1、路由器安全配置速查表来源: FUMTEK Blog 作者: FUMTEKSpecific Recommendations: Router Access1. Shut down unneeded services on the router. Servers that are not running cannot break. Also, more memory and processor slots are available. Start by running the show proc command on the router, then turn off clearly unneede
2、d facilities and services. Some servers that should almost always be turned off and the corresponding commands to disable them are listed below. Small services (echo, discard, chargen, etc.) no service tcp-small-servers no service udp-small-servers BOOTP - no ip bootp server Finger - no service fing
3、er HTTP - no ip http server SNMP - no snmp-server2. Shut down unneeded services on the routers. These services allow certain packets to pass through the router, or send special packets, or are used for remote router configuration. Some services that should almost always be turned off and the corresp
4、onding commands todisable them are listed below. CDP - no cdp run Remote config. - no service config Source routing - no ip source-route3. The interfaces on the router can be made more secure by using certain commands in the Configure Interface mode. These commands should be applied to every interfa
5、ce. Unused interfaces - shutdown No Smurf attacks - no ip directed-broadcast Mask replies - no ip mask-reply Ad-hoc routing - no ip proxy-arp4. The console line, the auxiliary line and the virtual terminal lines on the router can be made more secure in the Configure Line mode. The console line and t
6、he virtual terminal lines should be secured as shown below. The Aux line should be disabled, as shown below, if it is not being used. Console Line - line con 0exec-timeout 5 0login Auxiliary Line - line aux 0no execexec-timeout 0 10transport input none VTY lines - line vty 0 4exec-timeout 5 0logintr
7、ansport input telnet ssh5. Passwords can be configured more securely as well. Configure the Enable Secret password, which is protected with an MD5-based algorithm. Also, configure passwords for the console line, the auxiliary line and the virtual terminal lines. Provide basic protection for the user
8、 and line passwords using the service passwordencryption command. See examples below. Enable secret - enable secret 0 2manyRt3s Console Line - line con 0password Soda-4-jimmY Auxiliary Line - line aux 0password Popcorn-4-sara VTY Lines - line vty 0 4password Dots-4-georg3 Basic protection - service
9、password-encryption6. Consider adopting SSH, if your router supports it, for all remote administration. 7. Protect your router configuration file from unauthorized disclosure.Specific Recommendations: Access Lists1. Always start an access-list definition with the privileged command no access-list nn
10、n to clear out any previous versions of access list number nnn.fumtek(config)# no access-list 51fumtek(config)# access-list 51 permit host 14.2.9.6fumtek(config)# access-list 51 deny any log2. Log access list port messages properly. To ensure that logs contain correct port number information, use th
11、e port range arguments shown below at the end of an access list.access-list 106 deny udp any range 1 65535 any range 1 65535 logaccess-list 106 deny tcp any range 1 65535 any range 1 65535 logaccess-list 106 deny ip any any logThe last line is necessary to ensure that rejected packets of protocols o
12、ther than TCP and UDP are properly logged. 3. Enforce traffic address restrictions using access lists. On a border router, allow only internal addresses to enter the router from the internal interfaces, and allow only traffic destined for internal addresses to enter the router from the outside (exte
13、rnal interfaces).Block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router to attack other sites, it helps identify poorly configured internal hosts or networks. This approach may not be feasible for complicated networks. RFC 2827fumtek(config)# no acce
14、ss-list 101fumtek(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 anyfumtek(config)# access-list 101 deny ip any any logfumtek(config)# no access-list 102fumtek(config)# access-list 102 permit ip any 14.2.6.0 0.0.0.255fumtek(config)# access-list 102 deny ip any any logfumtek(config)# interface
15、 eth 1fumtek(config-if)# ip access-group 101 infumtek(config-if)# exitfumtek(config)# interface eth 0fumtek(config-if)# ip access-group 101 outfumtek(config-if)# ip access-group 102 in4. Block packets coming from the outside (untrusted network) that are obviously fake or have source or destination a
16、ddresses that are reserved, for example networks 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/20, 192.168.0.0/16. This protection should be part of the overall traffic filtering at the interface attached to the external,untrusted network. RFC 19185. Block incoming packets that claim to have a s
17、ource address of any internal (trusted) networks. This impedes TCP sequence number guessing and other attacks. Incorporate this protection into the access lists applied to interfaces facing any untrusted networks. 6. Drop incoming packets with loopback addresses, network 127.0.0.0/8. These packets c
18、annot be real. 7. If the network doesnt need IP multicast, then block multicast packets.8. Block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services should not be used on external interfaces and certainlyshouldnt cross border routers.) 9. A number of remote probe
19、s and attacks use ICMP echo, redirect, and mask request messages, block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.)The example below shows one way to implement these recommendations.North(config)# no access-list 107North(config)# ! block our internal
20、 addressesNorth(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any logNorth(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any logNorth(config)# ! block special/reserved addressesNorth(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any logNorth(config)# access-list 107 deny i
21、p 0.0.0.0 0.255.255.255 any logNorth(config)# access-list 107 deny ip 10.0.0.0 0.255.255.255 any logNorth(config)# access-list 107 deny ip 169.254.0.0 0.0.255.255 any logNorth(config)# access-list 107 deny ip 172.16.0.0 0.15.255.255 any logNorth(config)# access-list 107 deny ip 192.168.0.0 0.0.255.2
22、55 any logNorth(config)# ! block multicast (if not used)North(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 anyNorth(config)# ! block some ICMP message typesNorth(config)# access-list 107 deny icmp any any redirect logNorth(config)# access-list 107 deny icmp any any echo logNorth(config)
23、# access-list 107 deny icmp any any mask-request logNorth(config)# access-list 107 permit ip any 14.2.0.0 0.0.255.255North(config)# access-list 107 permit ip any 14.1.0.0 0.0.255.255North(config)# interface Eth 0/0North(config-if)# description External interfaceNorth(config-if)# ip access-group 107
24、in10. Block incoming packets that claim to have the same destination and source address (i.e. a Land attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below. access-list 102 deny ip ho
25、st 14.1.1.250host 14.1.1.250 loginterface Eth 0/1ip address 14.1.1.250 255.255.0.0ip access-group 102 in11. Configure an access list for the virtual terminal lines to control Telnet access. See example commands below. South(config)# no access-list 92South(config)# access-list 92 permit 14.2.10.1Sout
26、h(config)# access-list 92 permit 14.2.9.1South(config)# line vty 0 4South(config-line)# access-class 92 inSpecific Recommendations: Logging & Debugging1. Turn on the routers logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the rout
27、er blocks syslog traffic from untrusted networks. See example commands below.Central(config)# logging onCentral(config)# logging 14.2.9.1Central(config)# logging bufferedCentral(config)# logging console criticalCentral(config)# logging trap informationalCentral(config)# logging facility local12. Con
28、figure the router to include time information in the logging. Configure at least two different NTP servers to ensure availability of good time information. This will allow an administrator to trace network attacks more accurately. See example commands below.East(config)# service timestamps log datet
29、ime localtime show-timezone msecEast(config)# clock timezone GMT 0East(config)# ntp server 14.1.1.250East(config)# ntp server 14.2.9.13. If your network requires SNMP, then configure an SNMP ACL and hard-to-guess SNMP community strings. The example commands below show how to remove the default commu
30、nity strings and set a better read-only community string, with an ACL. East(config)# no snmp community public roEast(config)# no snmp community private rwEast(config)# no access-list 51East(config)# access-list 51 permit 14.2.9.1East(config)# snmp community BTRl8+never ro 51Router Security Checklist
31、This security checklist is designed to help you review your router security configuration, and remind you of any security area you might have missed. Router security policy written, approved, distributed. Router IOS version checked and up to date. Router configuration kept off-line, backed up, acces
32、s to it limited. Router configuration is well-documented, commented. Router users and passwords configured and maintained. Password encryption in use, enable secret in use. Enable secret difficult to guess, knowledge of it strictly limited. (if not, change the enable secret immediately). Access rest
33、rictions imposed on Console, Aux, VTYs. Unneeded network servers and facilities disabled. Necessary network services configured correctly (e.g. DNS) Unused interfaces and VTYs shut down or disabled. Risky interface services disabled. Port and protocol needs of the network identified and checked. Acc
34、ess lists limit traffic to identified ports and protocols. Access lists block reserved and inappropriate addresses. Static routes configured where necessary. Routing protocols configured to use integrity mechanisms. Logging enabled and log recipient hosts identified and configured. Routers time of day set accurately, maintained with NTP. Logging set to include consistent time information. Logs checked, reviewed, archived in accordance with local policy. SNMP disabled or enabled with good community strings and ACLs.
