1 modify the default password!
According
to the survey, 80% breach
ws-c3750x-24t-e of security incidents were caused
by weak password.The network has the most extensive default router password list. You can be sure of in some places, someone will know your birthday. SecurityStats.com website maintenance, adetailed list of available / unavailable password, a password and reliability
test.
2 IP directed broadcast (IP Directed Broadcast)
Your server is very obedient. Let it do what it can do, and no
matter who issued
instructions.The Smurf attack is a denial
of service attack. In this
attack, an attacker using a source address spoofing to network broadcast address to send you a "ICMP echo" request. This requires responded to the broadcast request all hosts. This will
at least reduce the performance of your network.
Reference the router information file you, know how to close the IP direct broadcast. For example, "Central (config) #no IP source-route this directive" will IP
directed broadcastaddress Cisco router.
3 if possible, shut down the router HTTP settings
As the Cisco technical note briefly explains, identification protocol used by HTTP is equivalent to the entire network to send a non encrypted password. However, unfortunately,the HTTP protocol is not a valid provisions for verification or one-time
password password.
Although
this is not encrypted passwords for you from a remote location (such as home) to set your router may be very convenient, but, you can do things others can still be. Especially
if you are using the default password! If you
have remote management router, you mustensure that the use of SNMPv3 and above version of the protocol, because it supports morestrict password.
4 block ICMP Ping request
The main
purpose of Ping is currently
being used by the host recognition. Therefore, Ping is usually used before the cooperative attack larger reconnaissance activities. By eliminating the response ability of the remote user receives Ping requests, you can easily avoid thescanning activity neglected or defense for those looking for easy targets for "script kiddies"(script kiddies).
5 to
prevent the IP source address spoofing
In the
Cisco router, we can use the following two methods:
A at the boundary of the network, the implementation of IP source address spoofing filtering
Stop one of the most simple and effective method for IP source address spoofing is by using the inward at the border router access list, limit the packet network in downstream is inallowable address range, is not in the allowed range of data will be deleted. At the same time,in order to trace the attacker, you can use the log record is deleted data.
B, the use of reverse address to send
Use access
control lists to do IP restriction in the lower reaches of the entrance, is the IP address based on the downstream section. But in the upstream of the entrance, into the dataIP address range is sometimes difficult to determine. In the
scope of the filter can not be
determined, a feasible method is the use of reverse address to send (Unicast Reverse PathForwarding).
Reverse
address transmission is a new
version of the IOS Cisco router properties provide,referred to as uRPF.
The work
principle of uRPF is: when a
router receives a packet in an
interface, it will search for CEF (Cisco Express Forward) list, verify the existence of the receiving
interface between the source address in the specified routing, namely reverse lookup path, verify itsauthenticity, if there
is no such the path passes the packet to delete.
Compared to the access control list, uRPF has many advantages, such as: spend less CPU resource, can adapt to the dynamic change of router routing table (because the CEF tablewill follow the dynamic routing table and update), so less maintenance, less influence
on the performance of router.
URPF is
based on the interface
configuration, configuration
commands are as follows:
IP CEF (config) #
(config-if) IP verify unicast reverse-path #
Note: the implementation of uRPF, CEF must
be a global open WS-C2960S-24TD-L , and is enabled in theconfiguration interface.