
Hardening Cisco IOS Router Security: Disabling Unnecessary Services

Published: 2020-06-19 18:03:32   Source: web   Views: 1522   Author: luosongtao   Category: Mobile Development

Cisco Discovery Protocol

CDP (Cisco Discovery Protocol) is a Layer 2 protocol that Cisco devices use to learn the protocol addresses of directly connected neighbours and to discover what platform those neighbours are. It runs over ATM, Ethernet, FDDI, Frame Relay, HDLC, PPP and Token Ring.

A CDP advertisement reveals the following about the sending device:

1.     Hostname

2.     Device type and model

3.     IOS version it is running

4.     Capabilities, e.g. router, switch or other

5.     Layer 3 interface addresses

6.     Where the information came from: the local interface it arrived on and the neighbour's outgoing port ID

None of this is authenticated; anyone attached to the same segment receives it, which is why CDP is a favourite reconnaissance source.

 

Example:

Router#show cdp neighbors detail

-------------------------

Device ID: R1

Entry address(es):

  IP address: 12.12.12.1

Platform: Cisco 7206VXR,  Capabilities: Router

Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet1/0

Holdtime : 166 sec

 

Version :

Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Fri 11-Jul-08 04:22 by prod_rel_team

 

advertisement version: 2

Duplex: full

 

Disabling CDP: border routers should normally have it turned off, since every neighbour on the link otherwise receives the hostname, model, IOS version and addresses shown above.

Router(config)#no cdp run--------global configuration mode, disables CDP on all interfaces

Router(config-if)#no cdp enable-------------interface configuration mode, disables CDP on the current interface only

Use the per-interface form on the untrusted links when inside ports still need CDP, for example for Cisco IP phones that learn their voice VLAN from it.

 

==============================================================================

TCP and UDP Small Servers

 

Turn off the TCP and UDP small servers: echo (port 7), discard (9), daytime (13) and chargen (19), legacy diagnostic services from older UNIX environments that IOS implements on both TCP and UDP. A router has no use for them; daytime and chargen confirm to a scanner that a Cisco device is listening, and echo and chargen can be abused as traffic generators in a DoS.

Example

R1#telnet 12.12.12.1 daytime

Trying 12.12.12.1, 13 ... Open

Saturday, July 7, 2012 23:57:19-UTC

 

[Connection to 12.12.12.1 closed by foreign host]

 

Router(config)#no service tcp-small-servers

Router(config)#no service udp-small-servers

R1#telnet 12.12.12.1 daytime

Trying 12.12.12.1, 13 ...

% Connection refused by remote host

 

Since IOS Release 11.3 both the TCP and the UDP small servers are disabled by default, so on a current router the two no lines change nothing; they still belong in a baseline configuration so the services stay off if somebody enables them or an older image is booted.

==============================================================================

Finger

Finger is commonly used on UNIX to find out who is logged in to a host; e-mail and instant messengers have long since replaced it. On a router it lists the active lines, and the source address of each remote session, to anyone who connects to TCP 79, as the example shows.

Example

Router#telnet 12.12.12.1 finger

Trying 12.12.12.1, 79 ... Open

 

    Line       User       Host(s)              Idle       Location

   0 con 0                idle                 00:00:02  

*  2 vty 0                idle                 00:00:00 12.12.12.2

 

  Interface    User               Mode         Idle     Peer Address

 

[Connection to 12.12.12.1 closed by foreign host]

 

R1(config)# no ip finger-------------current form of the command

R1(config)#no service finger-------------older form of the same command; harmless to enter both

 

Router#telnet 12.12.12.1 finger

Trying 12.12.12.1, 79 ...

% Connection refused by remote host

 

In the vast majority of IOS releases this feature is disabled by default; disable it explicitly regardless, so that it stays off.

 

==============================================================================

IdentD

A client sends a request to the Ident port (TCP 113) and the target answers with an identification such as its hostname or device name, one more piece of reconnaissance given away for free.

Router(config)# no ip identd

 

Test whether the service is enabled by connecting to port 113 (the "Open" below means it is):

Router#telnet 12.12.12.1 113

Trying 12.12.12.1, 113 ... Open

 

IdentD is disabled by default.

 

 

 

=============================================================== 

IP Source Routing

IP source routing lets the sender of a packet dictate the path it takes (the loose and strict source-route IP options), and the receiver then answers along the recorded path. That makes spoofing possible, much like an ARP attack: A is on the internal network, B and C are outside, and A trusts B. C wants data held on A, so it forges packets with B's source address and adds a source-route option that records the path back to itself; A answers along that recorded route, and the reply lands on C.

With no ip source-route the router discards any IP datagram that carries a source-route option instead of forwarding it, so C's packets never reach A, and A's replies to B can only follow the normal routing table, so C still gets nothing.

This feature is enabled by default; disable it:
Router(config)# no ip source-route

 

==============================================================================

FTP and TFTP

A router can act as an FTP or TFTP server, which makes it possible to copy an IOS image from one router to another. This is strongly discouraged: anyone who can reach the router can then download the image and any other files it offers.

The FTP server is disabled by default; disable it explicitly:
Router(config)# no ftp-server enable

Files served over TFTP appear in the running-config as tftp-server <file> lines; remove each with its matching no tftp-server <file>.

 

==============================================================================

HTTP/HTTPS

Check whether the router has the web server enabled:

Router#telnet 12.12.12.1 80 -------------------------ISPs commonly block port 80, so also confirm that the HTTP server has not been moved to another port (ip http port).

Trying 12.12.12.1, 80 ... Open

 

Router#telnet 12.12.12.1 443

Trying 12.12.12.1, 443 ... Open

 

Disable the web server processes (where the web interface really is required, keep only ip http secure-server and restrict the clients with ip http access-class):

Router(config)# no ip http server
 
Router(config)# no ip http secure-server

 

Router#telnet 12.12.12.1 80

Trying 12.12.12.1, 80 ...

% Connection refused by remote host

 

Router#telnet 12.12.12.1 443

Trying 12.12.12.1, 443 ...

% Connection refused by remote host

 

==============================================================================

SNMP

Disabling SNMP on a router takes three steps:

Remove the default community strings from the router's configuration

Disable SNMP traps and the SNMP system-shutdown feature

Disable the SNMP agent itself

The strings public (read-only) and private (read-write) are the factory defaults on many products and the first guesses of any scanner; a read-write string lets an attacker rewrite the configuration, and with snmp-server system-shutdown enabled, reload the router.

Confirm whether SNMP is enabled on the router:
Router# show running-config | include snmp
 
Building configuration...
 
snmp-server community public RO
 
snmp-server community private RW
 
Router#
 

 

Disable the SNMP service on the router. If monitoring genuinely needs SNMP, do not remove the agent; at the very least replace the default strings and bind each community to an access list (snmp-server community <string> RO <acl-number>).
Example
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server

 

Example
Router# show snmp
 
%SNMP agent not enabled
This message confirms the agent is off. It is disabled by default and only starts once an snmp-server command has been entered.

 

=============================================================================

Name Resolution

A router resolves host names through DNS when configured as follows:

Router(config)#ip domain-name cisco.com    

Router(config)#ip name-server 202.96.128.86

Router(config)#ip domain-lookup

 

Disable DNS lookups on the router (this also stops it treating every mistyped command as a host name to resolve; with no name server configured, that lookup is a DNS broadcast to 255.255.255.255):

Router(config)# no ip domain-lookup

 

==============================================================================

BootP

BootP is normally used in diskless-workstation environments to hand out IP addresses to clients.

It is rarely used in networks today.

The router's BootP server has no authentication mechanism, so anyone can send requests to a router offering it, which makes it an easy DoS target.

 

Disable the BootP server:

Router(config)# no ip bootp server

 

==============================================================================

DHCP

The DHCP server and relay agent feature is enabled by default in IOS (it only answers once an address pool or an ip helper-address is configured, but the service itself is on). Disable it on routers that neither serve nor relay DHCP:

Router(config)# no service dhcp------------stops the router acting as a DHCP server or as a DHCP relay

 

==============================================================================

PAD

The PAD (packet assembler/disassembler) service is used in X.25 networks to connect remote sites; it supports asynchronous devices (terminals, IC-card readers, computers) attaching to public or private X.25 networks. It is enabled by default and has no use outside X.25:

 

Router(config)# no service pad

 

=============================================================================

Disable automatic loading over the network:

Router(config)#  no boot network-------------------------------------stops the router loading its IOS image over TFTP at boot
Router(config)#  no service config-------------------------stops the router fetching its configuration file over TFTP after the image has loaded

Both are disabled by default. With service config on, a router that boots without a startup configuration broadcasts TFTP requests for one and installs whatever a responding host sends.

 

==============================================================================

Proxy ARP

Proxy ARP is enabled by default in IOS; turn it off per interface with no ip proxy-arp. With it on, the router answers ARP requests for addresses in other subnets, which lets hosts without a correct default gateway work but also blurs the boundary between segments.

Use show ip interface to check whether an interface has Proxy ARP enabled (the sample below was taken after it had been disabled):

Example

Router#show ip interface fastEthernet 1/0

FastEthernet1/0 is up, line protocol is up

  Internet address is 12.12.12.1/24

  Broadcast address is 255.255.255.255

  Address determined by setup command

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

  Outgoing access list is not set

  Inbound  access list is not set

  Proxy ARP is disabled

  Local Proxy ARP is disabled

 

==============================================================================

Directed Broadcasts

Unlike a local broadcast, a directed broadcast (a packet sent to the broadcast address of a remote subnet) can be routed. Some DoS attacks, Smurf being the classic case, flood a network with directed broadcasts so that every host on the target segment answers a spoofed source.

Check whether directed broadcast forwarding is enabled: Router# show ip interface

Example

Router#show ip interface fastEthernet 1/0

FastEthernet1/0 is up, line protocol is up

  Internet address is 12.12.12.1/24

  Broadcast address is 255.255.255.255

  Address determined by setup command

  MTU is 1500 bytes

  Helper address is not set

  Directed broadcast forwarding is disabled

 

Disable directed broadcasts on the interface (forwarding has been off by default since IOS 12.0, so on current routers the command is a safeguard):

Router(config-if)# no ip directed-broadcast

 

==============================================================================

ICMP Messages

An attacker can use three kinds of ICMP messages to attack or map a network:

ICMP unreachables (tell a scanner which addresses and ports are not in use, and can be provoked in volume)

ICMP redirects (can steer a host's traffic through a rogue gateway)

ICMP mask replies (reveal the subnet mask of the segment)

 

Disable them on the interface:

Router(config-if)# no ip unreachables

Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply

Note that no ip unreachables also suppresses the "fragmentation needed" message (ICMP type 3, code 4) on which Path MTU Discovery depends, so apply it to external-facing interfaces rather than everywhere. The output below shows an interface still at the defaults: redirects and unreachables are sent, mask replies are not.
 
Example
Router#show ip interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
  Internet address is 12.12.12.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent

 

==============================================================================

 

Maintenance Operation Protocol

The Maintenance Operation Protocol (MOP) was widely used with DEC equipment, mainly for:

1.  Uploading or downloading system software

2.  Remote testing

3.  Fault diagnosis

 

Disable the router's support for this Layer 2 DECnet protocol on each interface:

Router(config)# interface type [slot_#/]port_#
Router(config-if)# no mop enabled
 
==============================================================================

Before disabling any of these services, confirm that nothing in the network still depends on them; otherwise the change will cause unexpected problems.
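The checklist above is easiest to apply consistently from a saved copy of show running-config. What follows is an added example, not code from the original article or from Cisco: a Python audit that encodes each service's default (the classic IOS 12.x behaviour described above, taken here as an assumption to verify against your release) and so knows that a default-on service is only proven off by an explicit no line, while a default-off service is only a finding when its enabling line appears. It also flags the factory SNMP strings and emits the matching no commands. The sample configuration and interface names are constructed for the example.

```python
# Audit of a saved Cisco IOS running-config against this article's checklist.
# Added example: not code from the original post or from Cisco.
import re

# *_ON: on by default in classic IOS 12.x (assumption; verify on your release), so
# only an explicit 'no' line proves them off.  *_OFF: off by default.  MOP omitted.
GLOBAL_ON = ["cdp run", "ip source-route", "ip bootp server", "service dhcp",
             "service pad", "ip domain-lookup"]
GLOBAL_OFF = ["service tcp-small-servers", "service udp-small-servers",
              "ip finger", "ip identd", "ftp-server enable", "ip http server",
              "ip http secure-server", "boot network", "service config",
              "snmp-server system-shutdown"]
IFACE_ON = ["ip proxy-arp", "ip redirects", "ip unreachables", "cdp enable"]
IFACE_OFF = ["ip directed-broadcast", "ip mask-reply"]

def parse_config(text):
    """Split a config into global lines and {interface: [sub-commands]}; IOS
    indents sub-commands by one space and ends each block with '!'."""
    global_lines, interfaces, current = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])  # merge repeated blocks like IOS
        else:
            current = None
            if line and not line.startswith("!"):
                global_lines.append(line)
    return global_lines, interfaces

def is_enabled(lines, kw, default_on):
    """Last explicit '<kw>' or 'no <kw>' line wins; otherwise the default."""
    state = default_on
    for line in lines:
        if line == "no " + kw or line.startswith("no " + kw + " "):
            state = False
        elif line == kw or line.startswith(kw + " "):
            state = True
    return state

def audit(text):
    """Return sorted (scope, finding, remediation) tuples for a running-config."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for kw in GLOBAL_ON + GLOBAL_OFF:
        if is_enabled(global_lines, kw, kw in GLOBAL_ON):
            findings.append(("global", f"{kw} is enabled", "no " + kw))
    communities = {}  # string -> access mode, honouring later 'no' lines
    for line in global_lines:
        m = re.match(r"(no )?snmp-server community (\S+)(?: (RO|RW))?", line)
        if m and m.group(1):
            communities.pop(m.group(2), None)
        elif m:
            communities[m.group(2)] = m.group(3) or "RO"
    for name, mode in sorted(communities.items()):
        if name in ("public", "private"):  # factory strings scanners try first
            findings.append(("global", f"default SNMP community '{name}' ({mode})",
                             f"no snmp-server community {name}"))
    cdp_global = is_enabled(global_lines, "cdp run", True)
    for iface, lines in interfaces.items():
        for kw in IFACE_ON + IFACE_OFF:
            if kw == "cdp enable" and not cdp_global:
                continue  # 'no cdp run' already silences every interface
            if is_enabled(lines, kw, kw in IFACE_ON):
                findings.append((iface, f"{kw} is enabled", "no " + kw))
    return sorted(findings)

def remediation(findings):
    """Turn findings into paste-ready IOS configuration, grouped by scope."""
    by_scope = {}
    for scope, _, fix in findings:
        by_scope.setdefault(scope, []).append(fix)
    out = by_scope.pop("global", [])
    for iface, fixes in by_scope.items():
        out += [f"interface {iface}", *(" " + fix for fix in fixes), "!"]
    return out

SAMPLE_CONFIG = """\
! constructed sample for this example, not taken from a real device
service tcp-small-servers
no ip source-route
ip http server
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
!
interface FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip directed-broadcast
!
"""

if __name__ == "__main__": print(*audit(SAMPLE_CONFIG), sep="\n")
```

Save the output of show running-config to a file and pass its contents to audit(). Each finding names the command that is active and the no command that turns it off; remediation() groups those into paste-ready configuration, and running audit() again on the configuration with those lines appended returns an empty list, which is the check to run after the change window. Still verify from a neighbouring router with the telnet probes shown in each section: a static audit cannot see what a newer release has changed by default.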

Reference:

Cisco Router Firewall Security, by Richard A. Deal
