1、IP欺騙簡(jiǎn)單防護(hù)。如過(guò)濾非公有地址訪問(wèn)內(nèi)部網(wǎng)絡(luò)。過(guò)濾自己內(nèi)部網(wǎng)絡(luò)地址;回環(huán)地址(127.0.0.0/8);RFC1918私有地址;DHCP自定義地址 (169.254.0.0/16);科學(xué)文檔作者測(cè)試用地址(192.0.2.0/24);不用的組播地址(224.0.0.0/4);SUN公司的古老的測(cè)試地址(20.20.20.0/24;204.152.64.0/23);全網(wǎng)絡(luò)地址(0.0.0.0/8)。
Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any
Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any
Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any
Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.2.255 any
Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any
Router(Config)# access-list 100 permit ip any any
Router(Config-if)# ip access-group 100 in |
2、建議采用訪問(wèn)列表控制流出內(nèi)部網(wǎng)絡(luò)的地址必須是屬于內(nèi)部網(wǎng)絡(luò)的。(可選)如:
Router(Config)# no access-list 101
Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.255.255 any
Router(Config)# access-list 101 deny ip any any
Router(Config)# interface eth 0/1
Router(Config-if)# description “internet Ethernet”
Router(Config-if)# ip address 192.168.0.254 255.255.255.0
Router(Config-if)# ip access-group 101 in |
其他可選項(xiàng):
建議啟用SSH,廢棄掉Telnet.但只有支持并帶有IPSec特征集的IOS才支持SSH.并且IOS12.0-IOS12.2僅支持SSH-V1.如下配置SSH服務(wù)的例子:
Router(Config)# no access-list 101
Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.255.255 any
Router(Config)# access-list 101 deny ip any any
Router(Config)# interface eth 0/1
Router(Config-if)# description “internet Ethernet”
Router(Config-if)# ip address 192.168.0.254 255.255.255.0
Router(Config-if)# ip access-group 101 in Router(Config)# config t
Router(Config)# no access-list 22
Router(Config)# access-list 22 permit 192.168.0.22
Router(Config)# access-list deny any
Router(Config)# username test privilege 10 **** |
! 設(shè)置SSH的超時(shí)間隔和嘗試登錄次數(shù)
Router(Config)# ip ssh timeout 90
Router(Config)# ip ssh anthentication-retries 2
Router(Config)# line vty 0 4
Router(Config-line)# access-class 22 in
Router(Config-line)# transport input ssh
Router(Config-line)# login local
Router(Config-line)# exit |
!啟用SSH服務(wù),生成RSA密鑰對(duì)。
Router(Config)# crypto key generate rsa
The name for the keys will be: router.xxx
Choose the size of the key modulus in the range of 360 to 2048
for your General Purpose Keys .
Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus[512]: 2048
Generating RSA Keys...
Router(Config)# |
