路由器常用ACL和一些简单防护技巧

2014-6-3 09:40| 发布者: 谢晓新| 查看: 2279| 评论: 0 |来自: 青年人

1 IP欺骗简单防护。如过滤非公有地址访问内部网络。过滤自己内部网络地址;回环地址(127.0.0.0/8);RFC1918私有地址;DHCP自定义地址 (169.254.0.0/16);科学文档作者测试用地址(192.0.2.0/24);不用的组播地址(224.0.0.0/4);SUN公司的古老的测试地址(20.20.20.0/24;204.152.64.0/23);全网络地址(0.0.0.0/8)。
  Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any
  Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any
  Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any
  Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any
  Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
  Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any
  Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.2.255 any
  Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any
  Router(Config)# access-list 100 permit ip any any
  Router(Config-if)# ip access-group 100 in
  2 建议采用访问列表控制流出内部网络的地址必须是属于内部网络的。(可选)如:
  Router(Config)# no access-list 101
  Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.255.255 any
  Router(Config)# access-list 101 deny ip any any
  Router(Config)# interface eth 0/1
  Router(Config-if)# description “internet Ethernet”
  Router(Config-if)# ip address 192.168.0.254 255.255.255.0
  Router(Config-if)# ip access-group 101 in
  其他可选项:
  1、 建议启用SSH,废弃掉Telnet。但只有支持并带有IPSec特征集的IOS才支持SSH。并且IOS12.0-IOS12.2仅支持SSH-V1。如下配置SSH服务的例子:
  Router(Config)# config t
  Router(Config)# no access-list 22
  Router(Config)# access-list 22 permit 192.168.0.22
  Router(Config)# access-list deny any
  Router(Config)# username test privilege 10
  ! 设置SSH的超时间隔和尝试登录次数
  Router(Config)# ip ssh timeout 90
  Router(Config)# ip ssh anthentication-retries 2
  Router(Config)# line vty 0 4
  Router(Config-line)# access-class 22 in
  Router(Config-line)# transport input ssh
  Router(Config-line)# login local
  Router(Config-line)# exit
  !启用SSH服务,生成RSA密钥对。
  Router(Config)# crypto key generate rsa
  The name for the keys will be: router.xxx
  Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys .Choosing a key modulus greater than 512 may take a few minutes.
  How many bits in the modulus【512】: 2048
  Generating RSA Keys...
  Router(Config)#
  2、 TCP SYN的防范。如:
  A: 通过访问列表防范。
  Router(Config)# no access-list 106
  Router(Config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
  Router(Config)# access-list 106 deny ip any any
  Router(Config)# interface eth 0/2
  Router(Config-if)# description “external Ethernet”
  Router(Config-if)# ip address 192.168.1.254 255.255.255.0
  Router(Config-if)# ip access-group 106 in
  B:通过TCP截取防范。(这会给路由器产生一定负载)
  Router(Config)# ip tcp intercept list 107
  Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
  Router(Config)# access-list 107 deny ip any any
  Router(Config)# interface eth0
  Router(Config)# ip access-group 107 in%26lt;/P%26gt;%26lt;P%26gt;3、 LAND.C 进攻的防范。
  Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254
  Router(Config)# access-list 107 permit ip any any
  Router(Config)# interface eth 0/2
  Router(Config-if)# ip address 192.168.1.254 255.255.255.0
  Router(Config-if)# ip access-group 107 in%26lt;/P%26gt;%26lt;P%26gt;4、 Smurf进攻的防范。
  Router(Config)# access-list 108 deny ip any host 192.168.1.255
  Router(Config)# access-list 108 deny ip any host 192.168.1.0
  Router(Config)# access-list 108 permit ip any any
  Router(Config-if)# ip access-group 108 in
  5、 ICMP协议的安全配置。对于进入ICMP流,我们要禁止ICMP协议的ECHO、Redirect、Mask request。也需要禁止TraceRoute命令的探测。对于流出的ICMP流,我们可以允许ECHO、Parameter Problem、Packet too big。还有TraceRoute命令的使用。
  ! outbound ICMP Control
  Router(Config)# access-list 110 deny icmp any any echo
  Router(Config)# access-list 110 deny icmp any any redirect
  Router(Config)# access-list 110 deny icmp any any mask-request
  Router(Config)# access-list 110 permit icmp any any
  ! Inbound ICMP Control
  Router(Config)# access-list 111 permit icmp any any echo
  Router(Config)# access-list 111 permit icmp any any Parameter-problem
  Router(Config)# access-list 111 permit icmp any any packet-too-big
  Router(Config)# access-list 111 permit icmp any any source-quench
  Router(Config)# access-list 111 deny icmp any any
  ! Outbound TraceRoute Control
  Router(Config)# access-list 112 deny udp any any range 33400 34400
  ! Inbound TraceRoute Control
  Router(Config)# access-list 112 permit udp any any range 33400 34400 %26lt;/P%26gt;%26lt;P%26gt;
  6、 DDoS(Distributed Denial of Service)的防范。
  ! The TRINOO DDoS system
  Router(Config)# access-list 113 deny tcp any any eq 27665

 Router(Config)# access-list 113 deny udp any any eq 31335
  Router(Config)# access-list 113 deny udp any any eq 27444
  ! The Stacheldtraht DDoS system
  Router(Config)# access-list 113 deny tcp any any eq 16660
  Router(Config)# access-list 113 deny tcp any any eq 65000
  ! The TrinityV3 System
  Router(Config)# access-list 113 deny tcp any any eq 33270
  Router(Config)# access-list 113 deny tcp any any eq 39168
  ! The SubSeven DDoS system and some Variants
  Router(Config)# access-list 113 deny tcp any any range 6711 6712
  Router(Config)# access-list 113 deny tcp any any eq 6776
  Router(Config)# access-list 113 deny tcp any any eq 6669
  Router(Config)# access-list 113 deny tcp any any eq 2222
  Router(Config)# access-list 113 deny tcp any any eq 7000
  Router(Config)# access-list 113 permit ip any any
  Router(Config-if)# ip access-group 113 in
  7、 Sql蠕虫的防范
  Router(Config)# access-list 114 deny udp any any eq 1434
  Router(Config)# access-list 114 permit ip any any
  Router(Config-if)# ip access-group 114 in

<
>
在培训行业极度市场化的今天,在网络工程师鱼目混珠的时代,帆联科技扎根技术的理念从来没有改变,帆联科技从不提倡短线功利性考证培训,严格要求教师和学员,要为自己的未来做出辛苦的努力。一分辛劳,一份收获。

联系我们

南宁市大学东路162号东盟财经广场1402

0771-3185755(服务时间:9:00-17:30)

admin@sail-lab.net

在线咨询新浪微博官方微信官方微信

部门热线

前   台:0771-3185755
培训部:15994437962
认证部:15994437962
技术部:15578317196

培训服务 考试认证 校企合作 联系电话0771-3185755 返回顶部
返回顶部