A couple of days ago I tried the `auto secure` command on a router. It is convenient to use: it disables a number of insecure services and enables some secure ones. Below is my summary of what the command does. (Note: it appears to be supported only on IOS version 12.3(1) and later.)
The summary is as follows:
1. Insecure global services it disables:
finger
pad
small servers
bootp
http service
identification service
cdp
ntp
source routing
2. Secure global services it enables:
password-encryption service
tuning of scheduler interval/allocation
tcp synwait-time
tcp-keepalives-in and tcp-keepalives-out
spd configuration
no ip unreachables for null 0
3. Insecure interface services it disables:
icmp
proxy-arp
directed broadcast
disables mop service
disables icmp unreachables
disables icmp mask reply messages.
4. Logging security it provides:
enables sequence numbers & timestamp
provides a console log
sets log buffered size
provides an interactive dialogue to configure the logging server ip address.
5. Protection of access to the router:
checks for a banner and provides facility to add text to automatically configure:
login and password
transport input & output
exec-timeout
local aaa
ssh timeout and ssh authentication-retries to minimum number
enable only ssh and scp for access and file transfer to/from the router
6. Protection of the forwarding plane:
enables cisco express forwarding (cef) or distributed cef on the router, when available
anti-spoofing
blocks all iana reserved ip address blocks
blocks private address blocks if customer desires
installs a default route to null 0, if a default route is not being used
configures tcp intercept for connection-timeout, if tcp intercept feature is available and the user is interested
starts interactive configuration for cbac on interfaces facing the internet, when using a cisco ios firewall image
enables netflow on software forwarding platforms
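As an added example (not from the original post and not Cisco's own tooling), here is a small Python audit that reads a running-config and reports which of the items from sections 1 to 6 are not reflected in it. The mapping of each item to an IOS command line is my assumption of what an `auto secure` run leaves behind; the exact output differs by IOS version, so adjust the patterns to your platform. One caveat a practitioner will hit: IOS does not show default settings in the running-config, so for items whose secure state is already the default (finger, small servers, directed broadcast, mask reply, identd) the check looks for the insecure line being absent rather than the `no` form being present. The sample config below is constructed for the example.

```python
import re

# Constructed sample running-config fragment; not captured from a real device.
SAMPLE_CONFIG = """\
version 12.4
service timestamps log datetime msec
service password-encryption
hostname R1
ip cef
no ip source-route
no ip bootp server
ip http server
no cdp run
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Null0
 no ip unreachables
!
ip route 0.0.0.0 0.0.0.0 Null0
logging buffered 51200
"""

# Assumed AutoSecure results: lines that must be present in global config.
GLOBAL_REQUIRED = [
    ("pad service disabled", r"^no service pad$"),
    ("ip source routing disabled", r"^no ip source-route$"),
    ("bootp server disabled", r"^no ip bootp server$"),
    ("cdp disabled", r"^no cdp run$"),
    ("password encryption enabled", r"^service password-encryption$"),
    ("tcp keepalives-in enabled", r"^service tcp-keepalives-in$"),
    ("tcp keepalives-out enabled", r"^service tcp-keepalives-out$"),
    ("tcp synwait-time tuned", r"^ip tcp synwait-time \d+$"),
    ("log sequence numbers enabled", r"^service sequence-numbers$"),
    ("log timestamps enabled", r"^service timestamps log datetime"),
    ("logging buffer sized", r"^logging buffered \d+"),
    ("cef enabled", r"^ip cef( distributed)?$"),
    ("default route to Null0", r"^ip route 0\.0\.0\.0 0\.0\.0\.0 Null0$"),
]
# Insecure lines whose absence is the secure (default) state.
GLOBAL_FORBIDDEN = [
    ("http server still enabled", r"^ip http server$"),
    ("finger still enabled", r"^(ip|service) finger$"),
    ("small servers still enabled", r"^service (tcp|udp)-small-servers$"),
    ("identd still enabled", r"^ip identd$"),
]
INTERFACE_REQUIRED = [
    ("icmp redirects disabled", r"^no ip redirects$"),
    ("proxy-arp disabled", r"^no ip proxy-arp$"),
    ("icmp unreachables disabled", r"^no ip unreachables$"),
    ("mop disabled", r"^no mop enabled$"),
]
INTERFACE_FORBIDDEN = [
    ("directed broadcast still enabled", r"^ip directed-broadcast$"),
    ("icmp mask reply still enabled", r"^ip mask-reply$"),
]


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # "!" terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def _check(lines, required, forbidden):
    """Return findings: required patterns that are absent, forbidden ones present."""
    findings = []
    for label, pattern in required:
        if not any(re.match(pattern, line) for line in lines):
            findings.append("missing: " + label)
    for label, pattern in forbidden:
        if any(re.match(pattern, line) for line in lines):
            findings.append("present: " + label)
    return findings


def audit_config(text):
    """Audit a running-config; only interfaces carrying an IP address are checked."""
    global_lines, interfaces = parse_config(text)
    report = {"global": _check(global_lines, GLOBAL_REQUIRED, GLOBAL_FORBIDDEN),
              "interfaces": {}}
    for name, lines in interfaces.items():
        if not any(line.startswith("ip address ") for line in lines):
            continue
        report["interfaces"][name] = _check(lines, INTERFACE_REQUIRED, INTERFACE_FORBIDDEN)
    return report


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for finding in result["global"]:
        print("global:", finding)
    for name, findings in result["interfaces"].items():
        for finding in findings:
            print(name + ":", finding)
```

Run against a real `show running-config` capture instead of the sample string, and compare the report before and after an `auto secure` run to confirm which of the items in the list above the command actually changed on your IOS version; the access-control items in section 5 (banner, AAA, SSH settings) are intentionally left out of the pattern tables because their exact form depends on the answers given in the interactive dialogue.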