配置路由器使用Cisco AutoSecure 实验过程:R1#auto secure --- AutoSecure Configuration ---*** AutoSecure configuration enhances the security ofthe router, but it will not make it absolutely resistantto all security attacks ***AutoSecure will modify the configuration of your device.All configuration changes will be shown. For a detailedexplanation of how the configuration changes enhance securityand any possible side effects, please refer to Cisco.com forAutosecure documentation.At any prompt you may enter '?' for help.Use ctrl-c to abort this session at any prompt.Gathering information about the router for AutoSecureIs this router connected to internet? [no]: yesEnter the number of interfaces facing the internet [1]: Interface IP-Address OK? Method Status ProtocolFastEthernet0/0 unassigned YES unset administratively down down Ethernet1/0 unassigned YES unset administratively down down Ethernet1/1 unassigned YES unset administratively down down Ethernet1/2 unassigned YES unset administratively down down Ethernet1/3 unassigned YES unset administratively down down Enter the interface name that is facing the internet: FastEthernet0/0Securing Management plane services...Disabling service fingerDisabling service padDisabling udp & tcp small serversEnabling service password encryptionEnabling service tcp-keepalives-inEnabling service tcp-keepalives-outDisabling the cdp protocolDisabling the bootp serverDisabling the http serverDisabling the finger serviceDisabling source routingDisabling gratuitous arpHere is a sample Security Banner to be shownat every access to device. Modify it to suit yourenterprise requirements.Authorized Access only This system is the property of So-&-So-Enterprise. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action.Enter the security banner {Put the banner betweenk and k, where k is any character}:k www.norvel.com.cn kEnable secret is either not configured or is the same as enable passwordEnter the new enable secret: Confirm the enable secret : Enter the new enable password: Choose a password that's different from secretEnter the new enable password: % Password too short - must be at least 6 characters. Password configuration failedEnter the new enable password: Confirm the enable password:Configuration of local user databaseEnter the username: suyajuncnEnter the password: Confirm the password: Configuring AAA local authenticationConfiguring Console, Aux and VTY lines forlocal authentication, exec-timeout, and transportSecuring device against Login AttacksConfigure the following parametersBlocking Period when Login Attack detected: Device not secured against 'login attacks'. Configure SSH server? [yes]: yesEnter the domain-name: blog.norvel.com.cnConfiguring interface specific AutoSecure servicesDisabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-replyDisabling mop on Ethernet interfacesSecuring Forwarding plane services...Enabling CEF (This might impact the memory requirements for your platform)Enabling unicast rpf on all interfaces connectedto internetConfigure CBAC Firewall feature? [yes/no]: yesThis is the configuration generated:no service fingerno service padno service udp-small-serversno service tcp-small-serversservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-outno cdp runno ip bootp serverno ip http serverno ip fingerno ip source-routeno ip gratuitous-arpsno ip identdbanner motd ^C www.norvel.com.cn ^Csecurity passwords min-length 6security authentication failure rate 10 logenable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.enable password 7 095F5B10180F021C0802username suyajuncn password 7 0100131D5A0113012242aaa new-modelaaa authentication login local_auth localline con 0 login authentication local_auth exec-timeout 5 0 transport output telnetline aux 0 login authentication local_auth exec-timeout 10 0 transport output telnetline vty 0 4 login authentication local_auth transport input telnetip domain-name blog.norvel.com.cncrypto key generate rsa general-keys modulus 1024ip ssh time-out 60ip ssh authentication-retries 2line vty 0 4 transport input ssh telnetservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezonelogging facility local2logging trap debuggingservice sequence-numberslogging console criticallogging bufferedinterface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/2 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledinterface Ethernet1/3 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabledip cefaccess-list 100 permit udp any any eq bootpcinterface FastEthernet0/0 ip verify unicast source reachable-via rx allow-default 100ip inspect audit-trailip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect udp idle-time 1800ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any anyinterface FastEthernet0/0 ip inspect autosec_inspect out ip access-group autosec_firewall_acl in!end Apply this configuration to running-config? [yes]: yesApplying the config generated to running-configThe name for the keys will be: R1.blog.norvel.com.cn% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]R1#R1#R1#R1#R1#R1#show runBuilding configuration...Current configuration : 3069 bytes!upgrade fpd autoversion 12.4no service padservice tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryptionservice sequence-numbers!hostname R1!boot-start-markerboot-end-marker!security authentication failure rate 10 logsecurity passwords min-length 6logging console criticalenable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.enable password 7 095F5B10180F021C0802! aaa new-model!!aaa authentication login local_auth local!!aaa session-id commonno ip source-routeno ip gratuitous-arpsip cef!!!!no ip bootp serverno ip domain lookupip domain name blog.norvel.com.cnip inspect audit-trailip inspect udp idle-time 1800ip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600ip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!! !!username suyajuncn password 7 0100131D5A0113012242archive log config logging enable hidekeys! !!!ip ssh time-out 60ip ssh authentication-retries 2!!!!interface FastEthernet0/0 no ip address ip access-group autosec_firewall_acl in ip verify unicast source reachable-via rx allow-default 100 no ip redirects no ip unreachables no ip proxy-arp ip inspect autosec_inspect out shutdown duplex half no mop enabled!interface Ethernet1/0 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/1 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/2 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!interface Ethernet1/3 no ip address no ip redirects no ip unreachables no ip proxy-arp shutdown duplex half no mop enabled!ip forward-protocol ndno ip http serverno ip http secure-server! !!ip access-list extended autosec_firewall_acl permit udp any any eq bootpc deny ip any any!logging alarm informationallogging trap debugginglogging facility local2access-list 100 permit udp any any eq bootpcno cdp run!!!control-plane!! !gatekeeper shutdown!banner motd ^C ^C!line con 0 exec-timeout 5 0 logging synchronous login authentication local_auth transport output telnet stopbits 1line aux 0 login authentication local_auth transport output telnet stopbits 1line vty 0 4 login authentication local_auth transport input telnet ssh!!end R1#
