JUNOS防止DDOS攻击的配置
时间:2012-06-04 06:17来源:未知 作者:admin 点击:次
# System identity, local accounts and management services for the example router.
system {
    host-name provider;
    root-authentication {
        # The "$1$" prefix is the MD5-crypt hash format. This hash is published
        # on the page, so treat it as sample data and set your own password
        # rather than loading this value.
        encrypted-password "$1$LZn..$5wu/mQL3Y07YWodOqBl5S1"; # SECRET-DATA
    }
    login {
        user lab {
            uid 2000;
            # super-user grants this account full privileges on the router.
            class super-user;
            authentication {
                # Published sample hash (MD5-crypt); replace before use.
                encrypted-password "$1$cfuC.$vLPgSA7peoy/UzF7bIJJA0"; # SECRET-DATA
            }
        }
    }
    services {
        # NOTE(review): ftp and telnet carry credentials and session data in
        # clear text. On a router being hardened against attack, prefer `ssh;`
        # and limit which sources can reach the management services.
        ftp;
        telnet;
    }
}
# Interface addressing. The only firewall filter in this listing is attached
# to ge-7/1/0, in the output direction.
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 172.17.3.232/23;
            }
        }
    }
    ge-0/1/0 {
        gigether-options {
            no-flow-control;
        }
        unit 0 {
            family inet {
                address 10.0.1.2/24;
            }
        }
    }
    ge-7/1/0 {
        gigether-options {
            no-flow-control;
        }
        unit 0 {
            family inet {
                filter {
                    # Applied to packets leaving this interface. The static
                    # route for 192.168.0.0/24 points at 10.0.0.1 on this
                    # subnet, so traffic toward the protected server
                    # 192.168.0.10 is evaluated by filter ftp-www-only here.
                    output ftp-www-only;
                }
                address 10.0.0.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                # NOTE(review): no input filter is applied to lo0 in this
                # listing, so the configuration protects the downstream server
                # only; traffic addressed to the router itself is not filtered.
                address 10.0.200.1/32;
            }
        }
    }
    so-3/1/3 {
        sonet-options {
            no-payload-scrambler;
        }
        unit 0 {
            family inet {
                address 10.0.3.2/24;
            }
        }
    }
}
# Packet sampling for packets that hit a firewall term with the `sample`
# action (term temporary-dos-filter in filter ftp-www-only).
forwarding-options {
    sampling {
        input {
            family inet {
                # Sample 1 out of every 50 eligible packets.
                rate 50;
            }
        }
        output {
            # Sample records are written to a file named dos-attack.
            # NOTE(review): world-readable lets any local account on the
            # router read the sampled traffic records; use no-world-readable
            # unless that access is actually needed.
            file filename dos-attack world-readable;
        }
    }
}
# Static route to the protected server network via 10.0.0.1, which sits on
# the ge-7/1/0 subnet (10.0.0.2/24).
routing-options {
    static {
        # NOTE(review): current Junos releases spell this keyword `next-hop`;
        # confirm the syntax against the target release before loading.
        route 192.168.0.0/24 nexthop 10.0.0.1;
    }
}
# OSPF in area 0.0.0.0; static routes are redistributed through policy
# static-ospf.
protocols {
    ospf {
        export static-ospf;
        area 0.0.0.0 {
            # NOTE(review): no OSPF authentication is configured on the
            # non-passive interfaces in this listing; consider adding it so
            # that adjacencies form only with known neighbors.
            interface ge-0/1/0.0;
            interface ge-7/1/0.0 {
                # passive: the subnet is advertised but no adjacency is
                # formed on the interface that faces the server network.
                passive;
            }
            interface so-3/1/3.0;
            interface lo0.0;
        }
    }
}
# Export policy referenced by `protocols ospf export`: accepts every static
# route, which here advertises 192.168.0.0/24 into OSPF.
policy-options {
    policy-statement static-ospf {
        from protocol static;
        then accept;
    }
}
# Filter ftp-www-only protects the server 192.168.0.10. Terms are evaluated
# top to bottom and the first matching term decides the packet's fate, so
# term order matters.
firewall {
    filter ftp-www-only {
        # Matches TCP connection-opening packets (tcp-initial: SYN set, ACK
        # clear) sent to the server, then counts, samples and rejects them.
        # NOTE(review): this term comes before allow-ftp-www, so while it is
        # present every new TCP connection to the server is refused,
        # including legitimate FTP and HTTP. As the name suggests, it is
        # presumably meant to be active only while an attack is being
        # characterised; remove or narrow it (for example by source prefix)
        # afterwards.
        term temporary-dos-filter {
            from {
                destination-address {
                    192.168.0.10/32;
                }
                protocol tcp;
                tcp-initial;
            }
            then {
                # Counter name matches the sampling output file name.
                count dos-attack;
                # Hands the packet to the sampling configured under
                # forwarding-options.
                sample;
                # NOTE(review): reject answers with an ICMP error, whereas
                # discard drops silently. Under a flood with spoofed sources,
                # discard avoids sending replies to third parties and spares
                # the router the work of generating them.
                reject;
            }
        }
        # Permit TCP to the server's FTP control, FTP data and HTTP ports.
        # NOTE(review): passive-mode FTP data connections use other
        # destination ports and would fall through to reject-other; confirm
        # the FTP mode in use.
        term allow-ftp-www {
            from {
                destination-address {
                    192.168.0.10/32;
                }
                protocol tcp;
                destination-port [ ftp ftp-data http ];
            }
            then accept;
        }
        # Everything else addressed to the server is counted, logged and
        # silently dropped.
        term reject-other {
            from {
                destination-address {
                    192.168.0.10/32;
                }
            }
            then {
                count unauthorized-service-request;
                log;
                discard;
            }
        }
        # Traffic to any other destination passes. Without this term the
        # filter's implicit final discard would drop it.
        term accept {
            then accept;
        }
    }
}