Configure a router to block the virus propagation path in the LAN

Source: Internet
Author: User
Tags: md5 hash

Router settings: virus blocking measures (2)

(1) Port reinforcement

If the router is to hold up as a barrier, the passwords set on it matter a great deal. A network administrator can normally log on to the router through its Console, Aux and Ethernet ports and then configure it. That is convenient for management, but unauthorized users can reach the router through the same paths. Setting a password on each of these ports is therefore a standard configuration step. Taking the Aux port as an example, the commands are as follows:

  Router#configure terminal
  Enter configuration commands, one per line. End with CNTL/Z.
  Router(config)#line aux 0
  Router(config-line)#password test54ee
  Router(config-line)#login

Obviously, password complexity should be increased when passwords are configured, so that an intruder cannot easily break in and launch attacks against the router. Many administrators use the enable password command to set the privileged (super user) password, which poses a major security risk because that password is stored in a recoverable form. Instead, we recommend the enable secret command, which stores the password as an MD5 hash and is more secure than the previous configuration.

  Router(config)#enable secret test54ee

(2) Filter ICMP packets

Malicious pinging is a common attack method of LAN viruses. The virus generates random ping destination addresses and sends the packets out through the router, which therefore has to create a NAT table entry for every ICMP ping packet. If the administrator views the NAT table in privileged mode and sees a large number of ICMP NAT sessions, he should be alert to the possibility that the router is under attack (that is, a DoS attack).

If the virus launches an ICMP ping attack and sends tens of thousands of ping packets within a few seconds, these packets consume a large number of NAT session entries. A UDP NAT session lives for 5 seconds and a NAT connection session for 24 hours, so such a flood can occupy every available NAT session. The consequence is that legitimate packets can no longer be forwarded because all of the router's NAT sessions are taken. We can therefore filter ICMP packets in the access list to keep normal network services working. The following commands block the relevant ICMP packets from both external and internal sources:

  Router(config)#access-list 110 deny icmp any any echo log
  Router(config)#access-list 110 deny icmp any any redirect log
  Router(config)#access-list 110 deny icmp any any mask-request log
  Router(config)#access-list 110 permit icmp any any
  Router(config)#access-list 111 permit icmp any any echo
  Router(config)#access-list 111 permit icmp any any parameter-problem
  Router(config)#access-list 111 permit icmp any any packet-too-big
  Router(config)#access-list 111 permit icmp any any source-quench
  Router(config)#access-list 111 deny icmp any any log
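The paragraph above tells the administrator to look for a large number of ICMP NAT sessions in the translation table. The script below, an added example that is not part of the original article, automates that check: it parses text laid out like the output of `show ip nat translations`, counts ICMP translations per inside host, and also counts how many distinct outside destinations they point at, because a worm pinging random addresses shows up as one host with many ICMP entries to many different destinations. The sample table, the hypothetical host addresses (documentation ranges) and the alert thresholds are constructed for this example.

```python
"""Added example: spot ICMP NAT session build-up per inside host.

The input format follows the column layout of Cisco's `show ip nat translations`
(Pro, Inside global, Inside local, Outside local, Outside global); the rows
below are constructed for this example and use documentation address ranges.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample table. For ICMP entries the ":n" suffix is the ICMP identifier.
_HEADER = "Pro Inside global      Inside local       Outside local      Outside global"
_ROWS: List[str] = [_HEADER]
# Hypothetical infected host 192.168.1.20 pinging 12 different destinations.
for i in range(1, 13):
    _ROWS.append(
        f"icmp 203.0.113.10:{512 + i:<5} 192.168.1.20:{512 + i:<5} "
        f"198.51.100.{i}:{512 + i:<5} 198.51.100.{i}:{512 + i}"
    )
# A normal host: one ping, one DNS lookup and one web session.
_ROWS += [
    "icmp 203.0.113.10:1024  192.168.1.30:1024  198.51.100.53:1024 198.51.100.53:1024",
    "udp  203.0.113.10:53021 192.168.1.30:53021 198.51.100.53:53   198.51.100.53:53",
    "tcp  203.0.113.10:1025  192.168.1.30:1025  198.51.100.80:80   198.51.100.80:80",
]
SAMPLE_OUTPUT = "\n".join(_ROWS)


def _host(addr_port: str) -> str:
    """Strip the ':port' or ':identifier' suffix from an 'a.b.c.d:n' field."""
    return addr_port.rsplit(":", 1)[0]


def icmp_nat_summary(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {inside_local_host: (icmp_translations, distinct_outside_hosts)}."""
    sessions: Dict[str, int] = defaultdict(int)
    destinations: Dict[str, Set[str]] = defaultdict(set)
    for line in output.splitlines():
        fields = line.split()
        # Skip the header, blank lines and anything that is not a translation row.
        if len(fields) < 5 or fields[0].lower() not in ("icmp", "tcp", "udp"):
            continue
        proto, _inside_global, inside_local, _outside_local, outside_global = fields[:5]
        if proto.lower() != "icmp":
            continue
        src = _host(inside_local)
        sessions[src] += 1
        destinations[src].add(_host(outside_global))
    return {host: (sessions[host], len(destinations[host])) for host in sessions}


def suspicious_hosts(output: str, max_sessions: int = 10, max_destinations: int = 5) -> List[str]:
    """Inside hosts whose ICMP translation count or destination spread exceeds the thresholds.

    The default thresholds are assumptions made for this example; tune them to
    the LAN's normal ping volume before acting on the result.
    """
    return sorted(
        host
        for host, (count, spread) in icmp_nat_summary(output).items()
        if count > max_sessions or spread > max_destinations
    )


if __name__ == "__main__":
    for host, (count, spread) in icmp_nat_summary(SAMPLE_OUTPUT).items():
        print(f"{host}: {count} ICMP translations to {spread} destinations")
    print("suspicious:", suspicious_hosts(SAMPLE_OUTPUT))
```

Run against saved router output instead of SAMPLE_OUTPUT to get a per-host view before deciding which ACL to apply; the destination spread is the more telling number, since a single host legitimately pinging one monitoring target can hold a handful of ICMP sessions without being a worm.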

(3) Port filtering

Create access lists at the router's ingress and egress to control the traffic that viruses use. These access lists are based on ports (such as 135, 136, 445 and 4444). Administrators can check how many packets each entry has matched and move the entries with the most matches toward the front of the list, since entries are evaluated in order; this speeds up processing.

  Router(config)#access-list 110 deny tcp any any eq 135
  Router(config)#access-list 110 deny udp any any eq 135
  Router(config)#access-list 110 deny tcp any any eq 136
  Router(config)#access-list 110 deny udp any any eq 136
  Router(config)#access-list 110 deny tcp any any eq 445
  Router(config)#access-list 110 deny udp any any eq 445
  Router(config)#access-list 110 deny tcp any any eq 4444
  Router(config)#access-list 110 deny udp any any eq 4444

Apply the list to the corresponding port following the preceding steps.

These are not the only virus blocking measures. For more information, see: Configuring a router to block the virus propagation path in the LAN.
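Two points in sections (2) and (3) are easy to get wrong in practice: a Cisco access list is evaluated top to bottom with the first match winning, and every list ends in an implicit deny, so access list 110 as written above would drop all non-ICMP traffic once applied unless a final permit is added. The model below is an added example, not code from the original article or from Cisco: it parses the `access-list ... any any` lines used in this article, evaluates constructed packets against them with per-entry match counters, and reorders entries by match count in the only way that cannot change the verdict. The packets and the trailing `permit ip any any` line are constructed for this example.

```python
"""Added example: a minimal model of Cisco-style extended ACL evaluation.

Parses 'access-list N permit|deny PROTO any any [eq PORT | ICMP-TYPE] [log]'
lines, applies first-match-wins with an implicit deny at the end, keeps a hit
counter per entry, and reorders busy entries without changing behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport: Optional[int] = None
    icmp_type: Optional[str] = None
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse the 'any any' form used in this article; the list number is ignored."""
    entries = []
    for line in lines:
        tokens = line.strip().lower().split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported line: {line!r}")
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in {line!r}")
        rest = [t for t in tokens[6:] if t != "log"]  # 'log' does not affect matching
        dport = icmp_type = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1])
        elif rest:
            icmp_type = rest[0]
        entries.append(Entry(action, proto, dport, icmp_type))
    return entries


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """First matching entry wins and gets a hit; no match means the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action
    return "deny"


def reorder_by_hits(acl: List[Entry]) -> List[Entry]:
    """Move busy entries forward without changing what the list permits.

    Entries are sorted only within a run of consecutive entries sharing one
    action: whichever entry in such a run matches, the verdict is the same, so
    the sort is safe. Moving 'permit icmp any any' above the 'deny icmp ... echo'
    lines would change behaviour, so entries never cross an action boundary.
    """
    result, run = [], []
    for entry in acl:
        if run and run[-1].action != entry.action:
            result.extend(sorted(run, key=lambda e: -e.hits))  # stable sort
            run = []
        run.append(entry)
    result.extend(sorted(run, key=lambda e: -e.hits))
    return result


# Access list 110 exactly as given in the article: ICMP lines, then port filters.
ACL_110_LINES = [
    "access-list 110 deny icmp any any echo log",
    "access-list 110 deny icmp any any redirect log",
    "access-list 110 deny icmp any any mask-request log",
    "access-list 110 permit icmp any any",
] + [
    f"access-list 110 deny {proto} any any eq {port}"
    for port in (135, 136, 445, 4444)
    for proto in ("tcp", "udp")
]

if __name__ == "__main__":
    acl = parse_acl(ACL_110_LINES)
    print("tcp/80 with list 110 as written:", evaluate(acl, Packet("tcp", dport=80)))
```

The last line prints `deny`: ordinary web traffic never matches an entry in list 110 and falls through to the implicit deny, which is why the list needs an explicit final permit (the constructed `permit ip any any` in the test) before it is applied to an interface carrying user traffic.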
