cisco路由器安全防护( 二 ) _云知道

Router(Config)# ip tcp intercept list 107
Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
Router(Config)# access-list 107 deny ip any any log
Router(Config)# interface eth0
Router(Config)# ip access-group 107 in
2、LAND.C 进攻的防范。
Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
Router(Config)# access-list permit ip any any
Router(Config)# interface eth 0/2
Router(Config-if)# ip address 192.168.1.254 255.255.255.0
Router(Config-if)# ip access-group 107 in
3、Smurf攻击的防范。
Router(Config-if)#no ip directed-broadcast
Router(Config)# access-list 108 deny ip any host 192.168.1.255 log
Router(Config)# access-list 108 deny ip any host 192.168.1.0 log
4、ICMP协议的安全配置。对于进入ICMP流，我们要禁止ICMP协议的ECHO、Redirect、Mask request 。也需要禁止TraceRoute命令的探测。对于流出的ICMP流，我们可以答应ECHO、Parameter Problem、Packet too big 。还有TraceRoute命令的使用。
! outbound ICMP Control
Router(Config)# access-list 110 deny icmp any any echo log
Router(Config)# access-list 110 deny icmp any any redirect log
Router(Config)# access-list 110 deny icmp any any mask-request log
Router(Config)# access-list 110 permit icmp any any
! Inbound ICMP Control
Router(Config)# access-list 111 permit icmp any any echo
Router(Config)# access-list 111 permit icmp any any Parameter-problem
Router(Config)# access-list 111 permit icmp any any packet-too-big
Router(Config)# access-list 111 permit icmp any any source-quench
Router(Config)# access-list 111 deny icmp any any log
! Outbound TraceRoute Control
Router(Config)# access-list 112 deny udp any any range 33400 34400
! Inbound TraceRoute Control
Router(Config)# access-list 112 permit udp any any range 33400 34400
5.DDoS(Distributed Denial of Service)的防范。
! The TRINOO DDoS system
Router(Config)# access-list 113 deny tcp any any eq 27665 log
Router(Config)# access-list 113 deny udp any any eq 31335 log
Router(Config)# access-list 113 deny udp any any eq 27444 log
! The Stacheldtraht DDoS system
Router(Config)# access-list 113 deny tcp any any eq 16660 log
Router(Config)# access-list 113 deny tcp any any eq 65000 log
! The TrinityV3 System
Router(Config)# access-list 113 deny tcp any any eq 33270 log
Router(Config)# access-list 113 deny tcp any any eq 39168 log
! The SubSeven DDoS system and some Variants
Router(Config)# access-list 113 deny tcp any any range 6711 6712 log
Router(Config)# access-list 113 deny tcp any any eq 6776 log
Router(Config)# access-list 113 deny tcp any any eq 6669 log
Router(Config)# access-list 113 deny tcp any any eq 2222 log
Router(Config)# access-list 113 deny tcp any any eq 7000 log
四、路由器防止病毒的安全配置
1、用于控制Nachi蠕虫的扫描
access-list 110 deny icmp any any echo
2、用于控制Blaster蠕虫的传播
access-list 110 deny tcp any any eq 4444
access-list 110 deny udp any any eq 69
3、用于控制Blaster蠕虫的扫描和攻击
access-list 110 deny tcp any any eq 135
access-list 110 deny udp any any eq 135
access-list 110 deny tcp any any eq 139
access-list 110 deny udp any any eq 139
access-list 110 deny tcp any any eq 445
access-list 110 deny udp any any eq 445
access-list 110 deny tcp any any eq 593
access-list 110 deny udp any any eq 593
4、用于控制 Slammer 蠕虫的传播
access-list 110 deny udp any any eq 1434
access-list 110 permit ip any any
5、关闭可能存在的漏洞
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.240.255.255 any

cisco路由器安全防护( 二 )

推荐阅读

孕前检查注意事项下面就来告诉大家

云南旅游景点介绍

为啥芒果吃起来味道怪怪的?

拼多多畅销榜怎么上

我国春小麦和冬小麦的区别

西安胸科医院网上挂号官网

教你如何化淡妆

啤酒喝多少会醉正常人喝几瓶啤酒会醉

轻描淡写的反义词

适合冬天吃的菜谱都有哪些菜

基础医学，请问基础医学出来主要从事哪方面工作

酸奶发酵了19个小时还能喝吗

小兔怎么养才会胖点儿呢视频小兔怎么养才会胖点儿呢

青岛第一城loft房价,33城房价涨幅倒数第一

兰花叶子烂心怎么回事

务虚会为什么叫务虚