  • [CISCO/Syntax Practice] Using the Auto Secure command
    Study/Packet Tracer 2023. 11. 6. 20:14

    What is Auto Secure?

    • A command used to harden security on routers and switches
    • Automatically configures several security features to harden a network device
    • Disables services that are vulnerable
    • Hardens SNMP
    • Disables IP source routing
    • Secures CDP (Cisco Discovery Protocol)
    • Configures a simple access list to prevent TCP and UDP socket flooding

    Lock down the router using AutoSecure.

    • In this syntax checker, secure R1 using AutoSecure.
      Configure Serial0/0/0 as the interface facing the internet.
    • Note: interface names are case-sensitive.
    • Create a motd banner using #Unauthorized Access is Prohibited!#.
    • Create the local username Admin01 with the password Admin01pa55 for accessing the router.
    • Configure a 60-second login shutdown if 2 login attempts fail within 30 seconds.
    • Use example.com as the domain name for the SSH server.
    • Do not configure the CBAC firewall.
    • Apply the AutoSecure configuration to running-config.

    R1#auto secure
    --- AutoSecure Configuration ---  
      
    *** AutoSecure configuration enhances the security of  
    the router, but it will not make it absolutely resistant  
    to all security attacks ***  
      
    AutoSecure will modify the configuration of your device.  
    All configuration changes will be shown. For a detailed  
    explanation of how the configuration changes enhance security  
    and any possible side effects, please refer to Cisco.com for  
    AutoSecure documentation.  
    At any prompt you may enter '?' for help.  
    Use ctrl-c to abort this session at any prompt.  
      
    Gathering information about the router for AutoSecure
    Is this router connected to Internet? [no]#yes
    // Is the router connected to the internet?
    Enter the number of interfaces facing the internet [1]#1
    // Number of interfaces connected to the internet
      
    Interface                  IP-Address      OK? Method Status                Protocol
    Embedded-Service-Engine0/0 unassigned      YES unset  administratively down down
    GigabitEthernet0/0         unassigned      YES unset  administratively down down
    GigabitEthernet0/1         192.168.1.1     YES manual up                    up  
    Serial0/0/0                10.1.1.1        YES manual up                    up  
    Serial0/0/1                unassigned      YES unset  administratively down down
    Enter the interface name that is facing the internet#Serial0/0/0
    // Enter the interface connected to the internet
    Securing Management plane services...
    
    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol
    
    Disabling the bootp server
    Disabling the http server
    Disabling the finger service
    Disabling source routing
    Disabling gratuitous arp
    
    Here is a sample Security Banner to be shown
    at every access to device. Modify it to suit your
    enterprise requirements.
    
    Authorized Access only
      This system is the property of So-&-So-Enterprise.
      UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
      You must have explicit permission to access this
      device. All activities performed on this device
      are logged. Any violations of access policy will result
      in disciplinary action.
    
    Enter the security banner {Put the banner between  
    k and k, where k is any character}:
    // Enter the security banner {put the banner between
    // k and k, where k is any character}:
    ##Unauthorized Access is Prohibited!#
      
    Configuration of local user database
    Enter the username#Admin01
    // Username
    Enter the password#Admin01pa55
    // Password
    Confirm the password#Admin01pa55
    // Confirm the password
    Configuring AAA local authentication  
    Configuring console, Aux and vty lines for  
    local authentication, exec-timeout, transport  
    Securing device against Login Attacks  
    Configure the following parameters
    Blocking Period when Login Attack detected#60
    // How long (seconds) to block logins once a login attack is detected
    Maximum Login failures with the device#2
    // Maximum number of failed login attempts
    Maximum time period for crossing the failed login attempts#30
    // Time window (seconds) within which the failed attempts must occur
    Configure SSH server? [yes]#yes
    // Configure the SSH server?
    Enter the domain-name#example.com
    // Enter the domain name
    Configuring interface specific AutoSecure services
    Disabling the following ip services on all interfaces:
    
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    Disabling mop on Ethernet interfaces
    
    Securing Forwarding plane services...
    
    Enabling unicast rpf on all interfaces connected
    to internet  
    Configure CBAC Firewall feature? [yes/no]#no
    // Configure the CBAC firewall?
    This is the configuration generated:
    
    no service finger
    no service pad
    no service udp-small-servers
    no service tcp-small-servers
    service password-encryption
    service tcp-keepalives-in
    service tcp-keepalives-out
    no cdp run
    no ip bootp server
    no ip http server
    no ip finger
    no ip source-route
    no ip gratuitous-arps
    no ip identd
    banner motd ^CUnauthorized Access is PROHIBITED^C
    security passwords min-length 6
    security authentication failure rate 10 log
    username Admin01 password 7 15330F010D247B7538326077
    aaa new-model
    aaa authentication login local_auth local
    line console 0
     login authentication local_auth
     exec-timeout 5 0
     transport output telnet
    line aux 0
     login authentication local_auth
     exec-timeout 10 0
     transport output telnet
    line vty 0 4
     login authentication local_auth
     transport input telnet
    line tty 1 2
     login authentication local_auth
     exec-timeout 15 0
    login block-for 60 attempts 2 within 30
    ip domain-name ccnasecurity.com
    crypto key generate rsa general-keys modulus 1024
    ip ssh time-out 60
    ip ssh authentication-retries 2
    line vty 0 4
     transport input ssh telnet
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    logging facility local2
    logging trap debugging
    service sequence-numbers
    logging console critical
    logging buffered
    interface Embedded-Service-Engine0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface GigabitEthernet0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface GigabitEthernet0/1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
     no mop enabled
    interface Serial0/0/0
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    interface Serial0/0/1
     no ip redirects
     no ip proxy-arp
     no ip unreachables
     no ip directed-broadcast
     no ip mask-reply
    access-list 100 permit udp any any eq bootpc
    interface Serial0/0/0
     ip verify unicast source reachable-via rx allow-default 100
    !
    end
    Apply this configuration to running-config? [yes]#yes
    // Apply this configuration to running-config?
    Applying the config generated to running-config  
    The name for the keys will be: R1.ccnasecurity.com  
      
    % The key modulus size is 1024 bits  
    % Generating 1024 bit RSA keys, keys will be non-exportable...  
    [OK] (elapsed time was 3 seconds)  
      
    R1#  
    000046: *Dec 30 22:44:35.503 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has been Modified on this device
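The generated configuration above is what AutoSecure produces, not what it guarantees: it still leaves `transport input ssh telnet` on the vty lines and stores the local user with a reversible type-7 `password`. The following Python audit script is an added example that is not part of the original post or of Cisco's tooling; it parses an abridged running-config constructed from the output shown above and reports which of the hardening items from this exercise are actually present, so the result can be compared against the task list (example.com domain, 60/2/30 login blocking, no Telnet on vty).

```python
import re

# Constructed sample: an abridged running-config modeled on the AutoSecure
# output shown in the post (not captured from a real device).
SAMPLE_CONFIG = """\
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
no cdp run
no ip bootp server
no ip http server
no ip source-route
banner motd ^CUnauthorized Access is PROHIBITED^C
security passwords min-length 6
username Admin01 password 7 15330F010D247B7538326077
aaa new-model
aaa authentication login local_auth local
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 60 attempts 2 within 30
ip domain-name ccnasecurity.com
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
interface Serial0/0/0
 no ip redirects
 no ip proxy-arp
 ip verify unicast source reachable-via rx allow-default 100
!
end
"""


def parse_ios_config(text):
    """Split IOS-style config into top-level commands and per-section sub-commands.

    Returns (global_lines, sections) where sections maps a header such as
    'line vty 0 4' to the indented commands under it. Repeated headers
    (AutoSecure emits 'line vty 0 4' twice) accumulate into one list.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if line.startswith(("line ", "interface ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections


def audit_autosecure(text, expected_domain="example.com"):
    """Return {check_name: bool} for the hardening items in the exercise."""
    g, s = parse_ios_config(text)
    gset = set(g)
    vty = s.get("line vty 0 4", [])
    # IOS keeps only the last 'transport input' issued on a line section.
    transports = [l for l in vty if l.startswith("transport input")]
    last_transport = transports[-1] if transports else None
    block = re.search(r"^login block-for (\d+) attempts (\d+) within (\d+)$", text, re.M)
    domain = re.search(r"^ip domain-name (\S+)$", text, re.M)
    return {
        "small_servers_disabled": {"no service udp-small-servers",
                                   "no service tcp-small-servers"} <= gset,
        "finger_disabled": "no service finger" in gset,
        "cdp_disabled": "no cdp run" in gset,
        "source_routing_disabled": "no ip source-route" in gset,
        "http_server_disabled": "no ip http server" in gset,
        "aaa_local_auth": "aaa new-model" in gset
                          and "aaa authentication login local_auth local" in gset,
        "login_block_60_2_30": block is not None
                               and tuple(map(int, block.groups())) == (60, 2, 30),
        "ssh_domain_matches": domain is not None and domain.group(1) == expected_domain,
        "vty_ssh_only": last_transport == "transport input ssh",
        # 'password 7' is reversible; a hardened config uses 'secret'.
        "no_type7_passwords": not any(re.match(r"username \S+ password 7 ", l) for l in g),
        "urpf_on_internet_if": "ip verify unicast source reachable-via rx allow-default 100"
                               in s.get("interface Serial0/0/0", []),
    }


def failing_checks(text, expected_domain="example.com"):
    """Names of checks that did not pass, sorted for stable reporting."""
    return sorted(k for k, ok in audit_autosecure(text, expected_domain).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit_autosecure(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run against the constructed sample, the script flags three items the transcript itself shows: the domain name written into the config is ccnasecurity.com rather than the example.com that was entered, Telnet remains enabled on the vty lines, and the local user is stored with a type-7 password. The usual follow-up on a real device is `transport input ssh` under `line vty 0 4` and `username Admin01 secret ...` in place of the type-7 entry, after which the same audit returns no failures.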
