMP Messages

網(wǎng)絡(luò)***能夠通過(guò)如下三種icmp messages***或勘察網(wǎng)絡(luò):

ICMP unreachables

ICMP redirects

ICMP mask replies

 

禁用ICMP:

Router(config-if)# no ip unreachable

Router(config-if)# no ip redirect
Router(config-if)# no ip mask-reply
 
Eg:
Router#show ip interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
  Internet address is 12.12.12.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent

 

==============================================================================

 

Maintenance Operation Protocol

MOP協(xié)議廣泛應(yīng)用在DEC設(shè)備中,主要有一下幾個(gè)功能:

1. 上傳或下載的系統(tǒng)軟件

2. 遠(yuǎn)程測(cè)試

3. 問(wèn)題故障診斷

 

關(guān)閉路由器對(duì)二層DECnet協(xié)議的支持:

Router(config)# interface type [slot_#/]port_#
Router(config-if)# no mop enable
 
==============================================================================

在關(guān)閉某些服務(wù)之前應(yīng)了解網(wǎng)絡(luò)中是否要只用這些服務(wù),以免關(guān)閉后出現(xiàn)意想不到的問(wèn)題。

參考:

Cisco Router Firewall Security  By Richard A. Deal

當(dāng)前題目:強(qiáng)化路由器IOS安全-禁用不必要的服務(wù)
轉(zhuǎn)載源于:http://m.newbst.com/article42/ijpphc.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián),為您提供軟件開(kāi)發(fā)ChatGPT品牌網(wǎng)站制作移動(dòng)網(wǎng)站建設(shè)網(wǎng)頁(yè)設(shè)計(jì)公司網(wǎng)站策劃

廣告

聲明:本網(wǎng)站發(fā)布的內(nèi)容(圖片、視頻和文字)以用戶(hù)投稿、用戶(hù)轉(zhuǎn)載內(nèi)容為主,如果涉及侵權(quán)請(qǐng)盡快告知,我們將會(huì)在第一時(shí)間刪除。文章觀(guān)點(diǎn)不代表本網(wǎng)站立場(chǎng),如需處理請(qǐng)聯(lián)系客服。電話(huà):028-86922220;郵箱:631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載,或轉(zhuǎn)載時(shí)需注明來(lái)源: 創(chuàng)新互聯(lián)

成都app開(kāi)發(fā)公司