
Cisco CCNA Chinese Tutorial - Chapter 3: User Access and Privilege Management (Part 2)

  3.12 Deploying banners

  Question: Configure a warning message that is displayed at login

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#banner exec #This is an exec banner #

  Router1(config)#banner login #This is a login banner #

  Router1(config)#banner motd $ This is a motd banner $

  Router1(config)#end

  Router1#

  Note: Do not use wording such as "welcome". The FBI router login banner below can serve as a reference.

  Router1(config)#banner login #

  Enter TEXT message.End with the character '#'.

  +--------------------------------------------------------------------+
  |                              WARNING                               |
  |                              -------                               |
  | This system is solely for the use of authorized users for official |
  | purposes. You have no expectation of privacy in its use and to     |
  | ensure that the system is functioning properly, individuals using  |
  | this computer system are subject to having all of their activities |
  | monitored and recorded by system personnel. Use of this system     |
  | evidences an express consent to such monitoring and agreement that |
  | if such monitoring reveals evidence of possible abuse or criminal  |
  | activity, system personnel may provide the results of such         |
  | monitoring to appropriate officials.                               |
  +--------------------------------------------------------------------+

  #

  Router1(config)#end

  Router1# 

  3.13 Disabling banner display on a specific port

  Question: The AUX port is used for a modem connection; to avoid problems, turn off the banner on that port

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#line aux 0

  Router1(config-line)#no motd-banner

  Router1(config-line)#no exec-banner

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Note: none

  3.14 Disabling login on a line

  Question: Prohibit logging in to the device through the AUX port or other lines

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#line aux 0

  Router1(config-line)#transport input none

  Router1(config-line)#no exec

  Router1(config-line)#exec-timeout 0 1

  Router1(config-line)#no password

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#access-list 98 deny any log

  Router1(config)#line vty 0 4

  Router1(config-line)#transport input none

  Router1(config-line)#exec-timeout 0 1

  Router1(config-line)#no exec

  Router1(config-line)#access-class 98 in

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Note: none

  3.15 Reserving a specific login port for administrators

  Question: Prevent all login ports from being occupied by keeping one reserved for the administrator

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#access-list 9 permit 172.25.1.1

  Router1(config)#line vty 4

  Router1(config-line)#access-class 9 in

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Or

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#access-list 9 permit 172.25.1.1

  Router1(config)#line vty 5 7

  Router1(config-line)#rotary 25

  Router1(config-line)#access-class 9 in

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Note: When the second method with the rotary command is used, the port used at login changes accordingly: it is no longer the default 23 but 3000 plus the rotary number, so rotary 25 gives port 3025.

  3.16 Restricting Telnet login to specific addresses

  Question: Allow only specific hosts to log in via Telnet

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255

  Router1(config)#access-list 99 deny any log

  Router1(config)#line vty 0 4

  Router1(config-line)#access-class 99 in

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Note: none

  3.17 Logging Telnet access

  Question: Log every Telnet session

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#access-list 90 permit any log

  Router1(config)#line vty 0 4

  Router1(config-line)#access-class 90 in

  Router1(config-line)#exit

  Router1(config)#end

  Router1#

  Note: Be aware that whether the login succeeds or fails, the log entry reads "permitted"; the access-class only records that the source was allowed to reach the line:

  %SEC-6-IPACCESSLOGS:list 90 permitted 172.25.1.1 1 packet
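The message format shown above is easy to collect centrally, but, as the note says, a "permitted" entry is not evidence of a successful login. The following is an added example (not part of the tutorial) that parses such %SEC-6-IPACCESSLOGS lines, adds up packets per access list, action and source, and lists sources repeatedly denied by the `deny any log` entries of 3.14 and 3.16. The sample log lines are constructed for the example; the syslog prefix before the mnemonic depends on the router's logging configuration.

```python
import re
from collections import Counter

# Message shape from the note above: list <n> <permitted|denied> <src> <k> packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGS:\s*list\s+(?P<acl>\d+)\s+(?P<action>permitted|denied)"
    r"\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<count>\d+)\s+packets?"
)

# Constructed sample syslog excerpt (not from a real device).
SAMPLE_LOG = """\
Jun 27 15:10:02: %SEC-6-IPACCESSLOGS: list 90 permitted 172.25.1.1 1 packet
Jun 27 15:10:40: %SEC-6-IPACCESSLOGS: list 90 permitted 172.25.1.1 1 packet
Jun 27 15:11:15: %SEC-6-IPACCESSLOGS: list 99 denied 10.9.9.9 1 packet
Jun 27 15:11:59: %SEC-6-IPACCESSLOGS: list 99 denied 10.9.9.9 1 packet
Jun 27 15:12:31: %SEC-6-IPACCESSLOGS: list 99 denied 10.9.9.9 1 packet
Jun 27 15:13:00: %SEC-6-IPACCESSLOGS: list 98 denied 192.0.2.7 1 packet
Jun 27 15:14:05: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_acl_log(text):
    """Return one dict per access-list log line; unrelated messages are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["acl"] = int(d["acl"])
            d["count"] = int(d["count"])
            events.append(d)
    return events


def summarize(events):
    """Packet totals keyed by (acl, action, src). A 'permitted' total only
    says the source reached the vty; it says nothing about whether the
    login that followed succeeded, so it cannot be read as a login count."""
    totals = Counter()
    for e in events:
        totals[(e["acl"], e["action"], e["src"])] += e["count"]
    return totals


def denied_sources(events, threshold=3):
    """Sources whose packets were denied at least `threshold` times, sorted."""
    per_src = Counter()
    for e in events:
        if e["action"] == "denied":
            per_src[e["src"]] += e["count"]
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_acl_log(SAMPLE_LOG)
    for key, n in sorted(summarize(evts).items()):
        print(key, n)
    print("repeatedly denied:", denied_sources(evts))
```

The threshold in `denied_sources` is a tuning knob for alerting; a single denied packet from a misconfigured host is noise, while a steady stream from one address against a vty access-class is worth a look.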

  3.18 Setting the source address for outgoing Telnet

  Question: Sometimes the remote device has a security setting that only accepts Telnet requests from a specific address

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#ip telnet source-interface loopback0

  Router1(config)#end

  Router1#

  Or

  Router1#telnet 172.25.1.5 /source-interface loopback0

  Note: By default the router uses the address of the interface through which it reaches the destination as the Telnet source address

  3.19 Automatic login

  Note: The script-based method is omitted; it is in fact easy to set up in SecureCRT

  3.20 Logging in with SSH

  Question: Enable SSH, an encrypted login method

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#hostname Router1

  Router1(config)#ip domain-name neoshi.net

  Router1(config)#crypto key generate rsa

  The name for the keys will be:Router1.oreilly.com

  Choose the size of the key modulus in the range of 360 to 2048 for your

  General Purpose Keys. Choosing a key modulus greater than 512 may take

  a few minutes.

  How many bits in the modulus[512]:1024

  Generating RSA keys...

  [OK]

  Router1(config)#

  Jun 27 15:04:15:%SSH-5-ENABLED:SSH 1.5 has been enabled

  Router1(config)#ip ssh time-out 120

  Router1(config)#ip ssh authentication-retries 4

  Router1(config)#end

  Router1#

  Note: SSH v2 is supported from IOS 12.3(4)T onwards; earlier releases support only v1. First confirm your IOS version, then confirm that the image includes the 3DES security feature, before enabling SSH.

  3.21 Changing the privilege level of IOS commands
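Sections 3.12 to 3.20 together describe a small set of line-hardening settings that are easy to verify mechanically. The following is an added example (not part of the tutorial) that parses a configuration written in the same syntax as the commands above and reports what is missing: a login banner that does not say "welcome" (3.12), an AUX port with both `no exec` and `transport input none` (3.14), an inbound `access-class` on every vty (3.16), and the `ip domain-name` that `crypto key generate rsa` needs (3.20). The `transport input ssh` check goes one step beyond the page, using the real IOS line subcommand so that vty lines accept SSH only; both sample configurations are constructed for the example.

```python
import re

# Constructed sample configuration in the syntax typed on the page
# (sections 3.12-3.20); it is not a real device's running-config.
HARDENED_CONFIG = """\
hostname Router1
ip domain-name neoshi.net
ip ssh time-out 120
ip ssh authentication-retries 4
access-list 99 permit 172.25.1.0 0.0.0.255
access-list 99 deny any log
banner login #
WARNING: This system is solely for the use of authorized users.
#
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 99 in
 transport input ssh
"""

# The same device before hardening (also constructed).
WEAK_CONFIG = """\
hostname Router1
banner login #
Welcome to Router1
#
line aux 0
 transport input all
line vty 0 4
 transport input telnet
"""

BANNER_RE = re.compile(r"banner (\w+) (\S)(.*)")


def parse_config(text):
    """Split config text into (command, [subcommands]) blocks plus a dict of
    banner bodies. Subcommands are the lines indented by one space, as IOS
    prints them; a banner runs from its delimiter to the next occurrence."""
    blocks, banners = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = BANNER_RE.match(line)
        if m:
            kind, delim, rest = m.groups()
            if delim in rest:                 # one-line form: banner exec #text #
                banners[kind] = rest[: rest.index(delim)]
            else:                             # multi-line form, as in 3.12
                body = []
                i += 1
                while i < len(lines) and lines[i].strip() != delim:
                    body.append(lines[i])
                    i += 1
                banners[kind] = "\n".join(body)
        elif line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
        i += 1
    return blocks, banners


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks, banners = parse_config(text)
    findings = []
    top = [cmd for cmd, _ in blocks]

    # 3.12: a login banner must exist and must not read like an invitation
    login = banners.get("login")
    if login is None:
        findings.append("no login banner configured")
    elif "welcome" in login.lower():
        findings.append("login banner contains 'welcome'")

    line_cfg = {cmd: subs for cmd, subs in blocks if cmd.startswith("line ")}

    # 3.14: AUX counts as closed only when both subcommands are present
    aux = line_cfg.get("line aux 0")
    if aux is not None and not {"no exec", "transport input none"} <= set(aux):
        findings.append("line aux 0: not disabled (need 'no exec' and 'transport input none')")

    # 3.16 and 3.20: every vty needs an inbound access-class and SSH-only transport
    for name, subs in line_cfg.items():
        if name.startswith("line vty"):
            if not any(s.startswith("access-class ") and s.endswith(" in") for s in subs):
                findings.append(f"{name}: no inbound access-class")
            if "transport input ssh" not in subs:
                findings.append(f"{name}: transport input not restricted to ssh")

    # 3.20: the RSA key itself is not in the text config, so check its prerequisite
    if not any(c.startswith("ip domain-name ") for c in top):
        findings.append("no ip domain-name (required before 'crypto key generate rsa')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Running the script prints "hardened OK" and five findings for the weak configuration. The parser deliberately treats banner bodies separately from commands, because a banner line that happens to start with a space would otherwise be mistaken for a line subcommand.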

  提問(wèn) 修改特定IOS命令的特權(quán)等級(jí)

  回答

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#privilege exec level 1 show startup-config

  Router1(config)#end

  Router1#

  Note: By default the router supports 16 privilege levels, but commands normally belong to one of three: 0, 1 and 15. Level 0 supports only the disable, enable, exit, help and logout commands; level 1 cannot modify the configuration; level 15 is the enable privilege level.

  3.22 Assigning different privilege levels per user

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#aaa new-model

  Router1(config)#aaa authentication login default local

  Router1(config)#aaa authorization exec default local

  Router1(config)#username neoshi privilege 10 password ioscookbook

  Router1(config)#privilege exec level 10 show ip route

  Router1(config)#privilege exec level 1 show ip

  Router1(config)#privilege exec level 1 show

  Router1(config)#end

  Router1#

  Note: The usual three levels 0, 1 and 15 are not flexible enough; additional levels can be defined for different users

  3.23 Privilege level based on port

  Question: Automatically assign a specific privilege level according to the port used to log in

  Answer

  Router1#configure terminal

  Enter configuration commands,one per line.End with CNTL/Z.

  Router1(config)#line aux 0

  Router1(config-line)#privilege level 5

  Router1(config-line)#exit

  Router1(config)#privilege exec level 5 show ip route

  Router1(config)#privilege exec level 1 show ip

  Router1(config)#privilege exec level 1 show

  Router1(config)#end

  Router1#
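In both 3.22 and 3.23 the configuration raises `show ip route` and then explicitly puts `show ip` and `show` back at level 1. The reason, documented by Cisco but not spelled out on this page, is that `privilege exec level` also moves every prefix of the command to the new level, so without the two extra lines a level-1 user would lose every `show` command. The following is an added example (not part of the tutorial) that models that rule and replays the commands of 3.22; the per-line and per-user session levels of 3.22 and 3.23 are modelled in `session_level`, on the assumption that a username's configured privilege takes precedence over the line's `privilege level` when AAA exec authorization is enabled.

```python
# Assumption about IOS behaviour (not stated on this page): assigning a
# command to level N also moves every prefix of that command to level N.
LEVEL_0_COMMANDS = ("disable", "enable", "exit", "help", "logout")  # note in 3.21


class PrivilegeTable:
    """Command -> minimum privilege level, mirroring 'privilege exec level'."""

    def __init__(self, default=1):
        self.default = default            # show/exec commands modelled here default to 1
        self.levels = {cmd: 0 for cmd in LEVEL_0_COMMANDS}

    def privilege_exec_level(self, level, command):
        """Apply 'privilege exec level <level> <command>', prefixes included."""
        words = command.split()
        for i in range(1, len(words) + 1):
            self.levels[" ".join(words[:i])] = level

    def required_level(self, command):
        """Highest level set on the command or on any prefix of it."""
        words = command.split()
        prefixes = (" ".join(words[:i]) for i in range(1, len(words) + 1))
        matched = [self.levels[p] for p in prefixes if p in self.levels]
        return max(matched) if matched else self.default

    def can_run(self, session_level, command):
        return session_level >= self.required_level(command)


def session_level(line_levels, line, username_level=None):
    """Level a session starts at: the username's privilege when AAA exec
    authorization assigned one (3.22), else the line's 'privilege level'
    (3.23), else the default level 1. Assumed precedence, see lead-in."""
    if username_level is not None:
        return username_level
    return line_levels.get(line, 1)


def walk_through_3_22():
    """Replay the commands of 3.22 and show their effect on an unrelated show command."""
    t = PrivilegeTable()
    t.privilege_exec_level(10, "show ip route")        # raises show, show ip, show ip route
    collateral = t.required_level("show ip interface")  # 10: 'show ip' moved along
    t.privilege_exec_level(1, "show ip")                # the two corrective lines
    t.privilege_exec_level(1, "show")
    restored = t.required_level("show ip interface")    # back to 1
    return collateral, t.required_level("show ip route"), restored


if __name__ == "__main__":
    print("3.22:", walk_through_3_22())
    # 3.23: a session on the AUX port starts at level 5 and may run show ip route
    t = PrivilegeTable()
    t.privilege_exec_level(5, "show ip route")
    t.privilege_exec_level(1, "show ip")
    t.privilege_exec_level(1, "show")
    aux = session_level({"aux 0": 5}, "aux 0")
    print("aux session level", aux, "can run show ip route:", t.can_run(aux, "show ip route"))
```

`walk_through_3_22()` returns `(10, 10, 1)`: after the first command an ordinary `show ip interface` would have required level 10, and only the two corrective lines bring it back to level 1 while `show ip route` stays at 10.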
