3.12 Deploying Banners
Question: Set a warning message that is displayed at login
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#banner exec #This is an exec banner #
Router1(config)#banner login #This is a login banner #
Router1(config)#banner motd $ This is a motd banner $
Router1(config)#end
Router1#
Note: Do not use wording such as "welcome". The following FBI router login banner is given for reference.
Router1(config)#banner login #
Enter TEXT message.  End with the character '#'.
+--------------------------------------------------------------------+
|                              WARNING                               |
|                            ------------                            |
| This system is solely for the use of authorized users for official |
| purposes. You have no expectation of privacy in its use and to     |
| ensure that the system is functioning properly, individuals using  |
| this computer system are subject to having all of their activities |
| monitored and recorded by system personnel. Use of this system     |
| evidences an express consent to such monitoring and agreement that |
| if such monitoring reveals evidence of possible abuse or criminal  |
| activity, system personnel may provide the results of such         |
| monitoring to appropriate officials.                               |
+--------------------------------------------------------------------+
#
Router1(config)#end
Router1#
3.13 Disabling Banner Display on Specific Ports
Question: The AUX port is used for a modem connection; to avoid problems, banner display should be turned off on it
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#no motd-banner
Router1(config-line)#no exec-banner
Router1(config-line)#exit
Router1(config)#end
Router1#
Note
3.14 Disabling Line Logins
Question: Prevent device logins on the AUX port or on the lines
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#transport input none
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no password
Router1(config-line)#exit
Router1(config)#end
Router1#
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 98 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#transport input none
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no exec
Router1(config-line)#access-class 98 in
Router1(config-line)#exit
Router1(config)#end
Router1#
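Note: None
3.15 Reserving a Specific Login Port for the Administrator
Question: Prevent all login ports from being occupied by keeping a back door for the administrator
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.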
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 4
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
Or
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 5 7
Router1(config-line)#rotary 25
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
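Note: With the second method, the rotary command changes the port number used to log in accordingly: it is not the default 23 but 3000 plus the rotary number 25, that is, 3025
3.16 Restricting Telnet Logins to Specific Addresses
Question: Allow only specific machines to log in via Telnet
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.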
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 99 in
Router1(config-line)#exit
Router1(config)#end
Router1#
Note: None
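The access-class restrictions from 3.15 and 3.16 can be checked against a saved configuration. The following is an added example, not part of the original recipes: it lists each "line vty" block with its inbound ACL and rotary port, and reports blocks not covered by a defined ACL. The function names and the sample configuration (including the unprotected "line vty 8 15" block) are constructed for illustration.

```python
import re

# Constructed sample in running-config layout, built from recipes 3.15/3.16.
SAMPLE_CONFIG = """\
access-list 9 permit 172.25.1.1
access-list 99 permit 172.25.1.0 0.0.0.255
access-list 99 deny   any log
!
line con 0
line aux 0
 transport input none
line vty 0 4
 access-class 99 in
line vty 5 7
 access-class 9 in
 rotary 25
line vty 8 15
 login
!
end
"""

def audit_vty(config):
    """Return one finding dict per 'line vty' block in an IOS config."""
    acls = set(re.findall(r"^access-list (\d+) ", config, re.M))
    findings, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            current = {"lines": (first, int(m.group(2) or first)),
                       "acl": None, "acl_defined": False, "rotary_port": None}
            findings.append(current)
        elif current is not None and line.startswith(" "):
            cmd = line.strip()
            if (a := re.match(r"access-class (\S+) in$", cmd)):
                current["acl"] = a.group(1)
                current["acl_defined"] = a.group(1) in acls
            elif (r := re.match(r"rotary (\d+)$", cmd)):
                # Port stated in the 3.15 note: 3000 + rotary number.
                current["rotary_port"] = 3000 + int(r.group(1))
        else:
            current = None  # left the vty block
    return findings

def unprotected(findings):
    """VTY ranges with no inbound access-class, or one naming an undefined ACL."""
    return [f["lines"] for f in findings if not f["acl_defined"]]
```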
3.17 Logging Telnet Access
Question: Log every Telnet connection
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#access-list 90 permit any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 90 in
Router1(config-line)#exit
Router1(config)#end
Router1#
Note: Be aware that whether the login succeeds or fails, the log always shows "permitted":
%SEC-6-IPACCESSLOGS: list 90 permitted 172.25.1.1 1 packet
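Because these messages record connection attempts rather than successful logins, they are most useful when tallied per source. The following is an added example, not part of the original recipe: it counts logged packets per ACL, action and source address, and lists sources outside the management subnet 172.25.1.0/24 used in 3.16. The sample log lines and the function name are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the format shown in the note above.
SAMPLE_LOG = """\
Jun 27 15:10:01: %SEC-6-IPACCESSLOGS: list 90 permitted 172.25.1.1 1 packet
Jun 27 15:15:01: %SEC-6-IPACCESSLOGS: list 90 permitted 172.25.1.1 3 packets
Jun 27 15:16:40: %SEC-6-IPACCESSLOGS: list 90 permitted 192.0.2.77 1 packet
Jun 27 15:17:02: %SEC-6-IPACCESSLOGS:list 99 denied 192.0.2.77 2 packets
Jun 27 15:18:00: %SSH-5-ENABLED: SSH 1.5 has been enabled
""".splitlines()

# Whitespace after the colon is optional so both spacings above are matched.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS:\s*list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<count>\d+) packets?"
)

def summarize(lines, mgmt_net="172.25.1.0/24"):
    """Tally logged packets per (acl, action, source) and list the
    sources that fall outside the management subnet."""
    net = ip_network(mgmt_net)
    counts = Counter()
    outside = set()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an access-list log message
        src = ip_address(m["src"])
        counts[(m["acl"], m["action"], str(src))] += int(m["count"])
        if src not in net:
            outside.add(str(src))
    return counts, sorted(outside)

if __name__ == "__main__":
    counts, outside = summarize(SAMPLE_LOG)
    for (acl, action, src), n in sorted(counts.items()):
        print(f"list {acl} {action:9} {src:15} {n} packet(s)")
    print("sources outside management subnet:", outside)
```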
3.18 Setting the Source Address for Outgoing Telnet
Question: Sometimes the remote device has security settings that only allow specific addresses to initiate Telnet requests
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#ip telnet source-interface loopback0
Router1(config)#end
Router1#
Or
Router1#telnet 172.25.1.5 /source-interface loopback0
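Note: By default the router uses the interface it uses to reach the destination as the Telnet source address
3.19 Automatic Login
Note: The script is omitted; this is in fact easy to set up with SecureCRT
3.20 Logging In with SSH
Question: Enable SSH, an encrypted login method
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.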
Router1(config)#hostname Router1
Router1(config)#ip domain-name neoshi.net
Router1(config)#crypto key generate rsa
The name for the keys will be: Router1.oreilly.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
Generating RSA keys...
[OK]
Router1(config)#
Jun 27 15:04:15: %SSH-5-ENABLED: SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh authentication-retries 4
Router1(config)#end
Router1#
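Note: SSH v2 is supported starting with IOS 12.3(4)T; earlier releases support only v1. First check your IOS version, then confirm that it supports the 3DES security feature; only then can the SSH feature be enabled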
3.21 Changing the Privilege Level of IOS Commands
Question: Change the privilege level of specific IOS commands
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#privilege exec level 1 show startup-config
Router1(config)#end
Router1#
Note: By default the router supports 16 privilege levels. Commands generally belong to one of three levels: 0, 1 and 15. Level 0 supports only the disable, enable, exit, help and logout commands; level 1 cannot modify the configuration; level 15 is the enable privilege level
3.22 Assigning Different Privilege Levels per User
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username neoshi privilege 10 password ioscookbook
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
Note: The usual three levels 0, 1 and 15 are not flexible enough; more levels can be defined and given to different users
3.22 Port-Based Privilege Levels
Question: Automatically assign a specific privilege level according to the port used to log in
Answer
Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#privilege level 5
Router1(config-line)#exit
Router1(config)#privilege exec level 5 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#