JUNOS防止DDOS攻击的配置

1550阅读 0评论2014-02-10 linuxnet527
分类:系统运维


JUNOS防止DDOS攻击的配置

时间:2012-06-04 06:17来源:未知 作者:admin 点击:次
# Base system settings: hostname, local accounts and the management services
# the router listens on.
# NOTE(review): both password hashes in this stanza are printed in full on a
# public page; treat them as disclosed and never reuse them on a real device.
system {
     host-name provider;
     root-authentication {
         # "$1$" marks the MD5-crypt hash format, which is cheap to attack
         # offline once the hash leaks. Where the release supports it, a
         # stronger format (system login password format sha512) is preferable.
         encrypted-password "$1$LZn..$5wu/mQL3Y07YWodOqBl5S1"; # SECRET-DATA
     }
     login {
         # Single local account with full administrative rights (super-user).
         user lab {
              uid 2000;
              class super-user;
              authentication {
                  # Same MD5-crypt format as the root hash above.
                  encrypted-password "$1$cfuC.$vLPgSA7peoy/UzF7bIJJA0"; # SECRET-DATA
              }
         }
     }
     services {
         # FTP and Telnet carry logins and session data in cleartext; SSH
         # (services ssh) is the encrypted alternative for management access.
         # No input filter is applied to lo0 in this listing, so nothing shown
         # here restricts which sources can reach these services.
         ftp;
         telnet;
     }
}
# Interface addressing. The only firewall filter in this configuration is
# attached here, as an output filter on ge-7/1/0.
interfaces {
     # fxp0 is the out-of-band management Ethernet port of the routing engine.
     fxp0 {
         unit 0 {
              family inet {
                  address 172.17.3.232/23;
              }
         }
     }
     # Gigabit Ethernet link; runs OSPF as an active interface (see protocols).
     ge-0/1/0 {
         gigether-options {
              no-flow-control;
         }
         unit 0 {
              family inet {
                  address 10.0.1.2/24;
              }
         }
     }
     # Link toward the protected server: the static route to 192.168.0.0/24
     # uses next hop 10.0.0.1, which lies in this interface's subnet.
     ge-7/1/0 {
         gigether-options {
              no-flow-control;
         }
         unit 0 {
              family inet {
                  filter {
                      # Applied to packets leaving through this interface, so
                      # traffic is filtered just before it is sent toward the
                      # server. Packets arriving on this interface are not
                      # filtered.
                      output ftp-www-only;
                  }
                  address 10.0.0.2/24;
              }
         }
     }
     # Loopback address. No input filter is configured on lo0, so traffic
     # addressed to the router itself is not filtered by anything in this
     # listing.
     lo0 {
         unit 0 {
              family inet {
                  address 10.0.200.1/32;
              }
         }
     }
     # SONET link; runs OSPF as an active interface (see protocols).
     so-3/1/3 {
         sonet-options {
              no-payload-scrambler;
         }
         unit 0 {
              family inet {
                  address 10.0.3.2/24;
              }
         }
     }
}
# Packet sampling settings used by the "sample" action in the firewall filter.
forwarding-options {
     sampling {
         input {
              family inet {
                  # Sample 1 out of every 50 packets that a filter term has
                  # marked with the "sample" action.
                  rate 50;
              }
         }
         output {
              # Sampled packet records are written to a file named dos-attack.
              # world-readable lets every local user on the router read it;
              # the records expose source and destination details of the
              # sampled traffic, so drop the option unless non-privileged
              # users really need the file.
              file filename dos-attack world-readable;
         }
     }
}
# Static route to the network that contains the protected server
# (192.168.0.10), reached through 10.0.0.1 on the ge-7/1/0 subnet.
routing-options {
     static {
         # NOTE(review): current Junos releases spell this keyword "next-hop";
         # verify "nexthop" against the target release before loading.
         route 192.168.0.0/24 nexthop 10.0.0.1;
     }
}
# OSPF in the backbone area, with static routes exported through the
# static-ospf policy.
# NOTE(review): no OSPF authentication is configured on the active interfaces
# in this listing; a device on those links could form an adjacency and inject
# routes. Confirm whether authentication is set elsewhere.
protocols {
     ospf {
         export static-ospf;
         area 0.0.0.0 {
              interface ge-0/1/0.0;
              # Passive: the subnet is advertised, but no OSPF adjacency is
              # formed on the server-facing link.
              interface ge-7/1/0.0 {
                  passive;
              }
              interface so-3/1/3.0;
              interface lo0.0;
         }
     }
}
# Export policy referenced by "protocols ospf export".
policy-options {
     # Accepts every static route, not only 192.168.0.0/24, so any static
     # route added later is redistributed into OSPF as well. A route-filter
     # match would limit the export to the intended prefix.
     policy-statement static-ospf {
         from protocol static;
         then accept;
     }
}
# Stateless filter applied on output of ge-7/1/0. Terms are evaluated in
# order and the first matching term's terminating action decides the packet.
firewall {
     filter ftp-www-only {
         # Matches the first packet of every TCP connection to the server
         # (tcp-initial: SYN set, ACK clear), counts it, marks it for sampling
         # and rejects it.
         # Because this term comes first and does not match on port, it also
         # rejects initial SYNs to FTP and HTTP: while it is in place no new
         # TCP connection to 192.168.0.10 can be opened through this
         # interface. It is a measurement aid (counter plus samples) to be
         # removed or narrowed once the attack sources are identified.
         # "reject" answers each matched packet with an ICMP unreachable
         # message; during a flood with forged source addresses those replies
         # go to uninvolved hosts and add load, so "discard" is usually the
         # safer action.
         term temporary-dos-filter {
              from {
                  destination-address {
                      192.168.0.10/32;
                  }
                  protocol tcp;
                  tcp-initial;
              }
              then {
                  count dos-attack;
                  sample;
                  reject;
              }
         }
         # Permits TCP traffic to the server's FTP control, FTP data and HTTP
         # ports. With the term above active, only non-initial packets reach
         # this term.
         term allow-ftp-www {
              from {
                  destination-address {
                      192.168.0.10/32;
                  }
                  protocol tcp;
                  destination-port [ ftp ftp-data http ];
              }
              then accept;
         }
         # Everything else addressed to the server is counted, logged and
         # dropped silently (the action is discard, despite the term name).
         term reject-other {
              from {
                  destination-address {
                      192.168.0.10/32;
                  }
              }
              then {
                  count unauthorized-service-request;
                  log;
                  discard;
              }
         }
         # No match conditions: accepts all remaining traffic leaving the
         # interface. Without this term the filter's implicit final discard
         # would drop traffic to every other destination.
         term accept {
              then accept;
         }
     }
}