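Using the auto secure command

I tried a command on a router: auto secure. It is convenient to use, and it can disable some insecure services and enable some secure ones. I then wrote up a summary of the command. (Note: it seems that only IOS versions 12.3(1) and later support it.) The summary is as follows: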
1. Disables the following insecure global services:
Finger
PAD
Small Servers
Bootp
HTTP service
Identification Service
CDP
NTP
Source Routing
2. Enables the following global security services:
Password-encryption service
Tuning of scheduler interval/allocation
TCP synwait-time
TCP-keepalives-in and tcp-keepalives-out
SPD configuration
No ip unreachables for null 0
3. Disables the following insecure services on interfaces:
ICMP
Proxy-Arp
Directed Broadcast
Disables MOP service
Disables icmp unreachables
Disables icmp mask reply messages.
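One way to check a saved running-config for the settings in items 1 to 3, as an added example that is not part of the original article. The mapping from the listed items to IOS configuration lines and the sample config are assumptions of this example; a line that is absent may simply be a release default that `show running-config` omits, so each finding is something to verify rather than a confirmed gap.

```python
# Added example: the item-to-command mapping below is this example's assumption.
GLOBAL_LINES = ["no service finger", "no service pad", "no service tcp-small-servers",
                "no service udp-small-servers", "no ip bootp server", "no ip http server",
                "no ip identd", "no cdp run", "no ip source-route",
                "service password-encryption", "service tcp-keepalives-in",
                "service tcp-keepalives-out"]
INTERFACE_LINES = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                   "no ip directed-broadcast", "no ip mask-reply"]

def audit(config):
    """Return expected hardening lines that are not explicitly configured."""
    global_lines, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # a top-level command closes any open block
            current = None
            if line.startswith("interface "):
                current = interfaces.setdefault(line.split(" ", 1)[1], set())
            else:
                global_lines.add(line)
        elif current is not None:  # indented line inside an interface block
            current.add(line)
    report = {"global": [c for c in GLOBAL_LINES if c not in global_lines]}
    for name, lines in interfaces.items():
        low = name.lower()
        # MOP only exists on Ethernet-type interfaces
        wanted = INTERFACE_LINES + (["no mop enabled"] if "ethernet" in low else [])
        if low.startswith("null"):
            wanted = ["no ip unreachables"]  # the "null 0" item in the list above
        missing = [c for c in wanted if c not in lines]
        if missing:
            report[name] = missing
    return report

# Constructed sample config, not taken from a real device.
SAMPLE = """\
no service pad
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
interface Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
no ip http server
"""
```

`audit(SAMPLE)` reports the global lines still missing, flags FastEthernet0/0 for the three lines it lacks, and leaves Serial0/1 out because every line expected of a non-Ethernet interface is present.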
4. Provides logging security as follows:
Enables sequence numbers & timestamp
Provides a console log
Sets log buffered size
Provides an interactive dialogue to configure the logging server ip address.
5. Secures access to the router as follows:
Checks for a banner and provides facility to add text to automatically configure:
Login and password
Transport input & output
Exec-timeout
Local AAA
SSH timeout and ssh authentication-retries to minimum number
Enable only SSH and SCP for access and file transfer to/from the router
6. Secures the Forwarding Plane:
Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
Anti-spoofing
Blocks all IANA reserved IP address blocks
Blocks private address blocks if customer desires
Installs a default route to NULL 0, if a default route is not being used
Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
Enables NetFlow on software forwarding platforms

Article entered by: csh  Editor: csh