CCNP Notebook

February 9, 2009

CCNP-ISCW Module 05 Cisco Device Hardening (2)

Filed under: CCNP-ISCW Module 05 — nkongkimo @ 06:33:44

Unused IOS services

Each entry below gives the service, its description, its default state, the command that disables it (or, for TCP keepalives, enables it), and notes.

Router Interface
  Description: If a cable is accidentally or maliciously connected
  Default: Disabled
  Disable: (config-if)# shutdown
  Notes: Unneeded interfaces should be shut down.

BOOTP server
  Description: Service is rarely needed in modern networks
  Default: Enabled
  Disable: (config)# no ip bootp server
  Notes:
  * Similar in function to DHCP; the packets are the same as DHCP's.
  * BOOTP requires the MAC-to-IP mapping to be assigned manually.
  * Can be used for network booting.
  * Toward the server: UDP 68.
  * Toward the client: UDP 67.

CDP
  Description: Unless needed inside the network, disable globally or per interface
  Default: Enabled
  Disable: (config)# no cdp run (disables CDP globally)
           (config-if)# no cdp enable (disables CDP on one interface)
  Notes: Enabled by default on Cisco devices; turn it off if it is not needed.

Config auto loading
  Description: Permits the router to automatically load a config file from a network server. Remain disabled when not needed
  Default: Disabled
  Disable: (config)# no service config
  Notes: At boot, the router searches for its configuration file on the network and loads it.

FTP server
  Description: Allows the router to act as an FTP server. Remain disabled when not needed
  Default: Disabled
  Disable: (config)# no ftp-server enable
  Notes: The router can act as a server too, but the feature is rudimentary and supports anonymous login only.

TFTP server
  Description: Allows the router to act as a TFTP server. Remain disabled when not needed
  Default: Disabled
  Disable: (config)# no tftp-server file-sys:image-name
  Notes: The router can act as a server too, but the feature is rudimentary.

NTP service
  Description: Correct time is important for logging. Disable if not needed, or restrict to only the devices that require NTP
  Disable: (config)# no ntp server ip-address
  Notes:
  * NTP is the time-synchronisation protocol; it is recommended to have one router act as the time source.
  * Not recommended to turn it off entirely.

PAD (Packet Assembler/Disassembler)
  Description: Allows access to X.25 PAD commands. Rarely needed in modern networks. Disable
  Default: Enabled
  Disable: (config)# no service pad
  Notes: X.25 is no longer in use, so this can simply be turned off.

TCP and UDP minor services
  Description: Small servers (daemons) used for diagnostics. Rarely used. Disable
  Default: Enabled (before 11.3); Disabled (11.3 and later)
  Disable: (config)# no service tcp-small-servers
           (config)# no service udp-small-servers
  Notes:
  * Used to check whether a network device's interfaces are working.
  * Not practically useful, so it can be disabled.

Maintenance Operation Protocol (MOP)
  Description: DEC maintenance protocol, rarely used. Disable
  Default: Enabled (most Ethernet interfaces)
  Disable: (config-if)# no mop enabled
  Notes:
  * Networking from before Ethernet.
  * No longer in use, so it can simply be turned off.

SNMP
  Description: If not used, disable. If needed, restrict access using an ACL and use SNMPv3
  Default: Enabled
  Disable: (config)# no snmp-server
  Notes:
  * Open it only in a restricted way, never fully.
  * Recommended: use an ACL to limit the range of access.

HTTP Config and Monitoring
  Description: SDM uses HTTP (HTTPS). If not used, disable. If needed, restrict access with ACLs and use HTTPS
  Default: Device dependent
  Disable: (config)# no ip http server
           (config)# no ip http secure-server
  Notes:
  * Open it only in a restricted way, never fully.
  * Recommended: use an ACL to limit the range of access.

DNS
  Description: Cisco routers use 255.255.255.255 as the default address to reach a DNS server. If not used, disable, or explicitly set the DNS server
  Default: Enabled
  Disable: (config)# no ip domain-lookup
           (config)# ip domain-name
  Notes: Recommended: disable.

ICMP Redirects
  Description: Disable if not needed
  Default: Enabled
  Disable: (config-if)# no ip redirects
  Notes:
  * Do not let the router itself decide the path for clients that connect to it.
  * Recommended: disable.

IP Source Routing
  Description: Rarely used, disable
  Default: Enabled
  Disable: (config)# no ip source-route
  Notes:
  * It is an option field in the packet that lets a client change its own routing, which makes the network unmanageable.
  * Recommended: disable.

Finger Service
  Description: The Finger protocol (port 79) retrieves the list of users from a network device (show users). Should be disabled when not needed
  Default: Enabled
  Disable: (config)# no service finger
  Notes:
  * Same as the who command.
  * Recommended: disable.

ICMP unreachables
  Description: Should be disabled.
  Default: Enabled
  Disable: (config-if)# no ip unreachables
  Notes:
  * Helps avoid being port-scanned.
  * Recommended: disable.

ICMP mask reply
  Description: Disable on interfaces to untrusted networks
  Default: Disabled
  Disable: (config-if)# no ip mask-reply
  Notes:
  * The router replies with its own subnet mask.
  * Recommended: disable.

IP directed broadcast
  Description: Unicast until it reaches the router for that segment, then it becomes a broadcast. Should be disabled
  Default: Enabled (before 12.0); Disabled (12.0 and later)
  Disable: (config-if)# no ip directed-broadcast
  Notes:
  * Pinging the broadcast address makes every host in the broadcast domain respond.
  * Recommended: disable.

IP ID service
  Description: RFC 1413; reports the identity of the TCP connection initiator
  Default: Enabled
  Disable: (config)# no ip identd
  Notes: Recommended: disable.

TCP keepalives
  Description: Helps clean up TCP connections when a host has stopped processing TCP packets. Should be enabled to help prevent DoS attacks
  Default: Disabled
  Enable: (config)# service tcp-keepalives-in
          (config)# service tcp-keepalives-out
  Notes:
  * By default a TCP connection that sees no activity for 30 minutes is automatically torn down.
  * Recommended: enable.

Gratuitous ARP
  Description: Unless needed, disable
  Default: Enabled
  Disable: (config)# no ip arp gratuitous
  Notes:
  * Gratuitous ARP sends a packet whose source and destination IP are both the sender's own, to tell the PCs on the LAN that the IP has moved to another PC, so that they update their ARP tables.
  * Its main function is to detect IP conflicts.
  * Easily attacked within the LAN.
  * Recommended: disable.

Proxy ARP
  Description: Only used if the router is acting as a layer 2 bridge. Should be disabled
  Default: Enabled
  Disable: (config-if)# no ip proxy-arp
  Notes:
  * Easily attacked within the LAN.
  * Its main function is to answer ARP requests with IP information on behalf of other hosts.
  * Recommended: disable.
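As an added example (not part of the original notes), a small Python audit that reads saved `show running-config` text and reports which of the global and per-interface hardening lines from the table above are absent. The `audit` function, the expected-line tables and the sample configuration are all constructed here for illustration; the command strings are the ones listed in the table.

```python
import re
# Global hardening lines from the table above, as they appear in running-config.
GLOBAL_EXPECTED = {
    "BOOTP": "no ip bootp server", "CDP": "no cdp run", "PAD": "no service pad",
    "TCP small servers": "no service tcp-small-servers",
    "UDP small servers": "no service udp-small-servers",
    "HTTP": "no ip http server", "HTTPS": "no ip http secure-server",
    "DNS lookup": "no ip domain lookup", "Source routing": "no ip source-route",
    "Finger": "no service finger", "identd": "no ip identd",
    "Keepalives in": "service tcp-keepalives-in", "Keepalives out": "service tcp-keepalives-out",
}
# Per-interface lines expected on interfaces that face untrusted networks.
INTERFACE_EXPECTED = {
    "CDP": "no cdp enable", "MOP": "no mop enabled", "ICMP redirects": "no ip redirects",
    "ICMP unreachables": "no ip unreachables", "ICMP mask reply": "no ip mask-reply",
    "Directed broadcast": "no ip directed-broadcast", "Proxy ARP": "no ip proxy-arp",
}
def audit(config_text):
    # Older IOS prints "no ip domain-lookup"; newer prints "no ip domain lookup".
    lines = [l.rstrip().replace("domain-lookup", "domain lookup") for l in config_text.splitlines()]
    interfaces, current = {}, None
    for l in lines:
        m = re.match(r"interface (\S+)$", l)
        if m:                                # start of an interface block
            current = m.group(1)
            interfaces[current] = set()
        elif current and l.startswith(" "):  # indented body line of that block
            interfaces[current].add(l.strip())
        else:                                # "!" or a global line ends the block
            current = None
    global_lines = {l for l in lines if not l.startswith(" ")}
    return {"global": [n for n, c in GLOBAL_EXPECTED.items() if c not in global_lines],
            "interfaces": {name: [n for n, c in INTERFACE_EXPECTED.items() if c not in body]
                           for name, body in interfaces.items()}}

# Constructed sample of `show running-config` output (not taken from a real device).
SAMPLE_CONFIG = """\
no service pad
no ip domain-lookup
no cdp run
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""
```

A missing line only means the platform default applies, so cross-check each flagged item against the Default column (directed broadcast, for instance, is already off on IOS 12.0 and later).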