1. Disable ICMP redirects
ICMP redirects are enabled by default; disable them under the interface:

    XZ-TSXQ-R-AC7750-01>config>service>ies>if# icmp no redirects

2. Junk traffic filtering
The commands in red are those newly added to the existing filter:

    XZ-TSXQ-R-AC7750-01>config>filter>ip-filter# ip-filter 101 create
        default-action forward
        description "virus-filter-ingress"
        entry 1 create
            match protocol tcp
                dst-port eq 135
            exit
            action drop
        exit
        entry 2 create
            match protocol tcp
                dst-port eq 137
            exit
            action drop
        exit
        entry 3 create
            match protocol tcp
                dst-port eq 138
            exit
            action drop
        exit
        entry 4 create
            match protocol tcp
                dst-port eq 139
            exit
            action drop
        exit
        entry 5 create
            match protocol tcp
                dst-port eq 445
            exit
            action drop
        exit
        entry 6 create
            match protocol tcp
                dst-port eq 5554
            exit
            action drop
        exit
        entry 7 create
            match protocol tcp
                dst-port eq 901
            exit
            action drop
        exit
        entry 8 create
            match protocol tcp
                dst-port eq 2745
            exit
            action drop
        exit
        entry 9 create
            match protocol tcp
                dst-port eq 3127
            exit
            action drop
        exit
        entry 10 create
            match protocol tcp
                dst-port eq 3128
            exit
            action drop
        exit
        entry 11 create
            match protocol tcp
                dst-port eq 6129
            exit
            action drop
        exit
        entry 12 create
            match protocol tcp
                dst-port eq 6667
            exit
            action drop
        exit
        entry 13 create
            match protocol tcp
                dst-port eq 4444
            exit
            action drop
        exit
        entry 14 create
            match protocol tcp
                dst-port eq 1025
            exit
            action drop
        exit
        entry 15 create
            match protocol tcp
                dst-port eq 593
            exit
            action drop
        exit
        entry 16 create
            match protocol udp
                dst-port eq 135
            exit
            action drop
        exit
        entry 17 create
            match protocol udp
                dst-port eq 137
            exit
            action drop
        exit
        entry 18 create
            match protocol udp
                dst-port eq 138
            exit
            action drop
        exit
        entry 19 create
            match protocol udp
                dst-port eq 445
            exit
            action drop
        exit
        entry 20 create
            match protocol udp
                dst-port eq 9995
            exit
            action drop
        exit
        entry 21 create
            match protocol udp
                dst-port eq 9996
            exit
            action drop
        exit
        entry 22 create
            match protocol udp
                dst-port eq 1434
            exit
            action drop
        exit
        entry 23 create
            match protocol udp
                dst-port eq 136
            exit
            action drop
        exit
        entry 24 create
            match protocol udp
                dst-port eq 139
            exit
            action drop
        exit
        entry 25 create
            match
                src-ip 127.0.0.0/8
            exit
            action drop
        exit
        entry 26 create
            match
                src-ip 192.168.0.0/16
            exit
            action drop
        exit
        entry 27 create
            match
                src-ip 172.16.0.0/12
            exit
            action drop
        exit
        entry 29 create
            match
                src-ip 169.254.0.0/16
            exit
            action drop
        exit
        entry 30 create
            match
                src-ip 224.0.0.0/5
            exit
            action drop
        exit
        entry 31 create
            match protocol icmp
                fragment true
            exit
            action drop
        exit
    exit
    exit

Apply the filter inbound on the SR downstream sub-interface:

    XZ-TSXQ-R-AC7750-01>config>service>ies>if>sap# ingress filter ip 101

3. Enable uRPF on sub-interfaces
Not supported on the Alcatel 7750.

5. Disable unused services
The 7750 does not support Bootp, CDP, DNS lookup, HTTP, or the small TCP/UDP services. DHCP is disabled by default; check it under the VPRN interface:

    A:XZ-TSXQ-R-AC7750-01>config>service>vprn# interface To_TSYanCao
    A:XZ-TSXQ-R-AC7750-01>config>service>vprn>if>dhcp# info
        shutdown

6. Check remote access

    XZ-TSXQ-R-AC7750-01>config>system>security#
    system
        security
            telnet-server
            management-access-filter
                default-action permit
                entry 10
                    src-ip 61.147.6.168/30
                    dst-port 20 65532
                    action permit
                exit
                entry 20
                    src-ip 61.147.25.248/30
                    dst-port 20 65532
                    action permit
                exit
                entry 30
                    src-ip 61.147.6.172/30
                    dst-port 20 65532
                    action permit
                exit
                entry 40
                    src-ip 61.147.25.252/30
                    dst-port 20 65532
                    action permit
                exit
                entry 50
                    src-ip 222.187.98.0/26
                    dst-port 20 65532
                    action permit
                exit
                entry 60
                    src-ip 10.186.30.252/32
                    dst-port 20 65532
                    action permit
                exit
                entry 100
                    dst-port 20 65532
                    action deny
                exit
            exit

7. SNMP security configuration
Access policy:

    XZ-TSXQ-R-AC7750-01>config>system>security>mgmt-access-filter# entry 110
        src-ip 10.186.33.3/32
        protocol 17
        dst-port 161 65535
        action permit
    exit
    entry 120
        src-ip 221.229.238.248/29
        protocol 17
        dst-port 161 65535
        action permit
    exit
    entry 130
        src-ip 222.187.98.25/32
        protocol 17
        dst-port 161 65535
        action permit
    exit

Check the SNMP read community strings:

    snmp
        community "xzcore" rwa version both
        community "xzpower" rwa version v2c

8. NetStream deployment
Not enabled.

9. Check NTP deployment

    A:XZ-TSXQ-R-AC7750-01>config>system>time# info
        ntp
            server 202.102.15.164 version 3 prefer
            server 202.102.15.166 version 3
            no shutdown
        exit
        sntp
            shutdown
        exit
        zone BEIJ 08
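The management-access-filter entries in items 6 and 7 use the 7750 SR port/mask form (`dst-port 20 65532`, `dst-port 161 65535`), which is easy to misread when auditing. The Python below is an added example, not part of this checklist or any vendor tool: it expands each entry into the ports it actually matches and lists SNMP communities that grant write access. It assumes the platform matches when `(packet_port & mask) == (entry_port & mask)` and that entries are evaluated in ascending entry-id order; the two sample configs are constructed to mirror the shape of the page's entries, with documentation-range addresses instead of the production prefixes.

```python
"""Added example (not from the original checklist): decode 7750 SR
management-access-filter port/mask entries and flag write-capable SNMP
communities. Assumption: an entry matches when
(packet_port & mask) == (entry_port & mask); zero bits in the mask are wildcards.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of the page's management-access-filter
# (addresses are documentation-range placeholders, not the page's prefixes).
MAF_SAMPLE = """\
management-access-filter
    default-action permit
    entry 10
        src-ip 192.0.2.168/30
        dst-port 20 65532
        action permit
    exit
    entry 110
        src-ip 198.51.100.3/32
        protocol 17
        dst-port 161 65535
        action permit
    exit
    entry 100
        dst-port 20 65532
        action deny
    exit
exit
"""

# Constructed sample in the shape of the page's snmp block (no hash keyword).
SNMP_SAMPLE = """\
snmp
    community "monitor-ro" r version v2c
    community "core-admin" rwa version both
exit
"""


def ports_matching(port: int, mask: int) -> list[int]:
    """All 16-bit ports p with (p & mask) == (port & mask)."""
    base = port & mask
    free_bits = [b for b in range(16) if not (mask >> b) & 1]
    ports = []
    for combo in range(1 << len(free_bits)):
        p = base
        for i, b in enumerate(free_bits):
            if (combo >> i) & 1:
                p |= 1 << b
        ports.append(p)
    return sorted(ports)


@dataclass
class Entry:
    number: int
    src_ip: str | None = None                # None: any source
    protocol: str | None = None              # None: any IP protocol
    dst_port: tuple[int, int] | None = None  # (port, mask); None: any port
    action: str | None = None


def parse_maf(text: str) -> tuple[str | None, list[Entry]]:
    """Minimal line parser for a management-access-filter 'info' listing."""
    default_action, entries, cur = None, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "default-action":
            default_action = tok[1]
        elif tok[0] == "entry":
            cur = Entry(int(tok[1]))
            entries.append(cur)
        elif tok[0] == "exit":
            cur = None
        elif cur is not None:
            if tok[0] == "src-ip":
                cur.src_ip = tok[1]
            elif tok[0] == "protocol":
                cur.protocol = tok[1]
            elif tok[0] == "dst-port":
                mask = int(tok[2]) if len(tok) > 2 else 0xFFFF  # no mask: exact port
                cur.dst_port = (int(tok[1]), mask)
            elif tok[0] == "action":
                cur.action = tok[1]
    return default_action, entries


def expand_maf(text: str) -> list[dict]:
    """Entries in evaluation (entry-id) order with port masks expanded."""
    _, entries = parse_maf(text)
    return [
        {
            "entry": e.number,
            "src_ip": e.src_ip or "any",
            "protocol": e.protocol or "any",
            "ports": ports_matching(*e.dst_port) if e.dst_port else "any",
            "action": e.action,
        }
        for e in sorted(entries, key=lambda e: e.number)
    ]


def write_capable_communities(text: str) -> list[tuple[str, str, str]]:
    """(community, access, version) for communities configured rw or rwa."""
    pat = re.compile(r'community\s+"([^"]+)"\s+(\S+)\s+version\s+(\S+)')
    return [m.groups() for m in pat.finditer(text) if m.group(2) in ("rw", "rwa")]


if __name__ == "__main__":
    print("default-action:", parse_maf(MAF_SAMPLE)[0])
    for row in expand_maf(MAF_SAMPLE):
        print(row)
    for name, access, version in write_capable_communities(SNMP_SAMPLE):
        print(f'community "{name}": {access} access, SNMP version {version}')
```

Run stand-alone, it shows that `dst-port 20 65532` matches ports 20 through 23 (FTP-data, FTP, SSH, Telnet) and `dst-port 161 65535` matches only SNMP. It also makes the gap in the page's filter visible: with `default-action permit`, entries 110-130 permit SNMP from the listed managers but nothing denies UDP 161 from other sources, so a trailing deny entry for port 161 is what actually restricts SNMP to those managers; and communities configured `rwa` over v1/v2c carry write access with no authentication beyond the community string.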