H3C Switch Basic Configuration


 1. H3C switch SSH remote login configuration

public-key local create rsa  # Generate the RSA key pair.
public-key local create dsa  # Generate the DSA key pair.
ssh server enable  # Enable the SSH server function.

[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme  # Set the authentication mode on the user interface to AAA authentication.
[H3C-ui-vty0-4] protocol inbound ssh  # Allow only the SSH protocol on the user interface.

[H3C] local-user client001 class manage
New local user added
[H3C-luser-manage-client001] password simple aabbcc
[H3C-luser-manage-client001] service-type ssh
[H3C-luser-manage-client001] authorization-attribute user-role level-15
[H3C-luser-manage-client001] authorization-attribute user-role network-operator  # Create local user client001 and set its password, service type and user roles.

2. H3C switch NTP configuration

clock timezone beijing add 8
clock protocol ntp
ntp-service enable
ntp-service unicast-server x.x.x.x

6. H3C switch password complexity configuration

  1) Example policy: password length of at least 12 characters, mixing digits, letters and special characters; password validity of 90 days; lockout after too many failed password attempts. If a user performs no operation for 10 minutes after logging in, the login session is disconnected.

[CN-HBDHY-OA-5-1F407-DSW01]password-control enable  # Enable the password policy
[CN-HBDHY-OA-5-1F407-DSW01]password-control length 12  # Set the minimum password length to 12 characters
[CN-HBDHY-OA-5-1F407-DSW01]password-control composition type-number 3 type-length 1  # Require passwords to contain 3 character types
[CN-HBDHY-OA-5-1F407-DSW01]password-control login-attempt 5 exceed lock-time 5  # Limit consecutive wrong passwords for a local account to 5; lock the account for 5 minutes
[CN-HBDHY-OA-5-1F407-DSW01]password-control aging 90  # Set the password expiry to 90 days (the default is already 90 days)
[CN-HBDHY-OA-5-1F407-DSW01]password-control alert-before-expire 30  # Warn 30 days before the password expires
[CN-HBDHY-OA-5-1F407-DSW01]password-control history 5  # Keep 5 entries of password history
[CN-HBDHY-OA-5-1F407-DSW01]password-control login idle-time 0  # Set the account idle time (unused-account expiry) to unlimited
[CN-HBDHY-OA-5-1F407-DSW01]line vty 0 4
[CN-HBDHY-OA-5-1F407-DSW01-line-vty0-4]idle-timeout 10  # Set the remote login idle timeout to 10 minutes (the default is 10 minutes)

  2) Login source IP restriction

[CN-HBDHY-OA-5-1F407-DSW01]acl number 2001 name sourlimit 
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 11 permit source 10.1.13.100 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit]rule 12 permit source 10.1.21.131 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 15 permit source 10.1.41.170 0
[CN-HBDHY-OA-5-1F407-DSW01-acl-basic-2001-sourlimit] rule 21 permit source 10.16.2.100 0

[CN-HBDHY-OA-5-1F407-DSW01]ssh server acl 2001
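An added example (not from the original page) that checks an exported H3C running-config against the baseline described in 1) and 2) above: password-control enabled, length >= 12, at least 3 character types, lockout on failed logins, aging no longer than 90 days, SSH bound to a source ACL, and a vty idle-timeout of at most 10 minutes. The config text is constructed and the function name is our own.

```python
import re

# Constructed sample running-config excerpt (not captured from a real device);
# two settings are deliberately weaker than the baseline described on the page.
SAMPLE_CONFIG = """\
 password-control enable
 password-control length 8
 password-control composition type-number 3 type-length 1
 password-control login-attempt 5 exceed lock-time 5
 password-control aging 90
 ssh server enable
 ssh server acl 2001
line vty 0 4
 authentication-mode scheme
 protocol inbound ssh
 idle-timeout 30
"""


def _first_int(pattern: str, config: str):
    """Return the first captured integer for pattern, or None if absent."""
    m = re.search(pattern, config, re.M)
    return int(m.group(1)) if m else None


def audit_h3c_config(config: str) -> list:
    """Compare a config text with the page's baseline; return a list of findings."""
    findings = []
    if not re.search(r"^\s*password-control enable\s*$", config, re.M):
        findings.append("password-control not enabled")
    length = _first_int(r"^\s*password-control length (\d+)", config)
    if length is None or length < 12:
        findings.append(f"password length {length} < 12")
    types = _first_int(r"^\s*password-control composition type-number (\d+)", config)
    if types is None or types < 3:
        findings.append(f"composition type-number {types} < 3")
    if not re.search(r"^\s*password-control login-attempt \d+ exceed lock", config, re.M):
        findings.append("no lockout after failed login attempts")
    # The page states the device default aging is 90 days, so only an explicit
    # value above 90 is flagged.
    aging = _first_int(r"^\s*password-control aging (\d+)", config)
    if aging is not None and aging > 90:
        findings.append(f"password aging {aging} days > 90")
    if not re.search(r"^\s*ssh server acl \d+", config, re.M):
        findings.append("SSH server not restricted by a source ACL")
    idle = _first_int(r"^\s*idle-timeout (\d+)", config)
    if idle is None or idle == 0 or idle > 10:
        findings.append(f"vty idle-timeout {idle} min not within 1-10")
    return findings


if __name__ == "__main__":
    for finding in audit_h3c_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```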

  3) Separation of administrator roles (three-way separation of duties)

local-user admin class manage
 service-type ssh terminal
 authorization-attribute user-role level-15  # The system administrator is assigned management-level privileges, i.e. full rights
 authorization-attribute user-role network-operator

local-user audit class manage
 service-type ssh terminal
 authorization-attribute user-role level-1  # The audit administrator is assigned monitoring-level privileges, with view-only rights for part of the system
 undo authorization-attribute user-role network-operator
 password simple Abc123123#

local-user security class manage
 service-type ssh terminal
 authorization-attribute user-role level-2  # The security administrator is assigned configuration-level privileges: can view and modify day-to-day configuration, but cannot perform FTP, file download, fault diagnosis, etc.
 undo authorization-attribute user-role network-operator
 password simple Abc123123#

7. H3C switch syslog configuration

  Eight severity levels, 0-7; 0 is the highest (most severe), 7 the lowest.

  1) Saving to the log buffer

  info-center logbuffer: enables sending log messages to the log buffer; this function is enabled by default.

  2) Sending to a syslog server

[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0 

  3) Viewing the syslog configuration

[CN-HBDHY-6-F202-Office-ACC02]dis info-center 
Information Center: Enabled
Console: Enabled
Monitor: Enabled
Log host: Enabled
    Source address interface: Vlan-interface348
    10.1.33.10,
    port number: 514, DSCP value:0, host facility: local0
Log buffer: Enabled
    Max buffer size 1024, current buffer size 512
    Current messages 512, dropped messages 0, overwritten messages 1677
Log file: Enabled
Security log file: Disabled
Information timestamp format:
    Log host: Date
    Other output destination: Date
