几个安全方面的TCP小服务常识
在R2上开TCP的小服务R2(config)#service tcp-small-servers 在R1上telnet R2R1#telnet 12.1.1.2 echoTrying 12.1.1.2, 7 ... Open111111111111断开方法,ctrl shift 6 + X就可以断开回来了。然后在输入如下命令:R1#disconnect Closing connection to 12.1.1.2 R1#telnet 12.1.1.2 chargen Trying 12.1.1.2, 19 ... Open !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk在R2上断开的方法:R2#show tcp brief TCB Local Address Foreign Address (state)6746C2E8 12.1.1.2.19 12.1.1.1.23177 ESTABR2#show tcp brief TCB Local Address Foreign Address (state)6746C2E8 12.1.1.2.19 12.1.1.1.23177 ESTABR2#R2#cleR2#clear tcpR2#clear tcp tcR2#clear tcp tcb 6746C2E8 断开了TCP连接,有的时候连上去不知道怎么断开,就用这个命令。 路由器全速发包的命令ping 172.16.1.1 source lo0timeout 0repeat 1000000严格模式必须从入接口学到路由ip verify unicast source reachable-via rx宽松模式必须学到明细路由但不管从哪个接口学到。ip verify unicast source reachable-via any 查数据包来的接口。10 permit ipany host 172.16.1.1 log-input (9 matches)*Jan 26 21:23:22.083: %SEC-6-IPACCESSLOGDP:list 100 permitted icmp 2.2.2.2 (Ethernet1/1 ca02.2380.001c) -> 172.16.1.1(0/0), 1 packet *Jan 26 21:23:24.043: %SEC-6-IPACCESSLOGDP:list 100 permitted icmp 2.2.2.2 (Ethernet1/1 ca02.2380.001c) -> 172.16.1.1(0/0), 1 packet Log-input是软件做的。不是实时显示,是五分钟一次显示的。这个是五分种后的。*Jan 26 21:28:58.615: %SEC-6-IPACCESSLOGDP:list 100 permitted icmp 1.1.1.1 (Ethernet1/0 ca01.266c.001c) -> 172.16.1.1(0/0), 169 packets *Jan 26 21:28:58.615: %SEC-6-IPACCESSLOGDP:list 100 permitted icmp 2.2.2.2 (Ethernet1/1 ca02.2380.001c) -> 172.16.1.1(0/0), 167 packets访问控制列表重新排序。R1#show access-lists Extended IP access list test 5permit ip host 1.1.1.1 host 2.2.2.2 6permit ip host 3.3.3.3 host 1.1.1.1 7permit ip host 4.4.4.4 host 4.4.4.4R1# R1#R1#confR1#configure tR1#configure terminal Enter configuration commands, one perline.End with CNTL/Z.R1(config)#R1(config)#R1(config)#R1(config)#R1(config)#do show access-listExtended IP access list test 5permit ip host 1.1.1.1 host 2.2.2.2 6permit ip host 3.3.3.3 host 1.1.1.1 7permit ip host 4.4.4.4 host 4.4.4.4R1(config)#ip access-list resequence test100 20 Extended IP access list test 100 permit ip host 1.1.1.1 host 2.2.2.2 120 permit ip host 3.3.3.3 host 1.1.1.1140 permit iphost 4.4.4.4 host 4.4.4.4访问控制列表从100开始,间隔10.可以使用这条命令将序列号得新排列。只有采用预共享密钥的远程拨号VPN采用的是主动模式。 Radius服务器只用密码加密,taca+对所有数据包都加密。Radius必要有KEY,但是taca+可以不打KEY.不打key就是明文传输。file:///C:/Users/win7/AppData/Local/Temp/msohtmlclip1/01/clip_image002.jpgTaca+可以支持推送提示符:file:///C:/Users/win7/AppData/Local/Temp/msohtmlclip1/01/clip_image004.jpg R1#1.1.1.1Trying 1.1.1.1 ... Open Plesase enter you username:test1Plesase enter you password:可以看到推送提示符。非26表示的就不是IETF标准。username cisco privilege 15 password 0ciscousername cisco autocommand show run远程登录上去之后输用户名和密码,一旦输入正确。就执行show run这个命令。 R1#show running-config | include priviprivilege configure all level 5 routerprivilege exec level 5 configure terminalprivilege exec level 5 configureprivilege exec level 5 show running-configprivilege exec level 5 show privilege level 15 privilege level 15R1#R1#R1#telR1#telnet 1.1.1.1Trying 1.1.1.1 ... Open Plesase enter you username:test1Plesase enter you password: R1#R1#show runR1#show running-config Building configuration... Current configuration : 132 bytes!boot-start-markerboot-end-marker!!!!!router ospf 10 log-adjacency-changes!router ospf 1 log-adjacency-changes!!end R1# 能配置什么,我们就只能看什么。 aaa authorization commands 5 default grouptacacs+ 学管用户现在在多少级别,只要它想执行五级的命令,这些这命令就会送到AAA服务器上去授权。默认情况下5级是没有任何命令的,也就是说这条命令打不打都不会受到影响。但是通过这面的这个命令,将这些个命令放到5级之后,5级便有了命令。 privilege configure all level 5 routerprivilege exec level 5 configure terminalprivilege exec level 5 configur不管用户处在多少级,只有用户执行这个级别的命令的时候才纪录。aaa accounting commands 5 defaultstart-stop group tacacs+aaa accounting commands 15 defaultstart-stop group tacacs+感谢楼主分享!
页:
[1]