- 论坛徽章:
- 0
|
27.3. 透明IOS防火墙
提问 配置路由器作为2层防火墙
回答
首先配置Integrated Routing and Bridging (IRB)的支持
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#bridge 1 protocol ieee
Router1(config)#interface FastEthernet0/0
Router1(config-if)#bridge-group 1
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#bridge-group 1
Router1(config-if)#exit
Router1(config)#bridge irb
Router1(config)#bridge 1 route ip
Router1(config)#interface BVI1
Router1(config-if)#ip address 172.25.1.101 255.255.255.0
Router1(config-if)#no shutdown
Router1(config-if)#end
Router1#
然后配置防火墙的检查规则和ACL
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip inspect name OREILLY tcp
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip inspect OREILLY in
Router1(config-if)#exit
Router1(config)#access-list 111 deny tcp any host 172.25.1.102 eq 23
Router1(config)#access-list 111 permit ip any any
Router1(config)#access-list 112 deny ip any any
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip access-group 111 in
Router1(config-if)#interface FastEthernet0/1
Router1(config-if)#ip access-group 112 in
Router1(config-if)#end
Router1#
注释 从12.3(7)T开始支持这种2层防火墙或者说透明防火墙的支持,这样可以透明于网络不需要做地址的更改,采用了CBAC的方式来过滤
27.4. 防止拒绝服务攻击
提问 通过对半开放连接的限制来防范拒绝服务攻击
回答
Router1#configure terminal
Router1(config)#access-list 109 permit ip any host 192.168.99.2
Router1(config)#ip tcp intercept list 109
Router1(config)#ip tcp intercept max-incomplete high 10
Router1(config)#ip tcp intercept one-minute high 15
Router1(config)#ip tcp intercept max-incomplete low 5
Router1(config)#ip tcp intercept one-minute low 10
Router1(config)#end
Router1#
注释 除了上述的配置以外还可以对丢弃模式等进行控制
Router1(config)#ip tcp intercept drop-mode random
Router1(config)#ip tcp intercept watch-timeout 15
Router1(config)#ip tcp intercept mode watch
比较有用的一个统计命令
Router1#show tcp intercept statistics
Intercepting new connections using access-list 109
9 incomplete, 1 established connections (total 10)
8 connection requests per minute
Router1#
27.5. 在非标准端口检查应用
提问 检查非标准端口的应用
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#ip port-map http port tcp 8000
Router1(config)#end
Router1#
注释 也可以将PAM应用于特定的地址
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 22 permit host 10.1.2.14
Router1(config)#ip port-map http port 8080 list 22
Router1(config)#end
Router1#
Router1#show ip port-map http
Default mapping: http tcp port 80 system defined
Default mapping: http tcp port 8000 user defined
Host specific: http tcp port 8080 in list 22 user defined
27.6. 入侵监测和预防
提问 利用内置的入侵监测软件来防范攻击
回答
12.3(T之前叫IDS
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip audit notify log
Router1(config)#ip audit info action alarm drop reset
Router1(config)#ip audit attack action alarm drop reset
Router1(config)#ip audit smtp spam 10
Router1(config)#ip audit signature 1107 disable
Router1(config)#ip audit signature 2004 disable
Router1(config)#ip audit name COOKBOOK info list 21 action alarm drop reset
Router1(config)#ip audit name COOKBOOK attack list 21 action alarm drop reset
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip audit COOKBOOK in
Router1(config-if)#exit
Router1(config)#end
Router1#
以后叫IPS
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 21 deny 192.168.100.205
Router1(config)#access-list 21 permit any
Router1(config)#ip ips name NEOSHI list 21
Router1(config)#ip ips signature 4050 disable
Router1(config)#ip ips fail closed
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip ips NEOSHI in
Router1(config-if)#exit
Router1(config)#end
Router1#
注释 Router1#show ip ips statistics
Signature statistics [process switch:fast switch]
signature 4050:0 packets checked: [0:85]
Interfaces configured for ips 1
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
27.7. 登录密码重试锁定
提问 防止对登录密码的暴力破解
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#username kwiley password test123
Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local
Router1(config)#aaa local authentication attempts max-fail 6
Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth
Router1(config-line)#end
Router1#
注释 12.3(14)T以后开始可以限制对登录密码的尝试限定,解除锁定使用Router1#clear aaa local user lockout username kwiley 当然要防止黑客利用才方法对合法用户名进行故意的锁定攻击
27.8. 认证代理(Authentication Proxy)
提问 对单个用户进行认证和授权的访问控制
回答
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local
Router1(config)#end
Router1#
注释 此认证代理可以截取用户的访问请求,然后用户可以在任何地方输入认证信息后访问,查看当前的认证缓存
Router1#show ip auth-proxy cache
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB |
|