华为交换机加固命令汇总

一、、登陆策略
-----------------------------------
登录尝试
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5

密码有效期
local-aaa-user password policy administrator  password expire 0

登录超时
aaa] local-user admin idle-timeout 15 0      (15分0秒无操作后超时）

源地址限制
user-interface vty 0
 authentication-mode aaa
user-interface vty 1 4
 acl 2000 inbound
 authentication-mode aaa
user-interface vty 16 20

//acl 2000为限制源地址的acl

二、SSH
--------------------------------------
1、创建rsa本地密钥对与创建账号

[Huawei]rsa local-key-pair create 

The key name will be: Huawei_Host

The range of public key size is (512 ~ 2048). 

NOTES: If the key modulus is greater than 512, 

       it will take a few minutes.

Input the bits in the modulus[default = 512]:

Generating keys...

2）华为交换机上面创建账号

aaa

local-user admin password cipher TKG40##Y,C!NZPO3JBXBHA!!

local-user admin privilege level 15

 local-user admin service-type ssh

2、开启ssh服务以及ssh用户：

stelnet server enable

ssh user admin

ssh user admin authentication-type password

ssh user admin service-type stelnet

3
3、VTY下添加设置：

[Huawei]user-interface vty 0 4

[Huawei-ui-vty0-4]authentication-mode aaa

[Huawei-ui-vty0-4]protocol inbound ssh

三、Syslog
------------------------------------
进入用户视图

system-view

#指定发送消息基本，表示从level 0-7 都发送

info-center source default channel 2 log level debugging

#指定从哪个接口发送

info-center loghost source *******

#指定远程syslog服务器ip

info-center loghost 10.0.13.114

四、禁止ing
-------------------------------------
限制终端到交换机的ping

system-view

[HUAWEI] cpu-defend policy icmp

[HUAWEI-cpu-defend-policy-1] deny packet-type icmp

[HUAWEI-cpu-defend-policy-1] quit

[HUAWEI] cpu-defend-policy icmp global

————
最好用：

undo icmp type 8 code 0 receive

五、改密操作
---------------------------------------
aaa]

aaa]local-user admin password irreversible-cipher  xxxxxxxx.
 
//xxxxxxxx为自定义密码

六、NTP配置
---------------------------------------
配置设备作为NTP服务器
单播客户端/服务器模式

# 配置NTP主时钟，层数为2
<HUAWEI> system-view
[HUAWEI] ntp refclock-master 2
# 配置NTP认证功能，配置认证密钥并声明该密钥可信
[HUAWEI] ntp authentication enable
[HUAWEI] ntp authentication-keyid 42 authentication-mode md5 newplayer
[HUAWEI] ntp reliable authentication-keyid 42
# 开启NTP服务器功能
[HUAWEI] undo ntp-service disable

# 配置NTP认证功能，配置认证密钥并声明该密钥可信
<HUAWEI> system-view
[HUAWEI] ntp authentication enable
[HUAWEI] ntp authentication-keyid 42 authentication-mode md5 newplayer
[HUAWEI] ntp reliable authentication-keyid 42
# 为NTP单播客户端指定NTP单播服务器，并指定使用密钥ID 42加密
[HUAWEI] ntp unicast-server 10.1.1.1 authentication-keyid 42

七、ARP防攻击
----------------------------------------
固定ip-mac

arp static  IP    MAC

系统视图或接口视图下执行

arp anti-attack entry-check { fixed-all | send-ack } enable

配置ARP表项固化功能

八、黑洞mac(用于封禁特定mac主机）
----------------------------------------

mac-address blackhole  c03f-d502-8a3f

---------------------------------------------------------------------

Thanks
 
----------------------------------------------------------------------