
BUILDING A SECURE NETWORK WITH SYSLOG, NTP AND SSH ON CISCO ROUTERS

Nguyễn Bá Nhiệm
M.Sc., Cisco Academy, Trường ĐHTV

ABSTRACT

Network security is currently a hard problem for companies, government agencies, schools and for network administrators themselves. This article introduces several services, deployed on the network infrastructure of Cisco devices, that help the administrator take control of the network: securing it, monitoring it and handling incidents better. All of the setup, configuration and operation of the network shown in Figure 1 is simulated in Cisco Packet Tracer.

Figure 1. Network topology used for the deployment


I. Introduction
In the network shown in Figure 1 we configure NTP and Syslog on the routers, and SSH on router BranchB. The NTP server and the Syslog server were configured beforehand by the administrator; this article does not cover the detailed configuration of these two servers.

NTP (Network Time Protocol) lets the routers in the network synchronise their system time with an NTP server. A group of NTP clients obtains the time and date from an NTP server to set the correct time, so that the Syslog messages they generate can be analysed more easily. This helps the administrator when a network fault occurs or when a hacker attacks the network. The NTP server can be deployed in the local network or on the Internet. NTP is a service that synchronises the system clock, so we will configure the routers to update their system clock from the NTP server at regular intervals.
The Syslog server collects the messages that record all traces of activity (logging messages) in the network. We will configure the routers that produce logging messages to point at the Syslog server. In addition, the timestamp service for logging must be configured on the routers, so that the messages recorded on the Syslog server carry the correct time and date and the information can be checked accurately. Messages with inaccurate times and dates make it hard to establish, from the logging messages, which events occurred in the network.
The ISP (Internet service provider) is connected to two networks through BranchA and BranchB. A local administrator at BranchB can perform most of the configuration and troubleshooting. However, BranchB is a managed router: the ISP needs remote access to BranchB to troubleshoot it and update its configuration. For that remote access to be secure, the administrator must configure SSH (Secure Shell). We use the CLI (Command Line Interface) to configure the router for secure remote management with SSH instead of Telnet. SSH is a network protocol that provides secure remote access to a router or other network device. SSH encrypts all information transmitted over the network and authenticates the user and the connecting host. SSH is a replacement for Telnet, which is less secure.
In the deployed topology, the NTP server has its system clock set to the real time and does not require user authentication. The Syslog server is also already configured. We will configure NTP, logging messages, SSH and the other supporting protocols on the routers.
II. Configuring the routers as NTP clients
2.1. Checking connectivity
- Ping from Client-SSH to BranchB

Figure 2. Successful connectivity between Client-SSH and BranchB


- Ping from ISP to BranchB

Figure 3. Checking network connectivity between ISP and BranchB


- Telnet from Client-SSH to BranchB

Figure 4. Successful remote connection from Client-SSH to BranchB


- Telnet from ISP to BranchB

Figure 5. Successful Telnet from ISP to BranchB


2.2. Configuring routers BranchA, ISP and BranchB as NTP clients
BranchA(config)#ntp server 172.30.1.100
ISP(config)#ntp server 172.30.1.100
BranchB(config)#ntp server 172.30.1.100
Verify the configuration on the NTP clients with the show ntp status command on every router.

Figure 6. NTP configured on router BranchA


2.3. Configuring the routers to update the system clock (hardware clock)
Configure routers BranchA, ISP and BranchB to update their hardware clock periodically from the NTP server:
BranchA(config)# ntp update-calendar
ISP(config)# ntp update-calendar
BranchB(config)# ntp update-calendar
To check that the system clock has been updated, use the show clock command:
BranchA#show clock
*15:55:10.8 UTC Tue Aug 2 2011
2.4. Configuring timestamps on the routers to keep their time aligned with the Syslog server
Configure the timestamp service for logging on the routers:
BranchA(config)# service timestamps log datetime msec
ISP(config)# service timestamps log datetime msec
BranchB(config)# service timestamps log datetime msec
III. Configuring the routers to send log messages to the Syslog server automatically
3.1. Configuring the routers with the Syslog server that will receive their logging messages
BranchA(config)# logging host 172.30.1.200
ISP(config)# logging host 172.30.1.200
BranchB(config)# logging host 172.30.1.200
A notification appears on the router console; logging is now in effect on the routers.

Figure 7. Checking the logging configuration with the show logging command


3.2. Checking the logs on the Syslog server
In the Config tab of the Syslog server's interface, select the Syslog services button. The logging messages received from the routers can be observed. Log messages are generated on the server by commands executed on the routers; for example, leaving global configuration mode on router BranchA generates an informational message about the router's configuration.
Figure 8. Syslog server recording the routers' logs
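As an added example (not part of the original article), the following Python script parses the kind of messages a router sends to the Syslog server once the timestamp service from section 2.4 is in effect, and summarises what a reviewer looks for first: lines that do not parse, routers whose clock is not NTP-authoritative, configuration changes, and anything at warning severity or worse. The sample lines are constructed; the leading hostname assumes logging origin-id hostname, which the article does not configure, and a leading asterisk on a timestamp is how IOS marks a clock that is not authoritative (the same asterisk appears in the show clock output in section 2.3).

```python
import re
from datetime import datetime

# Constructed sample lines in the shape an IOS router emits after
# "service timestamps log datetime msec"; the "host:" prefix assumes
# "logging origin-id hostname", which the article does not configure.
SAMPLE = [
    "<189>BranchA: Aug  2 15:55:10.008: %SYS-5-CONFIG_I: Configured from console by console",
    "<189>BranchB: *Aug  2 15:55:12.120: %SYS-5-CONFIG_I: Configured from console by vty0 (172.30.200.10)",
    "<189>ISP: Aug  2 15:56:01.330: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up",
    "<188>BranchB: Aug  2 15:57:44.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: adminssh] [Source: 209.165.200.233] [localport: 22] [Reason: Login Authentication Failed]",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<host>[\w.-]+): "
    r"(?P<flag>[*.]?)"                       # '*' = clock not authoritative, '.' = NTP sync lost
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_line(line, year=2011):
    """Return a dict for one IOS syslog line, or None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # "datetime msec" timestamps carry no year; the collector has to supply it.
    d["when"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S.%f")
    d["sev"] = int(d["sev"])
    d["clock_synced"] = d["flag"] == ""   # only trust timestamps from NTP-synced routers
    return d

def review(lines, year=2011):
    """Summarise unparsed lines, unsynced clocks, configuration changes
    and every message at warning severity (4) or worse."""
    report = {"unparsed": 0, "unsynced_hosts": set(), "config_changes": [], "alerts": []}
    for line in lines:
        d = parse_line(line, year)
        if d is None:
            report["unparsed"] += 1
            continue
        if not d["clock_synced"]:
            report["unsynced_hosts"].add(d["host"])
        if d["mnem"] == "CONFIG_I":
            report["config_changes"].append((d["host"], d["when"], d["text"]))
        if d["sev"] <= 4:
            report["alerts"].append((d["host"], d["mnem"], d["text"]))
    return report
```

Calling review(SAMPLE) reports BranchB as the router whose clock is not authoritative, so its CONFIG_I timestamp cannot be trusted when ordering events across routers.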

IV. Configuring router BranchB to support SSH connections
4.1. Configuring the domain name
Configure the domain name networksecurity.com on router BranchB:
BranchB(config)# ip domain-name networksecurity.com
4.2. Configuring users for login from Client-SSH on router BranchB
Create a user named adminSSH with privilege level 15 and the password ciscossh stored encrypted:
BranchB(config)# username adminSSH privilege 15 secret ciscossh
4.3. Configuring the remote access lines (virtual terminal lines) on router BranchB
Use the local user account to log in to router BranchB and accept only SSH connections:
BranchB(config)# line vty 0 4
BranchB(config-line)# login local
BranchB(config-line)# transport input ssh
4.4. Deleting the existing key pairs on router BranchB
Any existing RSA key pairs are deleted from the router before a new key pair is generated. Run the following command on router BranchB:
BranchB(config)#crypto key zeroize rsa
If no key exists, a message such as the following may appear: % No Signature RSA Keys found in configuration.
4.5. Generating the RSA key pair for router BranchB
Router BranchB uses the RSA key pair for authentication and encryption when transferring data over SSH. Configure an RSA key of 1024 bits; the default is 512 bits and the allowed range is 360 to 2048 bits.
BranchB(config)# crypto key generate rsa [Enter]
The name for the keys will be: BranchB.networksecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
4.6. Checking the SSH configuration
Use the show ip ssh command to view the current SSH configuration on the router. Check the authentication timeout and the number of connection attempts, which default to 120 seconds and 3 login attempts.
BranchB#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
4.7. Configuring the SSH timeout and login authentication parameters
The default SSH timeout and number of login attempts can be changed. We set the SSH timeout to 180 seconds and the number of authentication attempts to 4, and use SSH version 2.
BranchB(config)# ip ssh time-out 180
BranchB(config)# ip ssh authentication-retries 4
BranchB(config)# ip ssh version 2
Viewing the configuration again with the show ip ssh command shows the changed values.
4.8. Telnet connection from Client-SSH to router BranchB
Open the Desktop of Client-SSH, choose the Command Prompt icon and type the following command:
Client-ssh> telnet 172.30.200.1

Figure 9. Telnet connection refused

The connection fails because router BranchB is configured to accept only SSH connections on its virtual terminal lines.
4.9. SSH connection from Client-SSH to router BranchB
Open the Desktop of Client-SSH, choose the Command Prompt icon and type the command to connect to router BranchB over SSH as user adminssh. When prompted, enter the password: ciscossh
Client-ssh> ssh -l adminssh 172.30.200.1
Figure 10. Successful SSH connection from the PC to BranchB

4.10. SSH connection from router ISP to router BranchB
To troubleshoot and maintain router BranchB, the administrator at the ISP must use SSH to access the router through the CLI (command line interface). From the CLI of router ISP, type the command to connect to router BranchB over SSH version 2, logging in as user adminssh with password ciscossh:
ISP# ssh -v 2 -l adminssh 209.165.200.234
Open
Password:
BranchB#
V. Router configuration files
5.1. Configuration file of router BranchA

Current configuration : 861 bytes


!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname BranchA
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
no ip domain-lookup
!
interface FastEthernet0/0
ip address 172.30.1.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 209.165.200.229 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
logging 172.30.1.200
line con 0
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
password 7 0822455D0A16
login
!
!
ntp server 172.30.1.100 key 0
ntp update-calendar
!
end
5.2. Configuration file of router ISP

Current configuration : 1014 bytes


!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname BranchB
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
username adminssh privilege 15 secret 5 $1$mERr$SIAhNGTETLPi.cdWVTrDn1
!
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name networksecurity.com
!
interface FastEthernet0/0
ip address 172.30.200.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/0/1
ip address 209.165.200.234 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
logging 172.30.1.200
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 0822455D0A16
login local
transport input ssh
!
ntp server 172.30.1.100 key 0
ntp update-calendar
!
end
5.3. Configuration file of router BranchB

Current configuration : 1014 bytes


!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname BranchB
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
username adminssh privilege 15 secret 5 $1$mERr$SIAhNGTETLPi.cdWVTrDn1
!
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name networksecurity.com
!
interface FastEthernet0/0
ip address 172.30.200.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/0/1
ip address 209.165.200.234 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
logging 172.30.1.200
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 0822455D0A16
login local
transport input ssh
!
ntp server 172.30.1.100 key 0
ntp update-calendar
!
end
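As an added example (not the article's own code), this Python audit reads configuration files in the flattened form printed above and checks that a router carries the settings the article configured in sections II to IV: SSH-only VTY lines with local login, SSH version 2, a domain name, an NTP server, a Syslog host and millisecond log timestamps. The two excerpts are constructed from the BranchA and BranchB files with the type-7 strings replaced by a placeholder; the leftover-password check is this example's own assumption, flagging a line password that login local no longer uses.

```python
import re

# Constructed excerpts of the article's BranchA and BranchB configuration files
# (type-7 strings replaced by a placeholder); sub-lines indented as IOS prints them.
BRANCHA = ("service timestamps log datetime msec\nhostname BranchA\nlogging 172.30.1.200\n"
           "line vty 0 4\n password 7 PLACEHOLDER\n login\n!\nntp server 172.30.1.100 key 0\nend\n")
BRANCHB = ("service timestamps log datetime msec\nhostname BranchB\nip ssh version 2\n"
           "ip domain-name networksecurity.com\nlogging 172.30.1.200\nline vty 0 4\n"
           " password 7 PLACEHOLDER\n login local\n transport input ssh\n!\n"
           "ntp server 172.30.1.100 key 0\nend\n")

BLOCK_START = ("interface ", "line ", "router ")

def split_config(text):
    """Return (global_lines, {block_header: sub_lines}); a block ends at '!', 'end' or the next header."""
    glob, blocks, cur = [], {}, None
    for raw in text.splitlines():
        ln = raw.strip()                      # accepts indented (real IOS) or flat (article dump) sub-lines
        if ln in ("!", "end", ""):
            cur = None
        elif ln.startswith(BLOCK_START):
            cur = ln
            blocks[cur] = []
        elif cur is not None:
            blocks[cur].append(ln)
        else:
            glob.append(ln)
    return glob, blocks

def audit(text):
    """Check the settings the article configures on each router; True means the setting is present."""
    glob, blocks = split_config(text)
    vty = next((v for k, v in blocks.items() if k.startswith("line vty")), [])

    def has(lines, pattern):
        return any(re.match(pattern, ln) for ln in lines)

    return {
        "vty_ssh_only": has(vty, r"transport input ssh$"),      # Telnet no longer accepted on vty
        "vty_login_local": has(vty, r"login local$"),            # per-user accounts, not a line password
        "no_leftover_vty_password": not has(vty, r"password "),  # unused once login local is set
        "ssh_version_2": has(glob, r"ip ssh version 2$"),
        "domain_name": has(glob, r"ip domain-name \S+"),          # needed before RSA key generation
        "ntp_server": has(glob, r"ntp server \S+"),
        "syslog_host": has(glob, r"logging (host )?\d+\.\d+\.\d+\.\d+$"),
        "log_timestamps_msec": has(glob, r"service timestamps log datetime msec$"),
    }

def failed_checks(text):
    return sorted(k for k, ok in audit(text).items() if not ok)
```

failed_checks(BRANCHA) lists the SSH-related settings the BranchA file lacks (its VTY lines still accept Telnet with a line password), while failed_checks(BRANCHB) returns only the leftover-password check.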
VI. Conclusion
In practice, building a well-functioning network requires the administrator to know how to deploy the network infrastructure, deploy application services and secure the network; of these, security is the hardest part of the administrator's work. To help administrators manage their networks better, this article has presented some concepts of the protocols that support network security and their configuration on Cisco routers: configuring the NTP client on the routers, having the routers update their system time through NTP, sending the routers' log messages to the Syslog server, timestamping the log messages recorded on the Syslog server correctly, creating login users on the router, and configuring the VTY (virtual terminal) lines for SSH connections. The results meet the stated requirements, as shown by the configuration files of the routers in the topology and by the verification steps carried out in the article.