نمایش نتایج: از شماره 1 تا 6 از مجموع 6
سپاس ها 5سپاس
  • 4 توسط shabake_karan
  • 1 توسط shabake_karan

موضوع: Template Config

  
  1. #1
    نام حقيقي: Saeed Alkhamiss

    عضو عادی
    تاریخ عضویت
    May 2006
    محل سکونت
    Ahvaz
    نوشته
    367
    سپاسگزاری شده
    69
    سپاسگزاری کرده
    9
    نوشته های وبلاگ
    5

    Template Config


    سلام دوستان عزيز
    من در يکی از پست ها از عزيزان يه چک ليست امنيتی واسه روتر خواستم که آقای منصو ری زحمت کشيدن يه نمونه کا نفيگ معرفی کردن تو اين نمونه کا نفيگ چند تا دستور استفاده شده که من نميدو نم آيا واقعاً لازم هست يا نيست چون تو اکثر کا نفيگ های cisco که تا بحال ديدم از اين دستورات هيچ استفاده نشده
    اين هم نمونه کا نفيگ و سو الا ت من




    service nagle
    service tcp-keepalives-in
    service tcp-keepalives-out
    ! Show copious timestamps in our logs
    service timestamps debug datetime msec show-timezone localtime
    service timestamps log datetime msec show-timezone localtime
    service password-encryption
    no service dhcp
    !
    hostname secure-router01
    !
    boot system flash slot0:rsp-pv-mz.121-5a.bin
    logging buffered 16384 debugging
    no logging console
    enable secret <PASSWORD>
    no enable password
    !
    ! Use TACACS+ for AAA. Ensure that the local account is
    ! case-sensitive, thus making brute-force attacks less
    ! effective.
    aaa new-model
    aaa authentication login default group tacacs+ local-case
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa accounting network default stop-only group tacacs+
    tacacs-server host 7.7.7.5
    tacacs-server key cheezit
    !
    ! In the event that TACACS+ fails, use case-sensitve local
    ! authentication instead. Keeps the hackers guessing, and
    ! the router more secure.
    username <USERNAME> secret <PASSWORD>
    !
    ! Logging the commands run while at enable level access is
    ! a great way to track mistakes, security issues, etc.
    archive
    log config
    logging enable
    logging size 500
    notify syslog
    hidekeys
    !
    ! Ensure TCL doesn't use an initilizaion file where available. This won't show up in the
    ! config. It will break your router-based TCL scripts if
    ! if you use such, so use with care!
    no scripting tcl init
    no scripting tcl encdir
    !
    ! Enable the netflow top talkers feature.
    ! You can see the top N talkers (50 in this example) with the
    ! show ip flow top-talkers command. This is a handy
    ! utility to use during DDoS attacks and traffic issues. You
    ! can sort-by either packets or bytes, as you prefer.
    ip flow-top-talkers
    top 50
    sort-by packets
    !
    ! Don't run the HTTP server.
    no ip http server
    no ip http secure-server
    !
    ! Allow us to use the low subnet and go classless
    ip subnet-zero
    ip classless
    !
    ! Disable noxious services
    no service pad
    no ip source-route
    no ip finger
    no ip bootp server
    no ip domain-lookup
    !
    ! Catch crash dumps; very important with a "security router."
    ip ftp username rooter
    ip ftp password <PASSWORD>
    ! Give our core dump files a unique name.
    exception core-file secure-router01-core
    exception protocol ftp
    exception dump 7.7.7.5
    ! Fire up CEF for both performance and security.
    ip cef
    ! Set the timezone properly. It is best to standardize on one
    ! timezone for all routers, thus making problem tracking easier.
    clock timezone GMT 0
    ! Synchronize our clocks with a local (trusted and authenticated)
    ! NTP server. The SECRETKEY must be the same on both the router
    ! and the NTP server.
    ntp authentication-key 6767 md5 <SECRETKEY>
    ntp authenticate
    ntp update-calendar
    ntp server 7.7.7.5
    !
    ! Configure the loopback0 interface as the source of our log
    ! messages. This is often used for routing protocols as well.
    ! Select an IP address that uniquely identifies this router.
    ! One trick is to allocate a netblock for use as the router
    ! loopback netblock.
    int loopback0
    ip address 10.10.10.10 255.255.255.255
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    !
    ! Configure null0 as a place to send naughty packets. This
    ! becomes the "roach motel" for packets -- they can route in,
    ! but they can't route out.
    interface null0
    no ip unreachables
    !
    interface Ethernet2/0
    description Unprotected interface, facing towards Internet
    ip address 5.5.5.254 255.255.255.0
    ! Do we run CEF verify? Yes if the data path is symmetric. No
    ! if the data path is asymmetric.
    ip verify unicast reverse-path
    ! Apply our template ACL
    ip access-group 2010 in
    ! Allow UDP to occupy no more than 2 Mb/s of the pipe.
    rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
    ! Allow ICMP to occupy no more than 500 Kb/s of the pipe.
    rate-limit input access-group 160 500000 62500 62500 conform-action transmit exceed-action drop
    ! Allow multicast to occupy no more than 5 Mb/s of the pipe.
    rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
    ! Don't send redirects.
    no ip redirects
    ! Don't send unreachables.
    ! NOTE WELL that this may break PMTU discovery.
    ! For example, if this router is edge for a VPN of any sort, you might need
    ! to enable ip unreachables
    ! A typical symptom is ping working but a larger transmission doesn't.
    no ip unreachables
    ! Don't propogate smurf attacks.
    no ip directed-broadcast
    ! Don't pretend to be something you're not. :-)
    no ip proxy-arp
    ! Do not reveal our netmask
    no ip mask-reply
    ! Log all naughty business.
    ip accounting access-violations
    ! If you allow multicast in your network or participate in the
    ! MBONE, the following multicast filtering steps will help to
    ! ensure a secure multicast environment. These must be applied
    ! per interface.
    ip multicast boundary 30
    !
    ! Keep flow data for analysis. If possible, export it to a
    ! cflowd server.
    ip route-cache flow
    !
    interface Ethernet2/1
    description Protected interface, facing towards DMZ
    ip address 6.6.6.254 255.255.255.0
    ! Do we run CEF verify? Yes if the data path is symmetric. No
    ! if the data path is asymmetric.
    ip verify unicast reverse-path
    ! If we are using RPF, comment out the ACL below.
    ip access-group 115 in
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    ip accounting access-violations
    ip multicast boundary 30
    no ip mask-reply
    ip route-cache flow
    !
    ! Default route to the Internet (could be a routing
    ! protocol instead)
    ip route 0.0.0.0 0.0.0.0 5.5.5.1
    ! Route to network on the other side of the firewall
    ip route 7.7.7.0 255.255.255.0 6.6.6.1
    ! Black hole routes. Do not combine this with TCP Intercept
    ! in fact, don't use TCP Intercept at all
    ip route 1.0.0.0 255.0.0.0 null0
    ip route 2.0.0.0 255.0.0.0 null0
    ip route 5.0.0.0 255.0.0.0 null0
    ip route 10.0.0.0 255.0.0.0 null0
    ip route 14.0.0.0 255.0.0.0 null0
    ip route 23.0.0.0 255.0.0.0 null0
    ip route 27.0.0.0 255.0.0.0 null0
    ip route 31.0.0.0 255.0.0.0 null0
    ip route 36.0.0.0 255.0.0.0 null0
    ip route 37.0.0.0 255.0.0.0 null0
    ip route 39.0.0.0 255.0.0.0 null0
    ip route 42.0.0.0 255.0.0.0 null0
    ip route 46.0.0.0 255.0.0.0 null0
    ip route 49.0.0.0 255.0.0.0 null0
    ip route 50.0.0.0 255.0.0.0 null0
    ip route 100.0.0.0 255.0.0.0 null0
    ip route 101.0.0.0 255.0.0.0 null0
    ip route 102.0.0.0 255.0.0.0 null0
    ip route 103.0.0.0 255.0.0.0 null0
    ip route 104.0.0.0 255.0.0.0 null0
    ip route 105.0.0.0 255.0.0.0 null0
    ip route 106.0.0.0 255.0.0.0 null0
    ip route 107.0.0.0 255.0.0.0 null0
    ip route 108.0.0.0 255.0.0.0 null0
    ip route 109.0.0.0 255.0.0.0 null0
    ip route 110.0.0.0 255.0.0.0 null0
    ip route 111.0.0.0 255.0.0.0 null0
    ip route 127.0.0.0 255.0.0.0 null0
    ip route 169.254.0.0 255.255.0.0 null0
    ip route 172.16.0.0 255.240.0.0 null0
    ip route 175.0.0.0 255.0.0.0 null0
    ip route 176.0.0.0 255.0.0.0 null0
    ip route 177.0.0.0 255.0.0.0 null0
    ip route 178.0.0.0 255.0.0.0 null0
    ip route 179.0.0.0 255.0.0.0 null0
    ip route 180.0.0.0 255.0.0.0 null0
    ip route 181.0.0.0 255.0.0.0 null0
    ip route 182.0.0.0 255.0.0.0 null0
    ip route 183.0.0.0 255.0.0.0 null0
    ip route 184.0.0.0 255.0.0.0 null0
    ip route 185.0.0.0 255.0.0.0 null0
    ip route 192.0.2.0 255.255.255.0 null0
    ip route 192.168.0.0 255.255.0.0 null0
    ip route 197.0.0.0 255.0.0.0 null0
    ip route 223.0.0.0 255.0.0.0 null0
    !
    ! Export our NetFlow data to our NetFlow server, 7.7.7.5. NetFlow
    ! provides some statistics that can be of use when tracing the true
    ! source of a spoofed attack.
    ip flow-export source loopback0
    ip flow-export destination 7.7.7.5 2055
    ip flow-export version 5 origin-as
    !
    ! Log anything interesting to the loghost. Capture all of
    ! the logging output with FACILITY LOCAL5.
    logging trap debugging
    logging facility local5
    logging source-interface loopback0
    logging 7.7.7.5
    !
    ! With the ACLs, it is important to log the naughty folks.
    ! Thus, the implicit drop all ACL is replaced (augmented,
    ! actually) with an explicit drop all that logs the attempt.
    ! You may wish to keep a second list (e.g. 2011) that does not
    ! log. During an attack, the additional logging can impact the
    ! performance of the router. Simply copy and paste access-list 2010,
    ! remove the log-input keyword, and name it access-list 2011. Then
    ! when an attack rages, you can replace access-list 2010 on the
    ! Internet-facing interface with access-list 2011.
    !
    ! Block SNMP access to all but the loghost
    access-list 20 remark SNMP ACL
    access-list 20 permit 7.7.7.5
    access-list 20 deny any log
    !
    ! Multicast - filter out obviously naughty or needless traffic
    access-list 30 remark Multicast filtering ACL
    ! Link local
    access-list 30 deny 224.0.0.0 0.0.0.255 log
    ! Locally scoped
    access-list 30 deny 239.0.0.0 0.255.255.255 log
    ! sgi-dogfight
    access-list 30 deny host 224.0.1.2 log
    ! rwhod
    access-list 30 deny host 224.0.1.3 log
    ! ms-srvloc
    access-list 30 deny host 224.0.1.22 log
    ! ms-ds
    access-list 30 deny host 224.0.1.24 log
    ! ms-servloc-da
    access-list 30 deny host 224.0.1.35 log
    ! hp-device-disc
    access-list 30 deny host 224.0.1.60 log
    ! Permit all other multicast traffic
    access-list 30 permit 224.0.0.0 15.255.255.255 log
    !
    ! Block access to all but the loghost and the firewall, and log any
    ! denied access attempts. This also serves to create an audit trail
    ! of all access to the router. Extended ACLs are used to log some
    ! additional data.
    access-list 100 remark VTY Access ACL
    access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range 22 23 log-input
    access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range 22 23 log-input
    access-list 100 deny ip any any log-input
    !
    ! Leave one VTY safe for access, just in case. The host
    ! 7.7.7.8 is a secure host in the NOC. If all the VTYs are
    ! occupied, this leaves one VTY available.
    access-list 105 remark VTY Access ACL
    access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
    access-list 105 deny ip any any log-input
    !
    ! Configure an ACL that prevents spoofing from within our network.
    ! This ACL assumes that we need to access the Internet only from the
    ! 7.7.7.0/24 network. If you have additional networks behind
    ! 7.7.7.0/24, then add them into this ACL.
    access-list 115 remark Anti-spoofing ACL
    ! First, allow our intranet to access the Internet.
    access-list 115 permit ip 7.7.7.0 0.0.0.255 any
    ! Second, allow our firewall to access the Internet. This is useful
    ! for testing.
    access-list 115 permit ip host 6.6.6.1 any
    ! Now log all other such attempts.
    access-list 115 deny ip any any log-input
    !
    ! Rate limit (CAR) ACLs for UDP, ICMP, and multicast.
    access-list 150 remark CAR-UDP ACL
    access-list 150 permit udp any any
    access-list 160 remark CAR-ICMP ACL
    access-list 160 permit icmp any any
    access-list 170 remark CAR-Multicast ACL
    access-list 170 permit ip any 224.0.0.0 15.255.255.255
    !
    ! Deny any packets from the RFC 1918, IANA reserved, test,
    ! multicast as a source, and loopback netblocks to block
    ! attacks from commonly spoofed IP addresses.
    access-list 2010 remark Anti-bogon ACL
    ! Claims it came from the inside network, yet arrives on the
    ! outside (read: Internet) interface. Do not use this if CEF
    ! has been configured to take care of spoofing.
    ! access-list 2010 deny ip 6.6.6.0 0.0.0.255 any log-input
    ! access-list 2010 deny ip 7.7.7.0 0.0.0.255 any log-input
    ! Bogons
    access-list 2010 deny ip 0.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 1.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 2.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 5.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 14.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 23.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 27.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 31.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 36.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 37.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 39.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 42.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 46.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 49.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 50.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 100.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 101.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 102.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 103.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 104.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 105.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 106.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 107.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 108.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 109.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 110.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 111.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 127.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 169.254.0.0 0.0.255.255 any log-input
    access-list 2010 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 2010 deny ip 175.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 176.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 177.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 178.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 179.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 180.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 181.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 182.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 183.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 184.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 185.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 192.0.2.0 0.0.0.255 any log-input
    access-list 2010 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 2010 deny ip 197.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 223.0.0.0 0.255.255.255 any log-input
    access-list 2010 deny ip 224.0.0.0 31.255.255.255 any log-input
    ! Drop all ICMP fragments
    access-list 2010 deny icmp any any fragments log-input
    ! Allow IP access to the intranet (firewall filters specific ports)
    access-list 2010 permit ip any 7.7.7.0 0.0.0.255
    ! Allow multicast to enter. See also access-list 30 for more
    ! specific multicast rules.
    access-list 2010 permit ip any 224.0.0.0 15.255.255.255
    ! Our explicit (read: logged) drop all rule
    access-list 2010 deny ip any any log-input
    !
    ! Do not share CDP information, which contains key bits about our
    ! configuration, etc. This command disabled CDP globally. If you
    ! require CDP on an interface, use cdp run and disable cdp
    ! (no cdp enable) on the Internet-facing interface.
    no cdp run
    ! SNMP is VERY important, particularly with MRTG.
    ! Treat the COMMUNITY string as a password - keep it difficult to guess.
    snmp-server community <COMMUNITY> RO 20
    !
    ! Introduce ourselves with an appropriately stern banner.
    banner motd %
    Router foo. Access to this device or the attached
    networks is prohibited without express written permission.
    Violators will be prosecuted to the fullest extent of both civil
    and criminal law.
    We don't like you. Go away.
    %
    !
    line con 0
    exec-timeout 15 0
    transport input none
    line aux 0
    exec-timeout 15 0
    line vty 0 3
    access-class 100 in
    exec-timeout 15 0
    ! Enable SSH connectivity. This is much more secure than telnet.
    ! Obviously, you must have an IOS image that supports SSH, and don't
    ! forget to generate the key with crypto key generate rsa.
    transport input telnet ssh
    line vty 4
    access-class 105 in
    exec-timeout 15 0
    transport input telnet ssh
    دستور اتی که قرمز رنگ هستن نفهميدم چی هستن و به چه دردی ميخورند
    مثلهInterface Null0 چی و چرا اين همه رنجIP بهش Route شده و .....





    موضوعات مشابه:





  2. #2
    نام حقيقي: Iman Mansouri

    عضو غیر فعال شناسه تصویری shabake_karan
    تاریخ عضویت
    Apr 2006
    محل سکونت
    Tehran
    نوشته
    1,050
    سپاسگزاری شده
    369
    سپاسگزاری کرده
    12
    tcl script که یک نوع script نویسی روی روتر است بر اساس زبان TCL که خود با این روش اگر که شخصی بر اساس exploit یا تنطیمات غلط به طریقی دسترسی پیدا کنه به روتر به روتر ، با این فرمان شما tcl scipting رو غیر فعال می کنی که مثلا یک backdoor روی روتر درست نکنه.
    ip flow.. همه که بر اساس تکنولوژی net flow کار می کنه و یک نوع نوع روش accouting و network usage monitotring هست. اما اینجا برای شناسایی حملات DOS نوشته شده است. با استفاده از این فرمان می شه که کاربران پر مصرف رو دید. حتی نرم افزاری های حرفه ای هم برای netflow مثل netflow analyzer یا Orion Netflow Traffic Analyzer هم است.
    null0 یک interface مجازی هست بر روی روتر که به قول خودمونی " همون باقالی " است. شما می هر ترافیک رو که به nullo برفرستید (route) انگار که drop شده. با این تفاوت که در مقایسه با ACL از CPU Process استفاده کمتری استفاده می کنه چونکه اصلا وارد queuing , ... نمی شه. که این هم که همینجوری که نوشته ضذ Spoofing هست که براساس استاندارد 1819 است.


    nkm، aryagohar، webgard3 و 1 نفر دیگر سپاسگزاری کرده‌اند.

  3. #3
    نام حقيقي: Saeed Alkhamiss

    عضو عادی
    تاریخ عضویت
    May 2006
    محل سکونت
    Ahvaz
    نوشته
    367
    سپاسگزاری شده
    69
    سپاسگزاری کرده
    9
    نوشته های وبلاگ
    5

    Template Config

    سلام
    با تشکر فراوان از شما آقای منصوری عزيز
    نتيجه رو نه گفتين که من از اين دستورات استفاده کنم يا لازم نيست
    با تشکر






  4. #4
    نام حقيقي: Iman Mansouri

    عضو غیر فعال شناسه تصویری shabake_karan
    تاریخ عضویت
    Apr 2006
    محل سکونت
    Tehran
    نوشته
    1,050
    سپاسگزاری شده
    369
    سپاسگزاری کرده
    12
    نه می تونی استفاده نکنی. اگر که روتر قوی داری استفاده کن ولی .




  5. #5
    نام حقيقي: Saeed Alkhamiss

    عضو عادی
    تاریخ عضویت
    May 2006
    محل سکونت
    Ahvaz
    نوشته
    367
    سپاسگزاری شده
    69
    سپاسگزاری کرده
    9
    نوشته های وبلاگ
    5

    Template Config

    سلام
    آقای منصوری عزيز ولی چی؟؟؟؟




  6. #6
    نام حقيقي: Iman Mansouri

    عضو غیر فعال شناسه تصویری shabake_karan
    تاریخ عضویت
    Apr 2006
    محل سکونت
    Tehran
    نوشته
    1,050
    سپاسگزاری شده
    369
    سپاسگزاری کرده
    12
    بهتره که باشه اما نبود هم مهم نیست.



    saeedmcp سپاسگزاری کرده است.





کلمات کلیدی در جستجوها:

solarwinds.orion.network.config

مدیر نمونه IT منصوری

multicast

دستورات telnet

NetFlow Analyzer

Orion Network

برچسب برای این موضوع

مجوز های ارسال و ویرایش

  • شما نمی توانید موضوع جدید ارسال کنید
  • شما نمی توانید به پست ها پاسخ دهید
  • شما نمی توانید فایل پیوست ضمیمه کنید
  • شما نمی توانید پست های خود را ویرایش کنید
  •