ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

Discarding Insecure Access Channels

Service access requirements should first be determined through service requirement analysis. When an access requirement can be met by more than one access channel, the insecure channels must be discarded and the secure channels selected.

Always choose the access channel with the higher security level. The following table lists the security levels of the various access channels:

Table 7-1 Assessment of the security capabilities of access channels

| Access Requirement | Secure Channel | Insecure Channel |
|---|---|---|
| Remote login | SSHv2 | Telnet |
| File transfer | SFTP | FTP, TFTP |
| Network management system (NMS) | SNMPv3 | SNMPv1/v2 |
| Routing Information Protocol (RIP) route | RIPv2 | RIP |

Example for Configuring File Transfer Using SFTP

Networking Requirements

In Figure 7-2, the SFTP server function is enabled on the device working as the Secure Shell (SSH) server. The PC, acting as the SFTP client, can connect to the SSH server after being authenticated in password, RSA, password-RSA, DSA, password-DSA, or all mode.

This example describes how to configure login to the SSH server in password mode.

Figure 7-2 Networking diagram for configuring file transfer using SFTP

| Device Name | Interface | IP Address |
|---|---|---|
| SSH Server | GE1/0/1 | 10.137.217.225/16 |

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the SSH server to generate a local key pair to achieve secure data exchange between the SSH server and SFTP client.
  2. Configure an SSH user, including the authentication mode, user name and password, and authorized directory.
  3. Enable the SFTP server function on the SSH server and configure the service type for the SSH user.
Data Preparation

To complete the configuration, you need the following data:

  • Password authentication mode, user name client001, and password Hello-huawei123.
  • User level 3 for user client001.
  • SSH server with the IP address 10.137.217.225.
Procedure
  1. Configure the SSH server to generate a local key pair.
    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be:HUAWEI_Host 
    The range of public key size is (2048 ~ 2048). 
    NOTE: Key pair generation will take a short while. 
    
  2. Configure the SSH user name and password.
    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001 password
    Please configure the password (8-128)
    Enter Password:
    Confirm Password:
    Info: A new user is added.
    [*SSH Server-aaa] local-user client001 level 3
    [*SSH Server-aaa] local-user client001 service-type ssh
    [*SSH Server-aaa] commit
    [~SSH Server-aaa] quit
    
  3. Enable the SFTP server function and configure the service type for the SSH user.
    [~SSH Server] sftp server enable
    [*SSH Server] ssh user client001 authentication-type password
    [*SSH Server] ssh user client001 service-type sftp
    [*SSH Server] commit
    
  4. Configure the authorized directory for the SSH user.
    [~SSH Server] ssh user client001 sftp-directory cfcard:
    [*SSH Server] commit
  5. Verify the configuration.

    # Access the SFTP server using the OpenSSH software.

    Figure 7-3 Access interface view

Configuration Files
  • Configuration file of the SSH server
#
 sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher $1a$jbB7=)5o.6$::j(W-#|XF&f6"M0>X**1bD0%2_"{4XX!lO="Sn0$
 local-user client001 level 3
 local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
 undo shutdown
 ip address 10.137.217.225 255.255.0.0
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
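The following audit script is an added example and is not part of the Huawei guide. It reads a VRP-style configuration file (the hardened one above, plus a constructed weakened copy) and reports every access channel that Table 7-1 classes as insecure but the configuration still leaves enabled. The `ftp server enable`, `telnet server enable` and `snmp-agent sys-info version` command names are assumed VRP syntax; the page itself only shows the `sftp`, `ssh user` and `user-interface vty` lines.

```python
"""Audit a Huawei VRP-style configuration against the access-channel policy
of Table 7-1: SSH/SFTP on, Telnet/FTP off, SNMPv1/v2c not enabled."""
import re

# Hardened configuration, copied from the guide's "Configuration Files" section.
HARDENED = """\
#
 sysname SSH Server
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory cfcard:
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

# Constructed weak variant (not from the page): insecure channels left on.
WEAK = HARDENED.replace(
    "sftp server enable",
    "ftp server enable\ntelnet server enable\nsnmp-agent sys-info version v2c",
).replace("protocol inbound ssh", "protocol inbound all")

# (pattern, must_be_present, finding). Command names are assumed VRP syntax.
RULES = [
    (r"^sftp server enable$", True, "SFTP server not enabled"),
    (r"^ftp server enable$", False, "FTP server enabled (insecure channel)"),
    (r"^telnet server enable$", False, "Telnet server enabled (insecure channel)"),
    (r"^snmp-agent sys-info version .*\b(v1|v2c|all)\b", False, "SNMPv1/v2c enabled"),
    (r"^ssh user \S+ sftp-directory \S+", True, "SSH user has no sftp-directory restriction"),
]

def audit(config: str) -> list[str]:
    """Return the list of policy violations found in the configuration text."""
    lines = [line.strip() for line in config.splitlines()]
    findings = [msg for pattern, required, msg in RULES
                if any(re.match(pattern, line) for line in lines) != required]
    # Every VTY 'protocol inbound' must be restricted to SSH (not 'all' or 'telnet').
    findings += [f"VTY allows non-SSH login: '{line}'" for line in lines
                 if line.startswith("protocol inbound") and line != "protocol inbound ssh"]
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(cfg) or ["OK"])
```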
Updated: 2019-01-04

Document ID: EDOC1100059445
