China Telecom IP Network Security System Project (Network Security Assessment and Hardening Project), Jiangsu Node
Cisco Network Device System Hardening Manual (V1.0)

Hardening ID / Hardening item / Procedure / Notes

CD-001  Use FTP instead of TFTP
    Router(Config)#ip ftp username tom
    Router(Config)#ip ftp password g00dpa55w0rd
    Router#copy startup-config ftp:

CD-002  Access control for the console port
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# line con 0
    Router(config-line)# transport input none
    Router(config-line)# login local
    Router(config-line)# exec-timeout 5 0
    Router(config-line)# exit
    Router(config)#

CD-003  Access control for the AUX port
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# line aux 0
    Router(config-line)# transport input none
    Router(config-line)# login local
    Router(config-line)# exec-timeout 0 1
    Router(config-line)# no exec
    Router(config-line)# exit

CD-004  Access control for the VTY lines
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no access-list 90
    Router(config)# access-list 90 deny any log
    Router(config)# line vty 0 4
    Router(config-line)# access-class 90 in
    Router(config-line)# transport input none
    Router(config-line)# login local
    Router(config-line)# exec-timeout 0 1
    Router(config-line)# no exec
    Router(config-line)# end
    Router#

CD-005  Privilege level policy
    Router(config)# privilege exec level 15 connect
    Router(config)# privilege exec level 15 telnet
    Router(config)# privilege exec level 15 rlogin
    Router(config)# privilege exec level 15 show ip access-lists
    Router(config)# privilege exec level 15 show access-lists
    Router(config)# privilege exec level 15 show logging
    Router(config)# privilege exec level 1 show ip

CD-006  Strong password for privileged mode
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# enable secret 2-mAny-rOUtEs
    Router(config)# no enable password
    Router(config)# end
    Router#

CD-007  Separate accounts for administrators
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# username rsmith password 3d-zirc0nia
    Router(config)# username rsmith privilege 1
    Router(config)# username bjones password 2B-or-3B
    Router(config)# username bjones privilege 1
    Router(config)# no username brian
    Router(config)# end
    Router#

CD-008  Disable the CDP protocol
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no cdp run
    Router(config)# exit
    Router# show cdp
    % CDP is not enabled
    Router#

CD-009  Disable the TCP and UDP small servers
  If the connection succeeds, the TCP small servers are running:
    Router# connect 50 daytime
    Trying 50, 13 . Open
    Monday, April 3, 2003 11:48:39-EDT
    Connection to 50 closed by foreign host
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no service tcp-small-servers
    Router(config)# no service udp-small-servers
    Router(config)# exit
    Router# connect 50 daytime
    Trying 50, 13 .
    % Connection refused by remote host
    Router#

CD-010  Disable the Finger service
    Router# connect 50 finger
    Trying 50, 79 . Open
    This is the ROUTER router; access restricted.
    Line User Host(s) Idle Location
    130 vty 0 00:00:00 goldfish
    *131 vty 1 idle 00:00:00 Router
    Connection to 50 closed by foreign host
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no ip finger
    Router(config)# no service finger
    Router(config)# exit
    Router# connect 50 finger
    Trying 50, 79 .
    % Connection refused by remote host
    Router#

CD-011  Disable the HTTP service
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no ip http server
    Router(config)# exit
    Router# connect 50 www
    Trying 50, 80 .
    % Connection refused by remote host
    Router#
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
  Add a web management user, then enable HTTP authentication:
    Router(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
    Router(config)# ip http auth local
  Create an IP access list for web access:
    Router(config)# no access-list 29
    Router(config)# access-list 29 permit host 8
    Router(config)# access-list 29 permit 55
    Router(config)# access-list 29 deny any
  Apply the access list, then start the HTTP server:
    Router(config)# ip http access-class 29
    Router(config)# ip http server
    Router(config)# exit
    Router#

CD-012  Disable IP source routing
    Router(config)# no ip source-route
    Router(config)#

CD-013  Disable proxy ARP
    Router# show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 50 YES NVRAM up up
    Ethernet0/1 50 YES NVRAM up up
    Ethernet0/2 unassigned YES unset down down
    Ethernet0/3 unassigned YES unset down down
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface eth 0/0
    Router(config-if)# no ip proxy-arp
    Router(config-if)# exit
    Router(config)# interface eth 0/1
    Router(config-if)# no ip proxy-arp
    Router(config-if)# exit
    Router(config)# interface eth 0/2
    Router(config-if)# no ip proxy-arp
    Router(config-if)# exit
    Router(config)# interface eth 0/3
    Router(config-if)# no ip proxy-arp
    Router(config-if)# end
    Router#

CD-014  Disable IP directed broadcast
    Router(config)# no ip directed-broadcast

CD-015  Disable ICMP IP unreachables, redirects and mask replies
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface eth 0/0
    Router(config-if)# no ip unreachable
    Router(config-if)# no ip redirect
    Router(config-if)# no ip mask-reply
    Router(config-if)# end
    Router#

CD-016  Disable the NTP service
    Router# show ip interface brief
    Interface IP-Address OK? Method Status Protocol
    Ethernet0/0 0 YES NVRAM up up
    Ethernet1/0 50 YES NVRAM up up
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface eth 0/0
    Router(config-if)# ntp disable
    Router(config-if)# exit
    Router(config)# interface eth 1/0
    Router(config-if)# ntp disable
    Router(config-if)# end
    Router#

CD-017  SNMP service settings
    Router# show running-config | include snmp
    Building configuration.
    snmp-server community public RO
    snmp-server community admin RW
    Router#
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
  Remove the old community strings:
    Router(config)# no snmp-server community public RO
    Router(config)# no snmp-server community admin RW
    Router(config)#
  Use an access control list:
    Router(config)# no access-list 70
    Router(config)# access-list 70 deny any
    Router(config)# snmp-server community MoreHardPublic Ro 70
    Router(config)#
  Disable traps and the system-shutdown feature:
    Router(config)# no snmp-server enable traps
    Router(config)# no snmp-server system-shutdown
    Router(config)# no snmp-server trap-auth
    Router(config)#
  Disable the SNMP service:
    Router(config)# no snmp-server
    Router(config)# end

CD-018  Disable the DNS service
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# no ip domain-lookup
    Router(config)# no ip name-server
    Router(config)# end

CD-019  Enable IP unicast reverse-path verification
    Router# config t
  Enable CEF:
    Router(Config)# ip cef
  Enable unicast reverse-path verification:
    Router(Config)# interface eth0/1
    Router(Config)# ip verify unicast reverse-path

CD-020  Configure console and buffered logging
  Set console logging to level 5 (notify):
    Router(config)# logging console notification
    Router(config)# exit
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
  Set a 16K log buffer at the informational level:
    Router(config)# logging buffered 16000 information
  Enable timestamps in log messages:
    Router(config)# service timestamp log date msec local show-timezone
    Router(config)# exit
    Router# show logging
    Syslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)
    Console logging: level critical, 0 messages logged
    Buffer logging: level informational, 1 messages logged
    Trap logging: level debugging, 332 message lines logged
    Logging to , 302 message lines logged
    Log Buffer (16000 bytes):
    Mar 28 11:31:22 EST: %SYS-5-CONFIG_I: Configured from console by vty0 ()
    Router#

CD-021  Configure terminal line logging
    Router# show users
    Line User Host(s) Idle Location
    *130 vty 0 bob idle 00:00:00
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
  Set the monitor logging level to level 6:
    Router(config)# logging monitor information
    Router(config)# exit
  Make this session receive log messages:
    Router# terminal monitor
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# interface eth 0/1
  The shutdown command will log a level 5 message:
    Router(config-if)# shutdown
    Router(config-if)#
    Mar 28 15:55:29 EST: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down

CD-022  Configure syslog logging
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# logging trap information
    Router(config)# logging
    Router(config)# logging facility local6
    Router(config)# logging source-interface loopback0
    Router(config)# exit
    Router# show logging
    Syslog logging: enabled (0 messages dropped, 11 flushes, 0 overruns)
    Console logging: level notifications, 35 messages logged
    Monitor logging: level debugging, 35 messages logged
    Buffer logging: level informational, 31 messages logged
    Logging to , 28 message lines logged.
    Router#
  On the syslog server, configure the following (using Unix and Linux syslog as the example):
    /etc/syslog.conf
    # Save router messages to routers.log
    local6.debug /var/log/routers.log

CD-023  Configure SNMP trap logging
    Router# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# logging trap information
    Router(config)# snmp-server host traps pu81!(
    Router(config)# snmp-server trap-source loopback0
    Router(config)# snmp-server enable traps syslog
    Router(config)# exit
    Router#

CD-024  Protection against the IPv4 packet-handling network-interface denial-of-service vulnerability
    Router(Config)# access-list 101 deny 53 any any
    Router(Config)# access-list 101 deny 55 any any
    Router(Config)# access-list 101 deny 77 any any
    Router(Config)# access-list 101 deny 103 any any
    Router(Config)# access-list 101 permit ip any any

CD-025  Basic protection against IP spoofing
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log
    Router(Config)# access-list 100 deny ip 55 any log

CD-026  Restrict outbound source addresses
    Router(Config)# no access-list 101
    Router(Config)# access-list 101 permit ip 55 any
    Router(Config)# access-list 101 deny ip any any log
    Router(Config)# interface eth 0/1
    Router(Config-if)# description “internet Ethernet”
    Router(Config-if)# ip address 54
    Router(Config-if)# ip access-group 101 in

CD-027  Defence against TCP SYN attacks
  A: Defence with access lists
    Router(Config)# no access-list 106
    Router(Config)# access-list 106 permit tcp any 55 established
    Router(Config)# access-list 106 deny ip any any log
    Router(Config)# interface eth 0/2
    Router(Config-if)# description “external Ethernet”
    Router(Config-if)# ip address 54
    Router(Config-if)# ip access-group 106 in
  B: Defence with TCP intercept
    Router(Config)# ip tcp intercept list 107
    Router(Config)# access-list 107 permit tcp any 55
    Router(Config)# access-list 107 deny ip any any log
    Router(Config)# interface eth0
    Router(Config)# ip access-group 107 in

CD-028  ICMP security configuration
  Inbound ICMP control:
    Router(Config)# access-list 110 deny icmp any any echo log
    Router(Config)# access-list 110 deny icmp any any redirect log
    Router(Config)# access-list 110 deny icmp any any mask-request log
    Router(Config)# access-list 110 permit icmp any any
  Inbound ICMP control:
    Router(Config)# access-list 111 permit icmp any any echo
    Router(Config)# ac
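As an added example that is not part of the manual, the following Python audit checks a saved running-config against several of the CD-0xx items above (CD-006 to CD-017). The sample configuration, the check patterns and the finding wording are my own constructions; only the hardening IDs come from the manual.

```python
import re

# Constructed sample running-config (not from the manual), deliberately left
# non-compliant on CD-008 (CDP still on), CD-010 (finger), CD-013 (Ethernet0/1)
# and CD-017 (SNMP community without an access list).
SAMPLE_CONFIG = """\
no service tcp-small-servers
no service udp-small-servers
enable secret 5 $1$EXAMPLE$placeholderhash
no ip source-route
no ip http server
interface Ethernet0/0
 no ip proxy-arp
 ntp disable
interface Ethernet0/1
 ntp disable
snmp-server community public RO
"""

# IOS prints only non-default settings, so a missing "no ..." line means the
# service is still at its enabled default. Patterns match from line start.
GLOBAL_REQUIRED = [
    ("CD-006", r"enable secret "), ("CD-008", r"no cdp run$"),
    ("CD-009", r"no service tcp-small-servers$"), ("CD-010", r"no ip finger$"),
    ("CD-009", r"no service udp-small-servers$"), ("CD-011", r"no ip http server$"),
    ("CD-012", r"no ip source-route$"),
]
GLOBAL_FORBIDDEN = [("CD-006", r"enable password "),
                    ("CD-017", r"snmp-server community \S+ R[OW]$")]
INTERFACE_REQUIRED = [("CD-013", "no ip proxy-arp"), ("CD-016", "ntp disable")]


def audit(config):
    """Return sorted (hardening id, finding) pairs for one running-config."""
    lines = config.splitlines()
    top = [l for l in lines if not l.startswith(" ")]
    findings = [(item, "missing: " + pat.rstrip("$"))
                for item, pat in GLOBAL_REQUIRED
                if not any(re.match(pat, l) for l in top)]
    findings += [(item, "insecure: " + l) for item, pat in GLOBAL_FORBIDDEN
                 for l in top if re.match(pat, l)]
    ifaces, cur = {}, None           # interface name -> set of its sub-commands
    for l in lines:
        if l.startswith("interface "):
            cur = ifaces[l.split(None, 1)[1]] = set()
        elif l.startswith(" ") and cur is not None:
            cur.add(l.strip())
    findings += [(item, f"{name}: {c} not set") for name, cmds in ifaces.items()
                 for item, c in INTERFACE_REQUIRED if c not in cmds]
    return sorted(findings)
```

Feed it the output of `show running-config` saved to a file; an empty result means every checked item is in place.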
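Also added here and not from the manual: a Python triage of what a syslog server set up as in CD-020 to CD-022 receives, using the %FACILITY-SEVERITY-MNEMONIC message format shown in the manual's show logging output. The sample log lines, the addresses in them and the function names are constructed for this example.

```python
import re
from collections import Counter

# IOS severity names, index = numeric level, as used by the manual's
# "logging console notification" and "logging trap information" commands.
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

# One IOS message: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: text"
MSG_RE = re.compile(r"^(?P<ts>.+?): %(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-"
                    r"(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
ACL_RE = re.compile(r"list (?P<acl>\S+) denied \S+ (?P<src>[\d.]+)")

# Constructed sample log in the format of the show logging output under
# CD-020/CD-021; the addresses are documentation placeholders.
SAMPLE_LOG = """\
Mar 28 11:31:22 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)
Mar 28 15:55:29 EST: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
Mar 28 16:02:11 EST: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40022) -> 192.0.2.1(23), 1 packet
Mar 28 16:02:14 EST: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40023) -> 192.0.2.1(22), 1 packet
Mar 28 16:05:00 EST: %SYS-7-USERLOG_DEBUG: Message from tty0: debug test
"""


def parse(line):
    """Split one IOS message into its fields; None for lines in another format."""
    m = MSG_RE.match(line.strip())
    return dict(m.groupdict(), sev=int(m["sev"])) if m else None


def triage(log, trap_level="informational"):
    """Replay what a syslog server set up as in CD-022 would receive from the router."""
    limit = LEVELS.index(trap_level)     # "logging trap <level>" forwards sev <= limit
    out = {"forwarded": 0, "dropped": 0, "config_changes": [],
           "admin_down": [], "acl_denies": Counter()}
    for rec in filter(None, map(parse, log.splitlines())):
        if rec["sev"] > limit:           # e.g. a level-7 debug message never leaves the router
            out["dropped"] += 1
            continue
        out["forwarded"] += 1
        if rec["mnem"] == "CONFIG_I":    # CD-020: who reconfigured the router
            out["config_changes"].append(rec["text"])
        elif rec["mnem"] == "CHANGED" and "administratively down" in rec["text"]:
            out["admin_down"].append(rec["text"].split(",")[0])   # CD-021 example event
        else:
            hit = ACL_RE.search(rec["text"])          # "log" keyword on the CD-025/026 ACLs
            if hit:
                out["acl_denies"][(hit["acl"], hit["src"])] += 1
    return out
```

Running it with trap_level="notifications" shows why the manual picks the informational level: the ACL deny messages are level 6 and would otherwise never reach /var/log/routers.log.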