Huawei Switch Hardening
1. Disable unused services
undo dhcp enable
undo ip http server enable
undo ip https server enable
undo ndp
undo ftp server port
undo tftp client-source
2. Configure login banners
header login information % %
header shell information % %
3. No default route
Remove the default route and configure specific routes instead:
undo ip route-static 0.0.0.0 0.0.0.0 *
ip route-static X.X.0.0 255.255.0.0 **
ip route-static X.0.0.0 255.0.0.0
4. Create an SSH user, create a source-restriction login ACL, apply the ACL bound to that user under the user interface, and configure the console port
aaa
local-user * password cipher *
local-user * privilege level 15
local-user * service-type terminal ssh
ssh server enable  (or stelnet server enable)
ssh user * authentication-type password
rsa local-key-pair create
acl number 3500
rule 5 permit ip source ** 0
rule 20 deny ip
ssh server acl 3500  # apply the ACL here, or under the user interface instead
user-interface vty 0 15
undo set authentication password
authentication-mode aaa
user privilege level 3
idle-timeout 5 0
protocol inbound ssh
acl 3500 inbound
user-interface aux 0
authentication-mode aaa
idle-timeout 5 0
After the account is created, log in via SSH and then:
undo telnet server enable  # disable Telnet
aaa
undo local-user admin  # remove the original account
undo ssh user admin  # remove the original SSH user
5. Logging:
display logbuffer  # confirm that log entries exist in the buffer
6. Clock
ntp-service unicast-server ** source-interface Vlanif 10/20
undo ntp-service server disable
clock timezone beijing add 08:00:00
7. Service access control list
acl number 3000  (the detailed rules follow the refined access control list; ACLs differ from site to site)
Once the service ACL is created, apply it to the service interfaces of the site switch (do not apply it to the switch's uplink interconnect interface).
Example:
interface GigabitEthernet1/0/1
packet-filter 3000 inbound
8. Shut down unused ports
Example:
interface GigabitEthernet1/0/1
shutdown
After hardening is complete, save the configuration: save
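As an added example (not part of the original checklist), the following Python script audits a saved Huawei VRP configuration against the items above: Telnet disabled, SSH enabled, no default route, AAA authentication, SSH-only access and an idle timeout on the VTY lines, a login ACL, and NTP. The sample configuration, the addresses in it and the check names are constructed for illustration.

```python
import re

# Constructed sample in "display current-configuration" layout (not from a real device):
# indented lines belong to the view opened by the unindented line above them.
# A default route is left in deliberately so that one check fails.
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 192.0.2.1
undo telnet server enable
stelnet server enable
ssh server acl 3500
user-interface vty 0 15
 authentication-mode aaa
 idle-timeout 5 0
 protocol inbound ssh
 acl 3500 inbound
ntp-service unicast-server 192.0.2.20 source-interface Vlanif 10
"""


def parse_views(config: str) -> dict[str, list[str]]:
    """Group indented lines under the preceding view line; key '' holds global commands."""
    views: dict[str, list[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue  # blank lines and '#' separators carry no configuration
        if raw.startswith(" "):
            views[current].append(raw.strip())
        else:
            current = raw.strip()
            views.setdefault(current, [])
            views[""].append(current)
    return views


def audit(config: str) -> dict[str, bool]:
    """Evaluate the checklist items above; True means the item is compliant."""
    v = parse_views(config)
    glob = v[""]
    vty = [l for k, ls in v.items() if k.startswith("user-interface vty") for l in ls]

    def has(lines: list[str], pat: str) -> bool:
        return any(re.match(pat, l) for l in lines)

    return {
        "telnet_disabled": "undo telnet server enable" in glob,
        "ssh_server_enabled": has(glob, r"(ssh|stelnet) server enable$"),
        "no_default_route": not has(glob, r"ip route-static 0\.0\.0\.0 (0|0\.0\.0\.0)\b"),
        "vty_aaa_auth": "authentication-mode aaa" in vty,
        "vty_ssh_only": "protocol inbound ssh" in vty,
        "vty_idle_timeout": has(vty, r"idle-timeout (?!0 0$)\d+ \d+$"),  # "0 0" disables it
        "login_acl_applied": has(vty, r"acl \d+ inbound$") or has(glob, r"ssh server acl \d+$"),
        "ntp_configured": has(glob, r"ntp-service unicast-server "),
    }
```

Run audit() on the output of display current-configuration saved to a file; each False entry is a checklist item still open on that switch.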