MINISTRY FOR THE DEVELOPMENT OF INFORMATION TECHNOLOGIES AND COMMUNICATIONS OF THE REPUBLIC OF UZBEKISTAN
TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES NAMED AFTER MUHAMMAD AL-XORAZMIY

Laboratory work 1 in the subject "Network Security" (Tarmoq havfsizligi)

Performed by: G'ulomov Sardor, student of group NWS006-L1
Accepted by: Shakarov Muhiddin

Tashkent, 2022

Laboratory work 1
CONFIGURING INITIAL SECURITY SETTINGS ON NETWORK DEVICES

Purpose of the work: to study the structure and operating principles of a switch, the ways of providing remote access to it, and the rules for configuring its security settings.

1. Checking the switch configuration.

1.1. Connect the cables according to the topology.

1.2. Check the initial state of the switch.

a. Enter privileged EXEC mode.

   Switch>enable
   Switch#

b. Display the running configuration.

   Switch#show running-config
   Building configuration...

   Current configuration : 1043 bytes
   !
   version 12.2
   no service timestamps log datetime msec
   no service timestamps debug datetime msec
   no service password-encryption
   !
   hostname Switch
   !
   spanning-tree mode pvst
   !
   interface FastEthernet0/1
   !
   interface FastEthernet0/2
   !
   interface FastEthernet0/3
   !
   interface FastEthernet0/4
   !
   interface FastEthernet0/5
   !
   interface FastEthernet0/6
   !
   interface FastEthernet0/7
   !
   interface FastEthernet0/8
   !
   interface FastEthernet0/9
   !
   interface FastEthernet0/10
   !
   interface FastEthernet0/11
   !
   interface FastEthernet0/12
   !
   interface FastEthernet0/13
   !
   interface FastEthernet0/14
   !
   interface FastEthernet0/15
   !
   interface FastEthernet0/16
   !
   interface FastEthernet0/17
   !
   interface FastEthernet0/18
   !
   interface FastEthernet0/19
   !
   interface FastEthernet0/20
   !
   interface FastEthernet0/21
   !
   interface FastEthernet0/22
   !
   interface FastEthernet0/23
   !
   interface FastEthernet0/24
   !
   interface GigabitEthernet0/1
   !
   interface GigabitEthernet0/2
   !
   interface Vlan1
    no ip address
    shutdown
   !
   line con 0
   !
   line vty 0 4
    login
   line vty 5 15
    login
   !
   end

   In this factory-default state the console line has no password, the VTY lines have login but no password (so Telnet logins are refused), password encryption is off, and the management SVI (Vlan1) is administratively shut down. The rest of the lab fixes each of these.

How many FastEthernet interfaces does the 2960 switch have?
- 24 (FastEthernet0/1 through FastEthernet0/24).

How many Gigabit Ethernet interfaces does the 2960 switch have?
- 2 (GigabitEthernet0/1 and GigabitEthernet0/2).

What is the range of the VTY lines?
- 0 to 15 (line vty 0 4 and line vty 5 15, 16 virtual terminal lines in total).

c. Examine the characteristics of the SVI for VLAN 1.

   Switch#show interface vlan1
   Vlan1 is administratively down, line protocol is down
     Hardware is CPU Interface, address is 00d0.9785.379d (bia 00d0.9785.379d)
     MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
        reliability 255/255, txload 1/255, rxload 1/255
     Encapsulation ARPA, loopback not set
     ARP type: ARPA, ARP Timeout 04:00:00
     Last input 21:40:21, output never, output hang never
     Last clearing of "show interface" counters never
     Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
     Queueing strategy: fifo
     Output queue: 0/40 (size/max)
     5 minute input rate 0 bits/sec, 0 packets/sec
     5 minute output rate 0 bits/sec, 0 packets/sec
        1682 packets input, 530955 bytes, 0 no buffer
        Received 0 broadcasts (0 IP multicast)
        0 runts, 0 giants, 0 throttles
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
        563859 packets output, 0 bytes, 0 underruns
        0 output errors, 23 interface resets
        0 output buffer failures, 0 output buffers swapped out

   Switch#show ip interface vlan1
   Vlan1 is administratively down, line protocol is down
     Internet protocol processing disabled

   "Administratively down" means the interface is shut down in the configuration. Until it is enabled and given an IP address, the switch cannot be managed over the network at all.

d. Examine the information about the switch's Cisco IOS operating system.

   Switch#show version
   Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
   Copyright (c) 1986-2005 by Cisco Systems, Inc.
   Compiled Wed 12-Oct-05 22:05 by pt_team

   ROM: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)

   System returned to ROM by power-on

   Cisco WS-C2960-24TT (RC32300) processor (revision C0) with 21039K bytes of memory.

   24 FastEthernet/IEEE 802.3 interface(s)
   2 Gigabit Ethernet/IEEE 802.3 interface(s)

   63488K bytes of flash-simulated non-volatile configuration memory.
   Base ethernet MAC Address       : 00D0.9785.379D
   Motherboard assembly number     : 73-9832-06
   Power supply part number        : 341-0097-02
   Motherboard serial number       : FOC103248MJ
   Power supply serial number      : DCA102133JA
   Model revision number           : B0
   Motherboard revision number     : C0
   Model number                    : WS-C2960-24TT
   System serial number            : FOC1033Z1EY
   Top Assembly Part Number        : 800-26671-02
   Top Assembly Revision Number    : B0
   Version ID                      : V02
   CLEI Code Number                : COM3K00BRA
   Hardware Board Revision Number  : 0x01

   Switch   Ports  Model          SW Version  SW Image
   ------   -----  -----          ----------  ----------
   *    1   26     WS-C2960-24TT  12.2        C2960-LANBASE-M

   Configuration register is 0xF

   This output confirms the answers above: 24 FastEthernet and 2 Gigabit Ethernet interfaces (26 ports in the summary table) and IOS release 12.2(25)FX. The compiler string "pt_team" shows that the switch is a Packet Tracer simulation.

2. Configuring the basic settings of the network device.

2.1. Configure the basic switch parameters: the device name, local passwords, the MOTD banner (the warning message shown to anyone connecting to the device), the management address and Telnet access.

a. Enter privileged EXEC mode.

   Switch>enable
   Switch#

b. Enter global configuration mode.

   Switch#configure terminal
   Enter configuration commands, one per line.  End with CNTL/Z.
   Switch(config)#

c. Give the switch a name.

   Switch(config)#hostname Sardor
   Sardor(config)#

d. Enable password encryption.

   Sardor(config)#service password-encryption
   Sardor(config)#

   This command stores line passwords (console, VTY) in "type 7" form instead of cleartext. Type 7 is a reversible obfuscation, not a hash: anyone who obtains a copy of the configuration can recover the original passwords. It protects only against someone reading the password off the screen; it is not a substitute for the one-way hash used by enable secret below.

e. Set the word imtiyoz as the secret password for entering privileged EXEC mode.

   Sardor(config)#enable secret imtiyoz
   Sardor(config)#

   enable secret stores a salted one-way hash (type 5, MD5, on this IOS release), so the password cannot be read back out of the configuration. Do not configure enable password alongside it: the secret takes precedence, but the weaker form would still sit in the configuration.

f. Configure the MOTD banner (the warning message shown to anyone connecting to the device).

   Sardor(config)#banner motd #Qurilmaga kirish taqiqlanadi!!!#

   (The banner text means "Access to the device is prohibited!!!". The # characters are the delimiters and are not part of the banner.)

g. Check that the transitions between modes work as configured.

   Sardor(config)#exit
   Sardor#
   %SYS-5-CONFIG_I: Configured from console by console
   Sardor#exit

   Go from user EXEC mode to privileged EXEC mode. When prompted for the password, enter imtiyoz.

   Sardor con0 is now available

   Press RETURN to get started.

   Qurilmaga kirish taqiqlanadi!!!

   Sardor>
   Sardor>enable
   Password:
   Sardor#

   Note: the password is not displayed while it is typed.

h. Enter global configuration mode to assign an IP address to the switch's SVI.
   This is what makes remote management of the switch possible. Before switch S1 (renamed Sardor above) can be managed from the remote host PC-A, it must be given an IP address. In the default configuration the switch is managed through VLAN 1. Configure the switch's internal virtual interface (SVI) for VLAN 1 with the IP address 192.168.1.100 and the subnet mask 255.255.255.0.

   Sardor#config
   Configuring from terminal, memory, or network [terminal]?
   Enter configuration commands, one per line.  End with CNTL/Z.
   Sardor(config)#interface vlan1
   Sardor(config-if)#ip address 192.168.1.100 255.255.255.0
   Sardor(config-if)#no shutdown
   Sardor(config-if)#
   %LINK-5-CHANGED: Interface Vlan1, changed state to up
   Sardor(config-if)#exit
   Sardor(config)#

   The no shutdown command is required: as step 1.2c showed, Vlan1 is administratively down by default.

3. Configuring the console.

Access through the console port must also be restricted. In the default configuration the console line has no password, so anyone with physical access to the console port gets a CLI without authenticating. The logging synchronous command stops unsolicited log messages from breaking up the command being typed.

   Sardor(config)#line console 0
   Sardor(config-line)#password konsol
   Sardor(config-line)#login
   Sardor(config-line)#logging synchronous
   Sardor(config-line)#exit
   Sardor(config)#

   The login command is what actually turns on the password check; a line password set without login is not enforced.

4. Configuring Telnet.

For the switch to accept Telnet connections, that is, to be manageable remotely, the virtual terminal (vty) lines must be configured. If no vty password is set, the switch refuses Telnet logins.

   Sardor(config)#line vty 0 15
   Sardor(config-line)#password telnet
   Sardor(config-line)#login
   Sardor(config-line)#end
   Sardor#

   Telnet sends the login password and every later command in cleartext, so anyone who can capture traffic on the path can read them. Section 5 restricts the vty lines to SSH, which disables this Telnet access again.

5. Configuring SSH.

Before configuring SSH, the switch must have a unique host name and the corresponding network connectivity settings (the management address from step 2.1h).

Step 1. Check whether SSH is available.

To find out whether the SSH protocol is available, issue the show ip ssh command.
   Sardor#show ip ssh
   SSH Disabled - version 1.99
   %Please create RSA keys (of atleast 768 bits size) to enable SSH v2.
   Authentication timeout: 120 secs; Authentication retries: 3

Step 2. Configure the IP domain.

Specify the network's IP domain in global configuration mode with ip domain-name <domain name>. The domain name is combined with the host name to label the RSA key pair (here Sardor.tuit.uz), which is why both must be set before the key is generated. The transcript below also contains the commands of steps 3 to 6, which are explained after it.

   Sardor(config)#ip domain-name tuit.uz
   Sardor(config)#crypto key generate rsa
   The name for the keys will be: Sardor.tuit.uz
   Choose the size of the key modulus in the range of 360 to 2048 for your
     General Purpose Keys. Choosing a key modulus greater than 512 may take
     a few minutes.

   How many bits in the modulus [512]: 1024
   % Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

   Sardor(config)#username Sardor secret ssh
   *??? 2 2:26:18.888: %SSH-5-ENABLED: SSH 1.99 has been enabled
   Sardor(config)#
   Sardor(config)#line vty 0 15
   Sardor(config-line)#transport input ssh
   Sardor(config-line)#login local
   Sardor(config-line)#exit
   Sardor(config)#ip ssh version 2
   Sardor(config)#exit
   Sardor#
   %SYS-5-CONFIG_I: Configured from console by console
   Sardor#

Step 3. Generate the RSA keys.

Not every IOS version supports SSH version 2, and SSH version 1 has known weaknesses. To enforce SSHv2, issue ip ssh version 2 in global configuration mode. The SSH server starts automatically as soon as an RSA key pair exists. To enable the SSH server and generate the key pair, enter crypto key generate rsa in global configuration mode. The administrator is asked for the modulus length. This report uses 1024 bits; the show ip ssh message above states that SSHv2 needs at least 768 bits, and current practice is 2048 bits or more (the largest value this IOS release offers). A longer modulus is more secure but takes longer to generate and to use.

Step 4. Configure user authentication.

The SSH server can authenticate users against the local user database or against an authentication server.
To use local authentication, issue username <user name> secret <password> in global configuration mode. This report uses Sardor as the user name and ssh as the password (a guessable value that is acceptable only in the lab).

Step 5. Configure the VTY lines.

The transport input ssh command, issued in line configuration mode, enables the SSH protocol on the VTY lines. On switches the VTY line range is 0 to 15. This setting rejects every connection method other than SSH (for example Telnet) and allows only SSH connections to the switch. Issue line vty in global configuration mode, then login local in line configuration mode so that SSH logins are authenticated against the local user database. Once login local is set, the line password from section 4 is no longer consulted (the per-user secret is used instead), although it stays in the configuration until it is removed.

Step 6. Enforce SSH version 2.

By default SSH supports both versions (1 and 2). When both are enabled, show ip ssh reports version 1.99. Version 1 has many weaknesses, so only version 2 should be used; to enforce it, issue ip ssh version 2 in global configuration mode. SSH rather than Telnet is recommended for managing a remote device securely: Telnet exchanges everything as unencrypted cleartext, whereas SSH encrypts all data transmitted between the devices and so provides a secure connection to the remote device.

6. Assign an IP address to PC-A.

7. Check network connectivity.

7.1. Display the switch configuration.

   Sardor#show run
   Building configuration...

   Current configuration : 1411 bytes
   !
   version 12.2
   no service timestamps log datetime msec
   no service timestamps debug datetime msec
   service password-encryption
   !
   hostname Sardor
   !
   enable secret 5 $1$mERr$ZdZ2g9X0ZTLtUcdBNuMHC.
   !
   ip ssh version 2
   ip domain-name tuit.uz
   !
   username Sardor secret 5 $1$mERr$u6bXnRbHtjySSeBKFm9BU.
   !
   spanning-tree mode pvst
   !
   interface FastEthernet0/1
   !
   interface FastEthernet0/2
   !
   interface FastEthernet0/3
   !
   interface FastEthernet0/4
   !
   interface FastEthernet0/5
   !
   interface FastEthernet0/6
   !
   interface FastEthernet0/7
   !
   interface FastEthernet0/8
   !
   interface FastEthernet0/9
   !
   interface FastEthernet0/10
   !
   interface FastEthernet0/11
   !
   interface FastEthernet0/12
   !
   interface FastEthernet0/13
   !
   interface FastEthernet0/14
   !
   interface FastEthernet0/15
   !
   interface FastEthernet0/16
   !
   interface FastEthernet0/17
   !
   interface FastEthernet0/18
   !
   interface FastEthernet0/19
   !
   interface FastEthernet0/20
   !
   interface FastEthernet0/21
   !
   interface FastEthernet0/22
   !
   interface FastEthernet0/23
   !
   interface FastEthernet0/24
   !
   interface GigabitEthernet0/1
   !
   interface GigabitEthernet0/2
   !
   interface Vlan1
    ip address 192.168.1.100 255.255.255.0
   !
   banner motd ^CQurilmaga kirish taqiqlanadi!!!^C
   !
   line con 0
    password 7 082A43401A1609
    logging synchronous
    login
   !
   line vty 0 4
    password 7 08354942071C11
    login local
    transport input ssh
   line vty 5 15
    password 7 08354942071C11
    login local
    transport input ssh
   !
   end

   Points to check in this output: the enable secret and the username secret are stored as type 5 (MD5) hashes, while the console and VTY passwords are stored as type 7, which is reversible; the vty lines are restricted to SSH with local authentication, so the type 7 vty password is now unused but still present (remove it with no password in line configuration mode if it is not needed); and ip ssh version 2 is set.

7.2. Check direct connectivity with an echo request.

a. From PC-A, send an echo request (ping) to the administrative address of the switch's SVI, 192.168.1.100.

7.3. Check remote management of switch S1.

a. In the command window of PC-A, connect to the switch's SVI administrative address over SSH. Telnet is no longer accepted, because the vty lines were set to transport input ssh in section 5; only an SSH session authenticated with the user name Sardor and the password ssh will succeed.

b. After entering the SSH password you are in user EXEC mode. Enter privileged EXEC mode with enable and the password imtiyoz.

c. Enter exit to end the SSH session.

7.4. Save the changes made to the switch.

   Sardor#copy running-config startup-config
   Destination filename [startup-config]?
   Building configuration...
   [OK]
   Sardor#

Without this step the changes are lost at the next reload, since only the startup-config in NVRAM survives a power cycle.
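The following Python script is an added example for this report; it is not part of the original lab work or of any Cisco tool. It applies the publicly known IOS type 7 algorithm to the two password 7 strings from the show run output in 7.1 and recovers the console and VTY passwords typed in sections 3 and 4, which is why service password-encryption must not be mistaken for real protection. The configuration excerpt is copied from 7.1; the fixed key string and the 0 to 15 seed range are properties of IOS, not of this report.

```python
"""Cisco IOS type 7 ("service password-encryption") is reversible obfuscation.

Added example for this lab report (not from the original): decodes the
`password 7` strings in the final show run and recovers the cleartext.
"""

# Fixed XOR key used by IOS for type 7 passwords (public since the 1990s).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decrypt(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as 082A43401A1609."""
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 strings are an even number of hex digits, seed included")
    seed = int(encoded[:2], 10)           # first two digits: starting offset into the key
    payload = bytes.fromhex(encoded[2:])  # remaining digits: XOR-obfuscated password bytes
    clear = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(payload)
    )
    return clear.decode("ascii")


def type7_encrypt(cleartext: str, seed: int = 8) -> str:
    """Produce the type 7 form IOS would store; IOS picks a seed in 0..15 itself."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    data = cleartext.encode("ascii")
    obfuscated = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{seed:02d}" + obfuscated.hex().upper()


def recover_line_passwords(running_config: str) -> dict:
    """Map each `line ...` section of a config to the decoded value of its `password 7`."""
    found, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line
        elif line.startswith("password 7 ") and current:
            found[current] = type7_decrypt(line.split()[2])
    return found


# Excerpt of the lab's final running-config (section 7.1), with IOS indentation.
SAMPLE_CONFIG = """
line con 0
 password 7 082A43401A1609
 logging synchronous
 login
line vty 0 4
 password 7 08354942071C11
 login local
 transport input ssh
line vty 5 15
 password 7 08354942071C11
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for section, password in recover_line_passwords(SAMPLE_CONFIG).items():
        print(f"{section}: {password}")
```

Running the script prints konsol for line con 0 and telnet for both vty ranges, exactly the values typed in sections 3 and 4. The encrypt function is included so the same key can be seen to produce the stored string 082A43401A1609 from konsol with seed 8; a different seed changes the hex digits but not the ease of reversal.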
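A second added example, also not from the original report: a small audit script that checks a saved running-config for the hardening steps performed in this lab and lists what is missing. It is run against excerpts of the default configuration from 1.2b and of the final configuration from 7.1, reproduced with the standard IOS indentation that the flattened transcript above lost. The check names, the section parser and the stale-password helper are chosen for this example and are not IOS features.

```python
"""Audit a Cisco IOS running-config for the hardening steps of this lab.

Added example, not part of the original report. A config is split into
top-level lines and indented sub-sections (show run layout); '!' ends a section.
"""
from typing import Dict, List


def _blocks(config: str) -> Dict[str, List[str]]:
    """Return {'': [top-level lines], 'line vty 0 4': [its indented lines], ...}."""
    blocks: Dict[str, List[str]] = {"": []}
    parent = ""
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            parent = ""                    # '!' separates sections in IOS output
            continue
        if raw.startswith(" ") and parent:
            blocks[parent].append(text)    # indented line belongs to current section
        else:
            parent = text
            blocks.setdefault(parent, [])
            blocks[""].append(parent)
    return blocks


def audit(config: str) -> Dict[str, bool]:
    """One boolean per hardening item; True means the item is in place."""
    b = _blocks(config)
    top = b[""]
    vty = {k: v for k, v in b.items() if k.startswith("line vty")}
    con = b.get("line con 0", [])
    vlan1 = b.get("interface Vlan1", [])
    return {
        "hostname_changed": any(l.startswith("hostname ") and l != "hostname Switch" for l in top),
        # enable secret is a one-way hash; an enable password beside it would leak a weaker form
        "enable_secret": any(l.startswith("enable secret ") for l in top)
                         and not any(l.startswith("enable password ") for l in top),
        "password_encryption": "service password-encryption" in top,
        "console_login": "login" in con and any(l.startswith("password ") for l in con),
        "mgmt_svi_up": any(l.startswith("ip address ") for l in vlan1) and "shutdown" not in vlan1,
        "domain_name": any(l.startswith("ip domain-name ") for l in top),
        "ssh_v2_only": "ip ssh version 2" in top,
        "local_user": any(l.startswith("username ") and " secret " in l for l in top),
        "vty_ssh_only": bool(vty) and all("transport input ssh" in v for v in vty.values()),
        "vty_login_local": bool(vty) and all("login local" in v for v in vty.values()),
    }


def failures(config: str) -> List[str]:
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(k for k, ok in audit(config).items() if not ok)


def stale_vty_passwords(config: str) -> List[str]:
    """VTY sections that still carry a line password although login local ignores it."""
    return sorted(
        name for name, body in _blocks(config).items()
        if name.startswith("line vty") and "login local" in body
        and any(l.startswith("password ") for l in body)
    )


# Excerpts of the lab's default (1.2b) and final (7.1) configurations.
BEFORE_CONFIG = """\
no service password-encryption
!
hostname Switch
!
interface Vlan1
 no ip address
 shutdown
!
line con 0
!
line vty 0 4
 login
line vty 5 15
 login
!
end
"""

AFTER_CONFIG = """\
service password-encryption
!
hostname Sardor
!
enable secret 5 $1$mERr$ZdZ2g9X0ZTLtUcdBNuMHC.
!
ip ssh version 2
ip domain-name tuit.uz
!
username Sardor secret 5 $1$mERr$u6bXnRbHtjySSeBKFm9BU.
!
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
!
line con 0
 password 7 082A43401A1609
 logging synchronous
 login
!
line vty 0 4
 password 7 08354942071C11
 login local
 transport input ssh
line vty 5 15
 password 7 08354942071C11
 login local
 transport input ssh
!
end
"""

if __name__ == "__main__":
    print("before:", failures(BEFORE_CONFIG))
    print("after: ", failures(AFTER_CONFIG), "stale vty passwords:", stale_vty_passwords(AFTER_CONFIG))
```

Against the default configuration every check fails; against the final one none does, and the helper reports both vty ranges as carrying a line password that login local no longer uses, the same observation made under 7.1. The same script can be pointed at a real show run capture saved to a file.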