Disable telnet. Generate new encryption keys. Use crypto-resistant algorithms.
Solution:
Disable remote telnet control:
esr(config)# no ip telnet server
Generate new encryption keys:
esr-20(config)# crypto key generate dsa
esr-20(config)# crypto key generate ecdsa
esr-20(config)# crypto key generate ed25519
esr-20(config)# crypto key generate rsa
esr-20(config)# crypto key generate rsa1
Disable outdated algorithms that are not crypto-resistant:
esr(config)# ip ssh server
esr(config)# ip ssh authentication algorithm md5 disable
esr(config)# ip ssh authentication algorithm md5-96 disable
esr(config)# ip ssh authentication algorithm ripemd160 disable
esr(config)# ip ssh authentication algorithm sha1 disable
esr(config)# ip ssh authentication algorithm sha1-96 disable
esr(config)# ip ssh encryption algorithm aes128 disable
esr(config)# ip ssh encryption algorithm aes128ctr disable
esr(config)# ip ssh encryption algorithm aes192 disable
esr(config)# ip ssh encryption algorithm aes192ctr disable
esr(config)# ip ssh encryption algorithm arcfour disable
esr(config)# ip ssh encryption algorithm arcfour128 disable
esr(config)# ip ssh encryption algorithm arcfour256 disable
esr(config)# ip ssh encryption algorithm blowfish disable
esr(config)# ip ssh encryption algorithm cast128 disable
esr(config)# ip ssh key-exchange algorithm dh-group-exchange-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group1-sha1 disable
esr(config)# ip ssh key-exchange algorithm dh-group14-sha1 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp256 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp384 disable
esr(config)# ip ssh key-exchange algorithm ecdh-sha2-nistp521 disable
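After applying the commands above, the result can be verified from the client side: an SSH server announces every algorithm it still offers in its SSH_MSG_KEXINIT message, so parsing that message and comparing it with the lists disabled above shows whether the hardening took effect. The following is an added example and not part of the Eltex manual; the mapping from the ESR CLI names to SSH wire names (for instance "md5" to "hmac-md5", "blowfish" to "blowfish-cbc") is an assumption, and the sample packet is constructed inline.

```python
import struct

# SSH wire names for the algorithms the ESR procedure above disables. The mapping from
# the CLI names (e.g. "md5" -> "hmac-md5", "blowfish" -> "blowfish-cbc") is an assumption.
WEAK = {
    "kex": {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
            "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521"},
    "cipher": {"aes128-cbc", "aes128-ctr", "aes192-cbc", "aes192-ctr", "arcfour",
               "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-ripemd160", "hmac-sha1", "hmac-sha1-96"},
}
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(packet: bytes) -> dict:
    """Decode a binary SSH_MSG_KEXINIT packet (RFC 4253 s.6 and s.7.1) into its name-lists."""
    plen, padlen = struct.unpack("!IB", packet[:5])   # packet_length, padding_length
    payload = packet[5:5 + plen - padlen - 1]
    assert payload[0] == 20, "not SSH_MSG_KEXINIT"
    pos, out = 17, {}                                  # skip msg type + 16-byte cookie
    for name in FIELDS:                                # ten uint32-length-prefixed name-lists
        (n,) = struct.unpack("!I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        out[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return out

def weak_offered(lists: dict) -> dict:
    """Weak algorithms still advertised, per category; an empty dict means the server is clean."""
    offered = {"kex": lists["kex"], "cipher": lists["cipher_c2s"] + lists["cipher_s2c"],
               "mac": lists["mac_c2s"] + lists["mac_s2c"]}
    found = {k: sorted(WEAK[k] & set(v)) for k, v in offered.items()}
    return {k: v for k, v in found.items() if v}

def build_kexinit(kex, hostkey, ciphers, macs) -> bytes:
    """Build a KEXINIT packet as a server would send it (used here to construct offline samples)."""
    def nl(items):                                     # SSH name-list: uint32 length + CSV
        s = ",".join(items).encode()
        return struct.pack("!I", len(s)) + s
    payload = (b"\x14" + b"\x00" * 16 + nl(kex) + nl(hostkey) + nl(ciphers) * 2 + nl(macs) * 2
               + nl(["none"]) * 2 + nl([]) * 2 + b"\x00" + b"\x00\x00\x00\x00")
    padlen = 8 - (len(payload) + 5) % 8                # total length must be a multiple of 8,
    padlen += 8 if padlen < 4 else 0                   # with at least 4 bytes of padding
    return struct.pack("!IB", len(payload) + padlen + 1, padlen) + payload + b"\x00" * padlen

# Constructed sample: a server that still offers two algorithms the procedure above disables.
SAMPLE = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha1"], ["ssh-ed25519"],
                       ["aes256-gcm@openssh.com", "aes128-cbc"], ["hmac-sha2-256"])
# weak_offered(parse_kexinit(SAMPLE)) → {'kex': ['diffie-hellman-group14-sha1'], 'cipher': ['aes128-cbc']}
```

In a live check the packet is read from the TCP connection right after the version-string exchange; here it is built inline so the parser can be exercised offline.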
7.6 Configuration of network attack protection mechanisms
The algorithms for configuring the network attack protection mechanisms are described in the Logging and network protection configuration section of this manual.
For detailed information about the commands to configure the password policy, see Management of logging and protection against network attacks in the CLI Command Reference.
7.6.1 Recommendations
It is recommended to always enable protection against IP spoofing.
It is recommended to always enable protection against TCP packets with incorrectly set flags.
It is recommended to always enable protection against fragmented TCP packets with the SYN flag set.
It is recommended to always enable protection against fragmented ICMP packets.
It is recommended to always enable protection against large ICMP packets.