cisco Auto Secure configure
Source: Internet  Published: besiege mac download  Editor: 程序博客网  Time: 2024/04/30 11:47
r4#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset administratively down down
Serial0/0 unassigned YES unset administratively down down
TokenRing0/0 unassigned YES unset administratively down down
Serial0/1 unassigned YES unset administratively down down
Ethernet3/0 unassigned YES unset administratively down down
TokenRing3/0 unassigned YES unset administratively down down
Enter the interface name that is facing the internet: e0/0
Invalid interface name
Enter the interface name that is facing the internet: ethernet0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
test banner
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable secret:
Confirm the enable secret :
Enter the new enable password:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable password:
Confirm the enable password:
Configuration of local user database
Enter the username: peter
Enter the password:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 10
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 3
Configure SSH server? [yes]: yes
Enter the domain-name: tcy.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^Ces^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$hnYF$ZH5UG7lZ2DEZxb21bPEYn0
enable password 7 044F0E151B35495D1D
username peter password 7 131512060E1E55
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
login block-for 10 attempts 5 within 3
ip domain-name tcy.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface Ethernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface TokenRing0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Ethernet3/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface TokenRing3/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
access-list 100 permit udp any any eq bootpc
interface Ethernet0/0
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Ethernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
The name for the keys will be: r4.tcy.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
*Apr 1 20:37:07.580: %SSH-5-ENABLED: SSH 1.99 has been enabled
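A small audit script, added here and not part of the original post, that checks a running-config against the baseline AutoSecure generated above and also flags what the generated config leaves weak: the vty line still accepts Telnet (transport input ssh telnet), the enable password is stored with reversible type 7 encoding, and "SSH 1.99" means SSHv1 is still offered until ip ssh version 2 is set. It assumes the config is given in "show running-config" form with indented interface/line sections; the sample config and the command subset it checks are constructed from the session above.

```python
# Constructed sample in 'show running-config' form, cut down from the configuration generated
# above: 'no ip http server' is left out and Serial0/0 is missing most interface commands.
SAMPLE_CONFIG = """\
no service finger
no cdp run
enable password 7 044F0E151B35495D1D
login block-for 10 attempts 5 within 3
line vty 0 4
 transport input ssh telnet
interface Ethernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
interface Serial0/0
 no ip redirects
"""
# Command prefixes AutoSecure emits globally and on every interface (subset of the session above).
GLOBAL_REQUIRED = ["no service finger", "no cdp run", "no ip http server", "login block-for "]
IFACE_REQUIRED = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]

def parse_sections(config):
    """Split running-config text into global lines and indented interface/line sections."""
    glob, sections, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and cur and line:   # indented line belongs to the open section
            sections[cur].append(line)
        elif line.startswith(("interface ", "line ")):
            cur, sections[line] = line, []
        elif line and line != "!":                 # any other top-level command is global
            cur = None
            glob.append(line)
    return glob, sections

def audit(config):
    """Return baseline commands that are missing and baseline settings that stay weak."""
    glob, sections = parse_sections(config)
    rep = {"missing_global": [c for c in GLOBAL_REQUIRED
                              if not any(l.startswith(c) for l in glob)],
           "missing_interface": {}, "weak": []}
    for name, lines in sections.items():
        gaps = [c for c in IFACE_REQUIRED if c not in lines]
        if name.startswith("interface ") and gaps:
            rep["missing_interface"][name] = gaps
        if name.startswith("line vty") and any(
                "telnet" in l.split() for l in lines if l.startswith("transport input ")):
            rep["weak"].append(name + ": transport input still accepts cleartext Telnet")
    if any(l.startswith("enable password 7 ") for l in glob):
        rep["weak"].append("enable password uses reversible type 7 encoding")
    if "ip ssh version 2" not in glob:
        rep["weak"].append("ip ssh version 2 not set, so SSH 1.99 also accepts SSHv1")
    return rep
```

Run audit(SAMPLE_CONFIG) to see the three weak findings plus the missing global and interface commands; feed it the full output of show running-config to audit a real device.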