首页 > 学院 > 网络通信 > 正文

CISCO 防御冲击波方法

2019-11-05 00:09:24
字体:
来源:转载
供稿:网友

  ! --- block TFTP
  
  access-list 115 deny udp any any eq 69
  
  ! --- block W32.Blaster related PRotocols
  
  access-list 115 deny tcp any any eq 135
  access-list 115 deny udp any any eq 135
  
  ! --- block other vulnerable MS protocols
  
  access-list 115 deny udp any any eq 137
  access-list 115 deny udp any any eq 138
  access-list 115 deny tcp any any eq 139
  access-list 115 deny udp any any eq 139
  access-list 115 deny tcp any any eq 445
  access-list 115 deny tcp any any eq 593
  
  ! --- block remote access due to W32.Blaster
  
  access-list 115 deny tcp any any eq 4444
  
  ! --- Allow all other traffic -- insert
  ! --- other existing access-list entries here
  
  access-list 115 permit ip any any
  
  interface
  
  ip access-group 115 in
  ip access-group 115 out
  
  另外,阻止非法地址的命令是:
  
  Router(config)# interface
  Router(if-config)# no ip unreachables
  
  假如此命令不能禁止,可参考下面这个命令:
  
  Elab(config)# ip icmp rate-limit unreachable
  VACL on the CatOS
  
  ! --- block TFTP
  set security acl ip BLASTER deny udp any any eq 69
  
  ! --- block vulnerable MS protocols
  ! --- Blaster related
  set security acl ip BLASTER deny tcp any any eq 135
  set security acl ip BLASTER deny udp any any eq 135
  
  ! --- Non-blaster related
  
  set security acl ip BLASTER deny tcp any any eq 137
  set security acl ip BLASTER deny udp any any eq 137
  set security acl ip BLASTER deny tcp any any eq 138
  set security acl ip BLASTER deny udp any any eq 138
  set security acl ip BLASTER deny tcp any any eq 139
  set security acl ip BLASTER deny udp any any eq 139
  set security acl ip BLASTER deny tcp any any eq 593
  
  ! --- block remote access due to W32.Blaster
  
  set security acl ip BLASTER deny tcp any any eq 4444
  
  ! --- Allow all other traffic
  ! --- insert other existing access-list entries here
  
  set security acl ip BLASTER permit any any
  
  ! -- applies both inbound and outbound
  
  commit security acl BLASTER
  set security acl map BLASTER
  PIX
  
  access-list acl_inside deny udp any any eq 69
  access-list acl_inside deny tcp any any eq 135
  access-list acl_inside deny udp any any eq 135
  access-list acl_inside deny tcp any any eq 137
  access-list acl_inside deny udp any any eq 137
  access-list acl_inside deny tcp any any eq 138
  access-list acl_inside deny udp any any eq 138
  access-list acl_inside deny tcp any any eq 139
  access-list acl_inside deny udp any any eq 139
  access-list acl_inside deny tcp any any eq 445
  access-list acl_inside deny tcp any any eq 593
  access-list acl_inside deny tcp any any eq 4444
  !
--- insert previously configured acl statements here,
  ! --- or permit all other traffic out
  
  access-list acl_inside permit ip any any
  
  access-group acl_inside in interface inside

发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表