1. Disabling HTTP and HTTPS on a Huawei switch

undo http server enable         # disable the HTTP management interface
undo http secure-server enable  # disable the HTTPS management interface

  Note: when disabling, turn off HTTP first and then HTTPS; when enabling, turn on HTTPS first and then HTTP. With both off, the only remaining management paths are the console and the SSH access configured in section 3.

2. Changing a password on a Huawei switch

[CN-HBCR-OA-1-2F419-ASW30-aaa] local-user admin password irreversible-cipher uxin777888
Please enter old password:

  The irreversible-cipher keyword stores the password as a one-way hash rather than a reversible cipher. When the logged-in account changes its own password, the switch asks for the old password before accepting the new one. The passwords throughout this post are sample values; replace them with your own.

3. SSH remote-access configuration on a Huawei switch

rsa local-key-pair create  # Generate the RSA host key pair; choose a modulus of at least 2048 bits when prompted.

aaa
 local-user admin password irreversible-cipher xinghen1216
 local-user admin service-type ssh telnet
# Create the local user admin and set its password and service types.
# The telnet service type is unnecessary once the VTY lines below accept SSH only; section 6 grants terminal and ssh instead.

stelnet server enable                        # enable the STelnet (SSH) server
ssh user admin                               # register admin as an SSH user
ssh user admin authentication-type password  # password authentication for admin
ssh user admin service-type stelnet          # admin may use STelnet only (no SFTP)

user-interface vty 0 4
 authentication-mode aaa   # VTY logins are authenticated through AAA (the local users above)
 user privilege level 15   # management level for sessions on these lines
 protocol inbound ssh      # accept SSH only; telnet is refused on these lines

4. NTP configuration on a Huawei switch

clock timezone BJ add 8                 # time zone: UTC+8 (Beijing)
ntp-service unicast-server 10.1.41.156  # NTP server to synchronize from (no NTP authentication is configured here)

dis ntp-service status  # check NTP status
 clock status: synchronized
 clock stratum: 4
 reference clock ID: 10.1.41.156
 nominal frequency: 100.0000 Hz
 actual frequency: 100.0000 Hz
 clock precision: 2^18
 clock offset: 0.0000 ms
 root delay: 31.18 ms
 root dispersion: 1.13 ms
 peer dispersion: 1.95 ms
 reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)
 synchronization state: clock set

dis ntp-service sessions  # check NTP sessions
 clock source: 10.1.41.156
 clock stratum: 3
 clock status: configured, master, sane, valid
 reference clock ID: 203.107.6.88
 reach: 3
 current poll: 64
 now: 41
 offset: -4.3416 ms
 delay: 4.64 ms
 disper: 1.01 ms

  The switch reports stratum 4, one below the server's stratum 3, and the server itself synchronizes to 203.107.6.88. As in ntpq, reach is the 8-bit register of recent poll results, so a value of 3 means only the last two polls were answered: the association is still young.
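The following Python script is an added example (not part of the original post) that turns the two outputs above into a go/no-go decision before the switch's timestamps are trusted for log correlation. It parses the page's own `display ntp-service status` and `display ntp-service sessions` text; the stratum and offset thresholds, and the reading of `reach` as an octal 8-bit register, are assumptions.

```python
"""Sanity-check `display ntp-service status` / `display ntp-service sessions`
output before trusting the switch's timestamps for log correlation.

Added example, not from the original post. The two samples are the outputs
shown in section 4; the threshold values are assumptions.
"""

STATUS_OUTPUT = """\
 clock status: synchronized
 clock stratum: 4
 reference clock ID: 10.1.41.156
 nominal frequency: 100.0000 Hz
 actual frequency: 100.0000 Hz
 clock precision: 2^18
 clock offset: 0.0000 ms
 root delay: 31.18 ms
 root dispersion: 1.13 ms
 peer dispersion: 1.95 ms
 reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)
 synchronization state: clock set
"""

SESSIONS_OUTPUT = """\
 clock source: 10.1.41.156
 clock stratum: 3
 clock status: configured, master, sane, valid
 reference clock ID: 203.107.6.88
 reach: 3
 current poll: 64
 now: 41
 offset: -4.3416 ms
 delay: 4.64 ms
 disper: 1.01 ms
"""


def parse_fields(text):
    """'key: value' lines -> dict with lower-cased keys (first ':' splits)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def reach_fraction(reach):
    """Share of the last eight polls the server answered. `reach` is the
    8-bit reachability shift register; ntpq prints it in octal, and for the
    page's value 3 octal and decimal agree (assumption: VRP does the same)."""
    return bin(int(reach, 8) & 0xFF).count("1") / 8


def ntp_summary(status_text, sessions_text, expected_server,
                max_stratum=10, max_offset_ms=100.0):
    """Return a summary dict; summary['problems'] is empty when the clock
    is synchronized to the expected server within tolerance."""
    status = parse_fields(status_text)
    session = parse_fields(sessions_text)
    problems = []

    if status.get("clock status") != "synchronized":
        problems.append(f"clock status is '{status.get('clock status')}'")
    stratum = int(status.get("clock stratum", "16"))
    if stratum > max_stratum:
        problems.append(f"stratum {stratum} exceeds {max_stratum}")
    if status.get("reference clock id") != expected_server:
        problems.append(f"reference is {status.get('reference clock id')}, "
                        f"expected {expected_server}")
    # The session offset is the signed difference measured against the server.
    offset_ms = float(session.get("offset", "nan").split()[0])
    if not abs(offset_ms) <= max_offset_ms:      # also catches NaN
        problems.append(f"offset {offset_ms} ms exceeds {max_offset_ms} ms")

    return {
        "synchronized": status.get("clock status") == "synchronized",
        "stratum": stratum,
        "server_stratum": int(session.get("clock stratum", "16")),
        "upstream_of_server": session.get("reference clock id"),
        "offset_ms": offset_ms,
        "reach_fraction": reach_fraction(session.get("reach", "0")),
        "problems": problems,
    }


if __name__ == "__main__":
    print(ntp_summary(STATUS_OUTPUT, SESSIONS_OUTPUT, "10.1.41.156"))
```

The reach fraction is reported rather than treated as a failure: a freshly configured association legitimately starts low, while a stuck one stays low after the server has had time to answer several polls.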

5. SNMP configuration on a Huawei switch

snmp-agent sys-info version all  # SNMP versions to accept; all = v1, v2c and v3. v1/v2c send the community string in cleartext, so prefer v3 alone where the NMS supports it.
snmp-agent community read cipher uxinsnmp123  # read-only community string
snmp-agent trap enable  # let the switch send traps on its own initiative
snmp-agent target-host trap address udp-domain 10.1.41.253 params securityname cipher uxinsnmp123  # trap destination (the alarm/NMS host)

6. Administrator security configuration on a Huawei switch

  1) Example requirements: passwords of at least 12 characters mixing digits, letters and special characters; passwords expire after 90 days; an account locks after too many wrong passwords; a login session with no activity for 10 minutes is disconnected; the three roles (system administrator, security administrator, audit administrator) are separated.

[CN-HBDHY-OA-1-1F312-DSW01]undo user-interface password complexity-check disable  # enable global password complexity checking (on by default)
[CN-HBDHY-OA-1-1F312-DSW01]set password min-length 12  # minimum password length: 12 characters
[CN-HBDHY-OA-1-1F312-DSW01]aaa
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-user admin idle-timeout 10  # idle timeout for the local administrator admin: 10 minutes
[CN-HBDHY-OA-1-1F312-DSW01-aaa]user-password complexity-check  # enable complexity checking for local account passwords
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5  # local accounts: 5 wrong passwords within a 5-minute window lock the account for 5 minutes
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user password policy administrator  # enter the administrator password-policy view
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password expire 90  # administrator passwords expire after 90 days
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password alert before-expire 30  # warn 30 days before expiry
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password history record number 5  # remember the last 5 passwords so they cannot be reused

  2) Restricting login source IPs

acl name sourlimit 2001
 rule 11 permit source 10.1.13.100 0
 rule 12 permit source 10.1.21.131 0
 rule 15 permit source 10.1.41.170 0
 rule 21 permit source 10.16.2.100 0
ssh server acl 2001  # only the four hosts above may open SSH connections

  The ACL lists the permitted management hosts with host masks (wildcard 0). It is applied to the SSH server only, so it does not affect console access.

  3) Separating the three administrator roles

 local-user admin password irreversible-cipher Abc123123# idle-timeout 10 0
 local-user admin privilege level 15  # system administrator: management level, i.e. full rights
 local-user admin service-type terminal ssh
 local-user audit password irreversible-cipher Abc123123# idle-timeout 10 0
 local-user audit privilege level 1  # audit administrator: monitor level, view-only (a subset of display commands)
 local-user audit service-type terminal ssh
 local-user security password irreversible-cipher Abc123123# idle-timeout 10 0
 local-user security privilege level 2  # security administrator: configuration level, can view and change routine configuration but cannot use FTP, download files or run fault diagnosis
 local-user security service-type terminal ssh

  idle-timeout 10 0 means 10 minutes 0 seconds; terminal allows console login and ssh allows SSH login. The three accounts share one sample password here only for illustration; give each role its own.
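The hardening items in sections 1, 3, 5 and 6 are easy to lose on a device that is later reconfigured, so the following Python script is added here (it is not from the original post) as an offline audit of a saved configuration against them. It assumes the input is `display current-configuration` text with indented sub-commands and `#` separator lines; the sample configuration is constructed from the commands on this page, and the 12-character and 90-day thresholds are the ones the page uses.

```python
"""Offline baseline audit of a Huawei VRP switch configuration.

Added example, not from the original post. Assumption: the input is the text
of `display current-configuration`, where sub-commands are indented and
blocks are separated by lines holding only '#'. Checks follow sections 1, 3,
5 and 6 of this page; the 12-character and 90-day thresholds are the page's.
"""
import re

# Constructed sample assembled from the commands shown on this page.
SAMPLE_CONFIG = """\
#
undo http server enable
undo http secure-server enable
#
set password min-length 12
#
snmp-agent sys-info version all
#
aaa
 local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5
 local-aaa-user password policy administrator
  password expire 90
 local-user admin service-type ssh telnet
 local-user audit service-type terminal ssh
#
ssh server acl 2001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

# Hardened variant: SNMPv3 only, and no telnet service type for admin.
HARDENED_CONFIG = (SAMPLE_CONFIG
                   .replace("sys-info version all", "sys-info version v3")
                   .replace("service-type ssh telnet", "service-type ssh"))


def split_blocks(config):
    """Split on '#' separator lines into lists of stripped, non-empty lines."""
    blocks = [[]]
    for line in config.splitlines():
        if line.strip() == "#":
            blocks.append([])
        elif line.strip():
            blocks[-1].append(line.strip())
    return [b for b in blocks if b]


def first_match(lines, pattern):
    """First re.match of `pattern` against `lines`, or None."""
    return next((m for m in map(re.compile(pattern).match, lines) if m), None)


def audit_config(config):
    """Return a list of findings; an empty list means the baseline is met."""
    blocks = split_blocks(config)
    flat = [line for block in blocks for line in block]
    findings = []

    # Section 1: web management explicitly disabled.
    for cmd in ("undo http server enable", "undo http secure-server enable"):
        if cmd not in flat:
            findings.append(f"web: missing '{cmd}'")

    # Section 3: VTY lines use AAA and accept SSH only.
    vty = next((b for b in blocks if b[0].startswith("user-interface vty")), [])
    if "authentication-mode aaa" not in vty:
        findings.append("vty: authentication-mode aaa not set")
    if "protocol inbound ssh" not in vty:
        findings.append("vty: inbound protocol not restricted to ssh")

    # Section 6.2: SSH server bound to a source ACL.
    if first_match(flat, r"ssh server acl \S+") is None:
        findings.append("ssh: no source ACL applied")

    # Section 6.1: length, expiry and lockout.
    m = first_match(flat, r"set password min-length (\d+)")
    if m is None or int(m.group(1)) < 12:
        findings.append("password: minimum length below 12 or unset")
    m = first_match(flat, r"password expire (\d+)")
    if m is None or int(m.group(1)) > 90:
        findings.append("password: expiry above 90 days or unset")
    if first_match(flat, r"local-aaa-user wrong-password .*block-time \d+") is None:
        findings.append("password: no lockout after repeated failures")

    # Section 5: SNMPv1/v2c carry the community string in cleartext.
    m = first_match(flat, r"snmp-agent sys-info version (.+)")
    if m and {"all", "v1", "v2c"} & set(m.group(1).split()):
        findings.append(f"snmp: cleartext version enabled ('{m.group(1)}')")

    # Section 6.3: no local user may be given the telnet service type.
    for m in map(re.compile(r"local-user (\S+) service-type (.+)").match, flat):
        if m and "telnet" in m.group(2).split():
            findings.append(f"user {m.group(1)}: telnet service-type enabled")

    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "baseline met")
```

Run against the page's own commands the audit reports two findings, SNMP `version all` and the `telnet` service type from section 3, both of which the later sections of the page already move away from; the hardened variant passes cleanly.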

7. Syslog configuration on a Huawei switch

  Severity has eight levels, 0 to 7: 0 is the most severe and 7 the least.

  1) Keeping logs in the buffer

  info-center logbuffer: sends log messages to the log buffer; on by default. The buffer is a fixed-size ring, so once it fills older messages are overwritten (see the overwritten counters in 3) below).

  2) Sending logs to a syslog server

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348  # source interface (and address) for outgoing syslog
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0  # syslog server and facility; this is plain UDP syslog, so the path to 10.1.33.10 should be a trusted management network

  3) Viewing the syslog configuration

[CN-HBDHY-OA-1-1F312-DSW01]dis info-center
Information Center:enabled
Log host:
    the interface name of the source address:Vlanif348
    10.1.33.10, channel number 2, channel name loghost,
language English , host facility local0
Console:
    channel number : 0, channel name : console
Monitor:
    channel number : 1, channel name : monitor
SNMP Agent:
    channel number : 5, channel name : snmpagent
Log buffer:
    enabled,max buffer size 1024, current buffer size 512,
current messages 512, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 97581
Trap buffer:
    enabled,max buffer size 1024, current buffer size 256,
current messages 256, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 219323
logfile:
    channel number : 9, channel name : channel9, language : English
Information timestamp setting:
        log - date, trap - date, debug - date millisecond

 Sent messages = 531626, Received messages = 531626
 IO Reg messages = 0 IO Sent messages = 0

  The log buffer holds 512 messages and has already overwritten 97581, so the on-box buffer is only a short-term view; the syslog server at 10.1.33.10 is the durable record.
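What the syslog server at 10.1.33.10 receives is raw RFC 3164 lines whose `<PRI>` encodes the facility configured above and one of the eight severities. The following Python script, added here and not part of the original post, decodes the PRI, checks that each message really arrived on local0, and picks out the entries at warning level or worse. The PRI arithmetic (PRI = facility * 8 + severity, local0 = 16) is the standard; the sample lines are constructed, and their `%%01MODULE/severity/MNEMONIC(l)[seq]:text` body layout, module names and mnemonics are assumptions about the VRP format.

```python
"""Decode what arrives at the syslog server configured in section 7
(`info-center loghost 10.1.33.10 facility local0`) and pick out the entries
worth alerting on.

Added example, not from the original post. The PRI arithmetic is RFC 3164
(PRI = facility * 8 + severity, local0 = 16). The sample lines are
constructed; their body layout %%01MODULE/severity/MNEMONIC(l)[seq]:text is
an assumption about the VRP format, as are the module and mnemonic names.
"""
import re

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

# Constructed sample traffic: three messages from the switch on local0 and
# one stray local7 message, which the page's configuration would not produce.
SAMPLE_LINES = [
    "<133>Mar  4 2021 15:08:00 CN-HBDHY-OA-1-1F312-DSW01 %%01SHELL/5/LOGIN(l)[12]:"
    "The user logged in. (UserName=admin, IPAddress=10.1.13.100)",
    "<131>Mar  4 2021 15:09:30 CN-HBDHY-OA-1-1F312-DSW01 %%01SHELL/3/LOGINFAILED(l)[13]:"
    "Failed to log in. (UserName=admin, IPAddress=10.16.9.77)",
    "<132>Mar  4 2021 15:10:02 CN-HBDHY-OA-1-1F312-DSW01 %%01SHELL/4/CMDCONFIRM(l)[14]:"
    "The user chose Y when deciding whether to execute the command. (Command=reboot)",
    "<189>Mar  4 2021 15:10:05 other-host %%01IFNET/5/LINK_STATE(l)[3]:"
    "The line protocol changed to UP.",
]

HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
BODY_RE = re.compile(r"(?P<host>\S+) %%01(?P<module>\w+)/(?P<sev>\d)/"
                     r"(?P<mnemonic>\w+)\(l\)\[(?P<seq>\d+)\]:(?P<text>.*)$")


def decode_pri(pri):
    """Split the <PRI> value into (facility name, severity number)."""
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, severity


def parse_line(line):
    """Parse one syslog line; returns None for lines without a valid PRI."""
    m = HEADER_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    record = {"facility": facility, "severity": severity,
              "severity_name": SEVERITY_NAMES[severity], "raw": line}
    body = BODY_RE.search(m.group("rest"))
    if body:
        record.update(body.groupdict())
        # The severity digit inside the VRP body should agree with the PRI.
        record["severity_consistent"] = int(body.group("sev")) == severity
    return record


def triage(lines, expected_facility="local0", alert_at_or_above=4):
    """Return (alerts, unexpected): alerts are records at 'warning' (4) or
    more severe from the expected facility; unexpected are records from any
    other facility, i.e. a misconfigured sender or a different device."""
    alerts, unexpected = [], []
    for rec in filter(None, map(parse_line, lines)):
        if rec["facility"] != expected_facility:
            unexpected.append(rec)
        elif rec["severity"] <= alert_at_or_above:
            alerts.append(rec)
    return alerts, unexpected


if __name__ == "__main__":
    found, stray = triage(SAMPLE_LINES)
    for rec in found:
        print(rec["severity_name"], rec.get("mnemonic"), rec.get("text"))
    print(len(stray), "message(s) from an unexpected facility")
```

Filtering on the decoded PRI rather than on message text keeps the rule stable across firmware wording changes, and the facility check is cheap evidence that the receiver is only ingesting what the `facility local0` line above was meant to send it.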

 

posted on 2021-03-04 15:08 by 星痕1216 (4429 views, 0 comments)