Nguyễn Bá Nhiệm
M.Sc., CISCO Academy, Trường HTV
ABSTRACT
NTP (Network Time Protocol) lets the routers in a network synchronise their system clocks with an NTP server. A group of NTP clients obtains the date and time from an NTP server, sets its clock accordingly, and from then on the Syslog messages it generates can be analysed far more easily. This helps the administrator when a network fault occurs and when a hacker attacks the network. The NTP server can sit on the local network or on the Internet; it is the reference clock against which the system clocks are synchronised. We therefore configure the routers to update their system clocks from the NTP server at regular intervals.
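The following is an added example, not code from the paper: a minimal NTP client round trip in Python, showing how a client such as the routers in this lab derives its clock offset from a single request/reply exchange (the 48-byte NTPv4 packet layout and the RFC 5905 offset and delay formulas). The server side is simulated in-process, so nothing is sent on the network; the clock readings in the usage section, and the names build_request, build_reply, parse_reply and exchange, are this example's own.

```python
"""Added example (not from the paper): one NTP request/reply exchange, the
48-byte NTPv4 packet layout and the RFC 5905 offset/delay computation that an
NTP client performs before it adjusts its clock. The server side is simulated
in-process; no network access is needed."""
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
HEADER = "!BBBb11I"              # LI/VN/mode, stratum, poll, precision, then 11 x 32-bit words


def to_ntp(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp as a (seconds, fraction) pair."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32))
    return secs + NTP_UNIX_DELTA, frac


def from_ntp(secs, frac):
    """Inverse of to_ntp."""
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_request(t1):
    """Client packet (mode 3): only the transmit timestamp T1 is filled in."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3           # LI=0, version 4, mode 3 = client
    tx_s, tx_f = to_ntp(t1)
    return struct.pack(HEADER, li_vn_mode, 0, 6, -20,
                       0, 0, 0,                     # root delay, root dispersion, reference id
                       0, 0,                        # reference timestamp
                       0, 0,                        # originate timestamp
                       0, 0,                        # receive timestamp
                       tx_s, tx_f)                  # transmit timestamp = T1


def build_reply(request, t2, t3, stratum=2):
    """Simulated server (mode 4): echoes the client's T1 as the originate
    timestamp and stamps its own receive (T2) and transmit (T3) times."""
    f = struct.unpack(HEADER, request)
    li_vn_mode = (0 << 6) | (4 << 3) | 4           # mode 4 = server
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20,
                       0, 0, 0,
                       *to_ntp(t3),                 # reference timestamp (simplified: last update = now)
                       f[13], f[14],                # originate = the client's T1, echoed back
                       *to_ntp(t2),                 # receive timestamp T2
                       *to_ntp(t3))                 # transmit timestamp T3


def parse_reply(reply, t1, t4):
    """Validate a server reply and return (offset, delay) in seconds (RFC 5905):
       offset = ((T2 - T1) + (T3 - T4)) / 2,  delay = (T4 - T1) - (T3 - T2).
    The originate check is the RFC's 'bogus packet' test: a reply must echo the
    T1 we sent. It stops blind spoofed replies, but an attacker who can see the
    request passes it; only NTP authentication (ntp authenticate plus a key on
    the ntp server line) defends against that, and this lab's server uses none."""
    if len(reply) != struct.calcsize(HEADER):
        raise ValueError("bad packet length")
    f = struct.unpack(HEADER, reply)
    if (f[0] & 0x7) != 4:
        raise ValueError("not a server (mode 4) packet")
    if f[1] == 0:
        raise ValueError("stratum 0: kiss-o'-death / unsynchronised server")
    if (f[9], f[10]) != to_ntp(t1):
        raise ValueError("originate timestamp does not match our request")
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def exchange(client_t1, server_t2, server_t3, client_t4):
    """One round trip with the given (constructed) clock readings."""
    reply = build_reply(build_request(client_t1), server_t2, server_t3)
    return parse_reply(reply, client_t1, client_t4)


if __name__ == "__main__":
    # Constructed scenario: the client clock runs 30 s behind the server and
    # each direction takes 0.1 s. T1/T4 are client clock readings, T2/T3 the server's.
    offset, delay = exchange(1000.0, 1030.1, 1030.2, 1000.3)
    print(f"offset {offset:+.3f} s, round-trip delay {delay:.3f} s")   # offset +30.000, delay 0.200
```

The router applies the computed offset to its clock; what the example makes visible is that the only integrity check in an unauthenticated exchange is the echoed T1, which is exactly why a production deployment pairs ntp server with an authentication key.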
The Syslog server receives the logging messages that record all activity in the network. We configure the routers to send their logging messages to a designated Syslog server. Alongside this, the timestamp service for logging must be enabled on the routers, so that every message stored on the Syslog server carries the correct date and time and the information can be checked precisely. Messages whose date and time are wrong make it difficult to reconstruct, from the logging messages, the sequence of events that took place in the network.
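To show what the timestamp service buys an investigator, here is an added example (not from the paper): a small Python parser for IOS syslog messages as a collector stores them, building one timeline across routers while keeping apart the messages whose time cannot be trusted. IOS prefixes the timestamp with "*" when its clock has never been set by NTP and with "." when synchronisation was lost, and with no service timestamps log the message carries no time at all. The sample lines are constructed (they reuse the router addresses from the configuration listings, but the events are invented), and parse_line, build_timeline and the assumed year 2024 are this example's own.

```python
"""Added example (not from the paper): parse Cisco IOS syslog messages as a
collector stores them and build a cross-router timeline, keeping apart the
messages whose timestamp cannot be trusted. IOS prefixes the timestamp with
'*' when its clock has never been set by NTP (and with '.' when sync was
lost); with 'no service timestamps log' the message carries no time at all."""
import re
from datetime import datetime

# Constructed sample, NOT real output from the lab. Each line is the sender's
# IP (as the collector records it) followed by the message as the router sent it.
# The IPs are those of BranchB's LAN interface and of the serial link in the
# configuration listings; the events themselves are invented.
SAMPLE = """\
172.30.200.1 <189>14: *Mar  1 00:03:12.410: %SYS-5-CONFIG_I: Configured from console by console
209.165.200.229 <189>22: Jun 18 09:42:10.731: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
172.30.200.1 <188>16: Jun 18 09:41:07.122: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: adminssh] [Source: 172.30.200.10] [localport: 22] [Reason: Login Authentication Failed]
172.30.200.1 <189>17: Jun 18 09:42:55.004: %SYS-5-CONFIG_I: Configured from console by adminssh on vty0 (172.30.200.10)
209.165.200.229 <189>23: %SYS-5-CONFIG_I: Configured from console by console
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+<(?P<pri>\d+)>(?P<seq>\d+):\s+"
    r"(?:(?P<auth>[*.]?)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+)?"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s+(?P<text>.*)$"
)


def parse_line(line, year):
    """Return a dict for one collector line, or None if it is not an IOS message.
    'year' is supplied by the caller because the default IOS timestamp omits it
    ('service timestamps log datetime msec show-timezone year' would include it)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    event = {
        "src": d["src"],
        "seq": int(d["seq"]),
        "facility": pri // 8,             # 23 = local7, the IOS default
        "severity": pri % 8,              # 0 emergencies .. 7 debugging
        "msg": f"%{d['fac']}-{d['sev']}-{d['mn']}",
        "text": d["text"],
        "when": None,
        "clock_ok": False,
    }
    if d["ts"]:
        ts = " ".join(d["ts"].split())    # collapse the padding in 'Mar  1'
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts else "%Y %b %d %H:%M:%S"
        event["when"] = datetime.strptime(f"{year} {ts}", fmt)
        event["clock_ok"] = d["auth"] == ""   # '*' or '.' means the clock was not authoritative
    return event


def build_timeline(text, year):
    """Split collector output into (events that can be ordered across routers,
    events whose time cannot be trusted: unsynchronised clock or no timestamp)."""
    ordered, unplaceable = [], []
    for line in text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        (ordered if ev["clock_ok"] else unplaceable).append(ev)
    ordered.sort(key=lambda e: (e["when"], e["src"], e["seq"]))
    return ordered, unplaceable


if __name__ == "__main__":
    ordered, unplaceable = build_timeline(SAMPLE, 2024)   # 2024 is an assumed year
    for e in ordered:
        print(e["when"].isoformat(timespec="milliseconds"), e["src"], e["msg"], e["text"])
    print(f"{len(unplaceable)} message(s) cannot be placed on the timeline:")
    for e in unplaceable:
        print("  ", e["src"], e["msg"], "(clock not authoritative)" if e["when"] else "(no timestamp)")
```

On the sample, the failed SSH login on BranchB is correctly placed before the serial link going down on the other router, while the two console-configuration events (one stamped by an unsynchronised clock, one with no timestamp) cannot be placed at all: that is the gap the NTP and timestamp configuration in this article closes.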
The ISP (Internet service provider) is connected to two networks through BranchA and BranchB. A local administrator at BranchB can carry out most of the configuration and troubleshooting. BranchB is, however, a managed router: the ISP needs remote access to BranchB to troubleshoot it and update its configuration. For that remote access to be secure, the administrator must configure SSH (Secure Shell). We use the CLI (Command Line Interface) to configure the router for secure remote management over SSH instead of Telnet. SSH is a network protocol that provides secure remote access to a router or other network device: it encrypts everything transmitted over the network and authenticates both the user and the connecting host. SSH is the replacement for Telnet, which is less secure because it sends the login password and every keystroke in cleartext.
In the deployed network model, the NTP server's system clock has been set to real time and the server requires no authentication, so the routers accept its time without verifying who sent it. A server on a trusted local segment is acceptable for this lab; on a production network the IOS commands ntp authentication-key, ntp trusted-key and ntp authenticate, together with a key on the ntp server line, let a router reject time from an unauthenticated source. The Syslog server has also been configured. We will configure the routers for NTP, logging messages, SSH and the other supporting protocols.
II. Configuring the routers as NTP clients
2.1. Checking connectivity
Ping from Client-SSH to BranchB
router BranchB
Log in to router BranchB with a local user account and accept only SSH connections on the VTY lines. login local authenticates against the router's local username database (the adminssh account in the running configuration) instead of a shared line password, and transport input ssh makes the lines refuse Telnet.
BranchB(config)# line vty 0 4
BranchB(config-line)# login local
BranchB(config-line)# transport input ssh
4.4. Removing existing key pairs on router BranchB
Any RSA key pairs already stored on the router are deleted before a new key pair is generated. Run the following on router BranchB:
BranchB(config)# crypto key zeroize rsa
If no key exists, the router replies with: % No Signature RSA Keys found in configuration.
4.5 Generating an RSA key pair for router BranchB
Router BranchB uses an RSA key pair for authentication and for establishing the encrypted SSH session. Generate a 1024-bit RSA key. The prompt offers 512 bits by default and accepts 360 to 2048 bits; note that SSH version 2 requires a modulus of at least 768 bits, so 1024 is the practical minimum here, and current IOS releases accept up to 4096 bits, where 2048 is the usual choice. The key is named after the hostname and the configured ip domain-name (networksecurity.com), so the domain name must be set before this step.
BranchB(config)# crypto key generate rsa [Enter]
The name for the keys will be: BranchB.networksecurity.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
4.6 Verifying the SSH configuration
Use show ip ssh to display the current SSH configuration on the router. Check the authentication timeout and the number of authentication attempts; the defaults are 120 seconds and 3 attempts.
BranchB#show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
"version 1.99" means the router still negotiates both SSH version 1 and version 2 with clients; version 1 has known protocol weaknesses, which is why the next step pins the router to version 2.
4.7 Configuring the SSH timeout and login parameters
The default SSH timeout and retry count can be changed. Here we set the SSH timeout to 180 seconds, the number of authentication attempts to 4, and restrict the router to SSH version 2.
BranchB(config)# ip ssh time-out 180
BranchB(config)# ip ssh authentication-retries 4
BranchB(config)# ip ssh version 2
Running show ip ssh again shows the changed values.
4.8 Connecting with Telnet from client-SSH to router BranchB
On the Desktop of client-ssh, open the Command Prompt icon and type:
Client-ssh> telnet 172.30.200.1
Because the VTY lines were configured with transport input ssh, this Telnet connection is refused; only an SSH login with the adminssh local account is accepted.
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 209.165.200.229 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
router rip
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
logging 172.30.1.200
line con 0
password 7 0822455D0A16
logging synchronous
login
line vty 0 4
password 7 0822455D0A16
login
!
!
ntp server 172.30.1.100 key 0
ntp update-calendar
!
end
5.2
!
version 12.4
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname BranchB
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
username adminssh privilege 15 secret 5 $1$mERr$SIAhNGTETLPi.cdWVTrDn1
!
ip ssh version 2
ip ssh authentication-retries 2
ip ssh time-out 90
no ip domain-lookup
ip domain-name networksecurity.com
!
interface FastEthernet0/0
ip address 172.30.200.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/0/1
ip address 209.165.200.234 255.255.255.252
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/1
!
logging 172.30.1.200
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 0822455D0A16
login local
transport input ssh
!
ntp server 172.30.1.100 key 0
ntp update-calendar
!
end
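The following is an added example, not code from the paper and not a Cisco tool: an offline audit of the remote-access settings in an IOS running-config, applied to excerpts of the listings above. It covers the SSH steps of section 4 (ip ssh version 2, login local and transport input ssh on the VTY lines, the ip domain-name needed for the RSA key) and recovers any password 7 strings, because type 7 is a reversible obfuscation rather than encryption: service password-encryption hides a line password from a glance at the screen and nothing more, which is why enable and the adminssh user are stored with secret. The names BRANCHB_CFG, FIRST_LISTING_CFG, audit, parse_blocks and decode_type7 are this example's own; the username line in the excerpt is reconstructed from the split lines of the listing, and the first listing's global section is not on the page, so the global checks there report on the excerpt only.

```python
"""Added example (not from the paper): offline audit of SSH/VTY settings in an
IOS running-config, plus recovery of 'password 7' strings (type 7 is a fixed-key
XOR, not encryption). Applied to excerpts of the listings in section 5."""
import re

# Excerpt of the BranchB listing (5.2). The username line is reconstructed
# (the extraction split it over several lines); the other lines are verbatim.
BRANCHB_CFG = """\
service password-encryption
hostname BranchB
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username adminssh privilege 15 secret 5 $1$mERr$SIAhNGTETLPi.cdWVTrDn1
ip ssh version 2
ip domain-name networksecurity.com
!
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 0822455D0A16
login local
transport input ssh
!
"""

# Excerpt of the unlabeled listing that precedes 5.2 (its global section and
# hostname are not on the page).
FIRST_LISTING_CFG = """\
line con 0
password 7 0822455D0A16
login
line vty 0 4
password 7 0822455D0A16
login
!
"""

# Fixed key of the IOS type-7 scheme; the first two characters of a type-7
# string are the decimal offset into this key, the rest is hex of (byte XOR key).
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(enc):
    """Recover the cleartext from a 'password 7' string."""
    if len(enc) < 4 or len(enc) % 2 or not enc.isalnum():
        raise ValueError("not a type-7 string")
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ ord(TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]))
                   for i, b in enumerate(body))


def parse_blocks(config):
    """Group commands under their 'line ...'/'interface ...'/'router ...' header;
    global commands go under ''. A '!' or a new header ends the current block
    (indentation is not relied on, since the paper's listings lost it)."""
    blocks, current = {"": []}, ""
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            current = ""
            continue
        if cmd.startswith(("line ", "interface ", "router ")):
            current = cmd
            blocks.setdefault(current, [])
            continue
        blocks.setdefault(current, []).append(cmd)
    return blocks


def audit(config):
    """Return a list of findings (an empty list means nothing to report)."""
    blocks = parse_blocks(config)
    glob = blocks[""]
    findings = []
    if "ip ssh version 2" not in glob:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 remains negotiable (version 1.99)")
    if not any(c.startswith("ip domain-name ") for c in glob):
        findings.append("global: no 'ip domain-name', crypto key generate rsa cannot name the key")
    for name, cmds in blocks.items():
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{name}: {transport or 'transport input not set'}, Telnet can reach the line")
            if "login local" not in cmds:
                findings.append(f"{name}: no 'login local', the shared line password is the only credential")
        for c in cmds:
            m = re.fullmatch(r"password 7 ([0-9A-Fa-f]+)", c)
            if m:
                findings.append(f"{name or 'global'}: type-7 password recovers to {decode_type7(m.group(1))!r}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("BranchB (5.2)", BRANCHB_CFG), ("first listing", FIRST_LISTING_CFG)):
        print(label)
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the BranchB excerpt the audit reports only the two type-7 line passwords (both recover to the same five-letter string); against the first listing it additionally reports that the VTY lines have no transport input restriction and no login local, so they accept Telnet with the same recoverable password. The practical fix on that router is the section 4 procedure plus replacing the line password with a username ... secret account.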
5.3
VI. Conclusion
In practice, building a well-functioning network requires the administrator to know how to deploy the network infrastructure, deploy the application services, and secure the network; of these, security is the hardest task for the administrator. To help administrators manage their networks better, this article has presented a number of concepts of network security protocols and their configuration on Cisco routers: configuring the NTP client on the routers so that they update their system clocks through NTP, sending the routers' log messages to the Syslog server, having the routers timestamp correctly the log messages stored on the Syslog server, creating login users on the router, and configuring the VTY (virtual terminal) lines to accept SSH. The results meet the stated requirements, as shown by the configuration files of the routers in the network model and by the verification steps carried out in the article.