用autosecure加强CISCO路由器安全 二

用autosecure加强CISCO路由器安全 二

在模拟路由器上使用不交互模式

{IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(20),    RELEASE SOFTWARE (fc2)}

实际配置之后输出如下：

Router#auto se
Router#auto secure ?
  forwarding   Secure Forwarding Plane
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  <cr>

Router#auto secure no-
Router#auto secure no-interact
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical

logging buffered
int FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
int Serial1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial1/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial1/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial2/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial2/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial2/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int Serial2/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int ATM3/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
!
end

Applying the config generated to running-config

 

 

配置完成后用show running-config 可以看到一下结果：

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#hostname R1
R1(config)#exit
R1#show run
R1#show running-config
Building configuration...

Current configuration : 1995 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
!
no aaa new-model
ip subnet-zero
no ip source-route
no ip gratuitous-arps
!
!
!
no ip bootp server
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex half
 no mop enabled
!
interface Serial1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial1/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!        
interface Serial1/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface Serial2/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 serial restart-delay 0
!
interface ATM3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 no atm ilmi-keepalive
!
ip classless
no ip http server
!
!
logging trap debugging
logging facility local2
no cdp run

!
!
!
!
!
!        
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end

 

转载于:https://blog.51cto.com/wangxiang2010/143076