1. Login policy
-----------------------------------
Login attempts
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
Password validity period
local-aaa-user password policy administrator password expire 0
Login timeout
[Huawei-aaa] local-user admin idle-timeout 15 0    (times out after 15 minutes 0 seconds of inactivity)
Source address restriction
user-interface vty 0
authentication-mode aaa
user-interface vty 1 4
acl 2000 inbound
authentication-mode aaa
user-interface vty 16 20
// acl 2000 is the ACL that restricts the permitted source addresses
2. SSH
--------------------------------------
1) Create an RSA local key pair and create an account
[Huawei]rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
Then create the account on the Huawei switch:
aaa
local-user admin password cipher TKG40##Y,C!NZPO3JBXBHA!!
local-user admin privilege level 15
local-user admin service-type ssh
2) Enable the SSH service and the SSH user:
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
3) Add settings under VTY:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]authentication-mode aaa
[Huawei-ui-vty0-4]protocol inbound ssh
3. Syslog
------------------------------------
Enter the system view
system-view
# Specify the level of messages to send; debugging means levels 0-7 are all sent
info-center source default channel 2 log level debugging
# Specify which interface to send from
info-center loghost source *******
# Specify the remote syslog server IP
info-center loghost 10.0.13.114
4. Disable ping
-------------------------------------
Restrict pings from terminals to the switch
system-view
[HUAWEI] cpu-defend policy icmp
[HUAWEI-cpu-defend-policy-1] deny packet-type icmp
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy icmp global
————
Better alternative:
undo icmp type 8 code 0 receive
5. Changing the password
---------------------------------------
aaa
local-user admin password irreversible-cipher xxxxxxxx
// xxxxxxxx is your chosen password
6. NTP configuration
---------------------------------------
Configure the device as an NTP server
Unicast client/server mode
# Configure the NTP master clock with stratum 2
<HUAWEI> system-view
[HUAWEI] ntp refclock-master 2
# Enable NTP authentication, configure the authentication key and declare it trusted
[HUAWEI] ntp authentication enable
[HUAWEI] ntp authentication-keyid 42 authentication-mode md5 newplayer
[HUAWEI] ntp reliable authentication-keyid 42
# Enable the NTP server function
[HUAWEI] undo ntp-service disable
# On the NTP client, enable NTP authentication, configure the same key and declare it trusted
<HUAWEI> system-view
[HUAWEI] ntp authentication enable
[HUAWEI] ntp authentication-keyid 42 authentication-mode md5 newplayer
[HUAWEI] ntp reliable authentication-keyid 42
# Specify the NTP unicast server for the NTP unicast client, using key ID 42
[HUAWEI] ntp unicast-server 10.1.1.1 authentication-keyid 42
7. ARP attack defense
----------------------------------------
Static IP-MAC binding
arp static IP MAC
Configure ARP entry fixing (run in the system view or an interface view)
arp anti-attack entry-check { fixed-all | send-ack } enable
8. Blackhole MAC (used to block a specific MAC host)
----------------------------------------
mac-address blackhole c03f-d502-8a3f
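As an added example (not part of these notes and not a Huawei tool): a small Python checker that reads a saved switch configuration and reports which of the controls in these notes are absent, so a baseline can be verified after the commands above have been applied. It assumes the text layout of display current-configuration (one-space indentation under user-interface views); the sample configuration is constructed and deliberately mixes hardened and weak settings.

```python
import re

# Constructed sample Huawei VRP config excerpt (not from a real device): mixes
# hardened and weak settings so the audit has findings to report.
SAMPLE_CONFIG = """\
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
info-center loghost 10.0.13.114
ntp authentication enable
ntp unicast-server 10.1.1.1
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
user-interface vty 16 20
 authentication-mode password
 acl 2000 inbound
"""
# System-view controls from the notes above, as regexes over the whole config.
GLOBAL_CHECKS = {
    "login lockout (wrong-password block-time)": r"^local-aaa-user wrong-password .*block-time \d+",
    "remote syslog host": r"^info-center loghost \d+(\.\d+){3}",
    "NTP authentication enabled": r"^ntp authentication enable$",
    "NTP server bound to an authentication key": r"^ntp unicast-server \S+ authentication-keyid \d+",
}

def vty_blocks(config):
    """Return [(header, [indented lines])] for every 'user-interface vty' block."""
    blocks, inside = [], False
    for line in config.splitlines():
        if line.startswith("user-interface vty"):
            blocks.append((line.strip(), []))
        elif inside and line.startswith(" "):
            blocks[-1][1].append(line.strip())
        # An unindented line (e.g. '#') closes the current block.
        inside = line.startswith("user-interface vty") or (inside and line.startswith(" "))
    return blocks

def audit(config):
    """Return findings (one string each); an empty list means all checks passed."""
    findings = []
    for name, pattern in GLOBAL_CHECKS.items():
        if not re.search(pattern, config, re.MULTILINE):
            findings.append(f"missing: {name}")
    for header, lines in vty_blocks(config):
        if "authentication-mode aaa" not in lines:
            findings.append(f"{header}: authentication-mode is not aaa")
        if "protocol inbound ssh" not in lines:
            findings.append(f"{header}: inbound protocol not restricted to ssh")
        if not any(l.startswith("acl ") and l.endswith(" inbound") for l in lines):
            findings.append(f"{header}: no inbound ACL limiting source addresses")
    return findings
```

Run `audit(open("switch.cfg").read())` against a saved configuration; each returned string names one control from these notes that is not in place.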