-
[CISCO/구문실습] Auto Secure 명령 사용공부/패킷 트레이서 2023. 11. 6. 20:14
Auto Secure란?
- 라우터 및 스위치에서 보안을 강화하는데 사용되는 명령어
- 네트워크 장비의 보안을 강화하기 위해 여러 보안 기능을 자동으로 설정
- 보안에 취약한 서비스 비활성화
- SNMP 보안 강화
- IP Source Routing 비활성화
- CDP(Cisco Discovery Protocol) 보안 강화
- TCP 및 UDP Socket 플러딩 방지를 위한 간단한 접근 목록 구성
AutoSecure를 사용하여 라우터를 잠급니다.
- 이 구문 검사기에서는 AutoSecure를 사용하여 R1을 보호합니다.
Serial0/0/0을 인터넷을 향하는 인터페이스로 구성합니다. - 참고: 인터페이스 이름은 대소문자를 구분합니다.
- #Unauthorized Access is Prohibited!#을 사용하여 motd 배너를 만듭니다.
- 라우터에 액세스하기 위해 로컬 사용자 이름 Admin01과 암호 Admin01pa55를 만듭니다.
- 30초 이내에 로그인 시도가 2회 실패할 경우 60초 로그인 종료를 구성합니다.
- SSH 서버의 도메인 이름으로 example.com 을 사용합니다.
- CBAC 방화벽을 구성하지 마십시오.
- AutoSecure의 구성을 running-config에 적용합니다.
R1#auto secure --- AutoSecure Configuration --- *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks *** AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for AutoSecure documentation. At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt. Gathering information about the router for AutoSecure Is this router connected to Internet? [no]#yes // 라우터는 인터넷에 연결되어 있는가? Enter the number of interfaces facing the internet [1]#1 // 인터넷과 연결된 인터페이스 수 Interface IP-Address OK? Method Status Protocol Embedded-Service-Engine0/0 unassigned YES unset administratively down down GigabitEthernet0/0 unassigned YES unset administratively down down GigabitEthernet0/1 192.168.1.1 YES manual up up Serial0/0/0 10.1.1.1 YES manual up up Serial0/0/1 unassigned YES unset administratively down down Enter the interface name that is facing the internet#Serial0/0/0 // 인터넷과 연결된 인터페이스 입력 Securing Management plane services... Disabling service finger Disabling service pad Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in Enabling service tcp-keepalives-out Disabling the cdp protocol Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements. Authorized Access only This system is the property of So-&-So-Enterprise. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action. Enter the security banner {Put the banner between k and k, where k is any character}: // 보안 배너 입력 {배너를 다음 사이에 넣으십시오 // k와 k, 여기서 k는 임의의 문자입니다: ##Unauthorized Access is Prohibited!# Configuration of local user database Enter the username#Admin01 // 유저 이름 Enter the password#Admin01pa55 // 패스워드 Confirm the password#Admin01pa55 // 패스워드 확인 Configuring AAA local authentication Configuring console, Aux and vty lines for local authentication, exec-timeout, transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected#60 // 로그인이 시도되면 차단할 시간 Maximum Login failures with the device#2 // 로그인 시도 횟수 Maximum time period for crossing the failed login attempts#30 // 실패한 로그인 시도 시간 Configure SSH server? [yes]#yes // ssh server를 연결할 것인가? Enter the domain-name#example.com // 도메인 이름 입력 Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces Securing Forwarding plane services... Enabling unicast rpf on all interfaces connected to internet Configure CBAC Firewall feature? [yes/no]#no // CBAC 방화벽을 구성할 것인가? This is the configuration generated: no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption service tcp-keepalives-in service tcp-keepalives-out no cdp run no ip bootp server no ip http server no ip finger no ip source-route no ip gratuitous-arps no ip identd banner motd ^CUnauthorized Access is PROHIBITED^C security passwords min-length 6 security authentication failure rate 10 log username Admin01 password 7 15330F010D247B7538326077 aaa new-model aaa authentication login local_auth local line console 0 login authentication local_auth exec-timeout 5 0 transport output telnet line aux 0 login authentication local_auth exec-timeout 10 0 transport output telnet line vty 0 4 login authentication local_auth transport input telnet line tty 1 2 login authentication local_auth exec-timeout 15 0 login block-for 60 attempts 2 within 30 ip domain-name ccnasecurity.com crypto key generate rsa general-keys modulus 1024 ip ssh time-out 60 ip ssh authentication-retries 2 line vty 0 4 transport input ssh telnet service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone logging facility local2 logging trap debugging service sequence-numbers logging console critical logging buffered interface Embedded-Service-Engine0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface GigabitEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface GigabitEthernet0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Serial0/0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial0/0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply access-list 100 permit udp any any eq bootpc interface Serial0/0/0 ip verify unicast source reachable-via rx allow-default 100 ! end Apply this configuration to running-config? [yes]#yes // running-config에 이 구성을 적용하시겠습니까? Applying the config generated to running-config The name for the keys will be: R1.ccnasecurity.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 3 seconds) R1# 000046: *Dec 30 22:44:35.503 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
'공부 > 패킷 트레이서' 카테고리의 다른 글
[패킷트레이서/실습] OSPF 라우팅 (2) 2023.11.09 [CISCO/구문실습] OSPF SHA 라우팅 프로토콜 인증 // 미작성 (2) 2023.11.06 [CISCO/구문실습] R2에서 Superview 구성 (2) 2023.11.06 [CISCO/구문실습] R2의 VIEW 구성 (2) 2023.11.06 [CISCO/구문실습] R2에서 Privilege Level 구성 (0) 2023.11.06