| > 前两天在路由器试用了一个命令:auto secure,这个命令用起来比较方便,而且可以关闭一些不安全的服务和启用一些安全的服务。然后对这个命令做了一个总结。(注:好像ios版本为:12.3(1)以上才支持使用) 总结如下: 1、关闭一些全局的不安全服务如下: Finger PAD Small Servers Bootp HTTP service Identification Service CDP NTP Source Routing 2、开启一些全局的安全服务如下: Password-encryption service Tuning of scheduler interval/allocation TCP synwait-time TCP-keepalives-in and tcp-kepalives-out SPD configuration No ip unreachables for null 0 3、关闭接口的一些不安全服务如下: ICMP Proxy-Arp Directed Broadcast Disables MOP service Disables icmp unreachables Disables icmp mask reply messages. 4、提供日志安全如下: Enables sequence numbers & timestamp Provides a console log Sets log buffered size Provides an interactive dialogue to configure the logging server ip address. 5、保护访问路由器如下: Checks for a banner and provides facility to add text to automatically configure: Login and password Transport input & output Exec-timeout Local AAA SSH timeout and ssh authentication-retries to minimum number Enable only SSH and SCP for access and file transfer to/from the router 6、保护转发Forwarding Plane Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available Anti-spoofing Blocks all IANA reserved IP address blocks Blocks private address blocks if customer desires Installs a default route to NULL 0, if a default route is not being used Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image, Enables NetFlow on software forwarding platforms |
