1. Changing the password on an H3C switch:

[FC-RX_6F-SW-06]local-user admin class manage
[FC-RX_6F-SW-06-luser-manage-admin]password simple K**TYEKmL#d8 

2. H3C switch SSH remote login configuration

public-key local create rsa  # Generate an RSA key pair.
public-key local create dsa  # Generate a DSA key pair.
ssh server enable  # Enable the SSH server.

[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme  # Set the authentication mode on the user interface to AAA (scheme).
[H3C-ui-vty0-4] protocol inbound ssh  # Allow SSH on the user interface.

[H3C] local-user client001 class manage
New local user added
[H3C-luser-manage-client001] password simple aabbcc
[H3C-luser-manage-client001] service-type ssh
[H3C-luser-manage-client001] authorization-attribute user-role level-15
[H3C-luser-manage-client001] authorization-attribute user-role network-operator  # Create local user client001 and set its password, service type and user role.

3. H3C switch DNS configuration

dns source-interface Vlan-interface348
 dns domain cdg.local
 dns server 10.1.41.101 

4. H3C switch NTP configuration

clock protocol ntp
ntp-service enable
ntp-service unicast-server ntp.service.cdg.local source LoopBack0
clock timezone beijing add 8

5. H3C switch SNMP configuration

snmp-agent
snmp-agent community read cdgsnmp666
snmp-agent sys-info version v2c v3

6. Configuring password complexity on an H3C switch

  1) Example: passwords must be at least 12 characters long and mix digits, letters and special characters; passwords expire after 90 days; the account is locked after too many failed password attempts. If a logged-in user performs no action for 10 minutes, the session is disconnected.

[CN-HBDHY-OA-5-1F407-DSW01]password-control enable  # Enable the password policy
[CN-HBDHY-OA-5-1F407-DSW01]password-control length 12  # Minimum password length 12 characters
[CN-HBDHY-OA-5-1F407-DSW01]password-control composition type-number 3 type-length 1  # Passwords must contain 3 character types
[CN-HBDHY-OA-5-1F407-DSW01]password-control login-attempt 5 exceed lock-time 5  # Lock a local account for 5 minutes after 5 consecutive wrong passwords
[CN-HBDHY-OA-5-1F407-DSW01]password-control aging 90  # Password expires after 90 days (the default is 90 days)
[CN-HBDHY-OA-5-1F407-DSW01]password-control alert-before-expire 30  # Warn 30 days before the password expires
[CN-HBDHY-OA-5-1F407-DSW01]password-control history 5  # Keep 5 passwords in the history
[CN-HBDHY-OA-5-1F407-DSW01]password-control login idle-time 0  # No limit on account idle time
[CN-HBDHY-OA-5-1F407-DSW01]line vty 0 4
[CN-HBDHY-OA-5-1F407-DSW01-line-vty0-4]idle-timeout 10  # Remote login idle timeout 10 minutes (the default is 10 minutes)

  2) Restricting login source IP addresses

[CN-HBDHY-OA-5-1F407-DSW01]acl number 2001 name sourlimit 
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 11 permit source 10.1.13.100 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 12 permit source 10.1.21.131 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 15 permit source 10.1.41.170 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 21 permit source 10.16.2.100 0

[CN-HBDHY-OA-5-1F407-DSW01]ssh server acl 2001

  3) Separation of the three administrator roles

local-user admin class manage
 service-type ssh terminal
 authorization-attribute user-role level-15  # The system administrator gets management-level rights, i.e. full privileges
 authorization-attribute user-role network-operator

local-user audit class manage
 service-type ssh terminal
 authorization-attribute user-role level-1  # The audit administrator gets monitor-level rights, with only limited view permissions
 undo authorization-attribute user-role network-operator
 password simple Abc123123#

local-user security class manage
 service-type ssh terminal
 authorization-attribute user-role level-2  # The security administrator gets configuration-level rights: can view and change day-to-day configuration, but cannot use FTP, download files, run fault diagnostics, etc.
 undo authorization-attribute user-role network-operator
 password simple Abc123123#
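As an added check that is not part of the original post, the following Python script parses a running-config excerpt of the kind shown in section 6 and reports deviations from the stated policy (minimum length, character types, lockout, aging, vty idle timeout, SSH source ACL, and any local-user block without a password line). The SAMPLE_CONFIG string, the POLICY table and the function names are my own constructions; the command syntax is taken from the post.

```python
import re

# Added example (not from the post): check an H3C config excerpt against the section 6 policy.
# Constructed sample: admin deliberately lacks a password line; security's password contains '#'.
SAMPLE_CONFIG = """
[DSW01]password-control enable  # enable the password policy
[DSW01]password-control length 12
[DSW01]password-control composition type-number 3 type-length 1
[DSW01]password-control login-attempt 5 exceed lock-time 5
[DSW01]password-control aging 90
[DSW01-line-vty0-4]idle-timeout 10
[DSW01]ssh server acl 2001
local-user admin class manage
local-user security class manage
 password simple Abc123123#
"""
# (command prefix, check on its first integer argument, finding reported when the check fails)
POLICY = [
    ("password-control length", lambda v: v >= 12, "password length below 12"),
    ("password-control composition type-number", lambda v: v >= 3, "fewer than 3 character types"),
    ("password-control login-attempt", lambda v: v >= 1, "no lockout on failed logins"),
    ("password-control aging", lambda v: v <= 90, "password aging above 90 days"),
    ("idle-timeout", lambda v: 1 <= v <= 10, "vty idle-timeout not within 1-10 minutes"),
]

def parse_config(text):
    cmds = []
    for line in text.splitlines():
        line = re.sub(r"^\s*\[[^\]]*\]", "", line)             # drop the "[DSW01]" prompt
        line = re.split(r"\s+#", line, maxsplit=1)[0].strip()  # keep '#' inside a password
        if line:
            cmds.append(line)
    return cmds

def audit(text):
    cmds = parse_config(text)
    findings = [] if "password-control enable" in cmds else ["password-control is not enabled"]
    for prefix, ok, label in POLICY:
        args = [c[len(prefix):].split() for c in cmds if c.startswith(prefix)]
        if not args or not args[0] or not args[0][0].isdigit():
            findings.append(f"{prefix} not set")
        elif not ok(int(args[0][0])):
            findings.append(label)
    if not any(c.startswith("ssh server acl") for c in cmds):
        findings.append("ssh server not restricted by a source ACL")
    starts = [i for i, c in enumerate(cmds) if c.startswith("local-user ")] + [len(cmds)]
    for s, e in zip(starts, starts[1:]):   # each local-user block must contain a password line
        if not any(c.startswith("password ") for c in cmds[s + 1:e]):
            findings.append(f"local-user {cmds[s].split()[1]} has no password")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns a single finding for the admin account; an empty list means the excerpt meets the policy.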

7. H3C switch syslog configuration

  Eight severity levels, 0 to 7: 0 is the highest, 7 the lowest

  1) Saving to the log buffer

  info-center logbuffer: enables sending log messages to the log buffer; this is on by default

  2) Sending to a syslog server

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0 

  3) Viewing the syslog configuration

[CN-HBDHY-6-F202-Office-ACC02]dis info-center 
Information Center: Enabled
Console: Enabled
Monitor: Enabled
Log host: Enabled
    Source address interface: Vlan-interface348
    10.1.33.10,
    port number: 514, DSCP value:0, host facility: local0
Log buffer: Enabled
    Max buffer size 1024, current buffer size 512
    Current messages 512, dropped messages 0, overwritten messages 1677
Log file: Enabled
Security log file: Disabled
Information timestamp format:
    Log host: Date
    Other output destination: Date

posted on 2021-01-21 17:55 by 星痕1216