This worm spreads mainly over TCP port 445 and has had a severe impact on enterprises and public institutions. To stop it from spreading quickly, we recommend configuring ACL rules on the Layer 3 interfaces of core network devices so that TCP port 445 traffic is blocked at the network layer. The examples below show how to configure such an ACL on several widely used network platforms; they are for reference only. Before making changes, coordinate with your network administrators or the device vendor's support staff and adapt the configuration to your actual network environment on the core devices.

Two points apply to all of the examples. First, an ACL on a Layer 3 interface only blocks SMB traffic that crosses that interface, i.e. between subnets; hosts in the same VLAN still reach each other on TCP 445 directly, so the filter limits spread between segments but does not replace patching and host-level protection. Second, blocking TCP 445 also breaks legitimate SMB traffic across those interfaces (file servers, printing, domain controller communication); if such traffic must be kept, add more specific permit rules for those hosts ahead of the deny rule. In every example, replace [L3 interface name] with the name of the Layer 3 interface on which the filter is to be attached.

Recommended configuration for Juniper devices (example)

  set firewall family inet filter deny-wannacry term deny445 from protocol tcp
  set firewall family inet filter deny-wannacry term deny445 from destination-port 445
  set firewall family inet filter deny-wannacry term deny445 then discard
  set firewall family inet filter deny-wannacry term default then accept
  # Apply the filter globally (forwarding-table filter)
  set forwarding-options family inet filter output deny-wannacry
  set forwarding-options family inet filter input deny-wannacry
  # Or apply the filter on a Layer 3 interface
  set interfaces [L3 interface name] unit 0 family inet filter output deny-wannacry
  set interfaces [L3 interface name] unit 0 family inet filter input deny-wannacry

The term deny445 uses then discard, which drops the packet silently; the final term default keeps all other traffic flowing. Without it, the implicit discard at the end of a Junos filter would drop everything.

Recommended configuration for H3C devices (example)

Newer versions (packet-filter on the interface):

  acl number 3050
   rule deny tcp destination-port eq 445
   rule permit ip
  interface [L3 interface name]
   packet-filter 3050 inbound
   packet-filter 3050 outbound

Older versions (QoS policy):

  acl number 3050
   rule permit tcp destination-port eq 445
  traffic classifier deny-wannacry
   if-match acl 3050
  traffic behavior deny-wannacry
   filter deny
  qos policy deny-wannacry
   classifier deny-wannacry behavior deny-wannacry
  # Apply the policy globally
  qos apply policy deny-wannacry global inbound
  qos apply policy deny-wannacry global outbound
  # Or apply the policy on a Layer 3 interface
  interface [L3 interface name]
   qos apply policy deny-wannacry inbound
   qos apply policy deny-wannacry outbound

Note that in the QoS-policy variant the ACL rule is permit, not deny: here the ACL is only the match condition for the classifier, and the drop is done by filter deny in the traffic behavior.

Recommended configuration for Huawei devices (example)

  acl number 3050
   rule deny tcp destination-port eq 445
   rule permit ip
  traffic classifier deny-wannacry type and
   if-match acl 3050
  traffic behavior deny-wannacry
  traffic policy deny-wannacry
   classifier deny-wannacry behavior deny-wannacry precedence 5
  interface [L3 interface name]
   traffic-policy deny-wannacry inbound
   traffic-policy deny-wannacry outbound

This variant leaves the traffic behavior empty and relies on the platform discarding packets that match a deny rule in an ACL referenced by a traffic classifier. That behaviour differs between Huawei product lines, so confirm it in the documentation for your specific model before relying on it.

Recommended configuration for Cisco devices (example)

Older versions (classic IOS, named extended ACL):

  ip access-list extended deny-wannacry
   deny tcp any any eq 445
   permit ip any any
  interface [L3 interface name]
   ip access-group deny-wannacry in
   ip access-group deny-wannacry out

Newer versions (the ip access-list <name> form without the extended keyword is NX-OS syntax; classic IOS requires extended):

  ip access-list deny-wannacry
   deny tcp any any eq 445
   permit ip any any
  interface [L3 interface name]
   ip access-group deny-wannacry in
   ip access-group deny-wannacry out

On Cisco devices, show ip access-lists deny-wannacry displays per-entry match counts; a rising count on the deny line confirms that the filter is actually seeing and dropping port 445 traffic.

Recommended configuration for Ruijie devices (example)

  ip access-list extended deny-wannacry
   deny tcp any any eq 445
   permit ip any any
  interface [L3 interface name]
   ip access-group deny-wannacry in
   ip access-group deny-wannacry out

As a quick remediation on individual hosts, the 360安全卫士 (360 Safeguard) "NSA Arsenal Immunity Tool" (NSA武器库免疫工具) can be used; download address:
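Regardless of vendor, the configuration should be verified from a client rather than trusted on paper. The script below is an added example written for this page, not configuration or tooling from any of the vendors above. It connects from a host in one subnet to a host behind the filtered Layer 3 interface and classifies the outcome: a timeout with no RST or ICMP is consistent with a silent drop (Junos discard, packet-filter deny, a Cisco deny entry), while a connection refused means the SYN reached the target and the ACL is not in the path. Because a dead or unrouted host also looks like a drop, it probes a second, known-open control port on the same host first. The target addresses (RFC 5737 documentation ranges) and the control port 3389 are assumptions of the example and must be replaced with real values.

```python
"""Check from a client whether TCP/445 is blocked across the filtered L3 hop.

Added example for this advisory; not configuration from any vendor.
Run it from a host in one subnet against hosts in another subnet behind the
interface carrying the ACL. The target addresses are RFC 5737 documentation
addresses used as placeholders (an assumption of this example).
"""
import errno
import socket

BLOCKED_PORT = 445        # the port the ACL is meant to drop
CONTROL_PORT = 3389       # assumed: a port known to be open on the target (e.g. RDP)
TARGETS = ["192.0.2.10", "198.51.100.20"]   # placeholders for hosts behind the ACL


def probe(host, port, timeout=3.0):
    """Attempt a TCP connect and classify the outcome.

    Returns 'open', 'refused', 'filtered', 'unreachable' or 'error'.
    For a port the ACL should block:
      refused     the SYN reached the host and got a RST: the ACL is NOT in the path
      filtered    no SYN/ACK, RST or ICMP: consistent with a silent drop
                  (Junos 'discard', packet-filter deny, Cisco deny entry)
      unreachable ICMP unreachable came back (a router reject, or no route)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"
    finally:
        sock.close()


def judge(blocked_result, control_result):
    """Combine the result for the blocked port with a control port on the same host.

    The control port rules out 'host down' or 'no route', which would also show
    up as 'filtered'/'unreachable' on port 445 and look like a working ACL.
    """
    if control_result != "open":
        return "inconclusive: control port not reachable, host may be down or unrouted"
    if blocked_result in ("filtered", "unreachable"):
        return "ACL effective"
    if blocked_result == "refused":
        return "ACL NOT effective: SYN reached the host (port closed there)"
    if blocked_result == "open":
        return "ACL NOT effective: SMB reachable"
    return "inconclusive: socket error"


def check_targets(targets=TARGETS, blocked=BLOCKED_PORT, control=CONTROL_PORT, timeout=3.0):
    """Return {host: verdict} for every target."""
    verdicts = {}
    for host in targets:
        verdicts[host] = judge(probe(host, blocked, timeout), probe(host, control, timeout))
    return verdicts


if __name__ == "__main__":
    for host, verdict in check_targets().items():
        print(f"{host:18} {verdict}")
```

Run it once before applying the ACL (expect "ACL NOT effective" for every target that answers on the control port) and again afterwards (expect "ACL effective"). A result of "inconclusive" means the test host cannot reach the target at all and says nothing about the filter; pick a target that is up and a control port that is genuinely open there.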