Configure the router to use Cisco AutoSecure

Source: Internet
Author: User
Tags: modulus, ssh, server

Lab: configuring the router with the Cisco AutoSecure process. The complete interactive session, the configuration AutoSecure generates, and the resulting running-config are shown below (hostname R1, domain blog.norvel.com.cn).

R1# auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to the internet? [no]: yes
Enter the number of interfaces facing the internet [1]:
Interface        IP-Address   OK? Method Status                Protocol
FastEthernet0/0  unassigned   YES unset  administratively down down
Ethernet1/0      unassigned   YES unset  administratively down down
Ethernet1/1      unassigned   YES unset  administratively down down
Ethernet1/2      unassigned   YES unset  administratively down down
Ethernet1/3      unassigned   YES unset  administratively down down
Enter the interface name that is facing the internet: FastEthernet0/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k www.norvel.com.cn k

Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret:
Confirm the enable secret:
Enter the new enable password:
Choose a password that's different from secret
Enter the new enable password:
% Password too short - must be at least 6 characters. Password configuration failed
Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: suyajuncn
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters:

Blocking Period when Login Attack detected:
Device not secured against 'login attacks'.

Configure SSH server? [yes]: yes
Enter the domain-name: blog.norvel.com.cn

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C www.norvel.com.cn ^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.
enable password 7
username suyajuncn password 7
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
ip domain-name blog.norvel.com.cn
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Ethernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Ethernet1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Ethernet1/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Ethernet1/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip cef
access-list 100 permit udp any any eq bootpc
interface FastEthernet0/0
 ip verify unicast source reachable-via rx allow-default 100
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface FastEthernet0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
!
end

Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config
The name for the keys will be: R1.blog.norvel.com.cn
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

R1#
R1# show run
Building configuration...

Current configuration : 3069 bytes
!
upgrade fpd auto
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.
enable password 7 095F5B10180F021C0802
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name blog.norvel.com.cn
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
username suyajuncn password 7 01001_d5a0113012242
archive
 log config
  logging enable
  hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect autosec_inspect out
 shutdown
 duplex half
 no mop enabled
!
interface Ethernet1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex half
 no mop enabled
!
interface Ethernet1/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex half
 no mop enabled
!
interface Ethernet1/2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex half
 no mop enabled
!
interface Ethernet1/3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex half
 no mop enabled
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
logging alarm informational
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
control-plane
!
!
!
gatekeeper
 shutdown
!
banner motd ^C www.norvel.com.cn ^C
!
line con 0
 exec-timeout 5 0
 logging synchronous
 login authentication local_auth
 transport output telnet
 stopbits 1
line aux 0
 login authentication local_auth
 transport output telnet
 stopbits 1
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
!
!
end

R1#
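As an added example (not from the page or from Cisco), the Python audit below parses a running-config like the one above and flags what this AutoSecure run leaves behind: the reversible type-7 enable password kept next to the enable secret, the 1024-bit RSA modulus, telnet still permitted on the vty lines, and no `ip ssh version 2`. The sample config is a constructed excerpt modelled on the show run output; the modulus is passed in separately because show run does not print it.

```python
# Constructed excerpt modelled on the show run output above (not a capture from the page's router).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$Bjbb$u54FP6qoSwpVXyBs6PBmY.
enable password 7 095F5B10180F021C0802
no ip http server
no cdp run
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 login authentication local_auth
 transport input telnet ssh
"""

def parse_sections(config):
    """Split an IOS config into top-level commands and their indented sub-commands."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks

def audit(config, rsa_modulus_bits):
    """Return (severity, finding) pairs; rsa_modulus_bits comes from the key-generation line."""
    top, blocks = parse_sections(config)
    findings = []
    if "service password-encryption" not in top:
        findings.append(("medium", "service password-encryption is missing"))
    if any(t.startswith("enable password ") for t in top):
        findings.append(("medium", "type-7 enable password kept alongside enable secret"))
    if "no ip http server" not in top:
        findings.append(("medium", "ip http server is still enabled"))
    if "ip ssh version 2" not in top:
        findings.append(("medium", "ip ssh version 2 not set; SSHv1 may still be negotiated"))
    if rsa_modulus_bits < 2048:
        findings.append(("high", f"RSA modulus {rsa_modulus_bits} bits is below 2048"))
    for name, subs in blocks.items():
        if name.startswith("line vty"):
            if not any(s.startswith("login authentication") for s in subs):
                findings.append(("high", f"{name}: no login authentication"))
            for s in subs:
                if s.startswith("transport input") and "telnet" in s.split():
                    findings.append(("high", f"{name}: '{s}' still allows cleartext telnet"))
    return findings
```

Run `audit(SAMPLE_CONFIG, 1024)` to see the four findings for this lab's configuration; after restricting the vty lines to `transport input ssh`, removing the type-7 enable password, adding `ip ssh version 2` and regenerating a 2048-bit key, the audit returns an empty list.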
