|
|
|
|
|
Net130.com
|
|
路由器安全配置速查表(二)
|
http://www.net130.com 发布日期:2004-12-1
|
浏览次数:
|
|
|
作者:FUMTEK 出处:FUMTEK Blog
|
9. A number of remote probes and attacks use ICMP echo, redirect, and mask request messages, block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.)
The example below shows one way to implement these recommendations.
North(config)# no access-list 107
North(config)# ! block our internal addresses
North(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any log
North(config)# ! block special/reserved addresses
North(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
North(config)# access-list 107 deny ip 0.0.0.0 0.255.255.255 any log
North(config)# access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
North(config)# access-list 107 deny ip 169.254.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
North(config)# access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
North(config)# ! block multicast (if not used)
North(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any
North(config)# ! block some ICMP message types
North(config)# access-list 107 deny icmp any any redirect log
North(config)# access-list 107 deny icmp any any echo log
North(config)# access-list 107 deny icmp any any mask-request log
North(config)# access-list 107 permit ip any 14.2.0.0 0.0.255.255
North(config)# access-list 107 permit ip any 14.1.0.0 0.0.255.255
North(config)# interface Eth 0/0
North(config-if)# description External interface
North(config-if)# ip access-group 107 in
10. Block incoming packets that claim to have the same destination and source address (i.e. a ‘Land’ attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below.
access-list 102 deny ip host 14.1.1.250
host 14.1.1.250 log
interface Eth 0/1
ip address 14.1.1.250 255.255.0.0
ip access-group 102 in
11. Configure an access list for the virtual terminal lines to control Telnet access. See example commands below.
South(config)# no access-list 92
South(config)# access-list 92 permit 14.2.10.1
South(config)# access-list 92 permit 14.2.9.1
South(config)# line vty 0 4
South(config-line)# access-class 92 in
| 热点文章 | ||
|
|
||
 |
|
|
·ActualTest 642-831 v05.02.05
·ActualTest 642-821 v04.27.05
·Actualtest 642-811 v04.26.05
·OSPF笔记