1. Disable unused services

Note: these notes mix Huawei VRP and H3C Comware syntax, and the http/https lines below do not match either platform's documented form exactly (Huawei uses "undo http server enable" / "undo http secure-server enable", H3C uses "undo ip http enable" / "undo ip https enable"). Check each command with "?" on the target platform before pasting.

undo dhcp enable
undo ip http server enable
undo ip https server enable
undo ndp
undo ftp server enable #the original "undo ftp server port" only resets the FTP listening port to its default and leaves the FTP server running
undo tftp client-source #only clears the TFTP client source binding

2. Set a login banner

header login information % %
header shell information % %
#the banner text goes between the two % delimiters; "login" is displayed before authentication, "shell" after a successful login

3. Create an SSH user, create an ACL restricting the source addresses allowed to log in, and apply them under the VTY user interfaces and the console port

aaa
local-user * password cipher * #username and password; "*" is a placeholder throughout these notes
local-user * privilege level 15
local-user * service-type terminal ssh

ssh server enable (or stelnet server enable, depending on the platform)
ssh user * authentication-type password
rsa local-key-pair create #generate the server's RSA host key pair

acl number 3500
rule 0 permit ip source ** #management subnet allowed to log in
rule 5 permit ip source ** 0 #single management host (wildcard 0)
rule 10 permit ip source ** 0
rule 20 deny ip #explicit deny for every other source

user-interface vty 0 15
undo set authentication password
authentication-mode aaa
user privilege level 3
idle-timeout 5 0 #drop idle sessions after 5 minutes
protocol inbound ssh #ssh only, no telnet
acl 3500 inbound

user-interface aux 0 #apply the same under user-interface console 0 on platforms where the local port is the console rather than aux
authentication-mode aaa
idle-timeout 5 0

After the account has been created, log in over SSH with the new account (this confirms a working login before the old account is removed) and then:
undo telnet server enable #disable telnet
aaa
undo local-user admin #remove the original account
undo ssh user admin #remove the original SSH user
4. Clock
clock timezone beijing add 08:00:00
5. Logging

display logbuffer #just confirm that log entries are present in the buffer

6. Network management parameters
snmp-agent trap source LoopBack0 //the trap source interface's IP address must be routable to the trap host
snmp-agent trap enable
7. Shut down unused ports
For example:
interface GigabitEthernet1/0/1
shutdown

After hardening, save the configuration: save
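The checklist above is easy to apply by hand on one box and easy to miss on the fiftieth. The script below is an added example (not from the original post) that audits a saved "display current-configuration" dump offline against steps 1 to 7: telnet disabled, SSH enabled, banner and timezone set, VTY lines restricted to SSH with an inbound ACL that ends in an explicit deny, idle-timeout on every line, no local user left with a telnet service type, and interfaces that are neither shut down nor described flagged for review. SAMPLE_CONFIG is a constructed excerpt; the device, user and interface names in it are invented, and the function and constant names are my own.

```python
"""Offline audit of a Huawei VRP / H3C Comware config dump against the checklist
above (example added for this page, not the original author's code)."""
import re

# Constructed 'display current-configuration' excerpt; names are invented.
SAMPLE_CONFIG = """\
#
 header login information "Authorized access only"
 clock timezone beijing add 08:00:00
 undo telnet server enable
 ssh server enable
#
acl number 3500
 rule 0 permit ip source 10.1.0.0 0.0.255.255
 rule 5 permit ip source 192.168.10.5 0
 rule 20 deny ip
#
aaa
 local-user netops password irreversible-cipher REDACTED
 local-user netops privilege level 15
 local-user netops service-type terminal ssh
#
interface GigabitEthernet1/0/1
 shutdown
#
interface GigabitEthernet1/0/2
 description uplink to CORE-SW2
#
interface GigabitEthernet1/0/3
#
user-interface vty 0 15
 authentication-mode aaa
 user privilege level 3
 idle-timeout 5 0
 protocol inbound ssh
 acl 3500 inbound
#
user-interface aux 0
 authentication-mode aaa
#
"""

GLOBAL_CHECKS = (
    ("undo telnet server enable", "telnet: server not explicitly disabled"),
    ("header login information", "banner: no login header configured"),
    ("clock timezone", "clock: timezone not set"),
)


def parse_sections(config_text):
    """Split the dump into (header, body_lines) blocks delimited by '#' lines."""
    blocks = [b.strip().splitlines() for b in re.split(r"\n\s*#\s*\n", "\n" + config_text)]
    return [(b[0].strip(), [l.strip() for l in b[1:] if l.strip()]) for b in blocks if b]


def check_user_interface(header, body, acls, findings, remote):
    """Checks for VTY lines (remote=True) and console/AUX lines (remote=False)."""
    if "authentication-mode aaa" not in body:
        findings.append(f"{header}: authentication-mode is not aaa")
    timeout = next((l for l in body if l.startswith("idle-timeout")), None)
    if timeout is None:
        findings.append(f"{header}: idle-timeout not set")
    elif timeout.split()[1:3] == ["0", "0"]:
        findings.append(f"{header}: idle-timeout 0 0 disables the timeout")
    if not remote:
        return
    if "protocol inbound ssh" not in body:
        findings.append(f"{header}: protocol inbound not restricted to ssh")
    acl_line = next((l for l in body if re.match(r"acl \d+ inbound$", l)), None)
    if acl_line is None:
        findings.append(f"{header}: no inbound ACL")
    elif not any(re.match(r"rule \d+ deny ip$", r) for r in acls.get(acl_line.split()[1], [])):
        findings.append(f"{header}: ACL {acl_line.split()[1]} is missing or lacks a final 'deny ip' rule")


def audit(config_text):
    """Return human-readable findings; an empty list means every check passed."""
    sections = parse_sections(config_text)
    flat = [l for header, body in sections for l in [header] + body]
    acls = {h.split()[2]: body for h, body in sections if re.match(r"acl number \d+$", h)}
    findings = [msg for prefix, msg in GLOBAL_CHECKS if not any(l.startswith(prefix) for l in flat)]
    if not any(l.startswith(("ssh server enable", "stelnet server enable")) for l in flat):
        findings.append("ssh: server not enabled")
    for header, body in sections:
        if header == "aaa":
            for line in body:
                m = re.match(r"local-user (\S+) service-type (.+)", line)
                if m and "telnet" in m.group(2).split():
                    findings.append(f"aaa: user {m.group(1)} still allows telnet")
        elif header.startswith("user-interface vty"):
            check_user_interface(header, body, acls, findings, remote=True)
        elif header.startswith(("user-interface aux", "user-interface con")):
            check_user_interface(header, body, acls, findings, remote=False)
        elif header.startswith("interface ") and "shutdown" not in body \
                and not any(l.startswith("description") for l in body):
            findings.append(f"{header}: up with no description, review whether it is in use")
    return findings
```

On the sample, audit(SAMPLE_CONFIG) returns two findings: the aux line has no idle-timeout, and GigabitEthernet1/0/3 is up with no description. Feed it a real dump read from a file to check a fleet; the interface check is only a review hint, since a config dump cannot tell an unused port from a port that is simply undocumented.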
