PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

Addressing Table
(The IP address and subnet mask values of this table were not preserved in the extracted text; those cells are left blank.)

Device   Interface       IP Address   Subnet Mask   Default Gateway   Switch Port
R1       FA0/1                                      N/A               S1 FA0/5
R1       S0/0/0 (DCE)                               N/A               N/A
R2       S0/0/0                                     N/A               N/A
R2       S0/0/1 (DCE)                               N/A               N/A
R3       FA0/1                                      N/A               S3 FA0/5
R3       S0/0/                                      N/A               N/A
PC-A     NIC                                                          S1 FA0/6
PC-B     NIC                                                          S2 FA0/18
PC-C     NIC                                                          S3 FA0/6

Learning Objectives
- Configure routers as NTP clients.
- Configure routers to update the hardware clock using NTP.
- Configure routers to log messages to the syslog server.
- Configure routers to timestamp log messages.
- Configure local users.
- Configure VTY lines to accept SSH connections only.
- Configure an RSA key pair on the SSH server.
- Verify SSH connectivity from the PC client and the router client.

Introduction
The network topology shows three routers. You will configure NTP and Syslog on all routers. You will configure SSH on R3.

Network Time Protocol (NTP) allows routers on the network to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source have more consistent time settings, and the Syslog messages they generate can be analyzed more easily. This helps when troubleshooting network problems and attacks. When NTP is implemented in the network, it can be set up to synchronize to a private master clock or to a publicly available NTP server on the Internet.

The NTP Server is the master NTP server in this lab. You will configure the routers to allow the software clock to be synchronized by NTP to the time server. Also, you will configure the routers to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may fall out of synchronization with each other.

The Syslog Server will provide message logging in this lab. You will configure the routers to identify the remote host (Syslog server) that will receive logging messages.

You will need to configure the timestamp service for logging on the routers. Displaying the correct time and date in Syslog messages is vital when using Syslog to monitor a network. If the correct time and date of a message is not known, it can be difficult to determine what network event caused the message.

R2 is an ISP connected to two remote networks: R1 and R3. The local administrator at R3 can perform most router configuration and troubleshooting; however, since R3 is a managed router, the ISP needs access to R3 for occasional troubleshooting or updates. To provide this access in a secure manner, the administrators have agreed to use Secure Shell (SSH).

You use the CLI to configure the router to be managed securely using SSH instead of Telnet. SSH is a network protocol that establishes a secure terminal emulation connection to a router or other networking device. SSH encrypts all information that passes over the network link and provides authentication of the remote computer. SSH is rapidly replacing Telnet as the remote login tool of choice for network professionals.

The servers have been pre-configured for NTP and Syslog services respectively. NTP will not require authentication. The routers have been pre-configured with the following:
- Enable password: ciscoenpa55
- Password for vty lines: ciscovtypa55
- Static routing

Task 1: Configure routers as NTP Clients.

Step 1. Test connectivity.
- Ping from PC-C to R3.
- Ping from R2 to R3.
- Telnet from PC-C to R3.
- Telnet from R2 to R3.

Step 2. Configure R1, R2 and R3 as NTP clients.
Verify the client configuration using the command show ntp status.

Step 3. Configure routers to update the hardware clock.
Configure R1, R2 and R3 to periodically update the hardware clock with the time learned from NTP. Verify that the hardware clock was updated using the command show clock.

Step 4. Configure routers to timestamp log messages.

Step 5. Configure the timestamp service for logging on the routers.

Task 2: Configure routers to log messages to the Syslog Server.

Step 1. Configure the routers to identify the remote host (Syslog Server) that will receive logging messages.
The router console will display a message that logging has started.

Step 2. Verify the logging configuration using the command show logging.

Step 3. Examine the logs of the Syslog server.
From the Config tab of the Syslog server's dialogue box, select the Syslog services button. Observe the logging messages received from the routers.
Note: Log messages can be generated on the server by executing commands on the router. For example, entering and exiting global configuration mode will generate an informational configuration message.

Task 3: Configure R3 to support SSH connections.

Step 1. Configure a domain name.
Configure a domain name on R3.

Step 2. Configure users for login from the SSH client on R3.
Create a user ID of SSHadmin with the highest possible privilege level and a secret password of ciscosshpa55.

Step 3. Configure the incoming VTY lines on R3.
Use the local user accounts for mandatory login and validation. Accept only SSH connections.

Step 4. Erase existing key pairs on R3.
Any existing RSA key pairs should be erased on the router.
Note: If no keys exist, you might receive this message: % No Signature RSA Keys found in configuration.

Step 5. Generate the RSA encryption key pair for R3.
The router uses the RSA key pair for authentication and encryption of transmitted SSH data. Configure the RSA keys with a modulus of 1024. The default is 512, and the range is from 360 to 2048.

R3(config)# crypto key generate rsa   (press Enter)
The name for the keys will be: R3.
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Note: The command to generate RSA encryption key pairs for R3 in Packet Tracer differs from the one used in the lab on real equipment.

Step 6. Verify the SSH configuration.
Use the show ip ssh command to see the current settings. Verify that the authentication timeout and retries are at their default values of 120 and 3.

Step 7. Configure SSH timeouts and authentication parameters.
The default SSH timeouts and authentication parameters can be altered to be more restrictive. Set the timeout to 90 seconds, the number of authentication retries to 2, and the version to 2. Issue the show ip ssh command again to confirm that the values have been changed.

Step 8. Attempt to connect to R3 via Telnet from PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via Telnet.

PC> telnet

This connection should fail, since R3 has been configured to accept only SSH connections on the virtual terminal lines.

Step 9. Connect to R3 using SSH on PC-C.
Open the Desktop of PC-C. Select the Command Prompt icon. From PC-C, enter the command to connect to R3 via SSH. When prompted for the
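As an added example (not part of the original lab), a small Python audit that checks a router's running-config text against the requirements of Tasks 1 to 3: NTP client, hardware-clock update, Syslog host, log timestamps, a privilege-15 local user, SSH-only vty lines with local login, SSH version 2, a 90-second timeout and 2 retries. The sample config is constructed; the server addresses and domain name are placeholders because the lab text does not preserve them.

```python
import re

# Constructed sample (hypothetical): the R3 running-config this lab works toward.
# Server addresses and the domain name are placeholders; the extracted lab text
# does not preserve them.
HARDENED_R3 = """\
service timestamps log datetime msec
ip domain-name DOMAIN_PLACEHOLDER
username SSHadmin privilege 15 secret ciscosshpa55
ntp server NTP_SERVER_IP_PLACEHOLDER
ntp update-calendar
logging host SYSLOG_SERVER_IP_PLACEHOLDER
ip ssh time-out 90
ip ssh authentication-retries 2
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
"""

def _vty_commands(lines):
    """Commands nested under every 'line vty ...' stanza (indented lines)."""
    nested, inside = [], False
    for line in lines:
        if line.startswith("line vty"):
            inside = True
        elif inside and line.startswith(" "):
            nested.append(line.strip())
        else:
            inside = False
    return nested

def audit_config(config):
    """Map each requirement of this lab to True (met) or False (not met)."""
    lines = [l.rstrip() for l in config.splitlines()]
    vty = _vty_commands(lines)
    has = lambda pattern: any(re.fullmatch(pattern, l) for l in lines)
    return {
        "ntp_client": has(r"ntp server \S+"),
        "ntp_updates_hardware_clock": has(r"ntp update-calendar"),
        "syslog_server_set": has(r"logging host \S+"),
        "log_timestamps": has(r"service timestamps log datetime.*"),
        "local_admin_user": has(r"username \S+ privilege 15 secret \S+"),
        "vty_login_local": "login local" in vty,
        "vty_ssh_only": "transport input ssh" in vty,
        "ssh_version_2": has(r"ip ssh version 2"),
        "ssh_timeout_90s": has(r"ip ssh time-out 90"),
        "ssh_retries_2": has(r"ip ssh authentication-retries 2"),
    }
```

Running audit_config on the pre-lab vty configuration (password login, transport input telnet ssh) reports every item as unmet, which is the state Step 8 of Task 3 confirms by a Telnet attempt.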