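How do I configure an access port on an S3100v2 ver5.2 to block port 3389?
This computer seems to have been infected with a cryptomining virus, and I want to block this port.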
(0)
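Best answer
I remember the port-blocking method from back in the EternalBlue days; it applies to your situation too, just change the port number.
On V5/V7 platform switches, ACL rules are matched in the order they are issued: whichever is issued first takes effect first. (Representative products: S3610/5510, S5500-SI/EI, S5800/5820X, S5810, S5120-SI/EI, 6800, 75E/105/125-X/125/95E series.)
1) Packet-filter method: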
<H3C> system-view
# Define advanced ACL 3000 (any number within 3000~3999 will do) and set the destination port to the port to be filtered.
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 deny tcp destination-port eq 445
[H3C-acl-adv-3000] rule 2 deny tcp destination-port eq 135
[H3C-acl-adv-3000] rule 3 deny tcp destination-port eq 137
[H3C-acl-adv-3000] rule 4 deny tcp destination-port eq 138
[H3C-acl-adv-3000] rule 5 deny tcp destination-port eq 139
[H3C-acl-adv-3000] rule 6 deny udp destination-port eq 445
[H3C-acl-adv-3000] rule 7 deny udp destination-port eq 135
[H3C-acl-adv-3000] rule 8 deny udp destination-port eq 137
[H3C-acl-adv-3000] rule 9 deny udp destination-port eq 138
[H3C-acl-adv-3000] rule 10 deny udp destination-port eq 139
[H3C-acl-adv-3000] rule 11 permit ip
[H3C-acl-adv-3000] quit
# Apply the ACL on the interface
[H3C] interface gigabitethernet 1/0/1
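[H3C-GigabitEthernet1/0/1] packet-filter 3000 inbound
[H3C-GigabitEthernet1/0/1] packet-filter 3000 outbound
// Only applying the ACL on an interface is supported; applying it globally or on a VLAN is not supported
2) Some early V5 versions do not support configuring packet-filter on an interface; a QoS policy can be used instead.
# Configure the ACLs that define the traffic to match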
[H3C] acl number 3000
[H3C-acl-adv-3000] rule 1 permit tcp destination-port eq 445
[H3C-acl-adv-3000] rule 2 permit tcp destination-port eq 135
[H3C-acl-adv-3000] rule 3 permit tcp destination-port eq 137
[H3C-acl-adv-3000] rule 4 permit tcp destination-port eq 138
[H3C-acl-adv-3000] rule 5 permit tcp destination-port eq 139
[H3C-acl-adv-3000] rule 6 permit udp destination-port eq 445
[H3C-acl-adv-3000] rule 7 permit udp destination-port eq 135
[H3C-acl-adv-3000] rule 8 permit udp destination-port eq 137
[H3C-acl-adv-3000] rule 9 permit udp destination-port eq 138
[H3C-acl-adv-3000] rule 10 permit udp destination-port eq 139
[H3C-acl-adv-3000] quit
[H3C]acl number 3001
[H3C-acl-advanced-3001]rule permit ip
[H3C-acl-advanced-3001]quit
# Configure the traffic classes
[H3C]traffic classifier 1
[H3C-classifier-1]if-match acl 3000
[H3C-classifier-1]quit
[H3C]traffic classifier 2
[H3C-classifier-2]if-match acl 3001
[H3C-classifier-2]quit
# Configure the traffic behaviors
[H3C]traffic behavior permit
[H3C-behavior-permit]filter permit
[H3C-behavior-permit]quit
[H3C]traffic behavior deny
[H3C-behavior-deny]filter deny
[H3C-behavior-deny]quit
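# Configure the QoS policy, binding the traffic classes to the traffic behaviors
[H3C]qos policy filter
[H3C-qospolicy-filter]classifier 1 behavior deny // traffic class 1 is bound to the deny action, so its traffic is rejected
[H3C-qospolicy-filter]classifier 2 behavior permit // permit all other traffic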
[H3C-qospolicy-filter]quit
# Apply the QoS policy on the interface
[H3C]interface GigabitEthernet 1/0/31
[H3C-GigabitEthernet1/0/31]qos apply policy filter inbound
[H3C-GigabitEthernet1/0/31]qos apply policy filter outbound
# Applying the QoS policy to VLANs is supported:
[H3C]qos vlan-policy filter vlan 1 inbound
[H3C]qos vlan-policy filter vlan 1 outbound
[H3C]qos vlan-policy filter vlan 1 to 10 inbound // apply the policy to a range of consecutive VLANs
[H3C]qos vlan-policy filter vlan 1 to 10 outbound // apply the policy to a range of consecutive VLANs
(0)
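An offline check of the "just change the port number" suggestion, as an added example that is not part of the original answer: it parses rule lines in the syntax shown above and evaluates them first-match, to confirm which ACL text actually denies port 3389. The function names and the three ACL texts are constructed for illustration, and evaluation in ascending rule ID is an assumption of this model.

```python
import re

# Rule syntax as it appears in the answer: rule <id> <action> <proto> [destination-port eq <port>]
RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(deny|permit)\s+(tcp|udp|ip)"
    r"(?:\s+destination-port\s+eq\s+(\d+))?\s*$")

def parse_acl(text):
    """Parse rule lines (CLI prompts allowed) into (id, action, proto, port) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.strip())
        if m:
            rid, action, proto, port = m.groups()
            rules.append((int(rid), action, proto, int(port) if port else None))
    return sorted(rules)  # assumption: rules are checked in ascending rule ID

def evaluate(rules, proto, dport):
    """First-match evaluation; returns 'deny', 'permit', or None if nothing matches."""
    for _rid, action, rproto, rport in rules:
        if rproto in ("ip", proto) and rport in (None, dport):
            return action
    return None

def uncovered(rules, ports, protos=("tcp", "udp")):
    """List the (proto, port) pairs that the ACL does not deny."""
    return [(p, d) for d in ports for p in protos if evaluate(rules, p, d) != "deny"]

# ACL 3000 from the answer, abbreviated to two of its port rules (constructed sample).
PAGE_ACL = """
[H3C-acl-adv-3000] rule 1 deny tcp destination-port eq 445
[H3C-acl-adv-3000] rule 6 deny udp destination-port eq 445
[H3C-acl-adv-3000] rule 11 permit ip
"""
# Same ACL with the port number changed to 3389, as the answer suggests (constructed).
RDP_ACL = """
rule 1 deny tcp destination-port eq 3389
rule 2 deny udp destination-port eq 3389
rule 11 permit ip
"""
# Mistake case: the deny is numbered after the catch-all permit (constructed).
LATE_ACL = """
rule 11 permit ip
rule 12 deny tcp destination-port eq 3389
"""

if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("rdp", RDP_ACL), ("late", LATE_ACL)):
        print(name, "not denied:", uncovered(parse_acl(acl), [3389]))
```

An empty "not denied" list means every listed protocol and port pair hits a deny rule before the final permit.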