Identity authentication

Enable password complexity requirements; rotate passwords on a schedule; enable a login-failure handling policy and a login session timeout.

Some older switches do not support these commands. Newer devices generally ship with a password policy already enabled, but confirm that in the running configuration rather than assuming it.

// Turn on the password policy
password-control enable
// Turn on password expiry
password-control aging enable
// Passwords expire after 90 days
password-control aging 90
// Turn on the minimum-length check
password-control length enable
// Require at least 16 characters
password-control length 16
// Lock the account after 10 failed login attempts (lock-time 10); 10 is the
// upper end of what most baselines accept, and 3 to 5 is the usual choice
password-control login-attempt 10 exceed lock-time 10

Set the login session idle timeout. The unit is minutes (see the help output below); a value of 0 disables the timeout and defeats the control, so never leave a line at 0. The default of 10 minutes is acceptable, and shorter is better for console ports in shared equipment rooms.

[Huawei-aaa]local-user admin idle-timeout ?
  INTEGER<0-35791>  Set the number of minutes before terminal user(s) time out

[Huawei]user-interface current
[Huawei-ui-console0]idle-timeout ?
  INTEGER<0-35791>  Set the number of minutes before a terminal user times out (default: 10 minutes)

Access control

Configure login privileges per role (separate system, security and audit administrator accounts, the three-role separation); delete surplus accounts; disable unnecessary services; close unnecessary ports.

Allow login only at the console or over SSH, the safer remote option; Telnet carries credentials in clear text and should not be reachable.

# AAA authentication
aaa
# Create the local user with its privilege level (15 is the highest; give the
# security and audit administrators lower levels). Huawei@123 is a placeholder,
# replace it with a password that meets the length policy above
local-user sysadmin privilege level 15 password cipher Huawei@123
# Set the user's access types (note: none is set by default; terminal is the
# local console, and without it the user cannot log in at the console)
local-user sysadmin service-type ssh terminal

# Console port
user-interface console 0
# Authenticate console logins through AAA
authentication-mode aaa

# SSH

# Generate the server key pairs before enabling the server (choose 2048 bits
# when prompted; the DSA pair is only needed for legacy clients, RSA is enough)
rsa local-key-pair create
dsa local-key-pair create
# Enable the SSH (STelnet) server
stelnet server enable
# Register the SSH user with password authentication
ssh user sysadmin authentication-type password

# VTY lines used for remote login
user-interface vty 0 4
# Authenticate through AAA
authentication-mode aaa
# Accept SSH only; this removes Telnet from the VTY lines
protocol inbound ssh

Security audit

Enable log auditing with logs retained for at least 180 days; keep a local copy of the logs; back them up regularly and test that the backups restore. The on-box log buffer is small and held in memory, so the 180-day requirement is only met by sending logs to a syslog server (the loghost option below) and backing that server up.

# Enable the information center, which drives all logging
info-center enable
# Available options; loghost is the one that sends logs to a remote syslog server
[Huawei]info-center ?
  channel             Set the name of information channel
  console             Setting of console configuration
  enable              Enable the information center
  filter-id           Specify the configuration of the ID filtering table
  local               Setting of logging configurations except loghost
  logbuffer           Setting of log buffer configuration
  loghost             Setting of logging host configuration
  monitor             Setting of monitor configuration
  rate-limit          Specify the rate at which the information center processes information
  snmp                Setting of snmp configuration
  source              Informational source setting
  statistic-suppress  Suppression that the first occurrence of an event is always logged immediately, but subsequent identical messages are suppressed
  timestamp           Set the time stamp type of information
  trapbuffer          Setting of trap buffer configuration
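As an added example that is not part of the original page, the following Python script checks a `display current-configuration` dump against the three sections above: the password-control and idle-timeout items under identity authentication, the AAA, SSH-only VTY and account items under access control, and the info-center items under security audit. The two dumps are constructed samples, the thresholds are the ones used on this page, and two assumptions should be confirmed against the VRP release in use: a VTY block without `protocol inbound ssh` still accepts Telnet, and a line with no `idle-timeout` uses the 10-minute default from the help output.

```python
"""Baseline audit of a Huawei VRP configuration dump: an added example, not
code from the page.  WEAK and HARDENED are constructed sample dumps."""
import re

WEAK = """\
aaa
 local-user admin service-type telnet terminal
 local-user guest service-type telnet
user-interface con 0
 authentication-mode password
 idle-timeout 0 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
 idle-timeout 60 0
#
undo info-center enable
"""

HARDENED = """\
password-control enable
password-control aging 90
password-control length 16
password-control login-attempt 10 exceed lock-time 10
aaa
 local-user sysadmin service-type ssh terminal
stelnet server enable
user-interface con 0
 authentication-mode aaa
 idle-timeout 5 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 idle-timeout 5 0
#
info-center enable
info-center loghost 192.0.2.10
"""

def parse(text):
    """Return (global lines, {user: attribute lines}, {user-interface header: lines})."""
    glob, users, uis, block = [], {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line == "#":                     # a '#' line closes the current section
            block = None
        elif m := re.match(r"local-user (\S+) (.+)", line):
            users.setdefault(m[1], []).append(m[2])
        elif line.startswith("user-interface "):
            block, uis[line] = line, []
        elif block:
            uis[block].append(line)
        elif line:
            glob.append(line)
    return glob, users, uis

def audit(text, expected_users, max_aging=90, min_length=16, max_attempts=10, max_idle=10):
    """Return the list of findings; an empty list means the dump meets the baseline."""
    glob, users, uis = parse(text)
    out = []
    def num(tail):  # integer captured after 'password-control <tail>' in the global lines
        return next((int(m[1]) for m in (re.match("password-control " + tail, l) for l in glob) if m), None)
    # Identity authentication: password policy, with the thresholds used on the page
    if "password-control enable" not in glob:
        out.append("password policy disabled")
    for tail, ok, item in ((r"aging (\d+)$", lambda v: v <= max_aging, "aging"),
                           (r"length (\d+)$", lambda v: v >= min_length, "length"),
                           (r"login-attempt (\d+) exceed", lambda v: v <= max_attempts, "login-attempt")):
        v = num(tail)
        if v is None or not ok(v):
            out.append(f"password-control {item} missing or out of policy")
    # Access control: only the expected accounts, and none reachable over Telnet
    for name, attrs in users.items():
        if name not in expected_users:
            out.append(f"unexpected local-user {name}")
        if any("telnet" in a.split() for a in attrs if a.startswith("service-type")):
            out.append(f"local-user {name} may log in over telnet")
    # Console and VTY lines: AAA, a bounded idle timeout (absent means the 10-minute default),
    # SSH only on VTY.  Assumption: a VTY block without 'protocol inbound ssh' accepts Telnet.
    for ui, lines in uis.items():
        if "authentication-mode aaa" not in lines:
            out.append(f"{ui}: authentication-mode is not aaa")
        for mins, secs in re.findall(r"^idle-timeout (\d+)(?: (\d+))?$", "\n".join(lines), re.M):
            if int(mins) == 0 and int(secs or 0) == 0:
                out.append(f"{ui}: idle-timeout disabled")
            elif int(mins) > max_idle:
                out.append(f"{ui}: idle-timeout exceeds {max_idle} minutes")
        if ui.startswith("user-interface vty") and "protocol inbound ssh" not in lines:
            out.append(f"{ui}: inbound protocol not restricted to ssh")
    if uis and "stelnet server enable" not in glob:
        out.append("stelnet (SSH) server not enabled")
    # Security audit: logging on, and shipped off-box (the on-box buffer cannot hold 180 days)
    if "undo info-center enable" in glob:
        out.append("info-center disabled: nothing is logged")
    if not any(l.startswith("info-center loghost ") for l in glob):
        out.append("no info-center loghost configured")
    return out
```

Calling `audit(WEAK, {"sysadmin"})` returns fifteen findings, one per control that the weak dump lacks, while the hardened dump returns none. Feed it the saved output of `display current-configuration` together with the list of accounts that should exist (extend that set with the security and audit administrator accounts once the three roles are in place), and treat any non-empty result as work to do.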