3.12 部署Banners
提問 設置登錄時顯示的警示性信息
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#banner exec #This is an exec banner #
Router1(config)#banner login #This is a login banner #
Router1(config)#banner motd $ This is a motd banner $
Router1(config)#end
Router1#
注釋 不用使用welcome之類的字樣,下面是一個FBI的路由器登錄banner作參考
Router1(config)#banner login #
Enter TEXT message.End with the character '#'.
+-------------------------------------------------------------+
| WARNING |
| ------------ |
| This system is solely for the use of authorized users for official |
|purposes. You have no expectation of privacy in its use and to |
| ensure that the system is functioning properly,individuals using |
|this computer system are subject to having all of their activities |
|monitored and recorded by system personnel.Use of this system|
|evidences an express consent to such montoring and agreement that |
|if such monitoring reveals eidence of possible abuse of criminal |
|activity,system personnel may provide the results of such |
|monitoring to appropriate officials. |
+--------------------------------------------------------------|
#
Router1(config)#end
Router1#
3.13 在特定端口禁用Banners顯示
提問 aux口用于modem連接,為了避免出現問題希望關閉banner顯示
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#no motd-banner
Router1(config-line)#no exec-banner
Router1(config-line)#exit
Router1(config)#end
Router1#
注釋
3.14 禁用Line登錄
提問 禁止在AUX或者Line端口進行設備登錄
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#transport input none
Router1(config-line)#no exec
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no password
Router1(config-line)#exit
Router1(config)#end
Router1#
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#access-list 98 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#transport input none
Router1(config-line)#exec-timeout 0 1
Router1(config-line)#no exec
Router1(config-line)#access-class 98 in
Router1(config-line)#exit
Router1(config)#end
Router1#
注釋 無
3.15 為管理員保留特定的登錄端口
提問 防止所有的登錄端口都被占用,為管理員留一個后門
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 4
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
或者
Router1#confgiure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#access-list 9 permit 172.25.1.1
Router1(config)#line vty 5 7
Router1(config-line)#rotary 25
Router1(config-line)#access-class 9 in
Router1(config-line)#exit
Router1(config)#end
Router1#
注釋在使用第二種rotary命令時就相應的改變登錄時的端口號碼,不是缺省的23,而是3000+rotary的號碼25=3025
3.16 限制特定地址的Telnet登錄
提問 只允許特定的機器進行Telnet登錄
回答
Router1#configure terminal
Enter configuraion commands,one per line.End with CNTL/Z.
Router1(config)#access-list 99 permit 172.25.1.0 0.0.0.255
Router1(config)#access-list 99 deny any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 99 in
Router1(config-line)#exit
Router1(config)#end
Router1#
注釋 無
3.17 對Telnet訪問進行日志記錄
提問 記錄每次telnet的日志
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#access-list 90 permit any log
Router1(config)#line vty 0 4
Router1(config-line)#access-class 90 in
Router1(config-line)#exit
Router1(config)#end
Router1#
注釋 需要注意的是不管登錄成功還是失敗,在日志中都是顯示的permitted:
%SEC-6-IPACCESSLOGS:list 90 permitted 172.25.1.1 1 packet
3.18 設置發起Telnet的源地址
提問 有時對端設備有安全設置只允許特定的地址發起telnet請求
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#ip telnet source-interface loopback0
Router1(config)#end
Router1#
或者
Router1#telnet 172.25.1.5 /source-interface loopback0
注釋 缺省情況路由器會使用到目的地所使用的端口來做Telnet的源地址
3.19 自動登錄
注釋 使用腳本略去,其實用SecueCRT很容易設定
3.20 使用SSH登錄
提問 啟用SSH這種加密的登錄方式
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#hostname Router1
Router1(config)#ip domain-name neoshi.net
Router1(config)#crypto key generate rsa
The name for the keys will be:Router1.oreilly.com
Choose the size of the key modulus in the greator than 512 may take
General Purpose Keys.Choosing a key modulus greater than 512 nay take
a few minutes.
How many bits in the modulus[512]:1024
Generating RSA keys...
[OK]
Router1(config)#
Jun 27 15:04:15:%SSH-5-ENABLED:SSH 1.5 has been enabled
Router1(config)#ip ssh time-out 120
Router1(config)#ip ssh quthentication-retries 4
Router1(config)#end
Router1#
注釋 從IOS12.3(4)T開始支持SSH v2,之前只支持v1,首先要確認你的IOS版本,然后確認支持安全特性3DES,才能開啟SSH特性
<!--[if !supportLists]--> <!--[endif]-->
3.21. 改變IOS命令的特權等級
提問 修改特定IOS命令的特權等級
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#privilege exec level 1 show startup-config
Router1(config)#end
Router1#
注釋 缺省情況路由器支持16種特權等級,命令一般歸屬于0,1和15三種特權等級,在特權等級0 下面只支持disable,enable,exit,help,和logout命令,1下面不能對配置進行修改,15就是enable的特權等級
3.22 基于用戶的賦予不同的特權等級
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)aaa authentication login default local
Router1(config)#aaa authorization exec default local
Router1(config)#username neoshi privilege 10 password ioscookbook
Router1(config)#privilege exec level 10 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
注釋 通常的0,1和15三種等級彈性不足,可以定義更多的等級給不同的用戶
<!--[if !supportLists]-->3.22 <!--[endif]-->基于端口的特權等級
提問 根據登錄的不同端口自動賦予特定的特權等級
回答
Router1#configure terminal
Enter configuration commands,one per line.End with CNTL/Z.
Router1(config)#line aux 0
Router1(config-line)#privilege level 5
Router1(config-line)#exit
Router1(config)#privilege exec level 5 show ip route
Router1(config)#privilege exec level 1 show ip
Router1(config)#privilege exec level 1 show
Router1(config)#end
Router1#
- 北京機房搬遷改造公司,系統集成有哪些公司?-2019-11-04
- 如何打造一個安全的網絡環境?政府要做到這四點-2019-11-04
- 北京辦公室網絡布線,綜合布線施工價格-2019-11-04
- 深信服產品專業上網行為管理,安全設備有保障-2019-11-04
- 兩年內網絡安全市場規模將達千億級別?來看看詳細分析-2019-11-04
- 北京炫億時代專業機房設備除塵,機房網絡改造-2019-11-04
- 企業如何保障移動辦公的安全性?移動辦公存在的七大安-2019-11-01
- 北京深信服AC-1000-A400產品租賃購買,專業IT上網行為管理-2019-11-01
- 互聯網企業軟件開發如何才能沒有漏洞?專業工程師給出-2019-11-01
- 如何避免APP的“越權”行為?要靠制定相關法律法規-2019-11-01
企業通訊
