Secure configuration for a Cisco router
The default configuration of a Cisco router is far from secure. Although there are many 'security templates' available on the Internet, many of them are outdated and do not make use of the capabilities of IOS version 12.4T.
General config
Lines
Interfaces
NTP
Basic control plane for DOS protection
Valid for 12.4.15T, will be changed in 12.4.16T release.
General config
Code
configuration mode exclusive auto expire 600
hostname Router
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service dhcp
logging buffered 64000 informational
logging persistent url flash:/LOG size 4096000 filesize 64000
no logging console
no logging monitor
logging origin-id hostname
logging source-interface Loopback0
logging count
logging x.x.x.x
logging y.y.y.y
aaa new-model
aaa local authentication attempts max-fail 10
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local
username user privilege 1 secret 5 <MD5>
username admin privilege 15 secret 5 <MD5>
enable secret 5 <MD5>
no ip source-route
ip options drop
ip cef
ip dhcp bootp ignore
no ip bootp server
no ip domain lookup
memory reserve critical 16000
secure boot-image
warm-reboot count 10
archive
 log config
  logging enable
  logging size 1000
  hidekeys
 path flash:/ARCHIVE/config
 write-memory
no ip http server
no ip http secure-server
no cdp run
Lines
Code
line con 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none
line aux 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none
line vty 0 n
 no exec
 transport input none
 transport output none
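As an added example that is not part of the original page: a small hypothetical Python checker that parses a 'show running-config' dump into global commands and indented sub-blocks, then reports which of the global and line-level settings listed above are missing. The checklist is a subset of this page's commands and the sample config is constructed for illustration.

```python
# Hypothetical audit of a Cisco IOS running-config against this page's settings.
# Not Cisco tooling; the checklist is a subset of the page's commands and
# SAMPLE_CONFIG is constructed for illustration.
# Global commands expected verbatim in 'show running-config'.
REQUIRED_GLOBAL = [
    "service password-encryption", "service tcp-keepalives-in",
    "no ip source-route", "ip options drop", "no ip http server",
    "no ip http secure-server", "no cdp run", "aaa new-model",
]
# Sub-commands expected under every 'line ...' block (prefix match).
REQUIRED_LINE = ["exec-timeout", "transport output none"]
# Constructed, only partially hardened sample so that findings appear.
SAMPLE_CONFIG = """\
service password-encryption
no service pad
ip http server
no cdp run
aaa new-model
line con 0
 exec-timeout 60 0
 transport output none
line vty 0 4
 transport input none
!
"""

def parse_config(text):
    """Return (set of global commands, dict block header -> sub-commands)."""
    globals_, blocks, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):  # indented line belongs to the current block
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.add(current)
            blocks.setdefault(current, [])
    return globals_, blocks

def audit(text):
    """Return sorted findings; empty list means every checked item is present."""
    globals_, blocks = parse_config(text)
    findings = [f"missing global: {c}" for c in REQUIRED_GLOBAL if c not in globals_]
    for header, subs in blocks.items():
        if header.startswith("line "):
            findings += [f"{header}: missing {r}" for r in REQUIRED_LINE
                         if not any(s.startswith(r) for s in subs)]
    return sorted(findings)
```

Run audit() on the text of a real 'show running-config' to get the list of items still to fix; `ip http server` present in the sample is reported as the missing `no ip http server`.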
Interfaces
Code
interface Null0
 no ip unreachables
interface Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no mop enabled
 no cdp enable
NTP
Code
ntp authentication-key 1 md5 <MD5> 7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp update-calendar
ntp server x.x.x.x key 1
ntp server y.y.y.y key 1
Basic control plane for DOS protection
Valid for 12.4.15T, will be changed in 12.4.16T release.
Code
class-map match-any CPPR_HOST_CRITICAL
 match protocol bgp
class-map match-any CPPR_HOST_ICMP
 match protocol icmp
class-map match-any CPPR_HOST_NORMAL
 match protocol ntp
 match protocol ssh
 match protocol sntp
class-map match-any CPPR_HOST_IP
 match protocol ip
class-map match-any CPPR_TRANSIT_CRITICAL
 match protocol ospf
 match protocol bgp
class-map match-any CPPR_TRANSIT_IP
 match protocol ip
class-map match-any CPPR_CEF-EXCEPTION_CRITICAL
 match protocol arp
class-map match-any CPPR_CEF-EXCEPTION_IP
 match protocol ip
policy-map CPPR_HOST
 class CPPR_HOST_CRITICAL
 class CPPR_HOST_ICMP
  police 128000
 class CPPR_HOST_NORMAL
  police 512000
 class CPPR_HOST_IP
  drop
policy-map CPPR_TRANSIT
 class CPPR_TRANSIT_CRITICAL
 class CPPR_TRANSIT_IP
  police 512000
policy-map CPPR_CEF-EXCEPTION
 class CPPR_CEF-EXCEPTION_CRITICAL
 class CPPR_CEF-EXCEPTION_IP
  police 512000
control-plane host
 service-policy input CPPR_HOST
control-plane transit
 service-policy input CPPR_TRANSIT
control-plane cef-exception
 service-policy input CPPR_CEF-EXCEPTION