
Using ACLs to Counter Security Threats

2009-03-11 17:26
When deciding how to handle server services, ports and protocols, always consider the following two rules:
1. Disable services, ports or protocols that are not in use.
2. Restrict access to the services, ports or protocols that remain.
Traffic filtering
Common router services:
Common service          Port          Transport
tcpmux                  1             tcp, udp
echo                    7             tcp, udp
discard                 9             tcp, udp
daytime                 13            tcp, udp
time                    37            tcp
whois                   43            udp
bootp                   67            udp
tftp                    69            udp
dcp                     93            tcp, udp
sunrpc                  111           tcp, udp
epmap                   135           tcp, udp
netbios-ns              137           tcp, udp
netbios-dgm             138           tcp, udp
netbios-ssn             139           tcp, udp
xdmcp                   177           udp
microsoft-ds            445           tcp
exec                    512           tcp
printer                 515           tcp
talk                    517           udp
ntalk                   518           udp
uucp                    540           tcp
microsoft upnp ssdp     1900, 5000    tcp, udp
nfs                     2049          udp
x window system         6000-6063     tcp
ircu                    6665-6669     tcp
italk                   12345         tcp
back orifice            31337-31338   tcp, udp
Services commonly found on the enterprise's protected network or on the router itself:
Service                 Port          Transport
finger                  79            tcp
snmp                    161           tcp, udp
snmptrap                162           tcp, udp
rlogin                  513           tcp
who                     513           udp
shell                   514           tcp
syslog                  514           udp
new-who                 550           tcp, udp
There are two ways to control access to router services:
1. Disable the service itself.
2. Use an ACL to restrict access to the service.
Filtering router service traffic
1. Filtering the Telnet service, example:
access-list 105 permit tcp host 16.2.1.3 any eq 23 log
access-list 105 permit tcp host 16.2.1.2 any eq 23 log
access-list 105 deny ip any any log
line vty 0 4
access-class 105 in
end
Extended IP ACL 105 allows only hosts 16.2.1.3 and 16.2.1.2 to reach router R2 over Telnet, and logs each match.
2. The SNMP service
SNMP should only be used on the protected internal network; an ACL can restrict which hosts may reach the router's SNMP agent.
Example:
access-list 80 permit host 16.2.1.3
snmp-server community snmp-host1 ro 80
In this example only the SNMP host at 16.2.1.3 can reach R2's SNMP agent, and the ACL further requires that the SNMP host use a community string named snmp-host1.
3. Routing protocols
Example:
access-list 12 deny 16.2.2.0 0.0.0.255
access-list 12 permit any
router ospf 1
distribute-list 12 out
end
Standard ACL 12 identifies the 16.2.2.0/24 prefix, and distribute-list 12 out applies it as an outbound route filter for OSPF process 1.
Filtering network traffic
How to implement ACLs to mitigate the following threats:
IP address spoofing, inbound
IP address spoofing, outbound
DoS TCP SYN attack: blocking external attacks
DoS TCP SYN attack: using TCP intercept
DoS smurf attack
Filtering ICMP messages, inbound
Filtering ICMP messages, outbound
Filtering traceroute
Countermeasures against IP address spoofing
Inbound rule: never allow a packet whose source address is an internal host or network address to enter the private network.
----e0/0(16.1.1.2)-router(R2)-e0/1(16.2.1.1)----remote-access LAN (16.2.1.0/24)
ACL 150 configuration on R2:
access-list 150 deny ip 16.2.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 16.2.1.0 0.0.0.255
interface e0/0
ip access-group 150 in
exit
ACL 150 denies any packet whose source address is:
1. any address in the internal 16.2.1.0 network
2. any loopback (localhost) address
3. any reserved private address
4. any multicast IP address
The ACL is applied inbound on router R2's external interface (e0/0).
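As an added example (not part of the original post), the following Python script parses the ACL 150 entries shown above, applies Cisco wildcard-mask matching with first-match semantics and the implicit deny at the end, and reports which entry catches each constructed sample packet. The ACL text and the sample addresses are copied or constructed here; only the "ip" protocol subset of the access-list syntax is handled.

```python
import ipaddress

# Constructed copy of the page's anti-spoofing ACL 150 (applied inbound on e0/0).
ACL_150 = """
access-list 150 deny ip 16.2.1.0 0.0.0.255 any log
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log
access-list 150 deny ip host 255.255.255.255 any log
access-list 150 permit ip any 16.2.1.0 0.0.0.255
"""

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), tokens[2:]

def parse_acl(text):
    """Turn 'access-list N action ip SRC DST [log]' lines into match entries (IP-only subset)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        action = t[2]                      # t[3] is the protocol; only "ip" is modelled here
        src, src_wild, rest = _parse_addr(t[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        entries.append((action, src, src_wild, dst, dst_wild, "log" in rest))
    return entries

def _matches(addr, net, wild):
    # Cisco wildcard: a 1 bit means "don't care", so compare only the bits that are 0 in the mask.
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)

def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny; returns (action, index of matching entry or None)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for i, (action, net, wild, dnet, dwild, _log) in enumerate(entries):
        if _matches(s, net, wild) and _matches(d, dnet, dwild):
            return action, i
    return "deny", None                    # no entry matched: implicit deny

if __name__ == "__main__":
    acl = parse_acl(ACL_150)
    for src, dst in [("16.2.1.7", "16.2.1.20"), ("10.9.8.7", "16.2.1.20"),
                     ("203.0.113.5", "16.2.1.20"), ("203.0.113.5", "16.3.0.1")]:
        print(src, "->", dst, evaluate(acl, src, dst))   # spoofed internal, RFC1918, legitimate, no match
```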
Outbound rule: never allow an IP packet whose source address is not a valid internal-network address to leave the network.
----e0/0(16.1.1.2)-router(R2)-e0/1(16.2.1.1)----remote-access LAN (16.2.1.0/24)
ACL 105 configuration on R2:
access-list 105 permit ip 16.2.1.0 0.0.0.255 any
access-list 105 deny ip any any log
interface e0/1
ip access-group 105 in
end
Blocking external attacks
----e0/0(16.1.1.2)-router(R2)-e0/1(16.2.1.1)----remote-access LAN (16.2.1.0/24)
Example ACL 109, used to block external TCP SYN DoS packets:
access-list 109 permit tcp any 16.2.1.0 0.0.0.255 established
access-list 109 deny ip any any log
interface e0/0
ip access-group 109 in
end
ACL 109 permits responses from the external network to connections originated from the internal network, and denies any TCP connection initiated from the external network.
Using TCP intercept
TCP intercept is a tool for protecting internal-network hosts against external TCP SYN attacks.
Example:
ip tcp intercept list 110
access-list 110 permit tcp any 16.2.1.0 0.0.0.255
access-list 110 deny ip any any log
interface e0/0
ip access-group 110 in
end
With TCP intercept, the router inspects every inbound TCP connection attempt to determine whether the source address belongs to a reachable external host.
The router software first completes the connection with the client on behalf of the destination server; if that succeeds, it then opens a connection to the server on behalf of the client, and the two half-connections are joined transparently.
TCP intercept increases the load on the router, so test it thoroughly before deploying it.
Countermeasures against DoS smurf attacks
A smurf attack sends a large volume of ICMP packets to the broadcast address of a router subnet, with the source IP address spoofed to appear to belong to that subnet.
Using ACL 111 to prevent smurf attacks:
access-list 111 deny ip any host 16.2.1.255 log
access-list 111 deny ip any host 16.2.1.0 log
interface e0/0
ip access-group 111 in
end
This ACL filters all IP packets sent to the specific broadcast addresses (16.2.1.255 and 16.2.1.0).
Note: Cisco IOS 12.0 and later enable no ip directed-broadcast by default, which prevents this kind of ICMP attack, so the ACL demonstrated here is no longer required.
Filtering ICMP messages
Inbound
ICMP echo packets can be used to discover subnets and hosts in the protected network, and also to carry out DoS attacks. ICMP redirect messages can be used to alter host routing tables. Both ICMP echo and ICMP redirect messages should be blocked inbound by the router.
Filtering inbound ICMP messages
Example:
access-list 112 deny icmp any any echo log
access-list 112 deny icmp any any redirect log
access-list 112 deny icmp any any mask-request log
access-list 112 permit icmp any 16.2.1.0 0.0.0.255
interface e0/0
ip access-group 112 in
end
ACL 112 also blocks mask-request messages, while all other ICMP messages destined for the 16.2.1.0/24 network are permitted.
Outbound:
The following ICMP messages are used for network management and should be permitted outbound:
echo                 lets users ping external hosts
parameter problem    informs a host of problems in a packet header
packet too big       required for MTU discovery
source quench        throttles traffic when necessary
As a rule, all other ICMP messages should be blocked outbound.
Example ACL 114:
access-list 114 permit icmp 16.2.1.0 0.0.0.255 any echo
access-list 114 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
access-list 114 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
access-list 114 permit icmp 16.2.1.0 0.0.0.255 any source-quench
access-list 114 deny icmp any any log
interface e0/1
ip access-group 114 in
end
Traceroute
As a rule, all inbound and outbound traceroute UDP traffic should be blocked. Traceroute uses UDP ports 33400-34400.
access-list 120 deny udp any any range 33400 34400 log
interface e0/0
ip access-group 120 in
end
access-list 121 permit udp 16.2.1.0 0.0.0.255 any range 33400 34400 log
interface e0/1
ip access-group 121 in
end
DDoS countermeasures
A router cannot stop every DDoS attack, but ACLs that filter known attack ports help reduce the volume of such attacks.
Known DDoS agents:
1. TRIN00
2. Stacheldraht
3. Trinity V3
4. SubSeven
Ports to block for TRIN00: TCP 1524, TCP 27665, UDP 31335, UDP 27444
Example:
access-list 190 deny tcp any any eq 1524 log
access-list 190 deny tcp any any eq 27665 log
access-list 190 deny udp any any eq 31335 log
access-list 190 deny udp any any eq 27444 log
Ports to block for Stacheldraht: TCP 16660, TCP 65000
Example:
access-list 190 deny tcp any any eq 16660 log
access-list 190 deny tcp any any eq 65000 log
To prevent attackers from setting up a backdoor on a system, ICMP echo requests and ICMP echo replies should also be filtered, with the following commands:
access-list 190 deny icmp any any echo
access-list 190 deny icmp any any echo-reply
Note: blocking these ICMP message types affects the use of the ping command.
Ports to block for Trinity V3: TCP 33270, TCP 39168
Example:
access-list 190 deny tcp any any eq 33270 log
access-list 190 deny tcp any any eq 39168 log
Ports to block for SubSeven: TCP 6711-6712, TCP 6776, TCP 6669, TCP 2222, TCP 7000
Example:
access-list 190 deny tcp any any range 6711 6712 log
access-list 190 deny tcp any any eq 6776 log
access-list 190 deny tcp any any eq 6669 log
access-list 190 deny tcp any any eq 2222 log
access-list 190 deny tcp any any eq 7000 log

Reference network: router configuration example
hostname R2
interface ethernet0/0
ip address 16.1.1.2 255.255.0.0
ip access-group 126 in
interface ethernet0/1
ip address 16.2.1.1 255.255.255.0
ip access-group 128 in
router ospf 44
network 16.1.0.0 0.0.255.255 area 0
network 16.2.1.0 0.0.0.255 area 1
!access list 80 applies to snmp hosts allowed to access this router
no access-list 80
access-list 80 permit host 16.2.1.2
access-list 80 permit host 16.2.1.3
!access list 126 applies to traffic flowing from external networks to the internal network or to the router itself
no access-list 126
access-list 126 deny ip 16.2.1.0 0.0.0.255 any log
access-list 126 deny ip host 16.1.1.2 host 16.1.1.2 log
access-list 126 deny ip 127.0.0.0 0.255.255.255 any log
access-list 126 deny ip 0.0.0.0 0.255.255.255 any log
access-list 126 deny ip 10.0.0.0 0.255.255.255 any log
access-list 126 deny ip 172.16.0.0 0.15.255.255 any log
access-list 126 deny ip 192.168.0.0 0.0.255.255 any log
access-list 126 deny ip 224.0.0.0 15.255.255.255 any log
access-list 126 deny ip any host 16.2.1.255 log
access-list 126 deny ip any host 16.2.1.0 log
access-list 126 permit tcp any 16.2.1.0 0.0.0.255 established
access-list 126 deny icmp any any echo log
access-list 126 deny icmp any any redirect log
access-list 126 deny icmp any any mask-request log
access-list 126 permit icmp any 16.2.1.0 0.0.0.255
access-list 126 permit ospf 16.1.0.0 0.0.255.255 host 16.1.1.2
access-list 126 deny tcp any any range 6000 6063 log
access-list 126 deny tcp any any eq 6667 log
access-list 126 deny tcp any any range 12345 12345 log
access-list 126 deny tcp any any eq 31337 log
access-list 126 permit tcp any eq 20 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny udp any any eq 2049 log
access-list 126 deny udp any any eq 31337 log
access-list 126 deny udp any any range 33400 34400 log
access-list 126 permit udp any eq 53 16.2.1.0 0.0.0.255 gt 1023
access-list 126 deny tcp any range 0 65535 any range 0 65535 log
access-list 126 deny udp any range 0 65535 any range 0 65535 log
access-list 126 deny ip any any log
!access list 128 applies to traffic flowing from the internal network to external network or to the router itself
no access-list 128
access-list 128 deny ip host 16.2.1.1 any log
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any echo
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any parameter-problem
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any packet-too-big
access-list 128 permit icmp 16.2.1.0 0.0.0.255 any source-quench
access-list 128 deny tcp any any range 1 19 log
access-list 128 deny tcp any any eq 43 log
access-list 128 deny tcp any any eq 93 log
access-list 128 deny tcp any any range 135 139 log
access-list 128 deny tcp any any eq 445 log
access-list 128 deny tcp any any range 512 518 log
access-list 128 deny tcp any any eq 540 log
access-list 128 permit tcp 16.2.1.0 0.0.0.255 gt 1023 any lt 1024
access-list 128 permit tcp 16.2.1.0 0.0.0.255 gt 1023 any eq 53
access-list 128 permit tcp 16.2.1.0 0.0.0.255 any range 33400 34400 log
access-list 128 deny tcp any range 0 65535 any range 0 65535 log
access-list 128 deny udp any range 0 65535 any range 0 65535 log
access-list 128 deny ip any any log
!access list 85 applies to remote access for the specified hosts to the router itself
!(standard ACL: numbers 1-99 take source addresses only, and access-class matches on source)
no access-list 85
access-list 85 permit host 16.2.1.10 log
access-list 85 permit host 16.2.1.11 log
access-list 85 permit host 16.2.1.12 log
access-list 85 deny any log
line vty 0 4
access-class 85 in
snmp-server community snmp-host1 ro 80