
关于Extreme i设备上的一些安全的配置命令

关于Extreme i设备上的一些安全的配置命令

感谢Extreme TAC George Liang 和former-extremeist Kevin Wang


# Revision History
# 03/xx/2003 draft by Kevin Wang (kwang@extremenetworks.com)
# 08/18/2003 version 1.0.0 by George Liang (gliang@extremenetworks.com)
# 08/23/2003 version 1.0.1 by George Liang
# Added ACLs blocking "Nachi/Blaster-D/Welchia worm"
# 08/26/2003 version 1.1.0 by George Liang
# Added ACLs blocking "W32/Sobig.F Worm"
# 09/01/2003 version 1.1.1 by George Liang
# Removed ACLs "tcpport0-d-de" and "udpport0-d-de", since it will block destination port ANY
# 09/18/2003 version 1.1.2 by George Liang
# Removed ACL "udp1434-s-de", since it may block some normal traffic
# 29/01/2004 version 1.2.0 by George Liang
# Added ACLs blocking multicast destination except ospf
# 26/04/2004 version 1.3.0 by George Liang
# Added ACLs blocking "Many variants of W32/MyDoom malicious code"
# Added ACLs blocking "Many variants of W32/Beagle malicious code"
# Added ACLs blocking "Exploit for Microsoft PCT vulnerability released"
# Removed ACL "bog070-d-de"
# Added ACL "bog071-d-de"
# Removed ACL "bog083-d-de"
# Removed ACL "bog084-d-de"
# Removed ACL "bog088-d-de"
# Removed seldom used ACLs - Part 5, "bogxxx-s-de"
# Removed seldom used ACLs - original Part 6 - reserved/unassigned TCP/UDP ports (optional)
# Commented ACL "martians0-s-de"
# Commented ACL "bog000-d-de"
# 07/05/2004 version 1.3.1 by George Liang
# Added ACLs blocking "W32/Sasser"
# 13/05/2004 version 1.3.2 by George Liang
# Changed ACL "multicast-d-de" destination network mask length to 4 from 3
# Moved ACL "broadcast-d-pe" from Part 6 to Part 5, ahead of ACL "bog240-d-de"
# Modified ACL "bog240-d-de" precedence number to insert ACL "broadcast-d-pe"
# 16/06/2004 version 1.3.3 by George Liang
# Added ACLs blocking "Increased scanning of 5000/tcp, UPnP"


# Comments welcomed


# The following ACLs (Access Control Lists), in 6 parts, are recommended to apply on Extreme switches
# Users' own ACLs should be applied after these ACLs, i.e. with a larger precedence number
# You need to read the notes carefully before applying these ACLs
# Part 1 - icmp (necessary)
# Part 2 - attack (necessary)
# Part 3 - private ip addresses (necessary)
# Part 4 - invalid source ip addresses (necessary)
# Part 5 - reserved/unassigned ip addresses (optional)
# Part 6 - multicast destination except ospf (optional)


# ACL name specification
# xxxxxxxx-x-xx 3 parts
# 1st part is standard name
# 2nd part is "d" for "destination", "s" for "source", "b" for both, "n" for neither
# 3rd part is "de" for "deny", or "pe" for "permit"



# ****************************** Part 1 ******************************
# Only permit icmp packets of echo, echo reply, traceroute and need fragment, deny others
# These ACLs' precedences are within 101 ~ 200
#
# Evaluation order: the lower precedence number is matched first (that is why user
# ACLs must get larger numbers, see the notes above). These icmp permits match
# "source any" / "destination any" at 110 ~ 140, so icmp echo and echo reply to or
# from the private and martian addresses denied in Parts 3 and 4 (precedence 1600+)
# is still forwarded. Add icmp-specific deny ACLs with a precedence below 110 if
# that matters on the filtered ports.
# Type 3 code 4 ("fragmentation needed") is kept so path MTU discovery keeps working;
# every other destination-unreachable code is dropped by icmpAny-n-de.
# Type 11 code 0 (TTL exceeded in transit) is what traceroute relies on.
# Permitting echo/echo reply also permits ping sweeps - see the Nachi/Welchia note in Part 2.

create access-list icmpEcho-n-pe icmp destination any source any type 8 code 0 permit ports any precedence 110
create access-list icmpReply-n-pe icmp destination any source any type 0 code 0 permit ports any precedence 120
create access-list icmpTraceroute-n-pe icmp destination any source any type 11 code 0 permit ports any precedence 130
create access-list icmpNeedFrag-n-pe icmp destination any source any type 3 code 4 permit ports any precedence 140
create access-list icmpAny-n-de icmp destination any source any type any code any deny ports any precedence 150


# ****************************** Part 2 ******************************
# These ACLs are to block virus attack
# You need to make sure all your expected network service are not blocked by these ACLs
# These ACLs' precedence are within 1001 ~ 1500
#
# Review notes:
# - The port list comes from 2003-2004 advisories. The worms are long gone, but the ports
#   are still in everyday use (135/139/445 = Windows RPC and file sharing, 123/udp = NTP,
#   69/udp = TFTP, 6667/tcp = IRC, 5000/tcp is shared by many applications). Treat every
#   line as a policy decision for the filtered ports, not as a safe default.
# - The "-s-de" entries deny on the *source* port. Several of those ports may fall inside
#   the range a client operating system picks its source ports from, so a legitimate
#   connection that happens to start from one of them is dropped. Prefer the "-d-de"
#   (destination port) form wherever the advisory allows it.
# - Lower precedence number wins: all of these sit after the icmp rules of Part 1 and
#   before the address-based denies of Parts 3 - 6.

# SQL Slammer/MS-SQL Server Worm (http://www.cert.org/advisories/CA-2003-04.html)
# 1434/udp is also the SQL Server Browser/resolution service; legitimate clients using it are blocked too
create access-list udp1434-d-de udp destination any ip-port 1434 source any ip-port any deny ports any precedence 1001

# W32/Blaster worm (http://www.cert.org/advisories/CA-2003-20.html)
# Remove "udp69-d-de" if the switch needs to forward tftp packets
# 135/139/445 are also normal Windows RPC, NetBIOS session and SMB traffic
create access-list udp69-d-de udp destination any ip-port 69 source any ip-port any deny ports any precedence 1011
create access-list tcp135-d-de tcp destination any ip-port 135 source any ip-port any deny ports any precedence 1012
create access-list udp135-d-de udp destination any ip-port 135 source any ip-port any deny ports any precedence 1013
create access-list tcp139-d-de tcp destination any ip-port 139 source any ip-port any deny ports any precedence 1014
create access-list udp139-d-de udp destination any ip-port 139 source any ip-port any deny ports any precedence 1015
create access-list tcp445-d-de tcp destination any ip-port 445 source any ip-port any deny ports any precedence 1016
create access-list udp445-d-de udp destination any ip-port 445 source any ip-port any deny ports any precedence 1017
create access-list tcp593-d-de tcp destination any ip-port 593 source any ip-port any deny ports any precedence 1018
create access-list tcp4444-d-de tcp destination any ip-port 4444 source any ip-port any deny ports any precedence 1019

# NetBIOS
# "udp135-d-de" is already created above at precedence 1013, hence commented out here
# create access-list udp135-d-de udp destination any ip-port 135 source any ip-port any deny ports any precedence 1021
create access-list udp135-s-de udp destination any ip-port any source any ip-port 135 deny ports any precedence 1022
create access-list udp137-d-de udp destination any ip-port 137 source any ip-port any deny ports any precedence 1023
create access-list udp137-s-de udp destination any ip-port any source any ip-port 137 deny ports any precedence 1024
create access-list udp138-d-de udp destination any ip-port 138 source any ip-port any deny ports any precedence 1025
create access-list udp138-s-de udp destination any ip-port any source any ip-port 138 deny ports any precedence 1026

# FW1
# Source-port deny; see the note on "-s-de" entries at the top of this part
create access-list tcp256-s-de tcp destination any ip-port any source any ip-port 256 deny ports any precedence 1031

# Nachi/Blaster-D/Welchia worm (http://www.cert.org/current/current_....html#welchia; http://www.microsoft.com/technet/tre...erts/nachi.asp)
# Most ACLs already included in "W32/Blaster worm" and "NetBIOS"
# You need to remove ACL "icmpEcho-n-pe" and "icmpReply-n-pe" in order to block the worm's ping scanning
# The worm also use TCP port 80 (HTTP), which can't be blocked as whole, you may selectively block it based on ip addresses/ports
create access-list tcp707-d-de tcp destination any ip-port 707 source any ip-port any deny ports any precedence 1041

# W32/Sobig.F Worm (http://www.cert.org/incident_notes/IN-2003-03.html)
# Remove "udp123-d-de" if the switch needs to forward NTP packets
create access-list udp123-d-de udp destination any ip-port 123 source any ip-port any deny ports any precedence 1051
create access-list udp995-d-de udp destination any ip-port range 995 999 source any ip-port any deny ports any precedence 1052
create access-list udp8998-d-de udp destination any ip-port 8998 source any ip-port any deny ports any precedence 1053

# Many variants of W32/MyDoom malicious code (http://www.cert.org/incident_notes/IN-2004-01.html)
create access-list tcp3127-d-de tcp destination any ip-port 3127 source any ip-port any deny ports any precedence 1061
create access-list tcp3127-s-de tcp destination any ip-port any source any ip-port 3127 deny ports any precedence 1062
create access-list tcp3176-d-de tcp destination any ip-port 3176 source any ip-port any deny ports any precedence 1063
create access-list tcp3176-s-de tcp destination any ip-port any source any ip-port 3176 deny ports any precedence 1064

# Many variants of W32/Beagle malicious code (http://www.us-cert.gov/current/current_activity.html)
# 6667/tcp is the standard IRC port; these two lines block all IRC through the filtered ports
create access-list tcp2556-d-de tcp destination any ip-port 2556 source any ip-port any deny ports any precedence 1071
create access-list tcp2556-s-de tcp destination any ip-port any source any ip-port 2556 deny ports any precedence 1072
create access-list tcp2745-d-de tcp destination any ip-port 2745 source any ip-port any deny ports any precedence 1073
create access-list tcp2745-s-de tcp destination any ip-port any source any ip-port 2745 deny ports any precedence 1074
create access-list tcp6667-d-de tcp destination any ip-port 6667 source any ip-port any deny ports any precedence 1075
create access-list tcp6667-s-de tcp destination any ip-port any source any ip-port 6667 deny ports any precedence 1076
create access-list tcp8866-d-de tcp destination any ip-port 8866 source any ip-port any deny ports any precedence 1077
create access-list tcp8866-s-de tcp destination any ip-port any source any ip-port 8866 deny ports any precedence 1078

# Exploit for Microsoft PCT vulnerability released (http://www.us-cert.gov/current/current_activity.html)
# Blocks only the backdoor port used by the published exploit; the PCT/SSL service itself (443/tcp) is not touched
create access-list tcp31337-d-de tcp destination any ip-port 31337 source any ip-port any deny ports any precedence 1081
create access-list tcp31337-s-de tcp destination any ip-port any source any ip-port 31337 deny ports any precedence 1082

# W32/Sasser (http://www.us-cert.gov/current/current_activity.html)
# "tcp445-d-de" is already created above at precedence 1016, hence commented out here
# create access-list tcp445-d-de tcp destination any ip-port 445 source any ip-port any deny ports any precedence 1091
create access-list tcp9996-d-de tcp destination any ip-port 9996 source any ip-port any deny ports any precedence 1092
create access-list tcp9996-s-de tcp destination any ip-port any source any ip-port 9996 deny ports any precedence 1093
create access-list tcp5554-d-de tcp destination any ip-port 5554 source any ip-port any deny ports any precedence 1094
create access-list tcp5554-s-de tcp destination any ip-port any source any ip-port 5554 deny ports any precedence 1095

# Increased scanning of 5000/tcp, UPnP (http://www.us-cert.gov/current/current_activity.html)
create access-list tcp5000-d-de tcp destination any ip-port 5000 source any ip-port any deny ports any precedence 1101



# ****************************** Part 3 ******************************
# These are private addresses (RFC 1918), should not appear in Internet
# However, if you use them in your Intranet, don't apply them, or your traffic will be blocked
# These ACLs' precedences are within 1601 ~ 1700
# You can also create icmp ACL for these ip addresses as well
#
# The "-d-de" entries drop packets *to* RFC 1918 space, the "-s-de" entries drop packets
# *from* it, so both directions are filtered. "ports any" binds each ACL to every switch
# port; on a switch that also routes internal VLANs that blocks all internal traffic, so
# bind them to the Internet-facing ports instead of "any" in that case.
# These "ip" ACLs sit at precedence 1610 ~ 1660, after the icmp permits of Part 1
# (110 ~ 140), so icmp echo/reply to or from private space is still forwarded unless
# icmp ACLs with a lower precedence number are added.
# 100.64.0.0/10 (RFC 6598 shared address space) was reserved after this list was
# written; consider it here as well if it is not expected on the filtered ports.

create access-list private10-d-de ip destination 10.0.0.0/8 source any deny ports any precedence 1610
create access-list private172-d-de ip destination 172.16.0.0/12 source any deny ports any precedence 1620
create access-list private192-d-de ip destination 192.168.0.0/16 source any deny ports any precedence 1630

create access-list private10-s-de ip destination any source 10.0.0.0/8 deny ports any precedence 1640
create access-list private172-s-de ip destination any source 172.16.0.0/12 deny ports any precedence 1650
create access-list private192-s-de ip destination any source 192.168.0.0/16 deny ports any precedence 1660


# ****************************** Part 4 ******************************
# These ip addresses should not be source
# These ACLs' precedences are within 1801 ~ 1900
# You can also create icmp ACL for these ip addresses as well
#
# Why each prefix is a "martian" source:
#   0.0.0.0/8          - "this" network; DHCP DISCOVER is sent from 0.0.0.0, hence commented out
#   127.0.0.0/8        - loopback
#   192.0.2.0/24       - TEST-NET-1, documentation only
#   169.254.0.0/16     - IPv4 link-local, never routed
#   198.18.0.0/15      - benchmarking (RFC 2544)
#   224.0.0.0/4        - multicast is never a valid source
#   240.0.0.0/4        - reserved
#   255.255.255.255/32 - limited broadcast is never a valid source
# Prefixes reserved after this list was written are not covered: 198.51.100.0/24 and
# 203.0.113.0/24 (RFC 5737 documentation), 100.64.0.0/10 (RFC 6598 shared address space)
# and 192.0.0.0/24 (IETF protocol assignments). Add them in the free 1809 ~ 1900 range
# if they are not expected on the filtered ports.
# As in Part 3, icmp from these sources is still matched first by the Part 1 permits.

# Remove "martians0-s-de" if the switch needs to forward Bootp/DHCP packets
# create access-list martians0-s-de ip destination any source 0.0.0.0/8 deny ports any precedence 1801
create access-list martians127-s-de ip destination any source 127.0.0.0/8 deny ports any precedence 1802
create access-list martians192-s-de ip destination any source 192.0.2.0/24 deny ports any precedence 1803
create access-list martians169-s-de ip destination any source 169.254.0.0/16 deny ports any precedence 1804
create access-list martians198-s-de ip destination any source 198.18.0.0/15 deny ports any precedence 1805
create access-list martians224-s-de ip destination any source 224.0.0.0/4 deny ports any precedence 1806
create access-list martians240-s-de ip destination any source 240.0.0.0/4 deny ports any precedence 1807
create access-list martians255-s-de ip destination any source 255.255.255.255/32 deny ports any precedence 1808


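# ****************************** Part 5 ******************************
# These addresses were reserved or unassigned by IANA when this list was written (2004)
# and should not have appeared in Internet. (http://www.iana.org/assignments/ipv4-address-space)
# These ACLs' precedences are within 2001 ~ 2200
# You can also create icmp ACLs for these ip addresses as well
#
# !! Do not apply the "bogNNN-d-de" entries below as they stood in 2004.
# Every unicast /8 in that list has since been allocated by IANA to a regional
# registry (the IANA IPv4 free pool was exhausted in 2011), so those denies now
# black-hole legitimate destinations. A static bogon list must be regenerated from
# the live IANA registry or a maintained bogon feed each time it is deployed, and
# re-checked whenever this configuration is reused. The old entries are kept
# commented out, with their precedence numbers, as a record of what was in effect
# and so a current list can be dropped in using the same numbering.
# Only the permit for the limited broadcast address and the deny for 240.0.0.0/4
# (still reserved) remain active.

# Removed "bog000-d-de" as there's a bug for ip address 0.0.0.0/8
# create access-list bog000-d-de ip destination 0.0.0.0/8 source any deny ports any precedence 2001
# create access-list bog001-d-de ip destination 1.0.0.0/8 source any deny ports any precedence 2002
# create access-list bog002-d-de ip destination 2.0.0.0/8 source any deny ports any precedence 2003
# create access-list bog005-d-de ip destination 5.0.0.0/8 source any deny ports any precedence 2004
# create access-list bog007-d-de ip destination 7.0.0.0/8 source any deny ports any precedence 2005
# create access-list bog023-d-de ip destination 23.0.0.0/8 source any deny ports any precedence 2006
# create access-list bog027-d-de ip destination 27.0.0.0/8 source any deny ports any precedence 2007
# create access-list bog031-d-de ip destination 31.0.0.0/8 source any deny ports any precedence 2008
# create access-list bog036-d-de ip destination 36.0.0.0/7 source any deny ports any precedence 2009
# create access-list bog039-d-de ip destination 39.0.0.0/8 source any deny ports any precedence 2010
# create access-list bog041-d-de ip destination 41.0.0.0/8 source any deny ports any precedence 2011
# create access-list bog042-d-de ip destination 42.0.0.0/8 source any deny ports any precedence 2012
# create access-list bog049-d-de ip destination 49.0.0.0/8 source any deny ports any precedence 2013
# create access-list bog050-d-de ip destination 50.0.0.0/8 source any deny ports any precedence 2014
# create access-list bog058-d-de ip destination 58.0.0.0/7 source any deny ports any precedence 2015
# create access-list bog071-d-de ip destination 71.0.0.0/8 source any deny ports any precedence 2016
# create access-list bog072-d-de ip destination 72.0.0.0/5 source any deny ports any precedence 2017
# create access-list bog096-d-de ip destination 96.0.0.0/3 source any deny ports any precedence 2021
# create access-list bog173-d-de ip destination 173.0.0.0/8 source any deny ports any precedence 2022
# create access-list bog174-d-de ip destination 174.0.0.0/7 source any deny ports any precedence 2023
# create access-list bog176-d-de ip destination 176.0.0.0/5 source any deny ports any precedence 2024
# create access-list bog184-d-de ip destination 184.0.0.0/6 source any deny ports any precedence 2025
# create access-list bog189-d-de ip destination 189.0.0.0/8 source any deny ports any precedence 2026
# create access-list bog190-d-de ip destination 190.0.0.0/8 source any deny ports any precedence 2027
# create access-list bog197-d-de ip destination 197.0.0.0/8 source any deny ports any precedence 2028
# create access-list bog223-d-de ip destination 223.0.0.0/8 source any deny ports any precedence 2029

# Limited broadcast lies inside 240.0.0.0/4, so it is permitted at 2039 ahead of the
# 240/4 deny at 2040 (lower precedence number is matched first)
create access-list broadcast-d-pe ip destination 255.255.255.255/32 source any permit ports any precedence 2039
create access-list bog240-d-de ip destination 240.0.0.0/4 source any deny ports any precedence 2040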


# ****************************** Part 6 ******************************
# You need permit other expected multicast except ospf destination if necessary
# These ACLs' precedences are within 2501 ~ 2600
#
# 224.0.0.5 (AllSPFRouters) and 224.0.0.6 (AllDRouters) are permitted so OSPF keeps
# its neighbours; everything else in 224.0.0.0/4 is dropped by multicast-d-de at 2590.
# That deny also covers the link-local 224.0.0.0/24 groups other protocols rely on
# (e.g. 224.0.0.9 RIPv2, 224.0.0.18 VRRP, 224.0.0.22 IGMPv3 membership reports) and
# any application multicast. Add a "-d-pe" permit in the free 2503 ~ 2589 range for
# each group the filtered ports must carry before enabling this part.
create access-list ospf.5-d-pe ip destination 224.0.0.5/32 source any permit ports any precedence 2501
create access-list ospf.6-d-pe ip destination 224.0.0.6/32 source any permit ports any precedence 2502
create access-list multicast-d-de ip destination 224.0.0.0/4 source any deny ports any precedence 2590
# END
