Cisco Discovery Protocol
10年积累的网站制作、
做网站经验,可以快速应对客户对网站的新想法和需求。提供各种问题对应的解决方案。让选择我们的客户得到更好、更有力的网络服务。我虽然不认识你,你也不认识我。但先网站策划后付款的网站建设流程,更有
刚察免费网站建设让你可以放心的选择与我们合作。
CDP:思科发现协议(CDP:Cisco Discovery Protocol),CDP 基本上是用来获取直连设备的协议地址以及发现这些设备的平台。支持ATM, Ethernet, FDDI, frame relay, HDLC, PPP, token ring.
CDP 协议能获取如下信息:
1. cisco设备名字
2. cisco设备类型,型号
3. 设备运行IOS的version
4. 设备功能,Eg:路由器,交换机或是其他
5. 三层接口地址
6. 设备获取cdp信息来源
Eg:
Router#show cdp neighbors detail
-------------------------
Device ID: R1
Entry address(es):
IP address: 12.12.12.1
Platform: Cisco 7206VXR, Capabilities: Router
Interface: FastEthernet1/0, Port ID (outgoing port): FastEthernet1/0
Holdtime : 166 sec
Version :
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 11-Jul-08 04:22 by prod_rel_team
advertisement version: 2
Duplex: full
禁用CDP协议:边界路由器一般都需要关闭该功能
Router(config)#no cdp run--------全局模式下,对所有接口生效
Router(config-if)#no cdp enable-------------接口模式下禁用,针对当前接口
==============================================================================TCP and UDP Small Servers
关闭TCP和UDP的一些无用的小服务,这些小服务的端口小于19,通常用在以前的UNIX环境中,如chargen,daytime等。
Eg:
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ... Open
Saturday, July 7, 2012 23:57:19-UTC
[Connection to 12.12.12.1 closed by foreign host]
Router(config)#no service tcp-small-servers
Router(config)#no service udp-small-servers
R1#telnet 12.12.12.1 daytime
Trying 12.12.12.1, 13 ...
% Connection refused by remote host
思科IOS 默认是关闭的服务TCP小型服务器
==============================================================================
Finger
常用在UNIX中,用来确定谁登陆到设备上,现在被E-mail和messenger取代。
Eg:
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ... Open
Line User Host(s) Idle Location
0 con 0 idle 00:00:02
* 2 vty 0 idle 00:00:00 12.12.12.2
Interface User Mode Idle Peer Address
[Connection to 12.12.12.1 closed by foreign host]
R1(config)# no ip finger
R1(config)#no service finger
Router#telnet 12.12.12.1 finger
Trying 12.12.12.1, 79 ...
% Connection refused by remote host
在绝大多数的IOS版本中,该特性默认是禁用的,无论如何建议禁用该特性。
==============================================================================
IdentD
一个设备发送一个请求到Ident接口(TCP 113), 目标会回答一个身份识别,如host名称或者设备名称。
Router(config)# no ip identd
通过telnet 113端口测试设备是否启用了该服务:
Router#telnet 12.12.12.1 113
Trying 12.12.12.1, 113 ... Open
IdentD默认情况下是禁用的。
===============================================================
IP Source Routing
ip source-routing欺骗类似ARP***:A在内网, B,C在外网,A信任B, C想访问A上的数据.... 于是它修改了自己的源IP地址,告诉A自己是B... 并加入源路由信息,记下了来时的路径这样A按数据来的路返回给了C。
如果 no 了 ip source-route A发出的包会自己去寻找B,这样,C还是得不到想要的。
默认情况下该特性是开启的,禁用该特性:
Router(config)# no ip source-route
==============================================================================
FTP and TFTP
路由能提供FTP和TFTP的功能,通过该功能可以从一台路由器copy Ios到另一条路由器。强烈建议禁止此功能。
默认情况该功能是禁止的,禁止命令:Router(config)# no ftp-server enable
==============================================================================
HTTP/HTTPS
验证路由器是否有启用web服务:
Router#telnet 12.12.12.1 80 -------------------------ISP一般都会封掉80端口,需确认HTTP服务是否指定到了其它端口。
Trying 12.12.12.1, 80 ... Open
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ... Open
禁用web服务进程:
Router(config)# no ip http server
Router(config)# no ip http secure-server
Router#telnet 12.12.12.1 80
Trying 12.12.12.1, 80 ...
% Connection refused by remote host
Router#telnet 12.12.12.1 443
Trying 12.12.12.1, 443 ...
% Connection refused by remote host
==============================================================================
SNMP
在路由器上禁用snmp需执行如下操作:
Remove the default community strings from your router's configuration
Disable SNMP traps and the system shutdown feature
Disable the SNMP service
确认路由器是否启用了SNMP:
Router# show running-config | include snmp
Building configuration...
snmp-server community public RO
snmp-server community private RW
Router#
在路由器上禁用SNMP服务:
Eg:
Router(config)# no snmp-server community public RO
Router(config)# no snmp-server community private RW
Router(config)# no snmp-server enable traps
Router(config)# no snmp-server system-shutdown
Router(config)# no snmp-server trap-auth
Router(config)# no snmp-server
Eg:
Router# show snmp
%SNMP agent not enabled
默认情况下,该服务是关闭的
=============================================================================
Name Resolution
路由器使用DNS解析域名:
Router(config)#ip domain-name cisco.com
Router(config)#ip name-server 202.96.128.86
Router(config)#ip domain-lookup
在路由器上禁止DNS查询:
Router(config)# no ip domain-lookup
==============================================================================
BootP
BootP通常用在无盘网络环境中,为工作站提供ip地址。
目前BootP在网络环境中使用得很少
没有认证机制,任何人都能对BootP服务的路由器提出请求,容易遭遇Dos***
禁用BootP服务:
Router(config)# no ip bootp server
==============================================================================
DHCP
DHCP服务在IOS中默认都是禁止的,禁用命令:
Router(config)# no service dhcp------------禁止路由器充当Dhcp server或提供Dhcp中继服务
==============================================================================
PAD
PAD服务一般用在X.25网络中为远端站点提供可靠连接,PAD服务提供对异步设备(terminals, IC-card readers, 和computers to public/private X.25 networks)的支持。
Router(config)# no service pad
=============================================================================
关闭自动加载:
Router(config)# no boot network-------------------------------------关闭路由器通过TFTP加载IOS启动
Router(config)# no service config-------------------------关闭路由器加载IOS成功后通过TFTP加载配置文件
==============================================================================
Proxy ARP
IOS中Proxy ARP缺省是打开的,通过在接口下no ip proxy-arp关闭
通过show ip interface查看接口是否使用了Proxy ARP。
Eg:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
==============================================================================
Directed Broadcasts
不同于本地广播,直连广播是能够被路由的,某些DoS***通过在网络中泛洪直连广播来***网络。
查看是否启用了直连广播:Router# show ip interface
Eg:
Router#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
禁用接口上的直连广播:
Router(config-if)# no ip directed-broadcast
==============================================================================
ICMP Messages
网络***能够通过如下三种icmp messages***或勘察网络:
ICMP unreachables
ICMP redirects
ICMP mask replies
禁用ICMP:
Router(config-if)# no ip unreachable
Router(config-if)# no ip redirect
Router(config-if)# no ip mask-reply
Eg:
Router#show ip interface ethernet 1/0
Ethernet1/0 is up, line protocol is up
Internet address is 12.12.12.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
==============================================================================
Maintenance Operation Protocol
MOP协议广泛应用在DEC设备中,主要有一下几个功能:
1. 上传或下载的系统软件
2. 远程测试
3. 问题故障诊断
关闭路由器对二层DECnet协议的支持:
Router(config)# interface type [slot_#/]port_#
Router(config-if)# no mop enable
==============================================================================
在关闭某些服务之前应了解网络中是否要只用这些服务,以免关闭后出现意想不到的问题。
参考:
Cisco Router Firewall Security By Richard A. Deal
另外有需要云服务器可以了解下创新互联scvps.cn,海内外云服务器15元起步,三天无理由+7*72小时售后在线,公司持有idc许可证,提供“云服务器、裸金属服务器、高防服务器、香港服务器、美国服务器、虚拟主机、免备案服务器”等云主机租用服务以及企业上云的综合解决方案,具有“安全稳定、简单易用、服务可用性高、性价比高”等特点与优势,专为企业上云打造定制,能够满足用户丰富、多元化的应用场景需求。
分享名称:强化路由器IOS安全-禁用不必要的服务-创新互联
文章起源:
http://cdkjz.cn/article/eohds.html
