Cisco Discovery Protocol
CDP (Cisco Discovery Protocol) is mainly used to learn the protocol addresses of directly connected devices and to discover which platform those devices run on. It works over ATM, Ethernet, FDDI, Frame Relay, HDLC, PPP and Token Ring.
CDP reveals the following information:
1. Cisco device name
2. Cisco device type and model
3. IOS version the device is running
4. Device capabilities, e.g. router, switch or other
5. Layer 3 interface addresses
6. The interface on which the CDP information was received
Example:
Router#show cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
IP address: 12.12.12.1
Platform: Cisco 7206VXR, Capabilities: Router
Interface: FastEthernet1/0, Port ID (outgoing port): FastEthernet1/0
Holdtime : 166 sec
Version :
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 11-Jul-08 04:22 by prod_rel_team
advertisement version: 2
Duplex: full
Disabling CDP: border routers should normally have this feature turned off.
Router(config)#no cdp run    ! global configuration mode: takes effect on all interfaces
Router(config-if)#no cdp enable    ! interface configuration mode: disables CDP on the current interface only
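Before deciding where CDP may stay enabled, it helps to see exactly what each link is advertising. The following Python script is an added example (not code from the original article or from Cisco); it parses the text of `show cdp neighbors detail` into one record per neighbour, pulling out the six categories listed above. The two-neighbour sample output is constructed for this example in the same layout the article shows; the function and field names are the example's own.

```python
"""Parse `show cdp neighbors detail` text into one record per neighbour.

Added example, not part of the original article. It extracts device name,
platform/model, IOS version, capabilities, Layer 3 addresses and the local
interface the advertisement arrived on, so an operator can inventory what CDP
discloses on each link before deciding where to leave it enabled.
"""
import re

# Constructed sample output (two neighbours) in the layout shown in the article.
SAMPLE_CDP_DETAIL = """\
-------------------------
Device ID: R1
Entry address(es):
  IP address: 12.12.12.1
Platform: Cisco 7206VXR,  Capabilities: Router
Interface: FastEthernet1/0,  Port ID (outgoing port): FastEthernet1/0
Holdtime : 166 sec

Version :
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport

advertisement version: 2
Duplex: full
-------------------------
Device ID: SW2
Entry address(es):
  IP address: 12.12.12.3
Platform: cisco WS-C2960-24TT-L,  Capabilities: Switch IGMP
Interface: FastEthernet1/1,  Port ID (outgoing port): GigabitEthernet0/1
Holdtime : 120 sec

Version :
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(55)SE, RELEASE SOFTWARE (fc2)

advertisement version: 2
Duplex: full
"""


def parse_cdp_detail(text):
    """Return a list of dicts, one per neighbour block (blocks are separated by dashed lines)."""
    neighbours = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        if "Device ID:" not in block:
            continue  # leading/trailing fragment without a neighbour entry
        rec = {}
        m = re.search(r"^Device ID:\s*(\S+)", block, re.M)
        rec["device_id"] = m.group(1) if m else None
        # Every Layer 3 address listed under "Entry address(es):"
        rec["ip_addresses"] = re.findall(r"^\s*IP address:\s*(\S+)", block, re.M)
        m = re.search(r"^Platform:\s*(.*?),\s*Capabilities:\s*(.*)$", block, re.M)
        rec["platform"] = m.group(1).strip() if m else None
        rec["capabilities"] = m.group(2).split() if m else []
        m = re.search(r"^Interface:\s*(\S+?),\s*Port ID \(outgoing port\):\s*(\S+)", block, re.M)
        rec["local_interface"] = m.group(1) if m else None
        rec["remote_port"] = m.group(2) if m else None
        # The IOS version lives inside the multi-line "Version :" section;
        # require a leading digit so the bare "Version :" header is skipped.
        m = re.search(r"\bVersion (\d\S*?),", block)
        rec["ios_version"] = m.group(1) if m else None
        neighbours.append(rec)
    return neighbours


def disclosure_report(records):
    """Map each local interface to a one-line summary of what a listener on that link learns."""
    report = {}
    for rec in records:
        report[rec["local_interface"]] = (
            f'{rec["device_id"]} ({rec["platform"]}, IOS {rec["ios_version"]}, '
            f'{"/".join(rec["capabilities"])}) at {", ".join(rec["ip_addresses"])}'
        )
    return report


if __name__ == "__main__":
    for iface, summary in disclosure_report(parse_cdp_detail(SAMPLE_CDP_DETAIL)).items():
        print(f"{iface}: {summary}")
```

Feed the script real output captured from `show cdp neighbors detail` instead of the sample; any interface in the report that faces an untrusted network is a candidate for `no cdp enable`.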
==============================================================================
TCP and UDP Small Servers
Turn off the unneeded TCP and UDP small services. They listen on ports below 19, date from older UNIX environments, and include chargen and daytime.
Example:
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ... Open
Saturday, July 7, 2012 23:57:19-UTC
[Connection to 12.12.12.1 closed by foreign host]
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ...
% Connection refused by remote host
Cisco IOS has the TCP small servers disabled by default.
==============================================================================
Finger
Finger was commonly used on UNIX systems to find out who is logged in to a device; it has since been replaced by e-mail and instant messaging.
Example:
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ... Open
Line User Host(s) Idle Location
0 con 0 idle 00:00:02
* 2 vty 0 idle 00:00:00 12.12.12.2
Interface User Mode Idle Peer Address
[Connection to 12.12.12.1 closed by foreign host]
R1(config)# no ip finger
R1(config)#no service finger
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ...
% Connection refused by remote host
In the vast majority of IOS versions this feature is disabled by default; in any case, disabling it is recommended.
==============================================================================
IdentD
A device sends a request to the Ident port (TCP 113) and the target answers with an identification such as its hostname or device name.
Router(config)# no ip identd
Test whether the device has the service enabled by connecting to port 113 with telnet:
Router#telnet 12.12.12.1 113
Trying 12.12.12.1, 113 ... Open
IdentD is disabled by default.
===============================================================
IP Source Routing
IP source-routing spoofing resembles an ARP attack: A is on the internal network, B and C are outside, and A trusts B. C wants A's data, so it rewrites its source IP address to claim it is B and adds source-route information recording the path the packet took; A then returns the data along the path the packet arrived by, so it ends up at C.
With ip source-route disabled, packets sent by A find their own route to B, and C still gets nothing.
This feature is enabled by default; to disable it:
Router(config)# no ip source-route
==============================================================================
FTP Server
A router can provide FTP and TFTP service, which makes it possible to copy an IOS image from one router to another. Disabling this feature is strongly recommended.
It is disabled by default. To disable it:
Router(config)# no ftp-server enable
==============================================================================
HTTP Server
Verify whether the router has the web server enabled (ISPs usually block port 80, so also confirm whether the HTTP service has been moved to another port):
Router#telnet 12.12.12.1 80
Trying 12.12.12.1, 80 ... Open
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ... Open
Disable the web server processes:
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router#telnet 12.12.12.1 80
Trying 12.12.12.1, 80 ...
% Connection refused by remote host
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ...
% Connection refused by remote host
==============================================================================
SNMP
To disable SNMP on a router:
1. Remove the default community strings from the router's configuration
2. Disable SNMP traps and the system shutdown feature
3. Disable the SNMP service
Check whether SNMP is enabled on the router:
Router# show running-config | include snmp
Building configuration...
snmp-server community public RO
snmp-server community private RW
Router#
Disable the SNMP service on the router, for example:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Example:
Router# show snmp
%SNMP agent not enabled
SNMP is disabled by default.
=============================================================================
DNS
Configuring the router to resolve names via DNS:
Router(config)#ip domain-name cisco.com
Router(config)#ip name-server 202.96.128.86
Router(config)#ip domain-lookup
Disable DNS lookups on the router:
Router(config)# no ip domain-lookup
==============================================================================
BootP
BootP is typically used in diskless network environments to hand out IP addresses to workstations.
BootP is rarely used in today's networks.
It has no authentication mechanism, so anyone can send requests to a router running the BootP service, which makes it an easy DoS target.
Disable the BootP service:
Router(config)# no ip bootp server
==============================================================================
DHCP
The DHCP service is disabled by default in IOS; to disable it:
Router(config)# no service dhcp    ! stops the router from acting as a DHCP server or DHCP relay
==============================================================================
PAD
PAD is generally used in X.25 networks to provide reliable connections to remote sites; it supports asynchronous devices (terminals, IC-card readers, and computers connecting to public/private X.25 networks).
Router(config)# no service pad
=============================================================================
Boot Network and Service Config
Router(config)# no boot network    ! stops the router from loading IOS over TFTP at boot
Router(config)# no service config    ! stops the router from fetching its configuration over TFTP after IOS has loaded
==============================================================================
Proxy ARP
Proxy ARP is enabled by default in IOS; turn it off under the interface with no ip proxy-arp.
Use show ip interface to check whether an interface is using Proxy ARP.
Example:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
==============================================================================
Directed Broadcast
Unlike local broadcasts, directed broadcasts can be routed; some DoS attacks work by flooding the network with directed broadcasts.
Check whether directed broadcasts are enabled:
Router# show ip interface
Example:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Disable directed broadcasts on the interface:
Router(config-if)# no ip directed-broadcast
==============================================================================
ICMP Messages
Attackers can use the following three kinds of ICMP messages to attack or reconnoiter a network:
ICMP unreachables
ICMP redirects
ICMP mask replies
Disable them on the interface:
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Example:
Router#show ip interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
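The Proxy ARP, directed-broadcast and ICMP sections above all rely on reading `show ip interface` by eye. The following Python script is an added example (not code from the original article or from Cisco) that walks every interface block in that output, reports which of the five settings are still in their risky state, and emits the matching per-interface `no` commands in the canonical IOS spelling. The two-interface sample output is constructed for this example.

```python
"""Audit `show ip interface` output for Proxy ARP, directed broadcast and ICMP settings.

Added example, not part of the original article. One interface block starts at each
non-indented "<name> is up, line protocol is ..." line; the indented lines under it
are matched against the CHECKS table.
"""
import re

# Constructed sample: Fa1/0 has three risky settings, Fa1/1 has one.
SAMPLE_SHOW_IP_INTERFACE = """\
FastEthernet1/0 is up, line protocol is up
  Internet address is 12.12.12.1/24
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
FastEthernet1/1 is up, line protocol is up
  Internet address is 10.0.0.1/24
  Directed broadcast forwarding is enabled
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
"""

# (regex capturing the state word, state that counts as a finding, interface command that fixes it)
CHECKS = [
    (r"^\s*Proxy ARP is (\w+)", "enabled", "no ip proxy-arp"),
    (r"^\s*Directed broadcast forwarding is (\w+)", "enabled", "no ip directed-broadcast"),
    (r"^\s*ICMP redirects are (\w+) sent", "always", "no ip redirects"),
    (r"^\s*ICMP unreachables are (\w+) sent", "always", "no ip unreachables"),
    (r"^\s*ICMP mask replies are (\w+) sent", "always", "no ip mask-reply"),
]

HEADER = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")


def split_interfaces(text):
    """Return {interface name: text of its block}."""
    blocks, name = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name = m.group(1)
            blocks[name] = []
        elif name is not None:
            blocks[name].append(line)
    return {n: "\n".join(lines) for n, lines in blocks.items()}


def audit_interfaces(text):
    """Return {interface name: [fix commands for every risky setting found]}."""
    findings = {}
    for name, block in split_interfaces(text).items():
        fixes = []
        for pattern, risky_state, fix in CHECKS:
            m = re.search(pattern, block, re.M)
            if m and m.group(1) == risky_state:
                fixes.append(fix)
        findings[name] = fixes
    return findings


def remediation_config(findings):
    """Render the findings as an IOS interface-configuration snippet."""
    out = []
    for name, fixes in findings.items():
        if fixes:
            out.append(f"interface {name}")
            out.extend(f" {fix}" for fix in fixes)
    return "\n".join(out)


if __name__ == "__main__":
    print(remediation_config(audit_interfaces(SAMPLE_SHOW_IP_INTERFACE)))
```

Note that `Local Proxy ARP is disabled` is deliberately not matched by the first check (the anchored regex requires the line to begin with `Proxy ARP`), and that mask replies are only flagged when the output says they are always sent, which matches the default shown in the article's example.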
==============================================================================
MOP
MOP is widely used on DEC equipment and serves mainly the following purposes:
1. Uploading or downloading system software
2. Remote testing
3. Troubleshooting and fault diagnosis
Disable the router's support for the Layer 2 DECnet protocol on an interface:
Router(config)# interface type [slot_#/]port_#
Router(config-if)# no mop enable
==============================================================================
Before disabling any of these services, confirm whether the network actually relies on them, so that turning them off does not cause unexpected problems.
Reference:
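The sections above amount to a checklist that can be applied to a saved `show running-config`. The following Python script is an added example (not code from the original article or from Cisco) that audits a configuration against that checklist. The important detail it handles is that IOS does not print default values: for services that are on by default (CDP, IP source routing, DNS lookup, BootP server, PAD) the hardened configuration must contain the explicit `no ...` line, so its absence is the finding; for services that are off by default (small servers, finger, identd, FTP server, HTTP/HTTPS server, SNMP communities, boot network, service config) the presence of the enabling line is the finding. The sample configuration, the rule tables and the function names are the example's own.

```python
"""Audit an IOS running-config against the unnecessary-services checklist.

Added example, not part of the original article. Rules come in two kinds because
`show running-config` omits defaults: MUST_BE_PRESENT lists the explicit "no" lines
a hardened config needs for default-on services; MUST_BE_ABSENT lists enabling lines
for default-off services, whose presence means someone switched them on.
"""
import re

# (regex for the required line, canonical remediation line, reason)
MUST_BE_PRESENT = [
    (r"^no cdp run$", "no cdp run", "CDP is on by default and advertises platform and IOS version"),
    (r"^no ip source-route$", "no ip source-route", "source routing is on by default"),
    (r"^no ip domain[- ]lookup$", "no ip domain-lookup", "DNS lookups are on by default"),
    (r"^no ip bootp server$", "no ip bootp server", "BootP server is on by default and unauthenticated"),
    (r"^no service pad$", "no service pad", "X.25 PAD service is on by default"),
]

# (regex for the enabling line, reason); the fix is the same line prefixed with "no "
MUST_BE_ABSENT = [
    (r"^service tcp-small-servers.*", "TCP small servers (echo, chargen, daytime)"),
    (r"^service udp-small-servers.*", "UDP small servers"),
    (r"^(ip finger|service finger)$", "finger service"),
    (r"^ip identd$", "identd service on TCP 113"),
    (r"^ftp-server enable$", "router acting as an FTP server"),
    (r"^ip http server$", "HTTP management server"),
    (r"^ip http secure-server$", "HTTPS management server (keep only if needed for management)"),
    (r"^snmp-server community .*", "SNMP community string"),
    (r"^boot network .*", "configuration loaded over the network at boot"),
    (r"^service config$", "configuration fetched over TFTP after boot"),
]

# Constructed sample config: several findings of each kind, plus a few settings already correct.
SAMPLE_RUNNING_CONFIG = """\
!
version 12.4
service timestamps debug datetime msec
service tcp-small-servers
hostname Router
!
ip finger
no ip domain lookup
ip http server
no ip http secure-server
!
interface FastEthernet1/0
 ip address 12.12.12.1 255.255.255.0
 no cdp enable
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 login
!
end
"""


def normalize(config_text):
    """Drop blank lines, IOS '!' separator lines and trailing whitespace."""
    return [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def audit_config(config_text):
    """Return a list of findings: {'fix': global-config line, 'reason': str, 'evidence': line or None}."""
    text = "\n".join(normalize(config_text))
    findings = []
    for pattern, canonical, reason in MUST_BE_PRESENT:
        if not re.search(pattern, text, re.M):
            findings.append({"fix": canonical, "reason": reason, "evidence": None})
    for pattern, reason in MUST_BE_ABSENT:
        for m in re.finditer(pattern, text, re.M):  # one finding per matching line
            findings.append({"fix": "no " + m.group(0), "reason": reason, "evidence": m.group(0)})
    return findings


def remediation_commands(findings):
    """Global-configuration lines to apply, de-duplicated and in checklist order."""
    seen, out = set(), []
    for f in findings:
        if f["fix"] not in seen:
            seen.add(f["fix"])
            out.append(f["fix"])
    return out


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f'{f["fix"]:45} ! {f["reason"]} (evidence: {f["evidence"]})')
```

Interface-level lines such as ` no cdp enable` are indented in the config and are therefore ignored by the anchored global patterns; the per-interface settings are better checked from `show ip interface`. Review the generated list against what the network needs before pasting it into configuration mode.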
Cisco Router Firewall Security By Richard A. Deal