Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • Instructions - Hardening

    Загружено:

    Bev Garcia
    31 просмотров4 страницы
    AOS

    Авторское право

    © © All Rights Reserved

    Доступные форматы

    TXT, PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    AOS

    Авторское право:

    © All Rights Reserved
    Скачайте в формате TXT, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    31 просмотров4 страницы

    Instructions - Hardening

    Загружено:

    Bev Garcia
    AOS

    Авторское право:

    © All Rights Reserved
    Скачайте в формате TXT, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 4

    //NTP

    ntp client enable


    ntp server <IP_Address>

    show ntp status


    show ntp server status

    Snipp- save "Hardening", "1h" ntp

    //AAA
    aaa radius-server NPS01 host 10.208.1.31 key FM1040
    aaa authentication http NPS01 local
    aaa accounting vlan NPS01 local

    //VTY Transport SSH


    no ip service telnet
    no aaa authentication telnet
    ssh enable
    ip service ssh
    aaa authentication ssh NPS01 local

    show aaa server


    show aaa accounting
    show aaa authentication

    Snipp- save "Hardening", "2h" aaa

    //Appropriate banners shall be configured during login or for message of the day
    (MOTD)
    "Two steps are rquired to change the login banner. These steps are listed here:
    � Create a text file that contains the banner you want to display in the
    switch�s /flash/switch directory.
    � Enable the text file by entering the session banner CLI command followed by the
    filename.
    To create the text file containing the banner text, you may use the vi text editor
    in the switch. This
    method allows you to create the file in the /flash/switch directory without leaving
    the CLI console
    session. You can also create the text file using a text editing software package
    (such as MS Wordpad) and
    transfer the file to the switch�s /flash/switch directory
    If you want the login banner in the text file to apply to FTP switch sessions,
    execute the following CLI
    command where the text filename is firstbanner.txt.
    -> session banner ftp /flash/switch/firstbanner.txt
    If you want the login banner in the text file to apply to CLI switch sessions,
    execute the following CLI
    command where the text filename is secondbanner.txt.
    -> session banner cli /flash/switch/secondbanner.txt"

    using FTP
    Snipp- save "Hardening", "3-1h" before transfer
    Snipp- save "Hardening", "3-2h" after transfer

    Command:-
    session banner cli /flash/switch/banner.txt
    session banner http /flash/switch/banner.txt
    session banner ftp /flash/switch/banner.txt
    Note:- Assuming that the banner file is banner.txt
    //Timeout for Login Sessions
    session login-timeout 240
    session timeout cli 5

    //Configure the SSH Timeout


    session timeout cli 2
    session timeout http 1
    session timeout ftp 2

    //Limit the number of SSH Authentication Retries


    session login-attempt 5

    show session config

    Snipp- save "Hardening", "4h" session

    show system

    //Clock Timezone
    system timezone zp8
    //correct the time
    system time hh:mm:ss

    //Clock Timezone with Daylight settings


    system daylight savings time enable

    //Configure the Domain Name


    ip domain-name sport.gov.sg

    show system

    Snipp- save "Hardening", "5h" verify SYS time

    //System Logging
    swlog
    swlog appid bridge level warning

    //Logging Buffer-ok
    swlog output flash file-size 128000

    //Logging to Device Console


    swlog output console

    //Logging to Syslog Server


    swlog output socket 10.208.70.22

    //Logging Trap Severity Level


    swlog appid system level warning

    show swlog

    Snipp- save "Hardening", "6h"

    //Forbid Directed Broadcast


    ip directed-broadcast off

    show ip config
    Snipp- save "Hardening", "7h"

    ===================================================================
    //create management vlan 10.232.x.224/28 -pool ////"X" is the existing pool
    ====================================================================
    Commands:-
    vlan 510 name "management"
    vlan 510 enable
    ip interface MANAGEMENT address 10.232.x.228/28 vlan 510
    vlan 510 port default <port_number> // assign vlan 510 to one interface [note down
    the interface].

    vlan 957 name "unused_vlan"


    vlan 957 port default <port number> //assign this to all unused ports.
    interface <port> admin down //after assigning a vlan to all unused port,disable
    the interface.

    eg:vlan 957 port default 1/6


    interface 1/6 admin down

    show ip interface

    Snipp- save "Hardening", "8-1h"

    show vlan port

    Snipp- save "Hardening", "8-2h"

    password
    switch
    HCL@dm1n
    HCL@dm1n

    Snipp- save "Hardening", "9h"

    ======================================================================
    write memory
    copy working certified

    show configuration snapshot

    Snipp- save "Hardening", "10-1h, 10-2h, 10-3h"

    test FTP/HTTP/Telnet/SSH and Console with Mngt IP

    Snipp- save "Final Test", "Console/FTP/HTTP/SSH and Telnet and FTP Mngt/HTTP
    Mngt/SSH and Telnet Mngt"

    Notes:-
    note down the unused interfaces.
    note down in which interface the management vlan is assigned by you.
    collect all logs.
    collect screenshots.

    you may encounter "Low Flash Memory Issue" hence after updating AOS Delete 2 files
    inside "Working directory"

    Check your boot.cfg to see if all configs are set on the router before backup and
    doing certify. Screenshot needed as well.
    you need to have 4 backup copies of boot.cfg
    Boot1 : before AOS update
    Boot2 : after AOS update
    Boot3 : after hardening
    Final : copy form certified folder

    Вам также может понравиться