1. Huawei switch: disable HTTP and HTTPS management
undo http server enable
undo http secure-server enable
Note: when disabling, turn off HTTP first and then HTTPS; when enabling, turn on HTTPS first and then HTTP.
2. Huawei switch: change a password
[CN-HBCR-OA-1-2F419-ASW30-aaa] local-user admin password irreversible-cipher uxin777888 # irreversible-cipher stores a one-way hash, so the plaintext cannot be recovered from the saved configuration
Please enter old password:
3. Huawei switch: SSH remote access configuration
rsa local-key-pair create # generate the RSA key pair used by the SSH server
aaa
local-user admin password irreversible-cipher xinghen1216
local-user admin service-type ssh telnet
# create local user admin and set its password and service types (telnet is plaintext; list only ssh unless Telnet is genuinely required, and note that the VTY lines below only accept SSH anyway)
stelnet server enable
ssh user admin
ssh user admin authentication-type password
ssh user admin service-type stelnet
user-interface vty 0 4
authentication-mode aaa # authenticate VTY logins against the AAA local users above
user privilege level 15 # level 15 is the management level (full access)
protocol inbound ssh # accept only SSH on these VTY lines; Telnet connections are refused
4. Huawei switch: NTP configuration
clock timezone BJ add 8 # set the time zone (UTC+8)
ntp-service unicast-server 10.1.41.156 # configure the time server
dis ntp-service status # view NTP status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.1.41.156
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 31.18 ms
root dispersion: 1.13 ms
peer dispersion: 1.95 ms
reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)
synchronization state: clock set
dis ntp-service sessions # view NTP sessions
clock source: 10.1.41.156
clock stratum: 3
clock status: configured, master, sane, valid
reference clock ID: 203.107.6.88
reach: 3
current poll: 64
now: 41
offset: -4.3416 ms
delay: 4.64 ms
disper: 1.01 ms
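The status output above is what an operator reads by eye; the following script parses it and decides whether the switch clock can be trusted for log correlation. It is an added example, not code from the original page: the sample text is a constructed copy in the layout shown above, the "current time" used for the staleness check is assumed, and the thresholds (stratum, offset, age) are arbitrary defaults. It also cross-checks the hex NTP timestamp in parentheses against the human-readable reference time.

```python
"""Parse and sanity-check `display ntp-service status` output from a Huawei switch."""
import re
from datetime import datetime, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)

# Constructed sample in the exact layout shown above (not a live capture).
SAMPLE_STATUS = """\
clock status: synchronized
clock stratum: 4
reference clock ID: 10.1.41.156
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^18
clock offset: 0.0000 ms
root delay: 31.18 ms
root dispersion: 1.13 ms
peer dispersion: 1.95 ms
reference time: 02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)
synchronization state: clock set
"""

# Assumed "current time" for the staleness check, shortly after the sample was taken.
SAMPLE_NOW = datetime(2021, 11, 2, 3, 0, 0, tzinfo=timezone.utc)


def parse_ntp_status(text):
    """Turn 'key: value' lines into a dict; the key is the label before the first colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_reference_time(value):
    """Split '02:41:38.856 UTC Nov 2 2021(E52B23E2.DB3ECCC4)' into the human-readable
    time and the time encoded in the hex NTP timestamp, both as aware UTC datetimes."""
    m = re.fullmatch(
        r"(\d\d:\d\d:\d\d)\.\d+ UTC ([A-Za-z]{3} \d{1,2} \d{4})\(([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\)",
        value,
    )
    if not m:
        raise ValueError(f"unrecognised reference time: {value!r}")
    text_dt = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    ntp_dt = datetime.fromtimestamp(int(m.group(3), 16) - NTP_UNIX_DELTA, tz=timezone.utc)
    return text_dt, ntp_dt


def check_ntp_status(text, expected_server, max_stratum=5, max_offset_ms=100.0, max_age_s=3600, now=None):
    """Return a list of findings; an empty list means the clock looks trustworthy."""
    f = parse_ntp_status(text)
    findings = []
    if f.get("clock status") != "synchronized":
        findings.append(f"clock status is {f.get('clock status')!r}, not synchronized")
    stratum = int(f.get("clock stratum", "16"))  # 16 is NTP's "unsynchronized"
    if stratum > max_stratum:
        findings.append(f"stratum {stratum} exceeds {max_stratum}")
    if f.get("reference clock ID") != expected_server:
        findings.append(f"reference clock {f.get('reference clock ID')!r} is not the configured server {expected_server}")
    offset_ms = abs(float(f.get("clock offset", "0").split()[0]))
    if offset_ms > max_offset_ms:
        findings.append(f"clock offset {offset_ms} ms exceeds {max_offset_ms} ms")
    if "reference time" in f:
        text_dt, ntp_dt = parse_reference_time(f["reference time"])
        if abs((text_dt - ntp_dt).total_seconds()) > 1:
            findings.append("reference time text disagrees with its NTP timestamp")
        if now is not None and (now - text_dt).total_seconds() > max_age_s:
            findings.append(f"last sync at {text_dt.isoformat()} is older than {max_age_s} s")
    return findings


if __name__ == "__main__":
    for finding in check_ntp_status(SAMPLE_STATUS, "10.1.41.156", now=SAMPLE_NOW) or ["OK"]:
        print(finding)
```

Feed it the output of `dis ntp-service status` collected from each switch; a non-empty result (unsynchronized, stratum 16, a reference clock that is not the server you configured, or a reference time hours old) means timestamps in that switch's syslog cannot be relied on.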
5. Huawei switch: SNMP configuration
snmp-agent sys-info version all # configure SNMP versions; "all" enables v1, v2c and v3 together, and v1/v2c send the community string in cleartext, so enable only v3 where the NMS supports it
snmp-agent community read cipher uxinsnmp123 # configure the read-only community string
snmp-agent trap enable # allow the switch to send trap messages
snmp-agent target-host trap address udp-domain 10.1.41.253 params securityname cipher uxinsnmp123 # configure the trap receiver
6. Huawei switch: administrator security configuration
1) Example requirements: passwords of at least 12 characters mixing digits, letters and special characters; password validity of 90 days; lockout after too many failed attempts; a session is disconnected after 10 minutes without activity following a successful login; separation of the three roles (system administrator, security administrator, audit administrator).
[CN-HBDHY-OA-1-1F312-DSW01]undo user-interface password complexity-check disable # enable global password complexity checking (on by default)
[CN-HBDHY-OA-1-1F312-DSW01]set password min-length 12 # minimum password length of 12 characters
[CN-HBDHY-OA-1-1F312-DSW01]aaa
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-user admin idle-timeout 10 # idle timeout of 10 minutes for the local administrator admin
[CN-HBDHY-OA-1-1F312-DSW01-aaa]user-password complexity-check # enable complexity checking for local account passwords
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user wrong-password retry-interval 5 retry-time 5 block-time 5 # local accounts: retry interval 5 minutes, lock after 5 consecutive wrong passwords, lockout lasts 5 minutes
[CN-HBDHY-OA-1-1F312-DSW01-aaa]local-aaa-user password policy administrator # enter the administrator password-policy view
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password expire 90 # passwords under the administrator policy expire after 90 days
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password alert before-expire 30 # warn 30 days before expiry
[CN-HBDHY-OA-1-1F312-DSW01-aaa-lupp-admin]password history record number 5 # remember the last 5 passwords so they cannot be reused
2) Restrict login source IPs
acl name sourlimit 2001
 rule 11 permit source 10.1.13.100 0
 rule 12 permit source 10.1.21.131 0
 rule 15 permit source 10.1.41.170 0
 rule 21 permit source 10.16.2.100 0
ssh server acl 2001 # bind the ACL to the SSH server so only the listed management hosts can open SSH sessions
3) Separation of the three administrator roles
local-user admin password irreversible-cipher Abc123123# idle-timeout 10 0 # example password; in practice each role gets its own credential
local-user admin privilege level 15 # system administrator: management level, i.e. full rights
local-user admin service-type terminal ssh
local-user audit password irreversible-cipher Abc123123# idle-timeout 10 0
local-user audit privilege level 1 # audit administrator: monitoring level, view (display) rights only
local-user audit service-type terminal ssh
local-user security password irreversible-cipher Abc123123# idle-timeout 10 0
local-user security privilege level 2 # security administrator: configuration level, can view and change day-to-day configuration but cannot use FTP, download files or run fault diagnostics
local-user security service-type terminal ssh
7. Huawei switch: syslog configuration
Eight severity levels, 0 to 7: 0 is the highest severity (emergency), 7 the lowest (debug).
1) Keep logs in the buffer
info-center logbuffer: enables sending log messages to the log buffer; on by default
2) Send logs to a syslog server
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost source Vlanif348 # pin the source address so the collector can allow-list it by IP
[CN-HBDHY-OA-1-1F312-DSW01]info-center loghost 10.1.33.10 facility local0 # syslog server and facility
3) View the syslog configuration
[CN-HBDHY-OA-1-1F312-DSW01]dis info-center
Information Center:enabled
Log host:
    the interface name of the source address:Vlanif348
    10.1.33.10, channel number 2, channel name loghost, language English , host facility local0
Console:
    channel number : 0, channel name : console
Monitor:
    channel number : 1, channel name : monitor
SNMP Agent:
    channel number : 5, channel name : snmpagent
Log buffer:
    enabled,max buffer size 1024, current buffer size 512, current messages 512, channel number : 4, channel name : logbuffer
    dropped messages 0, overwritten messages 97581
Trap buffer:
    enabled,max buffer size 1024, current buffer size 256, current messages 256, channel number:3, channel name:trapbuffer
    dropped messages 0, overwritten messages 219323
logfile:
    channel number : 9, channel name : channel9, language : English
Information timestamp setting:
    log - date, trap - date, debug - date millisecond
Sent messages = 531626, Received messages = 531626
IO Reg messages = 0 IO Sent messages = 0
The overwritten-message counters show how quickly the 512-entry buffers wrap; only the remote loghost retains history, so check that it is actually receiving.