2025-04-03 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)06/01 Report--
R1(config)# no cdp run  # disable CDP on the border router so that outsiders cannot map the internal network from CDP advertisements
R1(config)# no service tcp-small-servers  # echo 17, chargen 19, daytime 13
R1(config)# no service udp-small-servers  # disable the low-port "small" services; for example, stops an attacker from aiming traffic at the chargen port to burn CPU and cause a DoS
R1(config)# no ip finger  # disable finger so that an attacker cannot use it to enumerate who is logged in to the router
R1(config)# no ip identd  # identd lets a remote device query TCP port 113 to identify the user of a connection
R1(config)# no ip source-route  # drop IP source-routed packets so that an attacker cannot use source routing to bypass the firewall
R1(config)# no ftp-server enable  # disable the FTP server so that no FTP service can be brought up on the router
R1(config)# no ip bootp server  # stop the router from serving BOOTP to hosts booting through it
R1(config)# no service pad  # PAD (packet assembler/disassembler) is only needed for X.25 networks
R1(config)# no boot network  # do not load the boot image from a TFTP server through the router
R1(config)# no service config  # do not load configuration from a network server
R1(config)# no ip proxy-arp  # disable proxy ARP. One case where it must stay enabled: when the router terminates a remote-access IPSec VPN, local devices reach the remote VPN client through the router, so the router has to answer their ARP requests on the client's behalf
R1(config)# no ip directed-broadcast  # DoS attacks use directed broadcasts to flood a specific network or subnet
R1(config)# no ip unreachables  # attackers can make the router generate ICMP unreachable messages as a DoS vector
R1(config)# no ip redirects  # attackers may use ICMP redirects to create a routing loop and take the network down
R1(config)# no ip mask-reply  # ICMP mask requests can be used to aim directed-broadcast DoS traffic at subnets
-
ACL parameter description:
precedence: match a specific IP precedence value, from 0 to 7. The precedence field in the IP header is normally used to classify traffic for quality of service (QoS) and queuing.
dscp: match the Differentiated Services Code Point (DSCP) value in the IP header
tos: match the type-of-service field in the IP header, used for QoS implementations
log: log each match (to the console, the internal buffer or syslog), including the protocol (TCP, UDP or ICMP) and the source and destination port numbers
log-input: like log, but the record also includes the interface the packet arrived on and the layer 2 source address of the packet
ACL example:
access-list 100 permit tcp any host 200.1.1.2 eq 25  # any host may send e-mail traffic to 200.1.1.2
access-list 100 permit tcp any eq 25 host 200.1.1.2 established  # the internal e-mail server sends mail to an external server and receives its replies. established permits the return traffic of TCP sessions the user opened, but it opens a loophole on the border router: an attacker can craft packets with TCP flag bits such as ACK, FIN, PSH, RST or SYN set so that they look like return traffic and match this rule.
Use ip accounting access-violations on the interface to count the packets that fail the ACL.
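The following is an added illustration, not part of the original article, of why the established keyword is a loophole: it models the page's access-list 100 as a flags-only filter and places a minimal stateful session table (in the spirit of CBAC) beside it. Packet addresses and ports are constructed; the Packet, Rule and SessionTable names are the example's own.

```python
"""Flags-only `established` matching versus a stateful session table.
Added example with constructed packets; the inside host is the page's 200.1.1.2."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # TCP flag names, e.g. {"ACK"}


@dataclass
class Rule:
    action: str               # "permit" or "deny"
    src: str                  # "any" or one host address
    sport: Optional[int]      # None means any port
    dst: str
    dport: Optional[int]
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # `established` looks at flag bits only: ACK or RST set counts as "part of a session".
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def acl_action(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; every Cisco ACL ends with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Mirrors the page's access-list 100.
ACL_100 = [
    Rule("permit", "any", None, "200.1.1.2", 25),
    Rule("permit", "any", 25, "200.1.1.2", None, established=True),
]


class SessionTable:
    """Minimal stateful filter: only replies to sessions the inside host opened are let back in."""

    def __init__(self) -> None:
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        self.sessions.add((p.src, p.sport, p.dst, p.dport))

    def allow_inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.sessions


def demo() -> dict:
    """Returns (ACL verdict, stateful verdict) for three constructed inbound packets."""
    table = SessionTable()
    # The inside mail server opens an SMTP session to an outside relay (constructed address).
    table.outbound(Packet("200.1.1.2", 40000, "203.0.113.10", 25, frozenset({"SYN"})))
    legit_reply = Packet("203.0.113.10", 25, "200.1.1.2", 40000, frozenset({"SYN", "ACK"}))
    # Source port 25 and an ACK bit, aimed at a port no session was opened from.
    forged_ack = Packet("198.51.100.7", 25, "200.1.1.2", 22, frozenset({"ACK"}))
    fresh_syn = Packet("198.51.100.7", 25, "200.1.1.2", 22, frozenset({"SYN"}))
    results = {}
    for name, pkt in (("legit_reply", legit_reply), ("forged_ack", forged_ack), ("fresh_syn", fresh_syn)):
        results[name] = (acl_action(ACL_100, pkt), table.allow_inbound(pkt))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} acl={verdict[0]:6s} stateful={'permit' if verdict[1] else 'deny'}")
```

The forged packet passes the ACL because established checks nothing beyond the ACK/RST bits, while the session table rejects it because 200.1.1.2 never opened a connection from port 22; that difference is what the page's CBAC sections add on top of plain ACLs.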
-
Use PAM (port-to-application mapping) with ACLs to limit which hosts CBAC inspects on non-standard ports
R1(config)# ip port-map http port 8080 list 1
R1(config)# access-list 1 permit host 192.168.100.2
R1(config)# ip port-map http port 8090 list 2
R1(config)# access-list 2 permit host 192.168.100.3
-
Use an ACL against TCP SYN floods
R1(config)# ip access-list extended tcp-syn-flood
R1(config-ext-nacl)# permit tcp any 200.1.1.0 0.0.0.255 established
R1(config-ext-nacl)# permit tcp any host 200.1.1.11 eq 25
R1(config-ext-nacl)# deny ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group tcp-syn-flood in
This ACL cannot stop a TCP SYN flood aimed at the e-mail server itself, since port 25 must stay open; combine it with CBAC inspection for that.
-
Use an ACL to block Smurf and Fraggle DoS attacks: Smurf uses ICMP echo, Fraggle uses UDP echo
R1(config)# ip access-list extended Smurf-fraggle
R1(config-ext-nacl)# deny icmp any any echo
R1(config-ext-nacl)# deny icmp any any echo-reply
R1(config-ext-nacl)# deny udp any any eq echo
R1(config-ext-nacl)# deny udp any eq echo any
R1(config-ext-nacl)# deny ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group Smurf-fraggle in
R1(config-if)# ip access-group Smurf-fraggle out
-
Filter ICMP, traceroute, RPC, SQL
R1(config)# ip access-list extended ICMP-IN-OUT
R1(config-ext-nacl)# deny icmp any any echo
R1(config-ext-nacl)# deny icmp any any redirect
R1(config-ext-nacl)# deny icmp any any mask-request
R1(config-ext-nacl)# permit icmp any host 200.1.1.5 echo-reply
R1(config-ext-nacl)# deny icmp any any echo-reply
R1(config-ext-nacl)# permit icmp any 200.1.1.0 0.0.0.255
R1(config-ext-nacl)# deny udp any any range 32400 34400  # filter traceroute
R1(config-ext-nacl)# deny tcp any any eq 514  # filter RPC
R1(config-ext-nacl)# deny udp any any eq 1434  # filter SQL
R1(config-ext-nacl)# deny tcp any any eq 1433  # filter SQL
R1(config-ext-nacl)# deny tcp any any eq 445  # filter SMB
R1(config-ext-nacl)# deny ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group ICMP-IN-OUT in
R1(config-if)# ip access-group ICMP-IN-OUT out
-
Filter Trinoo
R1(config)# ip access-list extended trinoo
R1(config-ext-nacl)# deny tcp any any eq 1524
R1(config-ext-nacl)# deny udp any any eq 1524
R1(config-ext-nacl)# deny tcp any any eq 27665
R1(config-ext-nacl)# deny udp any any eq 27665
R1(config-ext-nacl)# deny tcp any any eq 31335
R1(config-ext-nacl)# deny udp any any eq 31335
R1(config-ext-nacl)# deny ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group trinoo in
R1(config-if)# ip access-group trinoo out
-
Filter DCOM connections. Attackers exploit a defect in Microsoft's RPC code: Microsoft found a vulnerability in the Distributed Component Object Model (DCOM). The ports used by DCOM are 135, 139 and 445.
R1(config)# ip access-list extended Deny_RPC
R1(config-ext-nacl)# deny tcp any any eq 135
R1(config-ext-nacl)# deny udp any any eq 135
R1(config-ext-nacl)# deny tcp any any eq 139
R1(config-ext-nacl)# deny udp any any eq 139
R1(config-ext-nacl)# deny tcp any any eq 445
R1(config-ext-nacl)# deny udp any any eq 445
R1(config-ext-nacl)# deny udp any any eq 593
R1(config-ext-nacl)# deny udp any any eq 4444
R1(config-ext-nacl)# permit ip any any
R1(config)# interface g0/1
R1(config-if)# ip access-group Deny_RPC in
-
Use CBAC to block DoS attacks
R1(config)# ip inspect tcp synwait-time 20
R1(config)# ip inspect tcp idle-time 60
R1(config)# ip inspect udp idle-time 20
R1(config)# ip inspect max-incomplete high 400
R1(config)# ip inspect max-incomplete low 300
R1(config)# ip inspect one-minute high 600
R1(config)# ip inspect one-minute low 500
R1(config)# ip inspect tcp max-incomplete host 300 block-time 0
Set up a simple audit configuration for CBAC
R1(config)# ip access-list extended extended_acl
R1(config-ext-nacl)# deny tcp any any log
R1(config-ext-nacl)# deny udp any any log
R1(config-ext-nacl)# deny icmp any any log
R1(config-ext-nacl)# permit ip any any
R1(config)# ip inspect name cbac-example tcp
R1(config)# ip inspect name cbac-example udp
R1(config)# ip inspect name cbac-example icmp
R1(config)# interface g0/1
R1(config-if)# ip access-group extended_acl
R1(config-if)# ip inspect cbac-example in
-
Use TCP intercept to protect servers inside the network
R1(config)# access-list 100 permit tcp any host 192.168.1.1 eq 80
R1(config)# access-list 100 permit tcp any host 192.168.1.2 eq 25
R1(config)# ip tcp intercept list 100
R1(config)# ip tcp intercept mode watch
R1(config)# ip tcp intercept watch-timeout 20
R1(config)# ip tcp intercept connection-timeout 120
R1(config)# ip tcp intercept max-incomplete high 600
R1(config)# ip tcp intercept max-incomplete low 500
R1(config)# ip tcp intercept one-minute high 800
R1(config)# ip tcp intercept one-minute low 600
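Both the CBAC thresholds above (max-incomplete high/low, one-minute high/low, synwait-time) and the TCP intercept thresholds work the same way: when the number of half-open connections, or the rate of new connection attempts per minute, crosses the high watermark the router enters aggressive mode and starts deleting the oldest half-open connection for each new one, and it returns to normal only once both measures fall below the low watermark. The following is an added simulation of that hysteresis, not code from the article or from Cisco; it uses the page's CBAC values and a constructed flood of 450 SYNs, and the HalfOpenMonitor class and its method names are the example's own.

```python
"""Half-open connection watermarks with hysteresis, as used by CBAC and TCP intercept.
Added simulation; the flood below is constructed, not captured traffic."""
from collections import deque
from typing import Deque, Hashable, Tuple


class HalfOpenMonitor:
    def __init__(self, max_high: int, max_low: int, rate_high: int, rate_low: int, synwait: float) -> None:
        self.max_high, self.max_low = max_high, max_low      # max-incomplete high / low
        self.rate_high, self.rate_low = rate_high, rate_low  # one-minute high / low
        self.synwait = synwait                               # synwait-time (watch-timeout for TCP intercept)
        self.half_open: Deque[Tuple[float, Hashable]] = deque()  # (arrival time, session key), oldest first
        self.attempts: Deque[float] = deque()                # timestamps of new attempts in the last 60 s
        self.aggressive = False
        self.dropped_oldest = 0

    def _prune(self, now: float) -> None:
        # A handshake that never completed within synwait is deleted; attempts age out of the one-minute window.
        while self.half_open and now - self.half_open[0][0] >= self.synwait:
            self.half_open.popleft()
        while self.attempts and now - self.attempts[0] >= 60:
            self.attempts.popleft()

    def _update_mode(self) -> None:
        count, rate = len(self.half_open), len(self.attempts)
        if not self.aggressive and (count > self.max_high or rate > self.rate_high):
            self.aggressive = True          # high watermark crossed: start defending
        elif self.aggressive and count < self.max_low and rate < self.rate_low:
            self.aggressive = False         # both measures below the low watermark: back to normal

    def syn(self, now: float, key: Hashable) -> None:
        """A new connection attempt (SYN) arrives."""
        self._prune(now)
        self.attempts.append(now)
        if self.aggressive and self.half_open:
            # Aggressive mode: the oldest half-open connection is deleted to make room for the new one.
            self.half_open.popleft()
            self.dropped_oldest += 1
        self.half_open.append((now, key))
        self._update_mode()

    def complete(self, now: float, key: Hashable) -> None:
        """The three-way handshake for `key` finished; it is no longer half-open."""
        self._prune(now)
        self.half_open = deque(entry for entry in self.half_open if entry[1] != key)
        self._update_mode()

    def tick(self, now: float) -> None:
        """Timer pass with no new traffic: expire stale entries and re-evaluate the mode."""
        self._prune(now)
        self._update_mode()


def simulate_flood(n_syn: int = 450) -> dict:
    """Page's CBAC values: max-incomplete 400/300, one-minute 600/500, synwait-time 20."""
    mon = HalfOpenMonitor(max_high=400, max_low=300, rate_high=600, rate_low=500, synwait=20)
    aggressive_after = None
    for i in range(n_syn):
        # Constructed flood: one SYN every 10 ms from rotating source addresses, none completes.
        mon.syn(i * 0.01, (f"198.51.100.{i % 250 + 1}", 40000 + i))
        if mon.aggressive and aggressive_after is None:
            aggressive_after = i + 1
    peak = len(mon.half_open)
    mon.tick(30.0)  # synwait-time (20 s) has elapsed for every entry
    return {
        "aggressive_after": aggressive_after,
        "half_open_peak": peak,
        "dropped_oldest": mon.dropped_oldest,
        "aggressive_now": mon.aggressive,
        "half_open_after_timeout": len(mon.half_open),
    }


def legitimate_session_clears() -> int:
    """A completed handshake leaves nothing half-open behind."""
    mon = HalfOpenMonitor(400, 300, 600, 500, 20)
    mon.syn(0.0, ("192.0.2.10", 51000))
    mon.complete(0.05, ("192.0.2.10", 51000))
    return len(mon.half_open)


if __name__ == "__main__":
    print(simulate_flood())
```

With the page's values, the 401st half-open connection trips the high watermark; every further SYN then costs the flood's oldest entry rather than a new table slot, and once synwait-time has expired the table drains below the low watermark and the router leaves aggressive mode. Raising max-incomplete high or synwait-time lets more half-open state accumulate before the defence engages, which is the trade-off the two sets of numbers on this page make.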
© 2024 shulou.com SLNews company. All rights reserved.