Ben's notes

Linux, Unix, network, radio...


ccr_1016_config

Differences

This shows you the differences between two versions of the page.

ccr_1016_config [2015/03/27 18:05] – [Use USB serial port to connect to other devices (switch)] adminccr_1016_config [2015/08/25 17:39] – [Authentication / Security] admin
Line 14: Line 14:
   * Log in with new user, and disable the default admin user:<code>/user disable admin</code>   * Log in with new user, and disable the default admin user:<code>/user disable admin</code>
   * Create self signed certificate for HTTPS:<code>/certificate add name=ca-template common-name=CA key-usage=key-cert-sign   * Create self signed certificate for HTTPS:<code>/certificate add name=ca-template common-name=CA key-usage=key-cert-sign
-add name=server-template common-name=server+/certificate add name=server-template common-name=server
 /certificate sign ca-template name=CA /certificate sign ca-template name=CA
 /certificate sign ca=CA server-template name=server /certificate sign ca=CA server-template name=server
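Review bot: the `+/certificate add name=server-template common-name=server` line correctly restores the `/certificate` prefix that the old revision dropped; the bare `add name=server-template ...` would not be executed in the certificate menu when the snippet is pasted into a terminal. Two things the hunk still leaves open: nothing here binds the signed certificate to the HTTPS service (`/ip service set www-ssl certificate=server`), and `common-name=server` will not match the hostname or IP a browser uses to reach the router, so clients will still see a certificate warning unless the common name (or a subject-alt-name) is set to the management address.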
Line 23: Line 23:
   * Disable services, enable SSH / HTTPS:<code>/ip service disable telnet,ftp,www,api,api-ssl,winbox   * Disable services, enable SSH / HTTPS:<code>/ip service disable telnet,ftp,www,api,api-ssl,winbox
 /ip service enable ssh,www-ssl</code> /ip service enable ssh,www-ssl</code>
 +  * Enable strong crypto (RSA), requires version >= 6.31:<code>/ip ssh set strong-crypto=yes</code>
   * Disable default MAC telnet server:<code>/tool mac-server disable numbers=0   * Disable default MAC telnet server:<code>/tool mac-server disable numbers=0
 /tool mac-server mac-winbox disable numbers=0</code> /tool mac-server mac-winbox disable numbers=0</code>
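Review bot: labelling the new `/ip ssh set strong-crypto=yes` line as "strong crypto (RSA)" is misleading; the option does not select RSA, it restricts the SSH server to stronger ciphers, MACs and key-exchange groups and disables the weak legacy ones, so "Restrict SSH to strong ciphers/MACs" would describe it better. Because this can lock out clients that only offer the disabled algorithms, and the same hunk already turns off telnet, winbox and the API, apply it from one session and confirm a fresh SSH login succeeds before closing the first one; the "requires version >= 6.31" caveat is worth checking with `/system resource print` first, since on older releases the unknown property simply makes the command fail.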
Line 76: Line 77:
   * If connection does not happen, power cycle usb first:<code>/system routerboard usb power-reset   * If connection does not happen, power cycle usb first:<code>/system routerboard usb power-reset
 </code> </code>
 +====Source validation====
 +Current recommended practice in RFC3704 is to enable strict mode to prevent IP spoofing from DDos attacks. If using asymmetric routing or other complicated routing, then loose mode is recommended.
 +
 +strict - Strict mode as defined in RFC3704 Strict Reverse Path. Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
 +  * set rp_filter to strict:<code>/ip settings set rp-filter=strict</code>
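Review bot: the new section defines only strict mode although its first paragraph recommends loose mode for asymmetric routing; add the loose definition (a packet is dropped only if no route back to its source exists at all, regardless of the interface it arrived on) so the reader can choose between `rp-filter=strict` and `rp-filter=loose`. Note also that `/ip settings set rp-filter=` is global on RouterOS rather than per-interface, and dropped packets are not logged, so on a router with multiple uplinks or policy routing it is safer to start with loose mode and verify reachability from every interface before switching to strict. Minor: "DDos" should read "DDoS", and "rp_filter" in the bullet should match the option name `rp-filter`.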
ccr_1016_config.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1