ESR-Series service routers. User manual
Disable outdated and cryptographically weak algorithms. Only the algorithms not listed below remain enabled, so check that your SSH clients support what is left before applying the commands over SSH, and keep a console or a second session open in case of a mistake. Note that the list disables every host-key algorithm except RSA, so the RSA host key generated in the next step is the only one clients will be offered:
esr(config)# ip ssh server
esr(config)# ip ssh authentication algorithm md5 disable
esr(config)# ip ssh authentication algorithm md5-96 disable
esr(config)# ip ssh authentication algorithm ripemd160 disable
esr(config)# ip ssh authentication algorithm sha1 disable
esr(config)# ip ssh authentication algorithm sha1-96 disable
esr(config)# ip ssh authentication algorithm sha2-256 disable
esr(config)# ip ssh encryption algorithm 3des disable
esr(config)# ip ssh encryption algorithm aes128 disable
esr(config)# ip ssh encryption algorithm aes128ctr disable
esr(config)# ip ssh encryption algorithm aes192 disable
esr(config)# ip ssh encryption algorithm aes192ctr disable
esr(config)# ip ssh encryption algorithm aes256 disable
esr(config)# ip ssh encryption algorithm arcfour disable
esr(config)# ip ssh encryption algorithm arcfour128 disable
esr(config)# ip ssh encryption algorithm arcfour256 disable
esr(config)# ip ssh encryption algorithm blowfish disable
esr(config)# ip ssh encryption algorithm cast128 disable
esr(config)# ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group1-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group14-sha1 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable
esr(config)# ip ssh host-key algorithm dsa disable
esr(config)# ip ssh host-key algorithm ecdsa256 disable
esr(config)# ip ssh host-key algorithm ecdsa384 disable
esr(config)# ip ssh host-key algorithm ecdsa521 disable
esr(config)# ip ssh host-key algorithm ed25519 disable
Generate a new RSA host key (the second form also sets the key length, here 2048 bits). Clients that have the old key stored in their known_hosts file will warn about a changed host key afterwards, so distribute the new fingerprint through a trusted channel:
esr# update ssh-host-key rsa
esr# update ssh-host-key rsa 2048
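A client-side check that the hardening above actually took effect, added here as an example; it is not part of the ESR manual or the router's CLI. It takes a file with the algorithms the router advertises, one wire name per line (for instance the comma-separated "peer server KEXINIT proposal" lines of `ssh -vv admin@<router>`, or the output of nmap's `ssh2-enum-algos` script, split with `tr ',' '\n'`), and reports any that the commands above should have removed. The mapping from the ESR short names (`aes128`, `sha2-256`, `ecdsa256`, ...) to SSH wire names is our assumption; the sample proposal is constructed, not captured from a real router.

```shell
#!/bin/sh
# Client-side verification of the "ip ssh ... disable" hardening above.
# Input file: one advertised algorithm per line, in SSH wire-name form.
# Assumed mapping from ESR short names to wire names (our assumption, not
# from the manual): aes128 -> aes128-cbc, sha2-256 -> hmac-sha2-256,
# ecdsa256 -> ecdsa-sha2-nistp256, dsa -> ssh-dss, and so on.

WEAK_ALGOS='hmac-md5
hmac-md5-96
hmac-ripemd160
hmac-sha1
hmac-sha1-96
hmac-sha2-256
3des-cbc
aes128-cbc
aes128-ctr
aes192-cbc
aes192-ctr
aes256-cbc
arcfour
arcfour128
arcfour256
blowfish-cbc
cast128-cbc
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
ssh-ed25519'

# Print every advertised algorithm that should have been disabled
# (whole-line, fixed-string match). Returns 1 if any were found, 0 if clean.
check_ssh_hardening() {
    advertised="$1"
    if printf '%s\n' "$WEAK_ALGOS" | grep -xF -f - "$advertised"; then
        return 1
    fi
    return 0
}

# Number of offending algorithms, for use in monitoring scripts.
count_weak_algos() {
    printf '%s\n' "$WEAK_ALGOS" | grep -cxF -f - "$1"
}

# Constructed sample (not a real capture): a mostly hardened proposal in which
# two algorithms the commands above disable were deliberately left in.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
curve25519-sha256
diffie-hellman-group14-sha1
aes256-ctr
aes256-gcm@openssh.com
hmac-sha2-512
hmac-sha1
rsa-sha2-512
EOF

if check_ssh_hardening "$SAMPLE"; then
    echo "OK: no disabled algorithm is advertised"
else
    echo "FAIL: the algorithms listed above are still offered; re-check the ip ssh configuration"
fi
```

Run it against the live proposal of the router after the change, not only against the running configuration: the proposal is what an attacker can negotiate, and it also shows whether the client you use still has a common algorithm with the router.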
7.6 Configuring the network attack protection mechanisms
The procedure for configuring the network attack protection mechanisms is described in the Logging and network protection configuration section of this manual.
For detailed information about the commands that configure protection against network attacks, see Management of logging and protection against network attacks in the CLI Command Reference.
7.6.1 Recommendations
It is recommended to always enable the following protections:
• protection against IP spoofing;
• protection against TCP packets with an invalid combination of flags;
• protection against fragmented TCP packets with the SYN flag set;
• protection against fragmented ICMP packets;
• protection against oversized ICMP packets;
• protection against unregistered IP protocol numbers.
It is also recommended to enable logging of the network attack protection mechanisms: without the log entries there is no way to tell a blocked attack from a misconfigured peer whose legitimate traffic is being dropped.