Cisco Discovery Protocol
CDP (Cisco Discovery Protocol) is used mainly to learn the protocol addresses of directly connected devices and to discover the platforms those devices run. It is supported over ATM, Ethernet, FDDI, Frame Relay, HDLC, PPP and Token Ring.
CDP discloses the following information:
1. The Cisco device's name
2. The device type and model
3. The IOS version the device is running
4. The device's capabilities, e.g. router, switch or other
5. Layer-3 interface addresses
6. The interface through which the CDP information was received
Example:
Router#show cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
IP address: 12.12.12.1
Platform: Cisco 7206VXR, Capabilities: Router
Interface: FastEthernet1/0, Port ID (outgoing port): FastEthernet1/0
Holdtime : 166 sec
Version :
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 11-Jul-08 04:22 by prod_rel_team
advertisement version: 2
Duplex: full
Disabling CDP: border routers should generally have this feature turned off.
Router(config)#no cdp run -------- global configuration mode; takes effect on all interfaces
Router(config-if)#no cdp enable ------------- interface configuration mode; disables CDP on the current interface only
==============================================================================
TCP and UDP Small Servers
Disable the small TCP and UDP services that serve no purpose today. They use ports below 19 and were common in older UNIX environments, e.g. chargen and daytime.
Example:
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ... Open
Saturday, July 7, 2012 23:57:19-UTC
[Connection to 12.12.12.1 closed by foreign host]
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ...
% Connection refused by remote host
Cisco IOS disables the TCP small servers by default.
==============================================================================
Finger
Finger was commonly used in UNIX to find out who is logged in to a device; it has since been replaced by e-mail and instant messaging.
Example:
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ... Open
Line User Host(s) Idle Location
0 con 0 idle 00:00:02
* 2 vty 0 idle 00:00:00 12.12.12.2
Interface User Mode Idle Peer Address
[Connection to 12.12.12.1 closed by foreign host]
R1(config)# no ip finger
R1(config)#no service finger
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ...
% Connection refused by remote host
In the vast majority of IOS versions this feature is disabled by default; disabling it explicitly is recommended in any case.
==============================================================================
IdentD
A device sends a request to the Ident port (TCP 113) and the target answers with identifying information such as its hostname or device name.
Router(config)# no ip identd
Test whether the device has the service enabled by telnetting to port 113:
Router#telnet 12.12.12.1 113
Trying 12.12.12.1, 113 ... Open
IdentD is disabled by default.
===============================================================
IP Source Routing
IP source-routing spoofing is similar to an ARP attack: A is on the internal network, B and C are outside it, A trusts B, and C wants to access data on A. C rewrites its source IP address to claim it is B and adds source-route information recording the path the packet took, so that A returns the data along that same path, i.e. back to C.
With ip source-route disabled, the packets A sends find their own way to B, so C still gets nothing.
This feature is enabled by default; to disable it:
Router(config)# no ip source-route
==============================================================================
FTP Server
A router can act as an FTP or TFTP server, which lets an IOS image be copied from one router to another. Disabling this is strongly recommended.
The feature is disabled by default; the command to disable it is: Router(config)# no ftp-server enable
==============================================================================
HTTP Server
Check whether the router has the web server enabled:
Router#telnet 12.12.12.1 80 ------------------------- ISPs usually block port 80, so confirm whether the HTTP service has been moved to another port.
Trying 12.12.12.1, 80 ... Open
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ... Open
Disable the web server processes:
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router#telnet 12.12.12.1 80
Trying 12.12.12.1, 80 ...
% Connection refused by remote host
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ...
% Connection refused by remote host
==============================================================================
SNMP
To disable SNMP on a router, do the following:
1. Remove the default community strings from the router's configuration
2. Disable SNMP traps and the system shutdown feature
3. Disable the SNMP service
Check whether SNMP is enabled on the router:
Router# show running-config | include snmp
Building configuration...
snmp-server community public RO
snmp-server community private RW
Router#
Disable the SNMP service on the router:
Example:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Verify:
Router# show snmp
%SNMP agent not enabled
The service is disabled by default.
=============================================================================
DNS Lookup
Configuring the router to resolve names through DNS:
Router(config)#ip domain-name cisco.com
Router(config)#ip name-server 202.96.128.86
Router(config)#ip domain-lookup
Disable DNS lookups on the router:
Router(config)# no ip domain-lookup
==============================================================================
BootP Server
BootP is normally used in diskless network environments to give workstations an IP address.
It is rarely used in networks today.
It has no authentication, so anyone can send requests to a router running the BootP service, which makes it an easy target for DoS attacks.
Disable the BootP service:
Router(config)# no ip bootp server
==============================================================================
DHCP
The DHCP service is disabled by default in IOS; the command to disable it is:
Router(config)# no service dhcp ------------ stops the router acting as a DHCP server or providing DHCP relay
==============================================================================
PAD Service
The PAD service is generally used in X.25 networks to provide reliable connections to remote sites; it supports asynchronous devices (terminals, IC-card readers and computers) connecting to public/private X.25 networks.
Router(config)# no service pad
=============================================================================
Network Boot and Configuration Autoload
Router(config)# no boot network ------------------------------------- stops the router loading its IOS image over TFTP at boot
Router(config)# no service config ------------------------- stops the router fetching its configuration file over TFTP after IOS has loaded
==============================================================================
Proxy ARP
Proxy ARP is enabled by default in IOS; turn it off under the interface with no ip proxy-arp.
Use show ip interface to check whether an interface has Proxy ARP enabled.
Example:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
==============================================================================
Directed Broadcasts
Unlike local broadcasts, directed broadcasts can be routed; some DoS attacks flood directed broadcasts across the network to attack it.
Check whether directed broadcasts are enabled: Router# show ip interface
Example:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Disable directed broadcasts on the interface:
Router(config-if)# no ip directed-broadcast
==============================================================================
ICMP Messages
Network attackers can use the following three ICMP message types to attack or reconnoitre the network:
ICMP unreachables
ICMP redirects
ICMP mask replies
Disable them on the interface:
Router(config-if)# no ip unreachable
Router(config-if)# no ip redirect
Router(config-if)# no ip mask-reply
Example:
Router#show ip interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
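The show ip interface listings in this section and the two before it are what an administrator reads to confirm the interface-level settings. As an added example (not from the article or from Cisco), the Python script below parses saved show ip interface output and lists, per interface, which of the "no ip ..." interface commands above are still missing. The sample output is constructed for the example and modelled on the listings above; it is not captured from a real device.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "show ip interface" output quoted above
# (not captured from a real device). IOS indents the status lines under each
# interface header by two spaces.
SAMPLE_SHOW_IP_INTERFACE = """\
Ethernet1/0 is up, line protocol is up
  Internet address is 12.12.12.1/24
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Directed broadcast forwarding is disabled
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
FastEthernet1/0 is up, line protocol is up
  Internet address is 10.1.1.1/30
  Directed broadcast forwarding is enabled
  Proxy ARP is disabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are always sent
"""

# Maps the exact status line IOS prints when a risky behaviour is active to
# the interface command from the sections above that turns it off.
RISKY_LINES = {
    "Directed broadcast forwarding is enabled": "no ip directed-broadcast",
    "Proxy ARP is enabled": "no ip proxy-arp",
    "ICMP redirects are always sent": "no ip redirects",
    "ICMP unreachables are always sent": "no ip unreachables",
    "ICMP mask replies are always sent": "no ip mask-reply",
}

# A header line such as "Ethernet1/0 is up, line protocol is up" starts a new interface.
HEADER_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")


def parse_show_ip_interface(text: str) -> Dict[str, List[str]]:
    """Group the status lines of 'show ip interface' by interface name."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # tolerate lost indentation in pasted output
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_risky_settings(text: str) -> Dict[str, List[str]]:
    """Return, per interface, the 'no ip ...' commands that are still missing."""
    findings: Dict[str, List[str]] = {}
    for iface, lines in parse_show_ip_interface(text).items():
        missing = [cmd for status, cmd in RISKY_LINES.items() if status in lines]
        if missing:
            findings[iface] = missing
    return findings


if __name__ == "__main__":
    for iface, cmds in find_risky_settings(SAMPLE_SHOW_IP_INTERFACE).items():
        print(f"{iface}: apply {', '.join(cmds)}")
```

Run it against the output of "show ip interface" saved from a terminal session; interfaces that print nothing already have all five settings in their hardened state.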
==============================================================================
MOP
MOP is widely used on DEC equipment, mainly for the following:
1. Uploading or downloading system software
2. Remote testing
3. Problem diagnosis
Disable the router's support for this Layer-2 DECnet protocol:
Router(config)# interface type [slot_#/]port_#
Router(config-if)# no mop enable
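All of the sections above boil down to lines that must, or must not, appear in the running-config. As an added example (not from the article or its reference book), the Python script below audits a saved running-config offline against that checklist: for services IOS enables by default it requires the explicit "no ..." line, for services that are off unless configured it flags any enabling line, and on each interface it checks the Proxy ARP, ICMP, directed-broadcast, CDP and MOP settings. The sample config, the service labels, the decision to require "no service dhcp" regardless of release default, and the assumption that interfaces named *Ethernet have MOP enabled by default are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (not from the article) with several services left on.
SAMPLE_CONFIG = """\
service tcp-small-servers
ip finger
no ip bootp server
no service pad
ip http server
snmp-server community public RO
!
interface FastEthernet1/0
 ip address 12.12.12.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 ip directed-broadcast
 no cdp enable
!
"""

# Enabled by default: the running-config shows them only once disabled,
# so the explicit "no ..." line must be present.
DEFAULT_ON = {
    "CDP": "no cdp run",
    "IP source routing": "no ip source-route",
    "DNS lookup": "no ip domain-lookup",
    "BootP server": "no ip bootp server",
    "PAD": "no service pad",
    "DHCP server/relay": "no service dhcp",  # default varies by release; require the explicit disable
}

# Off unless configured: an enabling line means the service is on.
DEFAULT_OFF = {
    "TCP small servers": r"^service tcp-small-servers",
    "UDP small servers": r"^service udp-small-servers",
    "Finger": r"^(ip finger|service finger)",
    "IdentD": r"^ip identd",
    "FTP server": r"^ftp-server enable",
    "HTTP server": r"^ip http server",
    "HTTPS server": r"^ip http secure-server",
    "SNMP": r"^snmp-server ",
    "Network boot over TFTP": r"^boot network",
    "Config autoload over TFTP": r"^service config",
}

# Interface checks. IOS stores "no ip redirects"/"no ip unreachables" in the
# plural form even when typed abbreviated as in the sections above.
IFACE_REQUIRED = [("Proxy ARP", "no ip proxy-arp"), ("ICMP redirects", "no ip redirects"),
                  ("ICMP unreachables", "no ip unreachables")]
IFACE_FLAG_IF_PRESENT = [("Directed broadcast", "ip directed-broadcast"),
                         ("ICMP mask replies", "ip mask-reply")]
ETHERNET_RE = re.compile(r"^(fast|gigabit)?ethernet", re.IGNORECASE)  # assumed MOP-on-by-default set


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global lines and per-interface lines."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # "!" closes the current section
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[str]:
    """Return one finding per service that is still exposed."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    findings = [f"global: {name} enabled (add '{needed}')"
                for name, needed in DEFAULT_ON.items() if needed not in present]
    findings += [f"global: {name} enabled" for name, pattern in DEFAULT_OFF.items()
                 if any(re.match(pattern, line) for line in global_lines)]
    cdp_running = "no cdp run" not in present
    for iface, lines in interfaces.items():
        if iface.lower().startswith("loopback"):
            continue  # no neighbours on loopbacks
        lset = set(lines)
        findings += [f"{iface}: {name} enabled (add '{needed}')"
                     for name, needed in IFACE_REQUIRED if needed not in lset]
        findings += [f"{iface}: {name} enabled" for name, cmd in IFACE_FLAG_IF_PRESENT if cmd in lset]
        if cdp_running and "no cdp enable" not in lset:
            findings.append(f"{iface}: CDP advertisements enabled")
        if ETHERNET_RE.match(iface) and "no mop enable" not in lset:
            findings.append(f"{iface}: MOP enabled (add 'no mop enable')")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The audit is deliberately conservative: a service whose default depends on the IOS release is reported unless the config disables it explicitly, so the output is a worklist to confirm on the device (show snmp, show ip interface and the telnet checks above) rather than a verdict.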
==============================================================================
Before disabling any service, confirm whether the network still depends on it, so that turning it off does not cause unexpected problems.
Reference:
Cisco Router Firewall Security by Richard A. Deal
Title: Hardening Router IOS Security: Disabling Unnecessary Services
Reposted from: http://m.newbst.com/article42/ijpphc.html