admin, Wallet APP Downloads, 2023-03-13
access-list 120 remark TCP intercept ACL
!*
Cisco has enabled routers to act as DHCP clients by default. This is really not a necessary service to have running, so shut it off. Also, given the issues with the TCP and UDP small servers, make sure they are off! "Chargen" is the character generator service, used to generate a stream of characters for diagnostic purposes. The "echo" service merely echoes back everything that is sent to it. Pointing the "chargen" service at the "echo" service creates a loop which causes an enormous amount of traffic to be generated and will eventually overwhelm the router's CPU and RAM resources, thus we have the makings of a very serious Denial of Service attack.
ip flow-export source loopback0
CEF is an advanced, layer 3 switching technology inside a router. It defines the fastest method by which a Cisco router forwards packets from ingress to egress interfaces. The ip cef command enables CEF globally; not all routers support CEF, so check your docs.
logging rate-limit ?

With the ACLs, it is important to log the attempts or activity of naughty folks. Thus, the implicit deny-all entry at the end of every ACL is replaced with an explicit deny-all that logs the attempt. You may wish to keep a second list (e.g. 2011) that does not log. During an attack, the additional logging can impact the performance of the router. Simply copy and paste access-list 2010, remove the log-input keyword, and name it access-list 2011. Then when an attack rages, you can replace access-list 2010 on the internet-facing interface with access-list 2011, thus allowing the router to concentrate on defending against the attack.
access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
access-list 30 deny host 224.0.1.60 log   ! hp-device-disc
ip classless
access-list 2010 deny ip 2.0.0.0 0.255.255.255 any log-input
aaa authentication enable default group tacacs+ enable
no ip source-route
!*
!*

!*
no ip source-route
rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
TCP intercept helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets.
access-list 30 permit 224.0.0.0 15.255.255.255 log
!*
access-list 2010 permit ip any 224.0.0.0 15.255.255.255

!*

Log anything interesting to the syslog server. Send all logging output from the loopback interface, which makes the ID of this router easy and uniform to identify in the various places recording data.
interface ethernet2/1

!*
Rate limiting traffic to protect the router (and, by default, your infrastructure) is extremely important. The values may be tweaked to meet your needs, but in general we recommend the following. Allow UDP to use no more than 2 MB/s of pipe.

description unprotected interface, facing towards internet
ip subnet-zero

!*
Export our NetFlow data to our NetFlow server, 7.7.7.5. NetFlow provides some statistics that can be of use when tracing back to the true source of a spoofed attack. We also use the loopback interface as the source, which is a best practice.
no ip proxy-arp
Block access to the router from everyone except the network management server or the firewall, and then only if SSH (port 22) or telnet is used. We will log every successful access as well. Of course we will also log any denied access attempts. This also serves to create an audit trail of all access to the router; extended ACLs are used to log some additional data.
The following static routes will black-hole networks that are not supposed to be routable on the public internet. Be very careful about enabling these when running TCP intercept. The tcp intercept command directs the router to act as a TCP socket proxy. When the router receives the SYN packet, the router (instead of the destination) initially responds with the SYN|ACK. This is where the interaction between TCP intercept and black-hole routes causes a problem. If you create black-hole routes for all bogon ranges and point them to the null device, and someone launches a SYN flood from a bogon range, then the router will send the SYN|ACK to the null device. The router isn't clueful enough to realize it has done this, and the TCP intercept queue begins to build quite quickly. The timeouts aren't, by default, aggressive enough to work through this problem.
ip multicast boundary 30
Rate-limit ACLs for UDP, ICMP, multicast

exception protocol ftp

access-list 160 permit icmp any any
interface ethernet2/0

Why these services are still on by default and in IOS is anyone's guess; however, for the security of your network and your sanity, turn them off.
service tcp-keepalive-in
access-list 2010 remark Anti-bogon ACL
enable secret <password>
!*
Keep flow data for analysis. If possible, export it to a cflowd server.
no ip redirects
access-list 160 remark CAR-icmp ACL
Apply our template ACL. More on what this ACL covers later in the configuration, but applying it is crucial to its success.
exception dump 7.7.7.5

Block SNMP access to the router from any location except the server, which is our network management/syslog server in our template, and of course log anyone else that tries to access SNMP info on the router.
service sequence-numbers
Set the time zone properly. It is best to standardize on one time zone for all routers and servers, thus making problem tracking easier.
no ip directed-broadcast
no service tcp-small-servers
!*

access-list 105 remark VTY access

access-list 105 deny ip any any log-input
service timestamps log datetime msec show-timezone localtime
!*
ip multicast boundary 30
access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range 22 23 log-input
no ip unreachables
!*
interface null0
ip tcp intercept connection-timeout 60
access-list 2010 deny ip any any log-input
aaa accounting commands 15 default stop-only group tacacs+
!*
TCP intercept applies to packets from clients to servers that match an extended access list. The router responds on the server's behalf; if it is a valid connection, client and server are allowed to communicate.
ip tcp intercept one-minute high 6000
Source routing allows the path to be specified in a packet. This could allow the packet to bypass firewalls, etc. Disable this feature!
Multicast: filter out obviously naughty or needless traffic. access-list 30 is the multicast filtering ACL.

!*
access-list 20 permit 7.7.7.5
access-list 20 deny any log
no ip unreachables

John Nagle's algorithm (RFC 896) helps alleviate the small-packet problem in TCP. The effect is to accumulate characters into larger chunks, and pace them out to the network at a rate matching the round-trip time of the given connection. Keepalives ensure that no TCP connections via the router get hung.
!*

access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
aaa accounting network default stop-only group tacacs+
clock timezone GMT 0
!*
snmp-server community <community-string> RO 20
logging trap debugging

aaa accounting exec default stop-only group tacacs+
!*
!*
no ip redirects
no service dhcp
no ip source-route
aaa authentication login default group tacacs+ local-case
no ip mask-reply
service tcp-keepalive-out
no ip domain-lookup
no ip finger
!*
no service pad

access-list 30 deny host 224.0.1.22 log   ! ms-srvloc
ip accounting access-violations

no ip http server
access-list 30 deny host 224.0.1.24 log   ! ms-ds

!*

no ip bootp server
access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
ip ftp password <password>
Warning: the internet sometimes changes without notice, so check the validity of this list prior to implementing it.
ntp update-calendar
hostname OSPF-Rocks
Introduce ourselves with an appropriately stern banner that reflects the level of security and monitoring applied to our network. It is also important to set the expectations of everyone accessing the router, as well as what will happen if attacks are made against it. While we are just showing the message-of-the-day banner, it is recommended that you apply the same banner to the console port, aux port, AAA login, and whenever a user enters exec mode.
no ip unreachables

Configure the loopback0 interface as the source of our log messages. This is often used for routing protocols as well, since a logical interface does not go down and is thus very reliable. Assign an IP address that uniquely identifies this router. One trick is to allocate a netblock for use as the router loopback netblock.
SNMP is very important for network management, particularly in conjunction with MRTG to track usage statistics. To keep SNMP access even more secure, treat the community string as a password: keep it difficult to guess by using caps, lowercase and numbers all together. Then include the ACL that we created to further increase security. Notice that we do not allow SNMP read/write.
!*
access-list 170 remark CAR-multicast ACL
access-list 170 permit ip any 224.0.0.0 15.255.255.255
If you allow multicast in your network or participate in the MBONE, the following multicast filtering steps will help to ensure a secure multicast environment. These must be applied per interface.
!*
Configure, and thus activate, the null0 interface as a place to send naughty packets. This becomes the "roach motel" for packets: they can route in, but they can't route out.
no ip proxy-arp

!*


ip address 6.6.6.254 255.255.255.0
ip tcp intercept list 120
Synchronize the router's clock with a local (trusted and authenticated) NTP server. The secret key must be the same on both the router and the NTP server. Remember that NTP is slow to get going properly (it's a Cisco thing), so be patient.
access-list 115 remark Anti-spoofing ACL
Do I really need to explain why you should not use the built-in web server? Sometimes Cisco takes the web too far. It's a router, Jim!
!*
Logging is a must in almost every case, so turn it on! Plus, with all the logging we are doing in this configuration, it might be a good idea to rate-limit the log messages sent per second so as not to overwhelm your server, as when you are logging ACLs the entries can climb rapidly!
ip tcp intercept one-minute low 1500
IOS will watch and manage a TCP connection for 24 hours after no activity. Why? Who knows? Regardless, it should be changed.
access-list 2010 deny icmp any any fragments log-input
!*
!*
Disables the sending of ICMP redirect messages, which could be used to learn routes; let the hackers wonder!
access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range 22 23 log-input
tacacs-server host 7.7.7.5
access-list 30 deny host 224.0.1.35 log   ! ms-srvloc-da
access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
access-list 2010 permit ip any 7.7.7.0 0.0.0.255
!*

Configure an ACL for TCP intercept. This will protect the hosts on the intranet from SYN floods.
!*
logging 7.7.7.5
access-list 30 deny 239.0.0.0 0.255.255.255 log   ! locally scoped
ip cef
ip route-cache flow
!*
access-list 150 remark CAR-udp ACL

Deny any packets from the RFC 1918, IANA reserved, test, multicast (as a source) and loopback netblocks to block attacks from commonly spoofed IP addresses.
access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
no cdp run
Not all servers are bad; in fact this new entry to the service category is quite useful. Essentially, by enabling it your syslog entries will be numbered to ensure they are not tampered with to hide hacking from you! Cisco helps us with our servers; aren't they nice?
!*
access-list 30 deny 224.0.0.0 0.0.0.255 log   ! link local
Disables the sending of ICMP protocol-unreachable and host-unreachable messages. Once again, there is no reason to allow ICMP to educate hackers about your network.
!*

ip accounting access-violations
description protected interface, facing towards DMZ
!*
ip access-group 2010 in

ip route-cache flow
ip access-group 115 in
!*


access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
!*
Enables IP accounting with the ability to identify IP traffic that fails IP access lists, allowing your router to log all naughty business. Be sure to check it!
IP directed broadcasts are dropped; they are not forwarded. Dropping IP directed broadcasts makes routers less susceptible to denial-of-service attacks.
!*
!*
username <username> password <password>
access-list 100 remark VTY access
Keep half-open sockets open only 10 seconds instead of the default 30 seconds while waiting for a response.
ip ftp username rooter
access-list 30 deny host 224.0.1.2 log   ! sgi-dogfight

ntp server 7.7.7.5
ip flow-export destination 7.7.7.5 2055

Allows us to use the low subnets and go classless, which are areas that have not typically been used.
Permit all other multicast traffic
tacacs-server key OSPF-rock2
access-list 115 permit ip host 6.6.6.1 any
!*
ip tcp intercept watch-timeout 10
Use TACACS+ for AAA. Ensure that the local account is case-sensitive, thus making brute-force attacks less effective.
access-list 100 deny ip any any log-input

Disables the sending of ICMP mask reply messages. The default for Cisco routers is not to do this, but it never hurts to input the command anyway just to be sure.
access-list 115 deny ip any any log-input
Whenever a message is sent to the console port of the router, this results in a CPU interrupt being delivered. Considering the level of logging we have going on, disable console logging until needed.
Do not share Cisco Discovery Protocol information from your secure router; it's just not wise, because CDP contains crucial bits of information about your network topology, device configuration, network devices in use, IP addresses, etc. This command disables CDP globally. If you require CDP on an interface, use cdp run and disable CDP on the internet-facing interface. In other words, use CDP only on interfaces where it is needed, never globally!
If we are using reverse path forwarding, comment out the ACL below.
ip route 1.0.0.0 255.0.0.0 null0
aaa new-model
!*
!*
access-list 115 permit ip 7.7.7.0 0.0.0.255 any
service password-encryption
no enable password

logging 7.7.7.5
no logging console
ip verify unicast reverse-path
In the event that TACACS+ fails, use case-sensitive local authentication instead. Keep the hackers guessing, and the router more secure; remember, security is all about layers of defense.
access-list 30 deny host 224.0.1.3 log   ! rwhod
!*


!*
Don't pretend to be something you're not.
no ip mask-reply
exception core-file secure-router01-core
ntp authentication-key 6767 md5 <secret-key>

ip flow-export version 5 origin-as

access-list 120 permit tcp any 7.7.7.0 0.0.0.255
!*

ip address 10.10.10.10 255.255.255.255
!*
!*

interface loopback0
!*
Of course the most secure password type is enable secret, so use it with some CAPITAL letters and some NUMBERS as well; it makes brute-force attacks harder.


!*
aaa authorization commands 15 default group tacacs+ local
ip verify unicast reverse-path
logging source-interface loopback0
These commands determine when TCP intercept should deactivate or activate, in this case at 1500 and 6000 respectively; the defaults of 900 and 1100 are not very realistic.
service timestamps debug datetime msec show-timezone localtime


no ip redirects

The easiest way to prevent this kind of attack is to disable these services on the router. The commands to do so are "no service tcp-small-servers", which disables echo, chargen, discard and daytime, and "no service udp-small-servers", which disables echo, chargen and discard.
no ip directed-broadcast

access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input

!*
no ip unreachables
!*
no service udp-small-servers

access-list 150 permit udp any any
logging buffered 16384 debugging
ntp authenticate
access-list 20 remark SNMP ACL
banner motd %
Catch a core dump in case of a router crash; very important with a "security router", as an attack may have been successful, so it's good to know what happened. We have configured our network management server beyond our firewall to accept FTP connections from the router. Make sure you give the core dump files a unique name.

service nagle
ip address 5.5.5.254 255.255.255.0
Leave one VTY safe for emergency access, just in case. The host 7.7.7.8 is a secure host in the NOC. If all the VTYs are occupied, this leaves one VTY available, and logging is also happening.
Do we run CEF verify? Yes, if the data path is symmetric. No, if the data path is asymmetric. Use the ip verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection. This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.
!*
Configure an ACL that prevents spoofing from within our network, which recognizes and protects against a hacker gaining access to the network via some other means. This ACL assumes that we need to access the internet only from the 7.7.7.0/24 network. If you have additional networks behind 7.7.7.0/24, then add them into this ACL.
no ip proxy-arp
Provide timestamps in all debug messages and log entries down to the millisecond; make sure your router clock is set properly! The service password-encryption command provides minimal security for user, line, PPP, RADIUS and assorted other passwords and keys that must be stored in the IOS configuration file. The command causes passwords in the config file to be encrypted with a reversible encryption that keeps people from finding your passwords by glancing at your configurations.
