Lab 1 ISCW


Đặng Quang Minh, CCIE#11897
Lab ISCW: Hardening Cisco Devices

Network diagram

Each lab group consists of two students. To carry out this lab, the students need the following software:
- Ethereal
- FoundStone SuperScan
- Kiwi Syslog Daemon
- BluePortScan
- NetCat
- Jolt2
- SmartWhois
- SolarWinds Engineer Edition v88

The lab requirements are as follows:

Cable the devices according to the diagram. Connect R1 and R2 with a serial or Ethernet link. Router R2 has an Ethernet port, for example E0, connected to the VnPro lab LAN. PC1 connects to router R1 directly or through a switch.

Configure the IP addresses of the network as shown in the diagram. Set the default gateway of PC1 to 10.1.1.1.

After the IP address configuration (step 2) is complete, verify the result with the following command:

R1#show ip int brief
Interface IP-Address OK? Method Status Protocol

Configure routing using static routes. PC1 must be able to reach the Internet over the web; for example, from PC1 browse to the web site vnpro.org. Configure routing on R2 as follows:

R2(config)#ip route 10.1.1.0 255.255.255.0 10.1.2.1
R2(config)#ip route 0.0.0.0 0.0.0.0 10.215.219.254

On R1, configure routing as follows:

R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.2.2

So that the router can ping servers by name, also configure a DNS server:

R2(config)#ip name-server 203.162.4.190

Alternatively, configure the DNS server on the workstations PC1 and PC2.

To reach the Internet, configure NAT on R2. Take care to designate the inside and outside interfaces correctly. In the configuration below, interface F0/1 is the interface facing the Internet; it is the interface connected to the VnPro LAN.

R2(config)#access-list permit 10.1.1.0 0.0.0.255
R2(config)#access-list permit 10.1.2.0 0.0.0.255
R2(config)#ip nat inside source list interface F0/1 overload

Port scanning test

This task is carried out on PC1 and PC2 at the same time. Install SuperScan on PC1 and PC2 and click the Scan button. Check which hosts are present on the network and which ports are open on each host. In particular, check the ports that are open on routers R1 and R2. For PC2, which is connected to the VnPro LAN, use the Windows Enumeration feature to view information about the WinXP machines on the LAN. Try sharing a folder on the target machine, then use Windows Enumeration to find the shared folder.

Testing BluePortScan
Run BluePortScan from PC1 or PC2 and enter the address range to scan.

Setting up the Syslog service

Keeping logs is common practice. The information usually kept includes interface status, security notifications, environmental status and so on. Below is a typical logging configuration; apply it on R1 and R2:

logging buffered 16384
logging trap debugging
logging facility local7      <- Syslog facility on the syslog server
logging 169.222.32.1         <- IP address of your syslog server

To set up the syslog daemon on 4.3 BSD Unix, use the following line in the file /etc/syslog.conf:

local7.debugging /usr/adm/logs/cisco.log

Note that you must replace 169.222.32.1 with the address of the actual Syslog server in the diagram. If you use PC1 as the Syslog server for R1, the command is:

R1(config)#logging 10.1.1.2

By default, log messages carry no timestamp. To add a timestamp to each log line, add the following commands:

service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec

The messages then have the form:

Jul 27 15:53:23.235 AEST: %SYS-5-CONFIG_I: Configured from console by philip on console

The command parameters:
- debug: all debug output is timestamped
- log: all log messages are timestamped
- datetime: the date of the message
- localtime: local time is used (not UTC)
- show-timezone: the timezone is shown
- msec: time with millisecond precision

You can also fix the source IP address used for log messages:

logging source-interface loopback0

Analysing SYSLOG data: below are software tools for analysing syslog:
- Cisco Resource Manager: http://www.cisco.com/warp/public/734/crm/index.shtml
- Private I: http://www.4privatei.com/
- Crystal Reports: http://www.seagatesoftware.com/crystalreports/

Configuration example: in this example router R2 uses 150.50.17.5 as its logging server. The messages sent carry a timestamp. All log messages sent to the logging server are also kept in a 15000-byte cache on R2.

Router 2:
Current configuration : 761 bytes
!
version 12.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname R2
!
logging buffered 15000 debugging
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip finger
!
interface Loopback0
 ip address 200.0.0.2 255.255.255.255
!
interface Ethernet0
 ip address 150.50.17.2 255.255.255.0
!
ip classless
ip http server
!
logging trap debugging
logging 10.215.219.X
! X is the address of PC2
!
end

On PC1, install Kiwi Syslog as follows. Choose I Agree. Choose Install Application, then Next. Then choose the Destination Folder. Choose Finish.

After the installation, run Kiwi Syslog Daemon. Try turning on a debug and check whether the log messages appear on the syslog server:

R1#debug ip packet detail
IP packet debugging is on (detailed)

Testing SmartWhois

The following is the configuration generated by AutoSecure on the Demo router:

no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/2/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
access-list compiled
ip access-list extended autosec_iana_reserved_block
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date Visit www.iana.org/assignments/ipv4-address-space for update list
exit
ip access-list extended autosec_private_block
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
exit
ip access-list extended autosec_complete_bogon
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 7.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 41.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 49.0.0.0 0.255.255.255 any
deny ip 50.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 70.0.0.0 0.255.255.255 any
deny ip 71.0.0.0 0.255.255.255 any
deny ip 72.0.0.0 0.255.255.255 any
deny ip 73.0.0.0 0.255.255.255 any
deny ip 74.0.0.0 0.255.255.255 any
deny ip 75.0.0.0 0.255.255.255 any
deny ip 76.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 96.0.0.0 0.255.255.255 any
deny ip 97.0.0.0 0.255.255.255 any
deny ip 98.0.0.0 0.255.255.255 any
deny ip 99.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 107.0.0.0 0.255.255.255 any
deny ip 108.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 240.0.0.0 15.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date Visit www.iana.org/assignments/ipv4-address-space for update list
exit
interface FastEthernet0/1
ip access-group autosec_complete_bogon in
exit
access-list 100 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
!
end

The router asks whether you want to apply this configuration:

Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: Demo.vnpro.org
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys [OK]

Demo#sh run
Building configuration
Current configuration : 9519 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Demo
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length
logging buffered 4096 debugging
logging console critical
enable secret $1$nEyq$HlTuZIiDeOChLt4arodSI0
enable password 075E731F1A5C4F52
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip bootp server
ip domain name vnpro.org
ip ssh time-out 60
ip ssh authentication-retries
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
no ip ips deny-action ips-interface
login block-for attempts within
!
no ftp-server write-enable
!
username vnpro password 025756085F5359
archive
 log config
  logging enable
!
!
no crypto isakmp ccm
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address dhcp
 ip access-group autosec_complete_bogon in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 duplex auto
 speed auto
 no mop enabled
!
ip classless
!
!
no ip http server
no ip http secure-server
!
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
ip access-list extended autosec_iana_reserved_block
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 permit ip any any
 remark This acl might not be up to date Visit www.iana.org/assignments/ipv4-address-space for update list
ip access-list extended autosec_private_block
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list compiled
no cdp run
!
control-plane
!
banner motd ^CThis config is for user VnPro^C
!
line
 exec-timeout
 login authentication local_auth
 transport output telnet
line aux
 exec-timeout 15
 login authentication local_auth
 transport output telnet
line vty
 login authentication local_auth
 transport input telnet ssh
!
warm-reboot
end

Demo#
Demo#sh ip access-lists
Extended IP access list 100 (Compiled)
    10 permit udp any any eq bootpc
Extended IP access list autosec_complete_bogon (Compiled)
    10 deny ip 1.0.0.0 0.255.255.255 any
    20 deny ip 2.0.0.0 0.255.255.255 any
    30 deny ip 5.0.0.0 0.255.255.255 any
    40 deny ip 7.0.0.0 0.255.255.255 any
    50 deny ip 23.0.0.0 0.255.255.255 any
    60 deny ip 27.0.0.0 0.255.255.255 any
    70 deny ip 31.0.0.0 0.255.255.255 any
    80 deny ip 36.0.0.0 0.255.255.255 any
    90 deny ip 37.0.0.0 0.255.255.255 any
    100 deny ip 39.0.0.0 0.255.255.255 any
    110 deny ip 41.0.0.0 0.255.255.255 any
    120 deny ip 42.0.0.0 0.255.255.255 any
    130 deny ip 49.0.0.0 0.255.255.255 any
    140 deny ip 50.0.0.0 0.255.255.255 any
    150 deny ip 58.0.0.0 0.255.255.255 any
    160 deny ip 59.0.0.0 0.255.255.255 any
    170 deny ip 60.0.0.0 0.255.255.255 any
    180 deny ip 70.0.0.0 0.255.255.255 any
    190 deny ip 71.0.0.0 0.255.255.255 any
    200 deny ip 72.0.0.0 0.255.255.255 any
    210 deny ip 73.0.0.0 0.255.255.255 any
    220 deny ip 74.0.0.0 0.255.255.255 any
    230 deny ip 75.0.0.0 0.255.255.255 any
    240 deny ip 76.0.0.0 0.255.255.255 any
    250 deny ip 77.0.0.0 0.255.255.255 any
    260 deny ip 78.0.0.0 0.255.255.255 any
    270 deny ip 79.0.0.0 0.255.255.255 any
    280 deny ip 83.0.0.0 0.255.255.255 any
    290 deny ip 84.0.0.0 0.255.255.255 any
    300 deny ip 85.0.0.0 0.255.255.255 any
    310 deny ip 86.0.0.0 0.255.255.255 any
    320 deny ip 87.0.0.0 0.255.255.255 any
    330 deny ip 88.0.0.0 0.255.255.255 any
    340 deny ip 89.0.0.0 0.255.255.255 any
    350 deny ip 90.0.0.0 0.255.255.255 any
    360 deny ip 91.0.0.0 0.255.255.255 any
    370 deny ip 92.0.0.0 0.255.255.255 any
    380 deny ip 93.0.0.0 0.255.255.255 any
    390 deny ip 94.0.0.0 0.255.255.255 any
    400 deny ip 95.0.0.0 0.255.255.255 any
    410 deny ip 96.0.0.0 0.255.255.255 any
    420 deny ip 97.0.0.0 0.255.255.255 any
    430 deny ip 98.0.0.0 0.255.255.255 any
    440 deny ip 99.0.0.0 0.255.255.255 any
    450 deny ip 100.0.0.0 0.255.255.255 any
    460 deny ip 101.0.0.0 0.255.255.255 any
    470 deny ip 102.0.0.0 0.255.255.255 any
    480 deny ip 103.0.0.0 0.255.255.255 any
    490 deny ip 104.0.0.0 0.255.255.255 any
    500 deny ip 105.0.0.0 0.255.255.255 any
    510 deny ip 106.0.0.0 0.255.255.255 any
    520 deny ip 107.0.0.0 0.255.255.255 any
    530 deny ip 108.0.0.0 0.255.255.255 any
    540 deny ip 109.0.0.0 0.255.255.255 any
    550 deny ip 110.0.0.0 0.255.255.255 any
    560 deny ip 111.0.0.0 0.255.255.255 any
    570 deny ip 112.0.0.0 0.255.255.255 any
    580 deny ip 113.0.0.0 0.255.255.255 any
    590 deny ip 114.0.0.0 0.255.255.255 any
    600 deny ip 115.0.0.0 0.255.255.255 any
    610 deny ip 116.0.0.0 0.255.255.255 any
    620 deny ip 117.0.0.0 0.255.255.255 any
    630 deny ip 118.0.0.0 0.255.255.255 any
    640 deny ip 119.0.0.0 0.255.255.255 any
    650 deny ip 120.0.0.0 0.255.255.255 any
    660 deny ip 121.0.0.0 0.255.255.255 any
    670 deny ip 122.0.0.0 0.255.255.255 any
    680 deny ip 123.0.0.0 0.255.255.255 any
    690 deny ip 124.0.0.0 0.255.255.255 any
    700 deny ip 125.0.0.0 0.255.255.255 any
    710 deny ip 126.0.0.0 0.255.255.255 any
    720 deny ip 197.0.0.0 0.255.255.255 any
    730 deny ip 201.0.0.0 0.255.255.255 any
    740 deny ip 10.0.0.0 0.255.255.255 any (279 matches)
    750 deny ip 172.16.0.0 0.15.255.255 any
    760 deny ip 192.168.0.0 0.0.255.255 any
    770 deny ip 224.0.0.0 15.255.255.255 any
    780 deny ip 240.0.0.0 15.255.255.255 any
    790 deny ip 0.0.0.0 0.255.255.255 any (3 matches)
    800 deny ip 169.254.0.0 0.0.255.255 any
    810 deny ip 192.0.2.0 0.0.0.255 any
    820 deny ip 127.0.0.0 0.255.255.255 any
    830 permit ip any any
Extended IP access list autosec_firewall_acl (Compiled)
    10 permit udp any any eq bootpc
    20 deny ip any any
Extended IP access list autosec_iana_reserved_block (Compiled)
    10 deny ip 1.0.0.0 0.255.255.255 any
    20 deny ip 2.0.0.0 0.255.255.255 any
    30 deny ip 5.0.0.0 0.255.255.255 any
    40 deny ip 7.0.0.0 0.255.255.255 any
    50 deny ip 23.0.0.0 0.255.255.255 any
    60 deny ip 27.0.0.0 0.255.255.255 any
    70 deny ip 31.0.0.0 0.255.255.255 any
    80 deny ip 36.0.0.0 0.255.255.255 any
    90 deny ip 37.0.0.0 0.255.255.255 any
    100 deny ip 39.0.0.0 0.255.255.255 any
    110 deny ip 41.0.0.0 0.255.255.255 any
    120 deny ip 42.0.0.0 0.255.255.255 any
    130 deny ip 49.0.0.0 0.255.255.255 any
    140 deny ip 50.0.0.0 0.255.255.255 any
    150 deny ip 58.0.0.0 0.255.255.255 any
    160 deny ip 59.0.0.0 0.255.255.255 any
    170 deny ip 60.0.0.0 0.255.255.255 any
    180 deny ip 70.0.0.0 0.255.255.255 any
    190 deny ip 71.0.0.0 0.255.255.255 any
    200 deny ip 72.0.0.0 0.255.255.255 any
    210 deny ip 73.0.0.0 0.255.255.255 any
    220 deny ip 74.0.0.0 0.255.255.255 any
    230 deny ip 75.0.0.0 0.255.255.255 any
    240 deny ip 76.0.0.0 0.255.255.255 any
    250 deny ip 77.0.0.0 0.255.255.255 any
    260 deny ip 78.0.0.0 0.255.255.255 any
    270 deny ip 79.0.0.0 0.255.255.255 any
    280 deny ip 83.0.0.0 0.255.255.255 any
    290 deny ip 84.0.0.0 0.255.255.255 any
    300 deny ip 85.0.0.0 0.255.255.255 any
    310 deny ip 86.0.0.0 0.255.255.255 any
    320 deny ip 87.0.0.0 0.255.255.255 any
    330 deny ip 88.0.0.0 0.255.255.255 any
    340 deny ip 89.0.0.0 0.255.255.255 any
    350 deny ip 90.0.0.0 0.255.255.255 any
    360 deny ip 91.0.0.0 0.255.255.255 any
    370 deny ip 92.0.0.0 0.255.255.255 any
    380 deny ip 93.0.0.0 0.255.255.255 any
    390 deny ip 94.0.0.0 0.255.255.255 any
    400 deny ip 95.0.0.0 0.255.255.255 any
    410 deny ip 96.0.0.0 0.255.255.255 any
    420 deny ip 97.0.0.0 0.255.255.255 any
    430 deny ip 98.0.0.0 0.255.255.255 any
    440 deny ip 99.0.0.0 0.255.255.255 any
    450 deny ip 100.0.0.0 0.255.255.255 any
    460 deny ip 101.0.0.0 0.255.255.255 any
    470 deny ip 102.0.0.0 0.255.255.255 any
    480 deny ip 103.0.0.0 0.255.255.255 any
    490 deny ip 104.0.0.0 0.255.255.255 any
    500 deny ip 105.0.0.0 0.255.255.255 any
    510 deny ip 106.0.0.0 0.255.255.255 any
    520 deny ip 107.0.0.0 0.255.255.255 any
    530 deny ip 108.0.0.0 0.255.255.255 any
    540 deny ip 109.0.0.0 0.255.255.255 any
    550 deny ip 110.0.0.0 0.255.255.255 any
    560 deny ip 111.0.0.0 0.255.255.255 any
    570 deny ip 112.0.0.0 0.255.255.255 any
    580 deny ip 113.0.0.0 0.255.255.255 any
    590 deny ip 114.0.0.0 0.255.255.255 any
    600 deny ip 115.0.0.0 0.255.255.255 any
    610 deny ip 116.0.0.0 0.255.255.255 any
    620 deny ip 117.0.0.0 0.255.255.255 any
    630 deny ip 118.0.0.0 0.255.255.255 any
    640 deny ip 119.0.0.0 0.255.255.255 any
    650 deny ip 120.0.0.0 0.255.255.255 any
    660 deny ip 121.0.0.0 0.255.255.255 any
    670 deny ip 122.0.0.0 0.255.255.255 any
    680 deny ip 123.0.0.0 0.255.255.255 any
    690 deny ip 124.0.0.0 0.255.255.255 any
    700 deny ip 125.0.0.0 0.255.255.255 any
    710 deny ip 126.0.0.0 0.255.255.255 any
    720 deny ip 197.0.0.0 0.255.255.255 any
    730 deny ip 201.0.0.0 0.255.255.255 any
    740 permit ip any any
Extended IP access list autosec_private_block (Compiled)
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.15.255.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any
    40 permit ip any any
Extended IP access list sl_def_acl (Compiled)
    10 deny tcp any any eq telnet log
    20 deny tcp any any eq www log
    30 deny tcp any any eq 22 log
    40 permit ip any any log

Demo#sh tcp ?
              Line number
  aux         Auxiliary line
  brief       Brief display
  console     Primary terminal line
  intercept   Intercept display
  statistics  TCP protocol statistics
  tcb         TCB address
  tty         Terminal controller
  vty         Virtual terminal
  x/y         Slot/Port for Modems
  x/y/z       Slot/Subslot/Port for Modems
  |           Output modifiers

Demo#sh tcp tty
% Incomplete command

Demo#sh tcp tty ?
              Line number

Demo#sh tcp tty
Demo#sh tcp sta
Demo#sh tcp statistics
Rcvd: Total, no port
      checksum error, bad offset, too short
      packets (0 bytes) in sequence
      dup packets (0 bytes)
      partially dup packets (0 bytes)
      out-of-order packets (0 bytes)
      packets (0 bytes) with data after window
      packets after close
      window probe packets, window update packets
      dup ack packets, ack packets with unsend data
      ack packets (0 bytes)
Sent: Total, urgent packets
      control packets (including retransmitted)
      data packets (0 bytes)
      data packets (0 bytes) retransmitted
      data packets (0 bytes) fastretransmitted
      ack only packets (0 delayed)
      window probe packets, window update packets
Connections initiated, connections accepted, connections established
Connections closed (including dropped, embryonic dropped)
Total rxmt timeout, connections dropped in rxmt timeout
Keepalive timeout, keepalive probe, Connections dropped in keepalive

Demo#sh tcp ?
              Line number
  aux         Auxiliary line
  brief       Brief display
  console     Primary terminal line
  intercept   Intercept display
  statistics  TCP protocol statistics
  tcb         TCB address
  tty         Terminal controller
  vty         Virtual terminal
  x/y         Slot/Port for Modems
  x/y/z       Slot/Subslot/Port for Modems
  |           Output modifiers

Demo#sh tcp
Demo#sh cdp ?
  entry       Information for specific neighbor entry
  interface   CDP interface status and configuration
  neighbors   CDP neighbor entries
  traffic     CDP statistics
  |           Output modifiers

Demo#sh cdp
% CDP is not enabled
Demo#
Demo#sh ip ?
  access-lists         List IP access lists
  accounting           The active IP accounting database
  admission            Network Admission Control information
  aliases              IP alias table
  arp                  IP ARP table
  as-path-access-list  List AS path access lists
  auth-proxy           Authentication Proxy information
  bgp                  BGP information
  cache                IP fast-switching route cache
  casa                 display casa information
  cef                  Cisco Express Forwarding
  community-list       List community-list
  ddns                 Dynamic DNS
  dfp                  DFP information
  dhcp                 Show items in the DHCP database
  director             Director agent
  dns                  Show DNS zone information
  drp                  Director response protocol
  dvmrp                DVMRP information
  eigrp                IP-EIGRP show commands
  extcommunity-list    List extended-community list
  flow                 NetFlow switching
  helper-address       helper-address table
  host-list            Host list
  http                 HTTP information
  igmp                 IGMP information
  inspect              CBAC (Context Based Access Control) information
  interface            IP interface status and configuration
  ips                  IPS (Intrusion Prevention System) information
  irdp                 ICMP Router Discovery Protocol
  local                IP local options
  masks                Masks associated with a network
  mcache               IP multicast fast-switching cache
  mobile               IP Mobility information
  mpacket              Display possible duplicate multicast packets
  mrm                  IP Multicast Routing Monitor information
  mroute               IP multicast routing table
  msdp                 Multicast Source Discovery Protocol (MSDP)
  mtag                 IP Multicast Tagswitching TIB
  multicast            Multicast global information
  nat                  IP NAT information
  nbar                 Network-Based Application Recognition
  nhrp                 NHRP information
  ospf                 OSPF information
  pgm                  PGM Reliable Transport Protocol
  pim                  PIM information
  policy               Policy routing
  policy-list          List IP Policy list
  port-map             Port to Application Mapping (PAM) information
  prefix-list          List IP prefix lists
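The syslog section above forwards timestamped IOS messages to a Kiwi Syslog server and lists tools for analysing them. As an added example that is not part of the original handout, the Python below parses the message format shown there (optional sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC) and picks out the entries a defender would review first. The sample lines are constructed, not captured from the lab routers.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message shape produced by the timestamp settings on this page
# ("service timestamps log datetime localtime show-timezone msec"):
#   Jul 27 15:53:23.235 AEST: %SYS-5-CONFIG_I: Configured from console by philip on console
# A leading "NNNNNN: " appears when "service sequence-numbers" is on (as in the
# Demo router's show run), and a leading "*" marks a clock that was never set.
LINE_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"
    r"(?P<ts>\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?(?: [A-Z]{2,5})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# IOS severity levels, index = numeric level. "logging trap debugging" on the
# page means level 7, so everything is forwarded to the syslog server.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]


@dataclass
class IosLog:
    seq: Optional[int]
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[IosLog]:
    """Parse one IOS syslog line; return None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return IosLog(seq=int(m["seq"]) if m["seq"] else None,
                  timestamp=m["ts"], facility=m["facility"],
                  severity=int(m["severity"]), mnemonic=m["mnemonic"], text=m["text"])


def summarize(text: str) -> Tuple[List[IosLog], List[str], Dict[str, int]]:
    """Split a log file into parsed entries, unparsed lines and a per-severity count."""
    entries: List[IosLog] = []
    unparsed: List[str] = []
    counts: Dict[str, int] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            unparsed.append(raw)
            continue
        entries.append(entry)
        counts[entry.severity_name] = counts.get(entry.severity_name, 0) + 1
    return entries, unparsed, counts


def review_first(entries: List[IosLog], max_severity: int = 4) -> List[IosLog]:
    """Entries worth a look first: warnings (4) and worse, plus anything from the
    SEC_LOGIN facility, which is where failed logins under 'login block-for' land."""
    return [e for e in entries
            if e.severity <= max_severity or e.facility.startswith("SEC")]


# Constructed sample in the format the R1/R2 logging configuration above produces.
SAMPLE_LOG = """\
Jul 27 15:53:23.235 AEST: %SYS-5-CONFIG_I: Configured from console by philip on console
000012: Jul 27 15:54:01.118 AEST: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.2] [localport: 23] [Reason: Login Authentication Failed]
000013: Jul 27 15:54:09.002 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Mar  1 00:00:03.111: %SYS-5-RESTART: System restarted --
this is not a syslog line
"""

if __name__ == "__main__":
    entries, unparsed, counts = summarize(SAMPLE_LOG)
    print(counts, "unparsed:", unparsed)
    for e in review_first(entries):
        print(e.timestamp, e.facility, e.severity_name, e.mnemonic, e.text)
```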
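The AutoSecure output above applies autosec_complete_bogon inbound on FastEthernet0/1 and the show ip access-lists output reports match counters on its entries. As an added example not taken from the handout, the Python below evaluates a source address against such a list the way IOS does: wildcard-mask matching, first match wins, implicit deny at the end, and a per-entry counter rendered in the show format. The ACL text is a constructed excerpt of the lists on this page, not the full bogon list.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names that appear in the ACLs on this page (a small subset of the IOS table).
PORT_NAMES = {"bootpc": 68, "bootps": 67, "telnet": 23, "www": 80, "ssh": 22}


@dataclass
class AclEntry:
    seq: int
    action: str               # "permit" or "deny"
    protocol: str             # "ip", "udp", "tcp", ...
    src: str                  # "any" or "network wildcard"
    dst: str
    dst_port: Optional[int]   # from "eq <port>" after the destination, if present
    log: bool
    matches: int = 0          # incremented like the counter in "show ip access-lists"


def _take_address(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the body of an 'ip access-list extended' block, one entry per line.
    Remarks are skipped; sequence numbers are assigned 10, 20, ... as IOS does."""
    entries: List[AclEntry] = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        action, protocol, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_address(rest)
        dst, rest = _take_address(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            rest = rest[2:]
        entries.append(AclEntry(10 * (len(entries) + 1), action, protocol,
                                src, dst, port, "log" in rest))
    return entries


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask means that address bit must match,
    a 1 bit means 'don't care' (so 0.15.255.255 covers 172.16.0.0/12)."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    keep = w ^ 0xFFFFFFFF
    return (a & keep) == (n & keep)


def evaluate(acl: List[AclEntry], src: str, dst: str, protocol: str = "ip",
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry. A packet that matches
    nothing hits the implicit deny at the end, reported with sequence None."""
    for e in acl:
        if e.protocol != "ip" and e.protocol != protocol:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if wildcard_match(src, e.src) and wildcard_match(dst, e.dst):
            e.matches += 1
            return e.action, e.seq
    return "deny", None


def render(name: str, acl: List[AclEntry]) -> str:
    """Render the list the way 'show ip access-lists' does, with match counters."""
    lines = [f"Extended IP access list {name}"]
    for e in acl:
        port = f" eq {e.dst_port}" if e.dst_port is not None else ""
        log = " log" if e.log else ""
        hits = f" ({e.matches} matches)" if e.matches else ""
        lines.append(f"    {e.seq} {e.action} {e.protocol} {e.src} {e.dst}{port}{log}{hits}")
    return "\n".join(lines)


# Constructed excerpt of autosec_complete_bogon from this page (not the full list).
BOGON_EXCERPT = """
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
remark This acl might not be up to date
"""

# autosec_firewall_acl as shown on the page: only DHCP client replies are let in.
FIREWALL_ACL = """
permit udp any any eq bootpc
deny ip any any
"""

if __name__ == "__main__":
    bogon = parse_acl(BOGON_EXCERPT)
    for src in ("10.215.219.5", "172.31.4.4", "172.32.0.1", "239.1.1.1", "8.8.8.8"):
        print(src, "->", evaluate(bogon, src, "10.1.1.2"))
    print(render("autosec_complete_bogon (excerpt)", bogon))
```

Note that the lab's own addressing (10.1.1.0/24, 10.1.2.0/24 and the 10.215.219.0/24 VnPro LAN) falls inside the 10.0.0.0 0.255.255.255 deny, which is consistent with the 279 matches on that line in the show ip access-lists output above; a bogon list copied unchanged onto an interface that faces private address space drops the traffic it is meant to protect.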

Posted: 25/07/2014, 07:21
