Hardening Cisco Router Security with AutoSecure (Part 2)
Using non-interactive mode on an emulated router
{IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(20), RELEASE SOFTWARE (fc2)}
The output after actually running the configuration is as follows:
Router#auto se
Router#auto secure ?
forwarding Secure Forwarding Plane
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
<cr>
Router#auto secure no-
Router#auto secure no-interact
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
int Serial1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial1/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial2/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial2/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial2/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int Serial2/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
int ATM3/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
!
end
Applying the config generated to running-config
After the configuration completes, show running-config shows the following result:
Router#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname R1
R1(config)#exit
R1#show run
R1#show running-config
Building configuration...
Current configuration : 1995 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
!
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
!
no ip bootp server
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex half
no mop enabled
!
interface Serial1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial1/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
serial restart-delay 0
!
interface ATM3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
no atm ilmi-keepalive
!
ip classless
no ip http server
!
!
logging trap debugging
logging facility local2
no cdp run
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
!
!
end
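As an added example (not part of the original post and not Cisco's own tooling), the following Python script audits a saved show running-config for the statements AutoSecure leaves behind, so the result of auto secure no-interact can be verified on many routers without reading each configuration by hand. It deliberately checks only the statements that the R1 running-config above actually displays: the generated configuration also applied no ip directed-broadcast, no ip mask-reply, no service finger, no ip identd and the small-servers commands, but this IOS image treats those as defaults and does not print them in show running-config, so a check that required them would report false failures. Note also that IOS normalizes keyword order (the generated config reads "datetime localtime show-timezone msec" while show running-config reads "datetime msec localtime show-timezone"), so the audit matches the displayed form. The embedded sample configuration is constructed, modelled on the R1 output, with no cdp run and Serial1/0's no ip proxy-arp left out so the audit has something to report.

```python
"""Audit a Cisco IOS running-config for the statements AutoSecure leaves behind.
Added example, not from the original post or from Cisco; the sample
configuration below is constructed to resemble the show running-config above."""

# Global statements AutoSecure writes that IOS 12.3 shows in show running-config.
# Defaults it also applies ("no ip mask-reply", "no service finger", ...) are
# not displayed and therefore must not be required here.
GLOBAL_EXPECTED = [
    "no service pad", "service tcp-keepalives-in", "service tcp-keepalives-out",
    "service timestamps log datetime msec localtime show-timezone",
    "service password-encryption", "service sequence-numbers",
    "security authentication failure rate 10 log", "security passwords min-length 6",
    "logging console critical", "no ip source-route", "no ip gratuitous-arps",
    "no ip bootp server", "ip cef", "no ip http server", "logging trap debugging",
    "no cdp run",
]
# Statements AutoSecure applies on every interface (again, non-default ones only).
INTERFACE_EXPECTED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp"]
# Interface types on which AutoSecure additionally disables MOP.
ETHERNET_PREFIXES = ("ethernet", "fastethernet", "gigabitethernet")


def parse_config(text):
    """Split a running-config into global statements and per-interface blocks.
    A block runs from an "interface ..." line to the next "!" separator, so the
    parser works whether or not the one-space indentation survived copying."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None          # "!" closes any open interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return {'global': [...], 'interfaces': {name: [...]}} of missing statements."""
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    missing = {"global": [c for c in GLOBAL_EXPECTED if c not in present], "interfaces": {}}
    for name, lines in interfaces.items():
        have = set(lines)
        gaps = [c for c in INTERFACE_EXPECTED if c not in have]
        if name.lower().startswith(ETHERNET_PREFIXES) and "no mop enabled" not in have:
            gaps.append("no mop enabled")
        if gaps:
            missing["interfaces"][name] = gaps
    return missing


# Constructed sample: like the R1 output above, but with "no cdp run" and
# Serial1/0's "no ip proxy-arp" deliberately left out so the audit finds them.
SAMPLE_CONFIG = """\
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip cef
!
interface FastEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no mop enabled
!
interface Serial1/0
 no ip redirects
 no ip unreachables
!
no ip http server
logging trap debugging
end
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_CONFIG)
    for cmd in findings["global"]:
        print("missing global statement:", cmd)
    for name, gaps in findings["interfaces"].items():
        print(name + ": missing " + ", ".join(gaps))
```

Run as-is it reports the two gaps planted in the sample; for a real device, save the output of show running-config to a file and pass its contents to audit(). Because the expected lists are plain strings, adapting the script to another IOS release means re-checking which of the AutoSecure statements that release prints as non-default.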
Reposted from: https://blog.51cto.com/wangxiang2010/143076