It turns out that older Cisco switches such as the C2960 series and similar models running IOS version 12 or 15 are still widely used, especially now that the RT RW Net trend is booming. These old Cisco switches stay in service because they are extremely tough even after more than a decade in use, and of course they are cheap. The switch can be tweaked to suit our needs, but the problem is that once it carries a public IP it becomes exposed to hacking or attacks from outside.
Here I will share a configuration that minimises the impact of attacks from outside the network when the switch has a public IP, namely remote access restricted to SSH plus an access list (ACL).
*Create a User for SSH Access*
SWITCH-CISCO-C2960(config)#username admin privilege 15 secret @ku-k3r3n
*Set a Domain Name*
SWITCH-CISCO-C2960(config)#ip domain-name mydomain.local
*Generate the RSA Key That SSH Uses to Encrypt Our Login; Enter a Modulus of at Least 512 and at Most 4096*
SWITCH-CISCO-C2960(config)#crypto key generate rsa
The name for the keys will be: SWITCH-CISCO-C2960.mydomain.local
Choose the size of the key modulus in the range of 360 to 4096 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 2048
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 9 seconds)
*Disable Web Access to Our Switch*
SWITCH-CISCO-C2960(config)#no ip http server
SWITCH-CISCO-C2960(config)#no ip http secure-server
*Enable SSH Version 2*
SWITCH-CISCO-C2960(config)#ip ssh version 2
*Create the List of IP Addresses Allowed to Access the Switch, with Deny Any on the Last Line*
SWITCH-CISCO-C2960(config)#access-list 10 permit 170.94.22.0 0.0.1.255
SWITCH-CISCO-C2960(config)#access-list 10 permit 110.89.91.128 0.0.0.31
SWITCH-CISCO-C2960(config)#access-list 10 permit 192.168.241.0 0.0.0.255
SWITCH-CISCO-C2960(config)#access-list 10 deny any
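To see exactly which source addresses ACL 10 admits, here is an added Python example (not code from the original post, and not a Cisco tool) that evaluates a standard IOS access list the way the switch does: top-down, first match wins, and an implicit deny when no entry matches. Its input is the four ACL lines above, embedded as a constructed sample. The wildcard-mask logic (a 0 bit in the mask must match, a 1 bit is ignored) is what makes `0.0.1.255` cover 170.94.22.0 through 170.94.23.255, and `0.0.0.31` cover only 110.89.91.128 through .159.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: the four access-list lines from this post.
ACL_10_LINES = [
    "access-list 10 permit 170.94.22.0 0.0.1.255",
    "access-list 10 permit 110.89.91.128 0.0.0.31",
    "access-list 10 permit 192.168.241.0 0.0.0.255",
    "access-list 10 deny any",
]


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    address: int   # network address as a 32-bit integer
    wildcard: int  # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care


def parse_standard_acl(lines):
    """Parse 'access-list <n> permit|deny <addr> [wildcard] | any | host <addr>' lines."""
    entries = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        action = parts[2]
        if parts[3] == "any":
            addr, wc = 0, 0xFFFFFFFF
        elif parts[3] == "host":
            addr, wc = int(ipaddress.IPv4Address(parts[4])), 0
        else:
            addr = int(ipaddress.IPv4Address(parts[3]))
            # A missing wildcard means an exact host match (wildcard 0.0.0.0).
            wc = int(ipaddress.IPv4Address(parts[4])) if len(parts) > 4 else 0
        entries.append(AclEntry(action, addr, wc))
    return entries


def matches(entry, src_ip):
    """True if src_ip matches the entry under its wildcard mask."""
    fixed_bits = ~entry.wildcard & 0xFFFFFFFF   # bits that must be equal
    return (int(ipaddress.IPv4Address(src_ip)) & fixed_bits) == (entry.address & fixed_bits)


def evaluate(entries, src_ip):
    """Top-down, first match wins. Returns (action, 1-based entry number or None)."""
    for n, entry in enumerate(entries, 1):
        if matches(entry, src_ip):
            return entry.action, n
    return "deny", None   # implicit deny at the end of every IOS ACL


def wildcard_to_range(entry):
    """First and last address covered by an entry (useful for reviewing a wildcard)."""
    first = entry.address & ~entry.wildcard & 0xFFFFFFFF
    last = first | entry.wildcard
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_10_LINES)
    for n, entry in enumerate(acl, 1):
        print(n, entry.action, "%s - %s" % wildcard_to_range(entry))
    for ip in ("170.94.23.23", "110.89.91.150", "110.89.91.160", "8.8.8.8"):
        print(ip, "->", evaluate(acl, ip))
```

Running it shows that 110.89.91.160 is denied even though it sits in the same /24 as a permitted block, because the wildcard `0.0.0.31` only ignores the low five bits. It also shows that the explicit `deny any` on the last line changes nothing about which packets are dropped (the implicit deny does the same), but it does give the entry a number that hit counters in `show access-lists` can be read against.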
*Console Configuration* (here the console password is not encrypted; if you want it encrypted, configure the console the same way as the vty lines)
SWITCH-CISCO-C2960(config)#line con 0
SWITCH-CISCO-C2960(config-line)#password 4re-you-ok
*Remote Access from the Network: Apply the ACL 10 We Configured and Allow Only SSH Access*
SWITCH-CISCO-C2960(config)#line vty 0 4
SWITCH-CISCO-C2960(config-line)#access-class 10 in
SWITCH-CISCO-C2960(config-line)#login local
SWITCH-CISCO-C2960(config-line)#transport input ssh
SWITCH-CISCO-C2960(config)#line vty 5 15
SWITCH-CISCO-C2960(config-line)#access-class 10 in
SWITCH-CISCO-C2960(config-line)#login local
SWITCH-CISCO-C2960(config-line)#transport input ssh
*If You Want to Block Ping/ICMP So That Only Certain IP Addresses Can Reach the Switch, Configure It on the VLAN Interface*
SWITCH-CISCO-C2960(config)#interface vlan 905
SWITCH-CISCO-C2960(config-if)#ip access-group 10 in
*Resulting Configuration on the Cisco 2960 Switch*
SWITCH-CISCO-C2960#
!
username admin privilege 15 secret 5 $1$B4ei$6H8uuLPoi8hTuy5as93Du/
!
ip domain-name mydomain.local
!
crypto pki trustpoint TP-self-signed-1328791296
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1328791296
 revocation-check none
 rsakeypair TP-self-signed-1328791296
!
crypto pki certificate chain TP-self-signed-1328791296
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333238 37393132 3936301E 170D3933 30333031 30303030
  35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33323837
  39313239 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BF95 F824F569 FD40D709 BBAF65AB 54623235 CB8352C4 989BD506 DF032F88
  1FBF80C6 37F26669 6E1C541A 2513F1F7 5418DB31 43117CB3 9837E91D 0EB0E904
  45F9F2EA B387E05A 613439EE 8733461A 26EBCF6E 3F798236 8F62E02C 5A4BB7B8
  2CD38A8D 9F257185 A1B9AC40 9E7C244A AD660A4C C8F13D1C AEDC1D2A DC360767
  F4B70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E8670F 068A06BF 35CC6590 956DC9B6 2D20419A 49301D06
  03551D0E 04160414 E8670F06 8A06BF35 CC659095 6DC9B62D 20419A49 300D0609
  2A864886 F70D0101 05050003 8181003D 261B8FD8 5BD5E7D3 AA6A5D5D A633E88A
  DA9A0482 F6F56CA3 2B685D2E 5DBAF2DE 3FC8C0B0 42DB99B3 3B53A0A9 BB3ABC96
  612AECDC 9811D94C E28F44E5 77E82143 AEA8BD8E 179128C7 96564A58 3C9D28F5
  CEBF80D6 620184F3 B12A313D 5294627B CAB7E58F 89184E31 568F5570 323E0F02
  69A29CE8 3CE1E66A 667E258C 910B8C
  quit
!
ip ssh version 2
!
interface Vlan905
 ip address 170.94.23.23 255.255.255.240
 ip access-group 10 in
!
ip default-gateway 180.94.23.17
no ip http server
no ip http secure-server
access-list 10 permit 170.94.22.0 0.0.1.255
access-list 10 permit 110.89.91.128 0.0.0.31
access-list 10 permit 192.168.243.0 0.0.0.255
access-list 10 deny any
!
line con 0
 password f62518
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
line vty 5 15
 access-class 10 in
 login local
 transport input ssh
!
end
*Ping from a Network Allowed in the ACL*
[C:\~]$ ping 170.94.23.23
Pinging 170.94.23.23 with 32 bytes of data:
Reply from 170.94.23.23: bytes=32 time=101ms TTL=254
Reply from 170.94.23.23: bytes=32 time=121ms TTL=254
Reply from 170.94.23.23: bytes=32 time=164ms TTL=254
Reply from 170.94.23.23: bytes=32 time=164ms TTL=254
*Ping from a Network Not Allowed in the ACL*
[C:\~]$ ping 170.94.23.23
Pinging 170.94.23.23 with 32 bytes of data:
Reply from 170.94.23.23: Destination net unreachable.
Reply from 170.94.23.23: Destination net unreachable.
Reply from 170.94.23.23: Destination net unreachable.
Reply from 170.94.23.23: Destination net unreachable.