Author Topic: Securities by IBM lab notes + iptables + proxy + ssh + tunnel + mail + dns (Read 35253 times)


小徒兒 (Local board moderator, 622 posts)
***Installing the Firewall

login: root
rpm -Fvh $(ls *.rpm | grep -v kernel)
rpm -ivh kernel-version.rpm
vi /boot/grub/menu.lst

grub
md5crypt
quit

vi /boot/grub/menu.lst
............
password $ksjfajlfjsa;f/skjfladjal/
...........

vi /etc/profile
...........
export TMOUT=3600
...........

netstat -anut | less
chkconfig --list
chkconfig acpid off

vi /etc/fstab
...............
/dev/hda7    /             reiserfs  defaults                     1 1
/dev/hda1    /boot         reiserfs  defaults,noexec,nosuid,nodev 1 2
/dev/hda8    /home         reiserfs  defaults,nosuid,nodev        1 2
/dev/cdrom   /media/cdrom  iso9660   noauto,owner,ro              0 0
/dev/hda9
.........................
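An added example, not part of the original lab notes: a small POSIX shell audit that checks an fstab for the mount options applied above (noexec,nosuid,nodev on /boot; nosuid,nodev on /home). The fstab text is constructed inline, with /boot deliberately missing noexec; the table of required options is an assumption taken from the entries in the notes.

```shell
#!/bin/sh
# Added example: audit fstab hardening options (not from the original notes).

# Constructed sample fstab; /boot is deliberately missing noexec.
SAMPLE_FSTAB='/dev/hda7 / reiserfs defaults 1 1
/dev/hda1 /boot reiserfs defaults,nosuid,nodev 1 2
/dev/hda8 /home reiserfs defaults,nosuid,nodev 1 2
/dev/cdrom /media/cdrom iso9660 noauto,owner,ro 0 0'

# required_opts MOUNTPOINT -> options expected for that mount point
# (assumption: taken from the fstab entries in the notes above)
required_opts() {
    case "$1" in
        /boot) echo "noexec,nosuid,nodev" ;;
        /home) echo "nosuid,nodev" ;;
        *)     echo "" ;;
    esac
}

# has_opt OPTLIST OPT -> true if OPT is one of the comma-separated entries
has_opt() {
    printf ',%s,' "$1" | grep -q ",$2,"
}

# audit_fstab FSTAB_TEXT -> prints "MOUNTPOINT missing OPT" for every
# required option that is absent; prints nothing when all is well
audit_fstab() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts dump pass; do
        # skip blank lines and comments
        case "$dev" in ''|\#*) continue ;; esac
        req=$(required_opts "$mnt")
        [ -z "$req" ] && continue
        for o in $(printf '%s' "$req" | tr ',' ' '); do
            has_opt "$opts" "$o" || echo "$mnt missing $o"
        done
    done
}

# fstab_ok FSTAB_TEXT -> exit 0 only if audit_fstab reports nothing
fstab_ok() {
    [ -z "$(audit_fstab "$1")" ]
}

# Run on the constructed sample; use "$(cat /etc/fstab)" on a real host.
audit_fstab "$SAMPLE_FSTAB"
```

The check deliberately ignores the dump/pass columns and only looks at the option list, so it can be pointed at a copied fstab from any host.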

reboot

login as root
netstat -anut | less

vi /etc/inittab

kill -HUP 1
vi /etc/issue

.........
remove all
.........

cp /etc/issue /etc/issue.net
vi /etc/motd

logout
login: root
you should now see the contents of /etc/motd

which pppd
mount -o remount,rw /usr
mkdir /mnt/nfs
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/RedHat/RPMS/ppp-version.rpm
#suse: rpm -ivh /mnt/nfs/suse/i586/ppp-version.rpm

umount /mnt/nfs
mount -o remount,ro /usr

**on the firewall
vi /etc/inittab
............
s1:2345:respawn:/usr/sbin/pppd crtscts noauth -detach fw-ip:ws-ip ttyS0 38400
...............

**on the work station
vi /etc/inittab
..............
s1:2345:respawn:/usr/sbin/pppd crtscts noauth -detach ws-ip:fw-ip ttyS0 38400
...............

kill -HUP 1
ifconfig
ping fw-ip
ping ws-ip

hostname -f
hostname fw.team1.test.cxm

***on the firewall
vi /etc/sysconfig/network
.............
HOSTNAME=fw.team1.test.cxm
.............

***on the workstation
vi /etc/sysconfig/network
.............
HOSTNAME=ws.team1.test.cxm
.............

**on the firewall
#suse vi /etc/hostname
vi /etc/hosts
..........................................................................
10.1.1.1 fw.team1.test.cxm
192.168.1.1 fw-ppp0.team1.test.cxm fw-ppp0
192.168.1.2 ws.team1.test.cxm

.........................................................................
hostname -f



**ws
--------------------------------------------------------------------------
hostname -f
hostname ws.team1.test.cxm

vi /etc/sysconfig/network
#suse vi /etc/HOSTNAME
.............
HOSTNAME=ws.team1.test.cxm
.............


vi /etc/hosts
..............................................................
127.0.0.1 localhost.localdomain localhost
192.168.1.1 fw-ppp0.team1.test.cxm fw-ppp0
192.168.1.2 ws.team1.test.cxm ws
...............................................................

**on the firewall
vi /etc/resolv.conf
..............................................................
search team1.test.cxm
nameserver 10.0.0.100
..............................................................

**on the workstation
vi /etc/resolv.conf
.........
empty

............
« Last edited: 2008-06-24 15:37 by 小徒兒 »

小徒兒
Installing tcpdump
« Reply #1 on: 2006-12-14 17:10 »
***Installing tcpdump
which tcpdump
mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/RedHat/RPMS/tcpdump-version.rpm
#suse rpm -ivh /mnt/nfs/suse/i586/tcpdump-version.rpm
umount /mnt/nfs
mount -o remount,ro /usr

**on the firewall
#trace packets on the PPP interface only
tcpdump -i ppp0 -l -n -x | tee tcpdump.ping

**ws
#use the hexadecimal string "deadbeef" as packet content
ping -c 1 -p deadbeef 192.168.1.1


**on the firewall
Ctrl-C
view tcpdump.ping


#use the bc calculator with output base 2 and input base 16

bc
obase=2
ibase=16
F
echo "1+1"|bc
echo "obase=2;8"|bc
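An added example (not from the notes): a shell decoder for the hex output of tcpdump -x that does the same hex-to-decimal work as the bc session above, but for the whole IPv4 header at once. The dump is a constructed echo request from the workstation (192.168.1.2) to the firewall (192.168.1.1) with dummy checksums; the "0x0000:" offset prefix is the format of newer tcpdump versions, and the stripping also copes with the bare hex lines of older ones.

```shell
#!/bin/sh
# Added example: decode the IPv4 header from tcpdump -x hex output
# (not from the original notes).

# Constructed dump of one ICMP echo request 192.168.1.2 -> 192.168.1.1,
# payload "deadbeef"; the IP and ICMP checksums are dummy values.
SAMPLE_DUMP='0x0000:  4500 0054 1234 4000 4001 0000 c0a8 0102
0x0010:  c0a8 0101 0800 f7ff 1234 0001 dead beef'

# hex_bytes DUMP -> one string of hex digits (offset prefixes and spaces removed)
hex_bytes() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*0x[0-9a-fA-F]*:[[:space:]]*//' | tr -d ' \t\n'
}

# byte_at HEX INDEX -> decimal value of the byte at 0-based INDEX
byte_at() {
    b=$(printf '%s' "$1" | cut -c"$((2 * $2 + 1))-$((2 * $2 + 2))")
    echo $((0x$b))
}

# ip4_at HEX INDEX -> dotted quad of the four bytes starting at INDEX
ip4_at() {
    echo "$(byte_at "$1" "$2").$(byte_at "$1" $(($2 + 1))).$(byte_at "$1" $(($2 + 2))).$(byte_at "$1" $(($2 + 3)))"
}

# decode_ip DUMP -> "version header_len total_len ttl proto src dst"
decode_ip() {
    hex=$(hex_bytes "$1")
    b0=$(byte_at "$hex" 0)
    ver=$((b0 >> 4))            # high nibble: IP version
    hlen=$(((b0 & 15) * 4))     # low nibble: header length in 32-bit words
    tlen=$(($(byte_at "$hex" 2) * 256 + $(byte_at "$hex" 3)))
    ttl=$(byte_at "$hex" 8)
    proto=$(byte_at "$hex" 9)
    echo "$ver $hlen $tlen $ttl $proto $(ip4_at "$hex" 12) $(ip4_at "$hex" 16)"
}

# icmp_type DUMP -> ICMP type (first byte after the IP header); fails if not ICMP
icmp_type() {
    hex=$(hex_bytes "$1")
    [ "$(byte_at "$hex" 9)" -eq 1 ] || return 1
    b0=$(byte_at "$hex" 0)
    byte_at "$hex" $(((b0 & 15) * 4))
}

# proto_name NUMBER -> the name tcpdump prints for the protocol field
proto_name() {
    case "$1" in 1) echo icmp ;; 6) echo tcp ;; 17) echo udp ;; *) echo "proto-$1" ;; esac
}

decode_ip "$SAMPLE_DUMP"
```

Feed it the hex lines of one packet from tcpdump.ping and compare the decoded source, destination and ICMP type against the tcpdump -n summary line; the header-length field matters because options would shift where the ICMP type byte sits.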

#verify that both xinetd and the telnet daemon are present
which xinetd
which in.telnetd

mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/RedHat/RPMS/xinetd-version.rpm
#suse rpm -ivh /mnt/nfs/suse/i586/xinetd-version.rpm
rpm -ivh /mnt/nfs/RedHat/RPMS/telnet-server-version.rpm
#suse rpm -ivh /mnt/nfs/suse/i586/telnet-server-version.rpm
umount /mnt/nfs
mount -o remount,ro /usr


chkconfig telnet on
chkconfig xinetd on
service xinetd start
#suse rcxinetd start

tcpdump -i ppp0 -l -n -x | tee tcpdump.telnet

**from the ws
telnet fw-ip
login:root

**on the firewall
^C
view tcpdump.telnet

#disable the telnet daemon
service xinetd stop
#suse rcxinetd stop
chkconfig telnet off
chkconfig xinetd off

***Configuring kernel networking options
vi /etc/sysctl.conf
............
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ratelimit = 1
net.ipv4.icmp_ratemask = 6168

...

sysctl -p /etc/sysctl.conf
cat /proc/sys/net/ipv4/tcp_syncookies

#make sure that the boot.sysctl service is started
#disable boot.ipconfig
chkconfig boot.sysctl on
chkconfig boot.ipconfig off
reboot
#verify the device-specific kernel setting
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
#should be 1
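Added example (not part of the notes): a checker that compares the keys in a sysctl.conf against the live values under /proc/sys, so a missed boot.sysctl run or a service ordering problem shows up as a mismatch instead of being found by hand with cat. The config text and the /proc-like tree are constructed; on a real host call check_sysctl "$(cat /etc/sysctl.conf)" /proc.

```shell
#!/bin/sh
# Added example: compare sysctl.conf against live /proc/sys values
# (not from the original notes).

# Constructed sysctl.conf with the settings from the notes.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1'

# check_sysctl CONF_TEXT PROC_ROOT -> "key expected actual" for every key
# whose live value under PROC_ROOT/sys differs or is missing; silent if all match
check_sysctl() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|\#*|';'*) continue ;; esac     # comments and blanks
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' ')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d ' ')
        path="$2/sys/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then have=$(cat "$path"); else have=missing; fi
        [ "$have" = "$want" ] || echo "$key $want $have"
    done
}

# mismatch_count CONF_TEXT PROC_ROOT -> number of keys that differ
mismatch_count() {
    check_sysctl "$1" "$2" | wc -l | tr -d ' '
}

# make_fake_proc -> path of a throw-away tree shaped like /proc, with
# ip_forward still 1 and tcp_syncookies absent, so the check has findings
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/net/ipv4/conf/default"
    echo 1 > "$root/sys/net/ipv4/ip_forward"
    echo 1 > "$root/sys/net/ipv4/conf/default/rp_filter"
    echo 1 > "$root/sys/net/ipv4/icmp_echo_ignore_broadcasts"
    echo "$root"
}

# On a real host: check_sysctl "$(cat /etc/sysctl.conf)" /proc
fake=$(make_fake_proc)
check_sysctl "$SAMPLE_SYSCTL" "$fake"
rm -rf "$fake"
```

A key reported as "missing" usually means the module or interface is not present yet, which is exactly the case for the device-specific conf/eth0/rp_filter entries when sysctl runs before the interface exists.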

小徒兒
Packet Filtering and Network Address
« Reply #2 on: 2006-12-14 17:22 »
Source: IBM


***Packet Filtering and Network Address

Only incoming packets are matched against -i rules


***Tables:
filter
nat: snat, dnat
mangle: alter packets


***other features
transparent proxying
#a packet that needs to be routed is sent to the local system (e.g. a proxy) instead (DNAT)

Port forwarding
#a packet that is sent to a local port is masqueraded and sent to another server instead (DNAT)
#useful if you have an internet web server inside the firewall


Stateful TCP inspection
#Requires ipt_state kernel module

Packet Mangling
#change IP and TCP options on packets in transit


 




***commands
-L List all rules
-F Flush all rules (clear)
-Z Zero all counters
-A Append a rule
-I Insert a rule  #first match wins
-P Default action (policy) for this chain
-N Create a user-defined chain
-X Delete a user-defined chain
-D Delete a rule
-R Replace a rule

***parameters
-i incoming interface
-o outgoing interface
-p protocol
-s source-IP
--sport source-port
-d destination-IP
--dport destination-port
--icmp-type type
Use ! to negate options

***Targets:
Basic:ACCEPT,DROP
Extended:REJECT,LOG

iptables -t TABLE COMMAND CHAIN RULE -j TARGET   (or: -P CHAIN POLICY)
             filter
             nat
             mangle

-p tcp --dport 80 -i eth0 -s 1.2.3.4
(any of these may be omitted)
-s / -d take an ip or net/mask;  --sport / --dport take  p1
                                                         p1:p2
                                                         p2:
                                                         :p2

-s / -d also accept an FQDN (www.google.com), looked up via DNS


4. --icmp-type type or type/code, e.g. 3/0 3/2 3/4 (destination unreachable), 8 (echo request)

5. verify from Windows

iptables -t TABLE

iptables -X  #order depends on the version
iptables -F  #then set the default policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT     #internal interface
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i ppp0 -j ACCEPT     #only if ppp0 is not the external address; ppp0 = external interface
iptables -A OUTPUT -o ppp0 -j ACCEPT    #addresses coming in from outside are blocked

Without -t the table is filter; if nothing matches, everything is dropped.

iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP

Against IP spoofing: internal addresses showing up on the external interface, and other bogus addresses, are all DROPped
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -d 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp0 -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -d 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -d 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 0.0.0.0 -j DROP
iptables -A INPUT -i ppp0 -d 255.255.255.255 -j DROP
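Added example, not code from the notes or from the IBM course: a generator that emits the anti-spoofing rules above for both directions from a single network list, so the INPUT and OUTPUT sides cannot drift apart as they are edited. IPT defaults to a dry run that only prints the commands; the interface and address are arguments (ppp0 and 62.186.134.70 in the demo call). It uses the current `! -d` negation syntax rather than the notes' older `-d !` form.

```shell
#!/bin/sh
# Added example: generate anti-spoofing rules for the external interface
# from one list (not from the notes or the IBM course material).

# IPT defaults to a dry run that prints the rules; run as root with
# IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

# Address blocks that must never appear on the external side: RFC 1918
# and loopback (the same set the notes' rules cover).
BOGONS='10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8'

# spoof_rules EXT_IF EXT_IP -> emits the INPUT and OUTPUT rules for EXT_IF
spoof_rules() {
    ext_if=$1; ext_ip=$2
    # only packets addressed to us may come in, only packets from us may go out
    $IPT -A INPUT -i "$ext_if" ! -d "$ext_ip" -j DROP
    $IPT -A OUTPUT -o "$ext_if" ! -s "$ext_ip" -j DROP
    for net in $BOGONS; do
        $IPT -A INPUT -i "$ext_if" -s "$net" -j DROP
        $IPT -A INPUT -i "$ext_if" -d "$net" -j DROP
        $IPT -A OUTPUT -o "$ext_if" -d "$net" -j DROP
    done
    # the unspecified source and the limited broadcast destination
    $IPT -A INPUT -i "$ext_if" -s 0.0.0.0 -j DROP
    $IPT -A INPUT -i "$ext_if" -d 255.255.255.255 -j DROP
}

# rule_count EXT_IF EXT_IP -> how many rules spoof_rules emits (in dry-run mode)
rule_count() {
    spoof_rules "$1" "$2" | wc -l | tr -d ' '
}

spoof_rules ppp0 62.186.134.70
```

Because the rules are appended, call this right after the policies and the loopback rules and before any ACCEPT rule for the external interface, otherwise the spoofed packets are accepted before they reach the DROP lines.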


***allow icmp
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 0 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 0 -j ACCEPT


***other icmp filtering
destination unreachable (3)
Source Quench (4)
Time exceeded (11)
Parameter Problem (12)

iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 3 -j ACCEPT

iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 4 -j ACCEPT

iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 11 -j ACCEPT

iptables -A INPUT -i ppp0 -p icmp -s 0.0.0.0/0 -d 62.186.134.70 --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -s 62.186.134.70 -d 0.0.0.0/0 --icmp-type 12 -j ACCEPT

#0.0.0.0 is literally the address 0
#0.0.0.0/0 matches any address

***outgoing tcp/udp connection
#source port >1023
#destination port <=1023

iptables -A OUTPUT -o ppp0 -p tcp -s 62.186.134.70 --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp -s 0.0.0.0/0 --sport :1023 -d 62.186.134.70 --dport 1024: -j ACCEPT

***Identd


iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -Z #zero the counters

***can ping out, but nobody can ping in
iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -s 10.11.1.254 -d 0.0.0.0/0 -j ACCEPT


iptables -D INPUT 3 #delete rule 3
iptables -D OUTPUT 3
iptables -v -L

iptables -I OUTPUT 2 -o eth
iptables -I INPUT 2  -i eth
iptables -v -L

iptables -I OUTPUT 3 -o eth0 -p icmp
iptables -I INPUT 3 -i eth0 -p icmp
iptables -v -L
iptables-save

-A INPUT -i lo -j ACCEPT
-A INPUT -d 10.1.1.254 -i eth0 -p icmp -m icmp
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -i eth0 -j ACCEPT


***
vi my.iptables.sh
./my.iptables.sh
iptables-save

ftp 10.1.1.254


***Identd********
vi /etc/hosts.deny
.....................
vsftpd: ALL: DENY
vsftpd: KNOWN@ALL

..........................
cd iptables

iptables -A OUTPUT -o eth0 -p icmp --icmp-type 8 -s 10.11.1.254 -d 0.0.0.0/0 -j ACCEPT
iptables-save shows the same rules as iptables -v -L


iptables-save > my.rules #save the rules
service iptables stop
iptables -v -L
iptables-restore < my.rules

vi myiptable
#!/bin/bash
PATH=/sbin:/usr/sbin:/bin:/usr/bin

iptables -F
iptables -X

-Use --log-level to specify the log level (messages go through the kernel log to syslogd)
-Use --log-prefix to specify a prefix #a tag that makes the entries easy to filter

-Use --limit to specify the maximum average #average number of packets logged per minute
-Use --limit-burst to specify the maximum initial number #the point at which the limit kicks in; the initial number of packets allowed

iptables -I INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "Incoming IP Packet "
#at most 3 packets logged per minute; the limit triggers after 3 packets within a minute
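Added example (not from the notes): the --log-prefix tag is what makes the kernel log searchable, so this awk-based summary runs over a few constructed /var/log/messages lines of the kind the LOG rule above writes and reports, per source address, how many packets were logged and how many distinct destination ports were touched, which is a cheap port-scan indicator. The prefix string, the log lines and the threshold are all assumptions.

```shell
#!/bin/sh
# Added example: summarise iptables LOG entries by source (not from the notes).

# Constructed /var/log/messages lines as written by a LOG rule with
# --log-prefix "Incoming IP Packet "; the last line is unrelated noise.
SAMPLE_LOG='Dec 14 17:10:01 fw kernel: Incoming IP Packet IN=ppp0 OUT= MAC= SRC=10.0.0.100 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 14 17:10:02 fw kernel: Incoming IP Packet IN=ppp0 OUT= MAC= SRC=10.0.0.100 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=34568 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 14 17:10:02 fw kernel: Incoming IP Packet IN=ppp0 OUT= MAC= SRC=10.0.0.100 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=34569 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 14 17:10:05 fw kernel: Incoming IP Packet IN=ppp0 OUT= MAC= SRC=10.0.0.7 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Dec 14 17:10:06 fw sshd[123]: Accepted publickey for root from 192.168.1.2 port 40000 ssh2'

# summarize_log LOGTEXT PREFIX -> one line per source: "SRC hits distinct_dports"
summarize_log() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        index($0, pfx) == 0 { next }          # keep only our LOG entries
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            hits[src]++
            if (dpt != "" && !((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in hits) printf "%s %d %d\n", s, hits[s], ports[s] + 0 }' | sort
}

# hits_for LOGTEXT PREFIX SRC -> number of logged packets from SRC (0 if none)
hits_for() {
    n=$(summarize_log "$1" "$2" | awk -v s="$3" '$1 == s { print $2 }')
    echo "${n:-0}"
}

# flag_sources LOGTEXT PREFIX MIN_PORTS -> sources that touched at least
# MIN_PORTS distinct destination ports (a cheap port-scan indicator)
flag_sources() {
    summarize_log "$1" "$2" | awk -v min="$3" '$3 >= min { print $1 }'
}

summarize_log "$SAMPLE_LOG" "Incoming IP Packet"
```

On a live firewall pass "$(grep 'Incoming IP Packet' /var/log/messages)" as the first argument; because of --limit the counts are a lower bound on what actually arrived, not an exact packet count.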


-m state --state <STATE>
                            NEW

-i
-o

-m state --state <STATE>
NEW         #outgoing is allowed
ESTABLISHED #the NEW connection has been set up, so accept
RELATED     #related to an established connection, so accept
INVALID

-s $INT_TRUST_IP   #only that one internal host
--state INVALID -j DROP               #any packet that is invalid
--state ESTABLISHED,RELATED -j ACCEPT #the NEW connection is already established

cp my.iptables.sh iptables2.sh
service iptables stop #clears all rules

OUTPUT can be left alone

modprobe ip_conntrack_ftp

***Masquerading
iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
 --dport :1023 -j SNAT --to-source 62.186.134.70

iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
 --dport :1023 -j MASQUERADE

iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
 --dport :1023 -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward


***enable ssh
iptables -A INPUT -i $INT_IF -p tcp --dport 22 -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 22 -j ACCEPT

icmp type 0 8 3 4 11

port www tcp 80, dns udp 53, ftp tcp 21, tcp email
output
iptables -A OUTPUT -d 1.2.3.4 -j DROP #-d can also take a domain name (FQDN)



***NAT
modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack_irc ip_nat_irc

add to /etc/rc.local
or   /etc/modules.conf

***saving and restoring rules
/sbin/iptables-save > iptables.rules
cat iptables.rules
iptables -F
iptables -X
/sbin/iptables-restore < iptables.rules


REDHAT
cat /etc/sysconfig/iptables
service iptables panic
chkconfig --list iptables
modprobe
/etc/rc.local
/etc/rc5.d/Sxx scripts all run at boot

***load the rules again after a reboot

echo /root/iptables/iptables.sh >> /etc/rc.d/rc.local

#if the network is restarted
put `service iptables save` as the last line of the shell script


***graphical front-ends
##Suse
SuSEfirewall
/etc/

#http://www.fwbuilder.org
supports:
ipfilter
OpenBSD PF
Cisco PIX


iptables -A OUTPUT -o ppp0 -p udp -s 62.186.134.70 --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0/0 --sport :1023 -d 62.186.134.70 --dport 1024: -j ACCEPT


**fw
iptables -n -L
#delete all user-defined chains
iptables -X
#flush all rules
iptables -F
#set the default policy for the input, output, and forward chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#add the rules to allow traffic over the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


#unlimited traffic over the internal interface
iptables -A INPUT -i ppp0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT

#sending packets which are not destined to/originating from the external interfaces IP address
iptables -A INPUT -i eth0 -s 0.0.0.0/0 -d ! 10.0.0.1 -j DROP
iptables -A OUTPUT -o eth0 -s ! 10.0.0.1 -d 0.0.0.0/0 -j DROP

#protect your external interface from receiving and/or sending packets from/to IP addresses which are certain to be spoofed

iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1023 -j SNAT --to-source 10.0.0.1

iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j SNAT --to-source 10.0.0.1


#using MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1023 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1023 -j MASQUERADE

iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE

#FORWARD
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1023 -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -p tcp -s ! 192.168.1.0/24 --sport :1023 -d 192.168.1.0/24 --dport 1024: -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -p udp -s 192.168.1.0/24 --sport 1024: -d ! 192.168.1.0/24 --dport :1023 -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -p udp -s ! 192.168.1.0/24 --sport :1023 -d 192.168.1.0/24 --dport 1024: -j ACCEPT

iptables -A FORWARD -i ppp0 -o eth0 -p icmp -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j ACCEPT

iptables -A FORWARD -i eth0 -o ppp0 -p icmp -s ! 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT


#turn the forwarding on
echo 1 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf
............
net.ipv4.ip_forward = 1
............

**ws
ping the teacher
telnet teacher

**teacher
can not ping the ws
telnet ws


#list firewall rules
iptables -L -n -v --line-numbers

#SUSE
vi /etc/init.d/iptables
ln -s /etc/init.d/iptables /sbin/rciptables


#iptables script, save the firewall rules
service iptables save
#suse rciptables save

vi /etc/sysconfig/iptables

#suse chkconfig SuSEfirewall2 off

chkconfig iptables on
reboot
iptables -L -n -v --line-numbers

#execute a panic denial of all packets
service iptables panic
#suse rciptables panic


#restore all iptables rules
service iptables restart
#suse rciptables restart

code stolen from netman

#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

INT_IF=eth0
EXT_IF=eth1
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`

### initial
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A OUTPUT -o $INT_IF -j ACCEPT
iptables -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP
iptables -A OUTPUT -o $EXT_IF -s ! $EXT_IP -j DROP

### reserved ip
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 255.255.255.255 -j DROP

### icmp
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 12 -j ACCEPT

### tcp/udp
iptables -A OUTPUT -o $EXT_IF -p tcp -s $EXT_IP --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 1024: -s 0.0.0.0/0 --sport :1023 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p udp -s $EXT_IP --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -d $EXT_IP --dport 1024: -s 0.0.0.0/0 --sport :1023 -j ACCEPT

### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 -d $EXT_IP --dport 113 -j REJECT


server firewall


#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe ip_conntrack_ftp

INT_IF=eth1
INT_IP=`ifconfig $INT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`
INT_TRUST_IP=192.168.5.2
EXT_IF=eth0
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`

### initial
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP

### reserved ip
#iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP

### icmp
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 12 -j ACCEPT

### service
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j ACCEPT # www
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p udp --dport 53 -j ACCEPT # dns
#iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 53 -s 4.3.2.1 -j ACCEPT # dns-zonetransfer
#iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 53 -s 4.3.2.2 -j ACCEPT # dns-zonetransfer
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 21 -j ACCEPT # ftp
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 25 -j ACCEPT # email


### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 -d $EXT_IP --dport 113 -j REJECT


### output
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP





***NAT has the same effect as a router
route -n



***nat
NAT translates the private IP to the external IP and sends the packet out to the internet;
NAT then translates the reply's destination from the external IP back to the private IP and delivers it.




modprobe ip_conntrack_ftp ip_nat_ftp
modprobe ip_conntrack_irc ip_nat_irc


#use post-install lines in /etc/modules.conf to load the helper modules automatically
post-install ip_conntrack modprobe ip_conntrack_ftp
post-install iptable_nat modprobe ip_nat_ftp






#NAT rewrites packets leaving through the external interface ppp0: the private address 10.0.0.2:1287 becomes the external 62.186.134.70:4011 before the packet goes out to the internet. If the external IP on ppp0 is dynamic, use the MASQUERADE target instead.

iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 --dport :1023 -j SNAT --to-source 62.186.134.70

or

iptables -t nat -A POSTROUTING -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 --dport :1023 -j MASQUERADE


#forwarded packets going from the internal interface to the external interface are accepted if the source port is above 1024 (client side)

iptables -A FORWARD -i eth0 -o ppp0 -p tcp -s 10.0.0.0/24 --sport 1024: -d ! 10.0.0.0/24 \
 --dport :1023 -j ACCEPT


#forwarded packets coming from the external interface to the internal interface are accepted if the source port is below 1024 (server side)
iptables -A FORWARD -i ppp0 -o eth0 -p tcp -s ! 10.0.0.0/24 --sport :1023 -d 10.0.0.0/24 \
 --dport 1024: -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

--------------------------------------------------------

***ipt.client.sh

#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe ip_conntrack_ftp

INT_IF=eth1
INT_IP=`ifconfig $INT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`
INT_TRUST_IP=192.168.5.2
EXT_IF=eth0
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`

### initial
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP

### reserved ip
#iptables -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP

### icmp
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 12 -j ACCEPT

### service

### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 -d $EXT_IP --dport 113 -j REJECT


### output
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP

from netman



小徒兒
Secure Shell and Secure Copy: ssh & scp
« Reply #3 on: 2006-12-15 12:28 »
**scp root's command history
scp 10.1.1.254:/root/.bash_history .


***Secure Shell and Secure Copy

**fw
vi /etc/ssh/sshd_config
..............
X11Forwarding no

#modify banner line
Banner /etc/issue.net
.........................

service sshd restart
rcsshd restart #suse

ssh root@192.168.1.1
logout
vi ~/testfile
scp ~/testfile root@192.168.1.1:/tmp/myfile

#run a command on the remote host via ssh
ssh root@192.168.1.1 cat /tmp/myfile

**fw
service iptables restart
rciptables restart #suse

#open a hole in the firewall for ssh
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: -d 10.0.0.1 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 10.0.0.1 --sport 22 -d 0.0.0.0/0 --dport 1024: -j ACCEPT

service iptables save
rciptables save #suse

vi /etc/sysconfig/iptables
#change the file to include the rule listed above
service iptables restart
rciptables restart #suse

ssh 10.0.0.1

**ws
<CTRL-ALT-F1>
login:tux1
pass: penguin1

ssh-keygen -d #generate a DSA key pair


cd .ssh
ls -la
view id_dsa
view id_dsa.pub


**fw
scp id_dsa.pub root@192.168.1.1:id_dsa.one
ssh root@192.168.1.1
ls
mkdir .ssh
chmod 700 .ssh
cat id_dsa.one >> .ssh/authorized_keys2
chmod 600 .ssh/authorized_keys2

**log off and on to fw
logout
ssh -l root 192.168.1.1
logout


***Working with ssh-agent and ssh-add
echo $$
ssh-agent bash #start ssh-agent
echo $$  #view the process ID of your current shell again
pstree #see which processes were started as children of ssh-agent

ssh-add #upload your private key to ssh agent

ssh root@192.168.1.1
logout

<Ctrl-Alt-F7>
login:tux1
Password:penguin1

ps -aux | grep ssh-agent #check whether ssh-agent is started

#suse
vi .xinitrc
.............
#change
exec $WINDOWMANAGER
#into
ssh-agent $WINDOWMANAGER

#suse
..................

**fw
login to the firewall
ssh root@192.168.1.1
logout


***Tracing an SSH connection with tcpdump
tcpdump -i ppp0 -l -n -x | tee tcpdump.ssh #dump the content to a file named tcpdump.ssh

**ws ssh fw(192.168.1.1)
ssh root@192.168.1.1
ls
logout

**fw
^C
view tcpdump.ssh


***Disabling telnet
chkconfig telnet off
chkconfig xinetd off
service xinetd stop
rcxinetd stop #suse

netstat -anut | less #verify that ssh is the only network service active


***X11 Forwarding
**fw
which xauth xeyes #verify xauth and xeyes are available
mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs

cd /mnt/nfs/Redhat/RPMS
rpm -ivh --nodeps XFree86-xauth-version.rpm
rpm -ivh --nodeps XFree86-libs-version.rpm
rpm -ivh --nodeps XFree86-version.rpm
rpm -ivh --nodeps XFree86-tools-version.rpm

#suse
cd /mnt/nfs/suse/i586
rpm -ivh --nodeps XFree86-libs-version.rpm
rpm -ivh --nodeps XFree86-version.rpm

#suse end

cd
umount /mnt/nfs
mount -o remount,ro /usr

**ws
netstat -anutp
echo $DISPLAY

**login to the fw
ssh root@192.168.1.1
echo $DISPLAY
netstat -anutp #which ports are open now
xeyes
logout

**fw
vi /etc/ssh/sshd_config #enable X11 forwarding

...............
X11Forwarding yes
..............

service sshd restart
rcsshd restart #suse

**from ws login fw
ssh root@192.168.1.1
echo $DISPLAY
netstat -anutp
xeyes
logout


***ssh tunneling
**ws
chkconfig daytime on
service xinetd restart
rcxinetd restart

telnet localhost 13

***
walk over to the instructor server, or to the firewall of a fellow student.
set up an ssh tunnel so that a connection to local port 6543 (on the instructor server or on the fellow student's firewall) is tunneled to your firewall, whose sshd daemon then connects to your workstation's daytime port

ssh -L 6543:192.168.1.2:13 10.0.0.1
#192.168.1.2 ws
#10.0.0.1 firewall

(in another window or VT)
telnet localhost 6543







service iptables restart
rciptables restart #suse
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:


***/etc/nologin
#touch /etc/nologin #keep unprivileged users from logging in to a shell, whether via telnet or ssh/ssh2

***troubleshooting @@@ HOST IDENTIFICATION HAS CHANGED @@@
/etc/ssh_known_hosts
vi $HOME/.ssh/ssh_known_hosts

***/etc/sshrc
if $HOME/.ssh/rc exists, run it with the user's shell; if /etc/sshrc exists, run it with /bin/sh


***ssh-keygen dsa

ssh-keygen -t dsa -N "mykeyphrase" #set the passphrase to mykeyphrase
scp ~/.ssh/id_dsa.pub 192.168.1.1:myid_dsa
ssh 192.168.1.1
cat myid_dsa >> ~/.ssh/authorized_keys2
chmod 600 ~/.ssh/authorized_keys2
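Added example covering the authorized_keys steps here and the earlier scp / cat / chmod sequence on the firewall (not the notes' own code): an idempotent installer that appends a public key only if the same key type and blob are not already present, and enforces 700 on ~/.ssh and 600 on the file, as the chmod steps above do. The key line is a constructed dummy in ssh-dss format, not a real key; the demo runs on a throw-away directory rather than a real home.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys installer (not from the notes).

# Constructed dummy key line in authorized_keys format; not a real key.
SAMPLE_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYDATAONLY== tux1@ws.team1.test.cxm'

# install_key HOMEDIR KEYLINE [FILE] -> appends KEYLINE to HOMEDIR/.ssh/FILE
# (default authorized_keys) unless the same key type+blob is already there,
# and enforces the lab's permissions: 700 on .ssh, 600 on the file.
install_key() {
    home=$1; key=$2; file=${3:-authorized_keys}
    dir="$home/.ssh"; auth="$dir/$file"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # match on type and blob only, so a different comment is not a "new" key
    blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed"
}

# key_count HOMEDIR [FILE] -> number of key lines in the file (0 if absent)
key_count() {
    f="$1/.ssh/${2:-authorized_keys}"
    if [ -f "$f" ]; then grep -c '^ssh-' "$f" || true; else echo 0; fi
}

# perms_ok HOMEDIR [FILE] -> true if .ssh is 0700 and the file is 0600
perms_ok() {
    d="$1/.ssh"; f="$d/${2:-authorized_keys}"
    [ -n "$(find "$d" -prune -perm 700)" ] && [ -n "$(find "$f" -prune -perm 600)" ]
}

# Demo on a throw-away directory; use "$HOME" (or the target user's home) for real.
demo=$(mktemp -d)
install_key "$demo" "$SAMPLE_KEY"
install_key "$demo" "$SAMPLE_KEY"
rm -rf "$demo"
```

Pass authorized_keys2 as the third argument for the DSA key file the notes use with older sshd; sshd ignores both files when the directory or file permissions are looser than the values enforced here.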


***ssh-keygen rsa

ssh-keygen -N "mykeyphrase" #set the passphrase to mykeyphrase
scp ~/.ssh/identity.pub 192.168.1.1:myidentity
ssh 192.168.1.1
cat myidentity >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys


***on windows

copy the key to the host you want to connect to
putty.exe

Host Name
root@172.16.107.145

ssh-->Auth-->PrivateKey-->browse-->C:\private.ppk


--generate key--
puttygen.exe
generate
save public key to C:\public.ppk no phrase
save private key to C:\private.ppk no phrase


--pasting the public key directly
copy the generated output, which looks like

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAg3i6olZd+Z7+QbBBo03fGjYA8oJvLvM
UTSBSsLfSEBnJYCSi1cBAFwyIfamGbmoprWYDTiSsFb7AvNmeE7KmNfMiP4
bauAVkmZYxQATPM6eIyVS4ownBICU7b2lxepC3qDcJFSGz2dqrUZ1Ams/V
2Uj6bbIqiQ+/TZpg1Z7Ht0c
 


into the home directory of the user you want to log in as
for example

#cd ~
#mkdir .ssh
#vi .ssh/authorized_keys
paste the keygen output
-------------
login again
done


--fetching the public key via ftp
copy it to an ftp location
wget <paste the URL with Shift+Insert>



*** ssh X forwarding (X window display forwarding)
vi /etc/ssh/sshd_config

............
X11Forwarding yes
.............

ssh -X 10.1.1.1
xeyes
firefox


client$ echo $DISPLAY
:0.0
client$ ssh server
server$ echo $DISPLAY
localhost:10.0
server$ xeyes

小徒兒
lab: secure tunneling
« Reply #4 on: 2006-12-26 10:44 »
rpm -ivh http://10.1.1.254/DL/pkgs/sendmail-cf-8.13.rpm
vi sendmail.mc
............

...........

m4 sendmail.mc > sendmail.cf
service sendmail start
service sendmail restart

telnet localhost 25

***Forward tunnels:
ssh -L <localport>:<remote sys>:<remote port> <firewall>
ssh -L 1025:192.168.1.2:25 10.1.1.1



#on 192.168.1.2
telnet localhost 1025



***Reverse tunnels:
ssh -R <remoteport>:<local sys>:<local port> <firewall>
ssh -R 25:10.1.1.1:1025  10.1.1.1



#on 192.168.1.2
telnet localhost 1025


***SSH firewall considerations
#SSH client uses a dynamic port
  -May be below 1024 unless -P option used

#SSH server uses port 22

#May need to open up server to allow incoming connections from the internet

iptables -A INPUT -i ppp0 -p tcp -s 0.0.0.0/0 --sport 1024: -d 62.186.134.70 --dport 22 -j ACCEPT

iptables -A OUTPUT -o ppp0 -p tcp -s 62.186.134.70 --sport 22 -d 0.0.0.0/0 --dport 1024: -j ACCEPT


telnet localhost 12345

netman (Administrator, 17466 posts, http://www.study-area.org)
Good job! You are really diligent! ^_^

However, the last diagram about the ssh tunnel seems a bit off.
The tunnel should be built between the client and the ssh server (agent), not between the agent and the mail server.
Only then can it pass through the GFW's filtering.

Also, since you use the -L option,
the client should telnet to localhost, not to port 1235 on the agent.

Try revising it again... keep it up!

小徒兒
I still don't get the concept, teacher, please advise! orz
« Reply #6 on: 2006-12-26 15:40 »
So every SMTP client has to set up ssh -L?

What about Windows clients??

netman
No, you only need one client on the client site to build the ssh tunnel.
The other clients then use that machine's port.

For example:
the client's IP is 10.1.1.1
the agent's IP is 1.2.3.4
the mail server is 10.1.2.3
then on the client run: ssh -L 2025:10.1.2.3:25 1.2.3.4
The remaining 10.1.1.x machines set their SMTP server to 10.1.1.1, port 2025.

小徒兒
socks
« Reply #8 on: 2006-12-27 14:37 »
echo 0 > /proc/sys/net/ipv4/ip_forward
vi /etc/sysctl.conf

..............
  net.ipv4.ip_forward = 0
...........

service iptables restart
rciptables restart #suse

iptables -F FORWARD
service iptables save
rciptables save #suse

or

vi /etc/sysconfig/iptables
Delete all FORWARD rules

service iptables restart
rciptables restart #suse

***Downloading and installing

#rpmbuild -ta dante-version.tar.gz

rpm -ivh --nodeps /usr/src/redhat/RPMS/i386/dante-version.rpm
rpm -ivh /mnt/nfs/suse/i586/dante-version.rpm #suse

**fw
mount -o remount,rw /usr
scp 192.168.1.2:/usr/src/redhat/RPMS/i386/dante*.rpm /root
rpm -ivh --nodeps /root/dante-version.rpm
rpm -ivh --nodeps /root/dante-server.rpm

#suse
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/suse/i586/dante-version.rpm
rpm -ivh /mnt/nfs/suse/i586/dante-server-version.rpm
umount /mnt/nfs
#suse end

mount -o remount,ro /usr

***Setting up the Dante socks server

vi /etc/sockd.conf
.....
logoutput:syslog
internal: 192.168.1.1 port = 1080
external: 10.0.0.1
method: username none
user.privileged:root


TODO
..........

service sockd start
rcsockd start #suse

tail /var/log/messages

service sockd status
rcsockd status

***Socksifying applications

vi /etc/socks.conf
........
route {
      from: 0.0.0.0/0 to: 192.168.1.0/24 via: direct
}

route {

      from 0.0.0.

TODO
...........

socksify telnet 10.0.0.100 # use socksify to telnet into the instructor server
export LD_PRELOAD="libdsocks.so"
telnet 10.0.0.100

***stopping the Dante socks server
service sockd stop
rcsockd stop #suse

小徒兒

proxy
« Reply #9 on: 2006-12-27 14:49 »
***Configuring Apache for Proxy Service
which httpd
mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs

rpm -ivh /mnt/nfs/RedHat/RPMS/httpd-version.rpm
rpm -ivh /mnt/nfs/suse/i586/apache-version.rpm #suse

umount /mnt/nfs
mount -o remount,ro /usr

***Configuring Apache for proxy services
httpd -v
#version 1.3
vi /etc/httpd/conf/httpd.conf
vi /etc/httpd/httpd.conf # suse

..................

ServerName fw.team1.com
Listen 192.168.1.1:8080
LoadModule proxy_module /usr/lib/apache/libproxy.so
AddModule mod_proxy.c
<IfModule mod_proxy.c>
ProxyRequests On
<Directory proxy:*>
      Order deny,allow
      Deny from all
      Allow from 192.168.1.0/24
</Directory>

</IfModule>
.......................................................

#version 2.0

vi /etc/httpd/conf/httpd.conf
vi /etc/httpd/httpd.conf #suse

..................

ServerName fw.team1.com
Listen 192.168.1.1:8080
LoadModule proxy_module modules/mod_proxy.so
# Apache 2.0 also needs the HTTP proxy handler for ProxyRequests to forward HTTP
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyRequests On
<Proxy *>
      Order deny,allow
      Deny from all
      Allow from 192.168.1.0/24
</Proxy>

</IfModule>

***Start Apache
service httpd start
rcapache start #suse

netstat -an | less #verify that apache only listens to the internal interface

cd /var/log/httpd
less access_log

***stop apache
service httpd stop
rcapache stop


===============================
Squid (the proxy with the largest market share)
===============================

which squid

mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/RedHat/RPMS/squid-version.rpm
rpm -ivh /mnt/nfs/suse/i586/squid-version.rpm #suse
umount /mnt/nfs
mount -o remount,ro /usr

vi /etc/squid/squid.conf

.........................
http_port 192.168.1.1:8080
icp_port 0
cache_mem 8 MB
# cache_dir: /var/spool/squid on RH but /var/cache/squid on SuSE
cache_dir ufs /var/spool/squid 100 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
acl all src 0.0.0.0/0.0.0.0
# the lines below must be changed
acl allowed_hosts src 192.168.1.0/255.255.255.0
http_access allow allowed_hosts

#
http_access deny all
icp_access deny all
miss_access allow all
cache_effective_user squid
cache_effective_group squid
snmp_port 0

..................................

service squid start
rcsquid start #suse
netstat -an | less # verify that Squid only listens on the internal interface

**ws

set up the proxy server on the web browser

cd /var/log/squid
less access.log

cd /var/spool/squid
cd /var/cache/squid #suse

ls -lR
find . -type f -exec file {} \; #view the content of various files in the hierarchy
less #any file from the list that was generated by find)

***Stop Squid
service squid stop
rcsquid stop


--------------------squid lab------------
義守大學 (I-Shou University)
ftp://ftp.isu.edu.tw/Linux/Fedora/linux/core/5/i386/os/Fedora/RPMS/squid-2.5.STABLE12-5.1.i386.rpm

wget ftp://ftp.isu.edu.tw/Linux/Fedora/linux/core/5/i386/os/Fedora/RPMS/squid-2.5.STABLE12-5.1.i386.rpm

rpm -ivh http://10.1.1.254/squid-2.5.STABLE12-5.1.i386.rpm
cd /etc/squid
cp squid.conf squid.conf.bak
vi squid.conf
...............
remove the # from
# http_port 3128
# icp_port 3130 # icp_port 0 disables ICP

.....................


#cache_mem 8 MB # make memory as large as possible, 8G-64G is best; let the proxy server run only socks, nat and proxy

#cache_dir ufs /var/spool/squid 100 16 256

#cache_access_log
#acl aclname acltype network_location/netmask # acl means access control

**FW
vi /etc/squid/squid.conf
#acl
#find this line
acl all src 0.0.0.0/0.0.0.0

acl team5 src 192.168.5.0/255.255.255.0 192.168.1.0/255.255.255.0

#find this line
#INSERT YOUR OWN RULE(S)
http_access allow team5

.................................

service squid start

#on the web client (Firefox or IE): File/Preferences

proxy
host 192.168.5.1       port 3128

#try to browse the network

service squid stop
#try to browse the website again

service squid start
#try to browse the website again




.................
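
An added example, not from the course, that turns the exercise's "netstat -an | less" check into a test: the proxy on the firewall must be bound to the internal address 192.168.1.1 only, never to 0.0.0.0 or to the external 10.0.0.1. The two NETSTAT_SAMPLE_* strings are constructed netstat output, not captured from a lab machine; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the course notes. Checks that Apache (:8080) or
# Squid (:3128/:8080) listens on the internal interface address only.
# NETSTAT_SAMPLE_* are constructed "netstat -ant" output, not real captures.

# Print the local address of every TCP listener on PORT found in
# "netstat -ant" (tcp ... LISTEN) or "ss -ltn" (LISTEN ...) output on stdin.
listeners_on() {
  awk -v re=":$1\$" \
    '(($1 == "tcp" && $NF == "LISTEN") || $1 == "LISTEN") && $4 ~ re { print $4 }'
}

# Succeed only if at least one listener on PORT exists and every one of them
# is bound to ALLOWED (the internal interface address).
listener_is_internal_only() {   # port allowed_addr ; stdin = netstat/ss output
  listeners_on "$1" |
    awk -v ok="$2:$1" 'BEGIN { n = 0; bad = 0 }
                       { n++; if ($0 != ok) bad = 1 }
                       END { if (n == 0 || bad) exit 1; exit 0 }'
}

NETSTAT_SAMPLE_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:8080        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

NETSTAT_SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:3128           0.0.0.0:*               LISTEN'

# Live use on the firewall:
#   netstat -ant | listener_is_internal_only 3128 192.168.1.1 || echo "squid exposed"
check_sample() {    # sample_text port addr -> prints ok / EXPOSED
  if printf '%s\n' "$1" | listener_is_internal_only "$2" "$3"; then
    echo ok
  else
    echo EXPOSED
  fi
}
```

A listener on 0.0.0.0 is reachable from the 10.0.0.0/24 side as soon as the INPUT chain permits the port, and an open proxy on the external interface is exactly what the `Allow from 192.168.1.0/24` and `http_access allow allowed_hosts` lines are meant to prevent; the bind address is the second line of defence.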

小徒兒

Secure DNS
« Reply #10 on: 2006-12-27 15:26 »
***DNS Consideration

**Don't give away internal information to internet users
   - Might be used by hackers
   - Might contain reserved IP addresses

**Allow internal users to retrieve internet DNS information
   - Needed when using NAT or Socks
   - Not strictly needed when using proxies (the proxy resolves the IP address)

**Ensure that regular and reverse DNS queries match

**Don't allow dynamic updates
   - Might be used to insert malicious data

**Don't allow large transfers to anybody (e.g. zone transfer, dig)
   - Might be used for DoS attacks

--------------------------------------------------------------------------------

***DNS Name Consideration

**One name registration: (like the setup 太證 uses)
    - www.acme.com: internet server
    - w3.acme.com: intranet server

**One registration, two domains:
    - www.acme.com: internet server
    - www.intranet.acme.com: intranet server

**Two registrations:
    - www.acme.com: internet server
    - www.acme.net: intranet server

**Made-up Top-Level Domain (TLD) # invent your own top-level domain
    - www.acme.com: internet server
    - www.servers.acme:intranet server

--------------------------------------------------------------------------------

***Configuring the workstation as intranet DNS


***Install the bind RPM
#mkdir /mnt/nfs
ifconfig eth0 10.0.0.x netmask 255.255.255.0 up
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs

rpm -ivh /mnt/nfs/RedHat/RPMS/bind-version.rpm
rpm -ivh /mnt/nfs/suse/i586/bind9-version.rpm #suse

umount /mnt/nfs
ifconfig eth0 down



***create the named configuration file /etc/named.conf
vi /etc/named.conf
...................


//Intranet DNS server team1.com

options {
              directory "/var/named";             # SuSE: "/var/lib/named"
              forward only;
              forwarders { 192.168.1.1; };
};

controls {
              inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "team1.com" IN {
             type master;
             file "named.team1.com";              # SuSE: "master/named.team1.com"
};

zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "named.192.168.1";              # SuSE: "master/named.192.168.1"
};

zone "localhost" IN {
            type master;
            file "localhost.zone";
            allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
            type master;
            file "named.local";                  # SuSE: "127.0.0.zone"
};

include "/etc/rndc.key";

...........................................

vi /var/named/named.team1.com
vi /var/lib/named/master/named.team1.com #suse

.....................

$TTL 86400
@            IN            SOA           ws.team1.com.     root.ws.team1.com. (
                                                    2006122600; Serial
                                                    28800         ; Refresh
                                                    14400         ; Retry
                                                    3600000      ; Expire
                                                    86400  )      ; Minimum
              IN             NS            ws.team1.com.

fw           IN              A             10.0.0.1
fw-ppp0   IN              A             192.168.1.1
ws           IN              A             192.168.1.2

...............................

#Create the IP zone file which should contain all IP address of all hosts in your intranet

vi /var/named/named.192.168.1
vi /var/lib/named/master/named.192.168.1 #suse

......................
$TTL 86400
@              IN            SOA        ws.team1.com.    root.ws.team1.com. (
                                                           2006122600; serial
                                                           28800         ; Refresh
                                                           14400         ; Retry
                                                           3600000      ; Expire
                                                           86400  )      ; Minimum

                 IN              NS        ws.team1.com.

1               IN              PTR       fw-ppp0.team1.com.
2               IN              PTR       ws.team1.com.

.........................



vi  /var/named/localhost.zone
#suse vi /var/lib/named/localhost.zone

.....................
$TTL 86400
@                IN               SOA        ws.team1.com.   root.ws.team1.com. (
                                                                       2006122600  ; Serial
                                                                       28800           ; Refresh
                                                                       14400           ; Retry
                                                                       3600000       ;  Expire
                                                                       86400  )        ; Minimum
                   IN                NS         ws.team1.com.

localhost.      IN                A             127.0.0.1

.........................

vi /var/named/named.local

#suse vi /var/lib/named/127.0.0.zone

..............................
$TTL 86400
@                  IN              SOA       ws.team1.com.   root.ws.team1.com. (
                                                            2006122600     ; Serial
                                                            28800              ; Refresh
                                                            14400              ; Retry
                                                            3600000           ; Expire
                                                            86400       )      ; Minimum

                     IN               NS         ws.team1.com.
1                   IN               PTR        localhost.

...............................


vi /etc/resolv.conf

..........
domain team1.com
nameserver 127.0.0.1

.........................

service named start
#suse rcnamed start

tail -100 /var/log/messages | grep named | less

host fw.team1.com
host fw-ppp0.team1.com
host ws.team1.com
host 10.0.0.1
host 192.168.1.1
host 192.168.1.2


chkconfig named on


***fw

vi /etc/named.conf

...................


//Internet DNS server team1.com

options {
                directory "/var/named";            # SuSE: "/var/lib/named"
};

controls {
                 inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
                 type hint;
                 file "named.ca";
};

zone "team1.com" IN {
                 type master;
                 file "named.team1.com";            # SuSE: "master/named.team1.com"
                 allow-update { none; };
                 allow-query { any; };
                 allow-transfer { none; };
};

zone "0.0.10.in-addr.arpa" IN {
                  type master;
                  file "named.10.0.0";               # SuSE: "master/named.10.0.0"
                  allow-update { none; };
                  allow-query { any; };
                  allow-transfer { none; };
};

zone "localhost" IN {
                type master;
                file "localhost.zone";
                allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "named.local";                # SuSE: "127.0.0.zone"
                allow-update { none; };
};

include "/etc/rndc.key";

...........................

***create the name zone file named team(n).com

vi /var/named/named.team1.com
#suse vi /var/lib/named/master/named.team1.com

....................
$TTL 86400
@           IN             SOA     fw.team1.com.     root.team1.com.   (
                                                    2006122600; Serial
                                                    28800         ; Refresh
                                                    14400         ; Retry
                                                    3600000      ; Expire
                                                    86400  )      ; Minimum

              IN             NS       fw.team1.com.
fw           IN             A         10.0.0.1

......................






***create the zone file named.(network)

vi /var/named/named.10.0.0
#suse vi /var/lib/named/master/named.10.0.0

.........................................
$TTL 86400
@               IN               SOA      fw.team1.com.  root.team1.com. (
                                                  2006122600   ; Serial
                                                  28800            ; Refresh
                                                  14400            ; Retry
                                                  3600000        ;  Expire
                                                  86400      )    ;  Minimum

                  IN               NS         fw.team1.com.

1                IN               PTR        fw.team1.com.


..........................................


vi  /var/named/localhost.zone
#suse vi /var/lib/named/localhost.zone

.....................
$TTL 86400
@                IN               SOA        fw.team1.com.   root.team1.com. (
                                                                       2006122600  ; Serial
                                                                       28800           ; Refresh
                                                                       14400           ; Retry
                                                                       3600000       ;  Expire
                                                                       86400  )        ; Minimum
                   IN                NS         fw.team1.com.

localhost.      IN                A             127.0.0.1

.........................



vi /var/named/named.local
#suse vi /var/lib/named/127.0.0.zone

..............................
$TTL 86400
@                  IN              SOA       fw.team1.com.   root.team1.com. (
                                                            2006122600     ; Serial
                                                            28800              ; Refresh
                                                            14400              ; Retry
                                                            3600000           ; Expire
                                                            86400       )      ; Minimum

                     IN               NS         fw.team1.com.
1                   IN               PTR        localhost.
...............................



vi /var/named/named.ca
#suse vi /var/lib/named/named.ca

............................



.                     IN              NS         www.instructor.com.
www.instructor.com.        IN        A  10.0.0.100

..........................



vi /etc/resolv.conf

..............
domain team1.com
nameserver 127.0.0.1

................


service named start
#suse rcnamed start

tail -100 /var/log/messages | grep named | less
host fw.team1.com
host fw-ppp0.team1.com

host ws.team1.com
host 10.0.0.1
#the answer should be fw.team1.com
host 192.168.1.1
#should be unknown
host 192.168.1.2
#should be unknown


chkconfig named on

***Testing the firewall DNS from the outside

service iptables stop

telnet 10.0.0.100
login: team1
Pass: team1
host fw.team1.com
#should be 10.0.0.1

host fw-ppp0.team1.com
#should be unknown

host ws.team1.com
#should be unknown

host 10.0.0.1
#should be fw.team1.com

host 192.168.1.1
#should be unknown

host 192.168.1.2
#should be unknown

logout

***ws, test whether forwarding works
host www.instructor.com
#should be 10.0.0.100



***Modifying iptables rules

service iptables start
#suse rciptables start

iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024: -d 10.0.0.1 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 10.0.0.1 --sport 53 -d 0/0 --dport 1024: -j ACCEPT

iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 1024: -d 10.0.0.1 --dport 53 -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp -s 10.0.0.1 --sport 53 -d 0/0 --dport 1024: -j ACCEPT

service iptables save
#suse rciptables save

or
----------------
vi /etc/sysconfig/iptables
change the file to include the rules listed above

service iptables restart
#suse rciptables restart

----------------

**instructor server
telnet 10.0.0.1
login: team1
Password: team1


host fw.team1.com
#should be 10.0.0.1

host fw-ppp0.team1.com
#should be unknown

host ws.team1.com
#should be unknown

host 10.0.0.1
#should be fw.team1.com

host 192.168.1.1
#should be unknown

host 192.168.1.2
#should be unknown

logout


.
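
An added example, not from the course notes, for the "regular and reverse DNS queries must match" consideration in this post: it parses a forward zone and its in-addr.arpa zone as text and reports every A record without a PTR back to the same name, and every PTR without a matching A. The two zones below are constructed copies of the workstation's named.team1.com and named.192.168.1 from the exercise, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the course. Consistency check between a forward
# zone and a reverse zone; FWD_ZONE/REV_ZONE are retyped from the exercise.

# "name ip" per A record; relative owner names get the origin appended.
a_records() {            # $1 = forward origin (team1.com); stdin = zone text
  awk -v z="$1" '$1 !~ /^[;$@]/ && NF >= 4 && $3 == "A" {
      n = $1
      if (n ~ /\.$/) sub(/\.$/, "", n); else n = n "." z
      print n, $4 }'
}

# "name ip" per PTR record; the address is rebuilt from the in-addr.arpa origin.
ptr_records() {          # $1 = reverse origin (1.168.192.in-addr.arpa); stdin = zone text
  awk -v z="$1" 'BEGIN {
      sub(/\.in-addr\.arpa\.?$/, "", z)
      n = split(z, o, "."); net = ""
      for (i = n; i >= 1; i--) net = net o[i] "." }
    $1 !~ /^[;$@]/ && NF >= 4 && $3 == "PTR" {
      n = $4; sub(/\.$/, "", n); print n, net $1 }'
}

# One line per disagreement, sorted; prints nothing when both zones agree.
forward_reverse_mismatch() {   # fwd_origin fwd_text rev_origin rev_text
  { printf '%s\n' "$2" | a_records "$1"   | sed 's/^/A /'
    printf '%s\n' "$4" | ptr_records "$3" | sed 's/^/PTR /'; } |
  awk '$1 == "A"   { a[$2 " " $3] = 1 }
       $1 == "PTR" { p[$2 " " $3] = 1 }
       END { for (k in a) if (!(k in p)) print "A without PTR:", k
             for (k in p) if (!(k in a)) print "PTR without A:", k }' | sort
}

FWD_ZONE='$TTL 86400
@   IN  SOA ws.team1.com. root.ws.team1.com. (
        2006122600 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN  NS  ws.team1.com.
fw        IN  A  10.0.0.1
fw-ppp0   IN  A  192.168.1.1
ws        IN  A  192.168.1.2'

REV_ZONE='$TTL 86400
@   IN  SOA ws.team1.com. root.ws.team1.com. (
        2006122600 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN  NS  ws.team1.com.
1   IN  PTR fw-ppp0.team1.com.
2   IN  PTR ws.team1.com.'

# The only report is fw/10.0.0.1: its reverse zone (0.0.10.in-addr.arpa) lives
# on the firewall, not on the workstation, which is how the exercise sets it up.
report() {
  forward_reverse_mismatch team1.com "$FWD_ZONE" 1.168.192.in-addr.arpa "$REV_ZONE"
}
```

Run `report` after editing either zone file and before `service named restart`; a PTR that points at a name whose A record has a different address is the classic mismatch that mail servers and `hosts.allow`-style checks reject.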

小徒兒

secure mail
« Reply #11 on: 2006-12-27 17:34 »
***Email Considerations

**Don't allow your server to be used as a relay
**Block messages that are too large
**Block incoming junk email


mail structure
 


***Mail Servers for linux

**Sendmail (http://www.sendmail.org)
70% market share

**Postfix (http://www.postfix.org)
Secure replacement for Sendmail
Default in SuSE

**Qmail (http://www.qmail.org)


***Configuring Sendmail as Mail Gateway (acting as the gateway)

#Allow relaying of email from the acme.com domain
cd /etc/mail
vi access
...........
        acme.com RELAY
............    

vi mailertable
..........
        acme.com smtp:mail.acme.com
...........

make


#Allow connections via all interfaces
vi /etc/mail/sendmail.mc
.............
dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')
..............

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

#restart Sendmail
service sendmail restart


***Configuring Sendmail as Mail Server (the internal mail server)

#Add local domain and start relay info to config file:
vi /etc/mail/sendmail.mc
............
MASQUERADE_DOMAIN(acme.com)
define(`SMART_HOST', `mailrelay.acme.com')
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')
...............

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

#Add local domain name to /etc/mail/local-host-names
vi /etc/mail/local-host-names
............
acme.com
..........

#Allow mail relay
vi /etc/mail/access
...........
acme.com RELAY
...........
make
service sendmail restart

#Enable POP3 server
chkconfig ipop3 on #Red Hat

#Fedora 5
ls /etc/init.d/d*

rpm -ivh dvi.rpm
rpm -ivh perl.rpm
rpm -ivh mysql.rpm
rpm -ivh dovecot.rpm


service dovecot start
chkconfig dovecot on


**254 instructor
host -t mx team5.test.cxm

telnet pc3.test.cxm 25
mail -s "test 001" tux1@team5.test.cxm

echo "xxxx" | mail -s "test 001" tux1@test5.test.cxm

.
# end of message

mail # check whether the mail arrived, or whether any mail was rejected
tail /var/log/maillog

--------------------------------------------------------
**fw
tail /var/log/maillog
less /var/log/maillog

**ws
tail /var/log/maillog
# trace by the queue ID, e.g. [5592]
# search for the keyword "relay" to find where it was relayed to

 
vi /var/named/named.conf
host -t mx team6.test.cxm
host -t mx team5.test.cxm

host pc5.test.cxm
# each fw acts as the delegated master

***For the detailed DNS setup see
http://phorum.study-area.org/viewtopic.php?t=43753&highlight=

#verify dns
host fw.team4.test.cxm
host 192.168.5.2
host 192.168.5.2 localhost

**pc254
host -t ns team4.test.cxm localhost

rndc flush # clear the cached DNS records from memory
dig ns team5

dns view reference
http://www.study-area.org/linux/linuxfr.htm
Bind9 View: master/slave setup

view "internal"
view "external"

**ws
host -t mx team5.test.cxm
ls -l /var/spool

**ws: receive mail as tux1
evolution &
set up the mail client
server type pop3
server ws.team5.test.cxm

outgoing
 192.168.5.2 # use localhost
<  > uncheck authentication
-----------------------------

===========================
=**Evolution can show the raw message*********=
===========================



Send mail from outside to team5's tux1


**pc254 instructor
#master DNS
team1 IN NS pc1.test.cxm
team2 IN NS pc2.test.cxm

**fw
options {
             forward first;
             forwarders { 10.1.1.254; };
};

***For details on anti-spam see the thread: sendmail + anti spam + anti virus


***Blocking Junk E-mail
vi /etc/postfix/access
vi /etc/mail/access  

..................
acme.com             RELAY
cracker.org           REJECT
spammer.org        DISCARD
good.spammer.org OK # the more specific entry takes precedence over spammer.org
badsmtp.org          550 Bad SMTP spoken by you
############# error_code error_message

...............
make
service sendmail restart
tail /var/log/maillog
cat .forward


=========================================
=Configuring Postfix as Mail Relay                                        =
=========================================

cd /etc/postfix
vi access
................
acme.com OK
...........
postmap access

vi transport
.............
acme.com smtp:mail.acme.com
.............
postmap transport

vi main.cf
.............
myhostname = mailrelay.acme.com
mydomain = acme.com
myorigin = $mydomain
inet_interfaces = all
mynetworks = 192.168.1.0/24
relay_domains = $mydestination, $mydomain
.............
rcpostfix restart


===================================
=....................IBM Exercise....................................=
===================================

*** Configuring the intranet mail server


cd /etc/mail
vi sendmail.mc

.............

define(`SMART_HOST', `fw-ppp0.team1.com')dnl

dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl

MASQUERADE_DOMAIN(team1.com)dnl

............

m4 sendmail.mc > sendmail.cf
vi local-host-names
...........
team1.com
...............

vi access
.........
team1.com RELAY
...........

make
service sendmail restart

=================
Postfix
=================
cd /etc/postfix
vi main.cf
...........
myhostname = ws.team1.com
mydomain = team1.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
relayhost = fw.team1.com
..........

vi access
............
team1.com RELAY
.............

postmap access
rcpostfix restart




==============
Postfix end
==============

ifconfig eth0 10.0.0.x netmask 255.255.255.0 up
mount 10.0.0.100:/export/<distribution> /mnt/nfs
rpm -ivh /mnt/nfs/RedHat/RPMS/xinetd-version.rpm
rpm -ivh /mnt/nfs/RedHat
..................

## replaced by dovecot

**fw
vi mailertable
team1.com smtp:192.168.1.2
make
vi sendmail.mc
.............
#comment out the DAEMON_OPTIONS line
dnl DAEMON_OPTIONS(`Port=smtp, Addr=127.0.0.1, Name=MTA')dnl

.................
m4 sendmail.mc > sendmail.cf
chkconfig sendmail on
service sendmail restart

==========
Postfix Start
=========

cd /etc/postfix
vi access
..........
team1.com OK
..........

postmap access
vi transport

postmap transport
vi main.cf
......................
myhostname = fw.team1.com
mydomain = team1.com
myorigin = $mydomain
inet_interfaces = all
mynetworks = 192.168.1.0/24
relay_domains = $mydestination, $mydomain

.......................

rcpostfix restart

===============
postfix end
===============

vi /var/named/named.team1.com
vi /var/lib/named/master/named.team1.com #suse
.................
IN NS      fw.team1.com.
IN MX 10 fw.team1.com.

..................

service named restart
rcnamed restart #Suse


service iptables restart
rciptables restart #suse
---------------------------------------
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 10.0.0.1 --dport 25 -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -s 10.0.0.1 --sport 25 -d 0/0 -j ACCEPT

service iptables save
rciptables save #suse

--------or------------------------------
vi /etc/sysconfig/iptables

#change the file to include the rules listed above

---------------------------------------
service iptables restart
rciptables restart #suse


**limit the message size
vi /etc/mail/sendmail.mc
.................
define(`confMAX_MESSAGE_SIZE', `50000')

...............

service sendmail restart

=========postfix begin


vi /etc/postfix/main.cf
.........
message_size_limit = 50000
.........

rcpostfix restart


==========postfix end

***Blocking domain

cd /etc/mail
vi access
team2.com REJECT

make
service sendmail restart

vi /etc/postfix/access #POSTFIX
.............
team2.com REJECT
...........

postmap access
rcpostfix restart

***SpamAssassin
which spamc
mount -o remount,rw /usr
mount -o nolock 10.0.0.100:/export/<distribution> /mnt/nfs

rpm -ivh /mnt/nfs/RedHat/RPMS/spamassassin-version.rpm

service spamassassin start
rcspamd start #suse
chkconfig spamassassin on
chkconfig spamd on #suse

cd /usr/share/doc/spamassassin-version
cd /usr/share/doc/packages/perl-spamassassin #suse

cat sample-nonspam.txt | spamc | less
cat sample-spam.txt | spamc | less

***Sendmail user only
**ws
rpmbuild -tb spamass-milter-version.tar.gz

cd /usr/src
tar -zxvf /root/spamass-milter-0.2.0.tar.gz
touch spamass-milter-0.2.0/COPYING
touch spamass-milter-0.2.0/INSTALL

tar -czvf /root/spamass-milter-0.2.0.tar.gz spamass-milter-0.2.0/

rpm -qi # check whether the package is installed
sed -i
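
An added example, not from the course notes, for the access-map precedence point made under "Blocking Junk E-mail" above: sendmail (and postfix's access tables) look a sender domain up most-specific first, then each parent domain, and the first hit wins, which is why `good.spammer.org OK` beats `spammer.org DISCARD`. ACCESS_MAP is the post's own table retyped as a constructed string; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the course. Emulates the access-map lookup order
# for a sender domain. ACCESS_MAP is constructed from the post's table.

ACCESS_MAP='acme.com             RELAY
cracker.org          REJECT
spammer.org          DISCARD
good.spammer.org     OK
badsmtp.org          550 Bad SMTP spoken by you'

# Print the action for a sender (user@domain or bare domain): the full
# domain is tried first, then each parent domain; "default" when nothing
# matches (the MTA then applies its normal relay rules).
access_action() {   # $1 = sender ; stdin = access map text
  awk -v dom="${1#*@}" '
    NF >= 2 && $1 !~ /^#/ {
      act = $2; for (i = 3; i <= NF; i++) act = act " " $i
      m[tolower($1)] = act }
    END {
      key = tolower(dom)
      for (;;) {
        if (key in m) { print m[key]; exit }
        if (index(key, ".") == 0) break
        key = substr(key, index(key, ".") + 1) }
      print "default" }'
}

# Convenience wrapper over the constructed map.
lookup() { printf '%s\n' "$ACCESS_MAP" | access_action "$1"; }
```

Two consequences worth checking on a real map: `acme.com RELAY` also matches `anything.acme.com`, and an untagged sendmail entry matches the envelope sender as well as the connecting host, and the envelope sender is chosen by the remote side. For relay permission prefer `Connect:` entries keyed on client address in sendmail, or `mynetworks` in postfix, and keep sender-domain entries for REJECT/DISCARD decisions.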

小徒兒

iptables.sh
« Reply #12 on: 2007-01-02 19:55 »
script by netman

ipt.dnat.sh


#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

INT_IF=eth1
INT_IP=192.168.5.1
INT_NET="192.168.5.0/24"
INT_TRUST_IP=192.168.5.2
EXT_IF=eth0
EXT_IP=
EXT_TRUST_SSH_IP=10.1.1.254

### initial
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -s $EXT_TRUST_SSH_IP -j ACCEPT # ssh

### reserved ip
#iptables -A INPUT -i $EXT_IF -s 10.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP

### icmp
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 12 -j ACCEPT

### service
#iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -j ACCEPT # www
iptables -A INPUT -i $EXT_IF -p udp --dport 53 -j ACCEPT # dns
#iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -s 4.3.2.1 -j ACCEPT # dns-zonetransfer
#iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -s 4.3.2.2 -j ACCEPT # dns-zonetransfer
iptables -A INPUT -i $EXT_IF -p tcp --dport 21 -j ACCEPT # ftp
iptables -A INPUT -i $EXT_IF -p tcp --dport 25 -j ACCEPT # email

### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 --dport 113 -j REJECT

### output
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP

### snat
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -d ! $INT_NET -j MASQUERADE
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -d ! $INT_NET -j ACCEPT

### dnat
#iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 25 -j DNAT --to-destination 192.168.5.2:25
#iptables -A FORWARD -i $EXT_IF -o $INT_IF -d 192.168.5.2 -p tcp --dport 25 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EXT_IF -p icmp --icmp-type 8 -j DNAT --to-destination 192.168.5.2
#iptables -A FORWARD -i $EXT_IF -o $INT_IF -d 192.168.5.2 -p icmp --icmp-type 8 -j ACCEPT

### save
service iptables save


ipt.nat.sh

#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

INT_IF=eth1
INT_IP=`ifconfig $INT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`
INT_NET="${INT_IP%.*}.0/24"
INT_TRUST_IP=${INT_IP%.*}.2
EXT_IF=eth0
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`

EXT_TRUST_SSH_IP=10.1.1.254

### initial
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_TRUST_IP -j ACCEPT
#iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -s $EXT_TRUST_SSH_IP -j ACCEPT # ssh
iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT # ssh

### reserved ip
#iptables -A INPUT -i $EXT_IF -s 10.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP

### icmp
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p icmp --icmp-type 12 -j ACCEPT

### service
#iptables -A INPUT -i $EXT_IF -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i $EXT_IF -p tcp --dport 80 -j ACCEPT # www
iptables -A INPUT -i $EXT_IF -p udp --dport 53 -j ACCEPT # dns
#iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -s 4.3.2.1 -j ACCEPT # dns-zonetransfer
#iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -s 4.3.2.2 -j ACCEPT # dns-zonetransfer
iptables -A INPUT -i $EXT_IF -p tcp --dport 21 -j ACCEPT # ftp
iptables -A INPUT -i $EXT_IF -p tcp --dport 25 -j ACCEPT # email

### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 --dport 113 -j REJECT

### output
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP

### nat
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -d ! $INT_NET -j MASQUERADE
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -d ! $INT_NET -j ACCEPT


### save
service iptables save



ipt.server.sh

#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

modprobe ip_conntrack_ftp

INT_IF=eth1
INT_IP=`ifconfig $INT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`
INT_TRUST_IP=192.168.5.2
EXT_IF=eth0
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`
EXT_TRUST_SSH_IP=10.1.1.254

### initial
service iptables stop
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $INT_IF -s $INT_TRUST_IP -j ACCEPT
iptables -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 22 -s $EXT_TRUST_SSH_IP -j ACCEPT # ssh

### reserved ip
#iptables -A INPUT -i $EXT_IF -s 10.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP

### icmp
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p icmp --icmp-type 12 -j ACCEPT

### service
#iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 22 -j ACCEPT # ssh
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 80 -j ACCEPT # www
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p udp --dport 53 -j ACCEPT # dns
#iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 53 -s 4.3.2.1 -j ACCEPT # dns-zonetransfer
#iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 53 -s 4.3.2.2 -j ACCEPT # dns-zonetransfer
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 21 -j ACCEPT # ftp
iptables -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport 25 -j ACCEPT # email


### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 -d $EXT_IP --dport 113 -j REJECT


### output
iptables -A OUTPUT -d 1.2.3.4 -j DROP
iptables -A OUTPUT -d 1.2.3.5 -j DROP
iptables -A OUTPUT -d 1.2.3.6 -j DROP

### save
service iptables save



my.iptalbes.sh

#!/bin/bash

PATH=/sbin:/usr/sbin:/bin:/usr/bin

INT_IF=eth0
EXT_IF=eth1
EXT_IP=`ifconfig $EXT_IF | awk '/inet addr:/{print $2}' | cut -d: -f2`

### initial
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INT_IF -j ACCEPT
iptables -A OUTPUT -o $INT_IF -j ACCEPT
iptables -A INPUT -i $EXT_IF -d ! $EXT_IP -j DROP
iptables -A OUTPUT -o $EXT_IF -s ! $EXT_IP -j DROP

### reserved ip
iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 172.16.0.0/12 -j DROP
iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 192.168.0.0/16 -j DROP
iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 127.0.0.0/8 -j DROP
iptables -A INPUT -i $EXT_IF -s 0.0.0.0 -j DROP
iptables -A OUTPUT -o $EXT_IF -d 255.255.255.255 -j DROP

### icmp
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -i $EXT_IF -d $EXT_IP -s 0.0.0.0/0 -p icmp --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -s $EXT_IP -d 0.0.0.0/0 -p icmp --icmp-type 12 -j ACCEPT

### tcp/udp
iptables -A OUTPUT -o $EXT_IF -p tcp -s $EXT_IP --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp -d $EXT_IP --dport 1024: -s 0.0.0.0/0 --sport :1023 -j ACCEPT
iptables -A OUTPUT -o $EXT_IF -p udp -s $EXT_IP --sport 1024: -d 0.0.0.0/0 --dport :1023 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp -d $EXT_IP --dport 1024: -s 0.0.0.0/0 --sport :1023 -j ACCEPT

### identd
iptables -A INPUT -i $EXT_IF -p tcp -s 0.0.0.0/0 -d $EXT_IP --dport 113 -j REJECT
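A small lint for scripts like ipt.fw.sh / ipt.server.sh / my.iptables.sh above, added here as an example (not part of the notes): it parses every iptables line and flags -i used in OUTPUT (which iptables rejects), --dport or --sport without -p tcp/udp, and an external interface that lacks an anti-spoof DROP for one of the private or loopback ranges. The sample rules are constructed from the reserved-ip block of ipt.server.sh; $EXT_IF and $EXT_IP are kept as literal shell tokens.

```python
import shlex

IN_CHAINS = {"INPUT", "FORWARD", "PREROUTING"}      # chains where -i is accepted
OUT_CHAINS = {"OUTPUT", "FORWARD", "POSTROUTING"}   # chains where -o is accepted
# Private and loopback ranges that must never arrive as a source on the public side.
RESERVED = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"}

def parse_opts(tokens):
    """Map each option to the value after it ('' for bare flags); '-d ! x' becomes '!x'."""
    toks = " ".join(tokens).replace("! ", "!").split()
    return {t: (toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else "")
            for i, t in enumerate(toks) if t.startswith("-")}

def lint_rules(script, ext_if="$EXT_IF"):
    """Return findings for every 'iptables' line of a firewall script like those above."""
    findings, dropped = [], set()
    for n, line in enumerate(script.splitlines(), 1):
        line = line.split("#", 1)[0].strip()            # strip trailing comments
        if not line.startswith("iptables"):
            continue
        o = parse_opts(shlex.split(line))
        chain = o.get("-A") or o.get("-I") or ""
        if "-i" in o and chain not in IN_CHAINS:        # iptables rejects -i in OUTPUT
            findings.append(f"line {n}: -i is not valid in {chain}, use -o")
        if "-o" in o and chain not in OUT_CHAINS:
            findings.append(f"line {n}: -o is not valid in {chain}, use -i")
        if ("--dport" in o or "--sport" in o) and o.get("-p") not in ("tcp", "udp"):
            findings.append(f"line {n}: --dport/--sport need -p tcp or -p udp")
        if chain == "INPUT" and o.get("-i") == ext_if and o.get("-j") == "DROP":
            dropped.add(o.get("-s"))                    # anti-spoof rule seen
    for net in sorted(RESERVED - dropped):
        findings.append(f"no INPUT DROP for spoofed source {net} on {ext_if}")
    return findings

# Constructed sample: the reserved-ip block of ipt.server.sh (10/8 left commented out)
# plus two DNS rules in the style of the later post, one of them with -i in OUTPUT.
SAMPLE = "\n".join([
    "iptables -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP",
    "iptables -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP",
    "iptables -A INPUT -i $EXT_IF -s 127.0.0.0/8 -j DROP",
    "iptables -A INPUT -i $EXT_IF -d $EXT_IP -p udp --dport 53 -j ACCEPT  # dns",
    "iptables -A OUTPUT -i $EXT_IF -p udp -s $EXT_IP --sport 53 -d 0.0.0.0/0 -j ACCEPT",
    "iptables -A INPUT -i $EXT_IF -d $EXT_IP --dport 22 -j ACCEPT",
])
```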

小徒兒

sendmail + anti spam + anti virus
« Reply #13 on: 2007-01-02 20:09 »
== Anti Spam ==

yum install spamassassin sendmail-devel
wget http://download.savannah.nongnu.org/releases/spamass-milt/spamass-milter-0.3.1.tar.gz
tar zxvf spamass-milter-0.3.1.tar.gz
touch spamass-milter-0.3.1/COPYING
touch spamass-milter-0.3.1/INSTALL
sed -i 's/^Copyright:/License:/' spamass-milter-0.3.1/contrib/spamass-milter.spec
tar czvf spamass-milter-0.3.1.tar.gz spamass-milter-0.3.1
rpmbuild -tb --nodeps spamass-milter-0.3.1.tar.gz
rpm -ivh /usr/src/redhat/RPMS/i386/spamass-milter-0.3.1-3.i386.rpm
chkconfig spamassassin on
service spamassassin start
service spamass-milter start
chkconfig spamass-milter on
less /usr/share/doc/spamass-milter-0.3.1/README
### copy following lines
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}')dnl
#----------------
### and paste into /etc/mail/sendmail.mc  ## note: before the 'MAILER' definition
### change /var/run/sendmail/spamass.sock to /var/run/spamass.sock
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
service sendmail restart
sed -i '/chkconfig/s/80/81/' /etc/init.d/sendmail
chkconfig sendmail reset


== Anti Virus (1) ==
yum install apt
vi /etc/apt/sources.list
   rpm http://apt.sw.be/dries/fedora fc5/i386 dries
rpm --import http://apt.sw.be/dries/RPM-GPG-KEY.dries.txt   
apt-get update
apt-get --fix-broken install
apt-get install clamav-milter clamd
useradd -d /var/run/clamav -M -s /sbin/nologin clamav
mkdir /var/run/clamav
chown clamav /var/run/clamav
chmod 700 /var/run/clamav
touch /var/log/clamav/clamd.log
chown clamav /var/log/clamav/clamd.log
touch /var/log/freshclam.log
chown clamav /var/log/freshclam.log
freshclam
vi /etc/cron.d/freshclam
   0 */3 * * * /usr/bin/freshclam
wget http://www.eicar.org/download/eicar.com
clamscan eicar.com
vi /etc/clamd.conf
   LocalSocket /var/run/clamav/clamd.sock
   #TCPSocket 3310
   #TCPAddr 127.0.0.1
vi /etc/sysconfig/clamav-milter   
   -obl local:/var/run/clamav/clmilter.sock
cd /etc/mail
vi sendmail.mc
   INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
   define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl

m4 sendmail.mc > sendmail.cf
vi /etc/freshclam.conf
   #Example

service clamd start
chkconfig clamd on
service clamav-milter start
chkconfig clamav-milter on
service sendmail restart

== Anti Virus (2) ==
yum install clamav clamav-update
vi /etc/freshclam.conf
   #Example
freshclam
vi /etc/cron.d/freshclam
   0 */3 * * * /usr/bin/freshclam
wget http://www.eicar.org/download/eicar.com
clamscan eicar.com
cd
mkdir amavis.rpms
cd amavis.rpms
wget http://apt.sw.be/dries/fedora/fc5/i386/RPMS.dries/amavisd-new-2.4.4-1.fc5.rf.i386.rpm
wget http://apt.sw.be/dries/fedora/fc5/i386/RPMS.dries/amavisd-new-milter-2.4.4-1.fc5.rf.i386.rpm
wget http://apt.sw.be/dries/fedora/fc5/i386/RPMS.dries/unrar-3.6.8-1.fc5.rf.i386.rpm
wget http://apt.sw.be/dries/fedora/fc5/i386/RPMS.dries/zoo-2.10-2.2.fc5.rf.i386.rpm
wget http://apt.sw.be/dries/fedora/fc5/i386/RPMS.dries/ripole-0.2.0-1.2.fc5.rf.i386.rpm
rpm --import http://apt.sw.be/dries/RPM-GPG-KEY.dries.txt
yum remove amavisd-new
rpm -ivh --test *.rpm
yum install arc lha ncompress  # And also other missings as mentioned
rpm -ivh *.rpm
vi /etc/sysconfig/amavisd
   MILTER_SOCKET="local:/var/amavis/amavis-milter.sock"
   #MILTER_SOCKET="10024@127.0.0.1"
   AMAVIS_ACCOUNT="amavis"
   CONFIG_FILE="/etc/amavisd.conf"
vi /etc/amavisd.conf
   $mydomain = 'team5.test.cxm';
   #$interface_policy{'SOCK'}='AM.PDP-SOCK';
   $interface_policy{'SOCK'}='AM.CL';
   #$policy_bank{'AM.PDP-SOCK'} = { protocol=>'AM.PDP' };
   $policy_bank{'AM.CL'} = { protocol=>'AM.CL' };
   # $notify_method  = 'smtp:[127.0.0.1]:10025';
   $notify_method  = 'smtp:[127.0.0.1]:25';
   # $forward_method = 'smtp:[127.0.0.1]:10025';
   $forward_method = undef;
   $warnbadhsender = 1,
   $warnvirusrecip = 1, $warnbannedrecip = 1, $warnbadhrecip = 1,
cd /etc/mail
vi sendmail.mc
   INPUT_MAIL_FILTER(`milter-amavis', `S=local:/var/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')
   define(`confMILTER_MACROS_ENVFROM', confMILTER_MACROS_ENVFROM``, {b}'')dnl
m4 sendmail.mc > sendmail.cf
service amavisd start
chkconfig amavisd on
service sendmail restart
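An added example (not from the notes or from the milter projects) that checks a sendmail.mc against the sockets the milter daemons were actually started with, catching the socket-path mismatch and the "before MAILER" ordering the Anti Spam notes above warn about, and any milter named in confINPUT_MAIL_FILTERS without a definition (or defined but never listed). The sendmail.mc fragment is constructed from the lines above; DAEMON_SOCKETS is assumed from the /var/run/spamass.sock note and the clamav-milter -obl option.

```python
import re

FILTER_RE = re.compile(r"INPUT_MAIL_FILTER\(`([^']+)',\s*`S=(?:local|unix):([^,']+)")
ORDER_RE = re.compile(r"define\(`confINPUT_MAIL_FILTERS',\s*`([^']*)'\)")

def check_milters(sendmail_mc, daemon_sockets):
    """Compare the milter sockets named in sendmail.mc with the ones the milter
    daemons really listen on. daemon_sockets maps milter name -> socket path."""
    defined = dict(FILTER_RE.findall(sendmail_mc))
    m = ORDER_RE.search(sendmail_mc)
    # Without confINPUT_MAIL_FILTERS, sendmail calls the milters in definition order.
    order = [x.strip() for x in m.group(1).split(",")] if m else list(defined)
    findings = []
    for name in order:
        if name not in defined:
            findings.append(f"{name}: listed in confINPUT_MAIL_FILTERS but has no INPUT_MAIL_FILTER line")
        elif name not in daemon_sockets:
            findings.append(f"{name}: no milter daemon configured for it")
        elif daemon_sockets[name] != defined[name]:
            findings.append(f"{name}: sendmail.mc uses {defined[name]} but the daemon listens on {daemon_sockets[name]}")
    for name in defined:
        if name not in order:
            findings.append(f"{name}: defined but not in confINPUT_MAIL_FILTERS, so it is never called")
    mailer = sendmail_mc.find("MAILER(")            # the note above: filters go before MAILER
    for hit in FILTER_RE.finditer(sendmail_mc):
        if mailer != -1 and hit.start() > mailer:
            findings.append(f"{hit.group(1)}: INPUT_MAIL_FILTER must appear before the MAILER() lines")
    return findings

# Constructed sample: the lines pasted from the spamass-milter README above, with the
# socket path not yet changed as the note says, plus the clamav-milter lines.
SAMPLE_MC = r"""
INPUT_MAIL_FILTER(`spamassassin', `S=local:/var/run/sendmail/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')dnl
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `spamassassin,clamav')dnl
MAILER(smtp)dnl
"""
# Assumed: the socket paths the two daemons were started with (see the notes above).
DAEMON_SOCKETS = {
    "spamassassin": "/var/run/spamass.sock",
    "clamav": "/var/run/clamav/clmilter.sock",
}
```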

小徒兒

secure DNS design sample
« Reply #14 on: 2007-01-03 12:25 »
# company network architecture diagram (scenario)



***Internet Primary DNS Server Config File (external DNS server)

vi /etc/named.conf
................
// Internet DNS server team1.com (external)

options {
             directory "/var/named";
# SuSE: directory "/var/lib/named";
};

zone "." {
              type hint;
              file "named.ca";
};

zone "acme.com" IN {
             type master;
             file "named.acme.com";
# SuSE: file "master/named.team1.com";
};

zone "134.186.62.in-addr.arpa" IN {
             type master;
             file "named.62.186.134";
             allow-update { none; };
             allow-transfer { 62.186.134.71; };
# SuSE: file "master/named.62.186.134";
};

...........................................

***Internet Primary DNS Server Name Zone File

vi /var/named/named.acme.com
.........................................
$TTL 86400
@ IN SOA foo.acme.com. webmaster.acme.com. (
2006122600; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400  ; Default TTL
)

@                  IN NS foo.acme.com.
@                  IN NS bar.acme.com.

foo                IN A 62.186.134.70
bar                IN A 62.186.134.71

www                IN A 62.186.134.20
ftp                IN A 62.186.134.21

...............................................

***Internet Primary DNS Server IP Zone File

vi /var/named/named.62.186.134
vi /var/lib/named/master/named.62.186.134 #suse
......................
$TTL 86400
@ IN SOA foo.acme.com. webmaster.acme.com. (
2006122600; serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400  ; Default TTL
)

@       IN NS foo.acme.com.
@       IN NS bar.acme.com.
 

70 IN PTR foo.acme.com.
71 IN PTR bar.acme.com.

20 IN PTR www.acme.com.
21 IN PTR ftp.acme.com.

................................

***Internet Secondary DNS Config File (second, slave DNS on the external network)

vi /etc/named.conf

...................................
// Internet DNS server (second external server)

options {
             directory "/var/named";
// SuSE: directory "/var/lib/named";
};

zone "." {
              type hint;
              file "named.ca";
};

zone "acme.com" IN {
             type slave;
             masters { 62.186.134.70; };
             file "named.acme.com.bak";
             allow-update { none; };
             allow-transfer { none; };
// SuSE: file "master/named.team1.com";
};

zone "134.186.62.in-addr.arpa" IN {
             type slave;
             masters { 62.186.134.70; };
             file "named.62.186.134.bak";
             allow-update { none; };
             allow-transfer { none; };
// SuSE: file "master/named.192.168.1";
// Because this is a slave, no allow-transfer is needed; on the master, none would be replaced with the slave's IP
};

...............................................................................

***Intranet DNS Server Config File
# internal DNS server

vi /etc/named.conf
..............
// internal DNS server
options {
    directory "/var/named";
    forward only;
    forwarders { 62.186.134.70; 62.186.134.71; };
};

zone "acme.com" {
    type master;
    file "named.acme.com";
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "named.10.0.0";
};

.................................................

***DNS iptables Rules

#On the DNS server itself
iptables -A INPUT -i ppp0 -p tcp -s any/0 -d 62.186.134.70 --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp -s 62.186.134.70 --sport 53 -d any/0 -j ACCEPT

iptables -A INPUT -i ppp0 -p udp -s any/0 -d 62.186.134.70 --dport 53 -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp -s 62.186.134.70 --sport 53 -d any/0 -j ACCEPT

-----------------------------------

#On a router
iptables -A FORWARD -i ppp0 -p tcp -s any/0 -d 62.186.134.70 --dport 53 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -s 62.186.134.70 --sport 53 -d any/0 -j ACCEPT

iptables -A FORWARD -i ppp0 -p udp -s any/0 -d 62.186.134.70 --dport 53 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -s 62.186.134.70 --sport 53 -d any/0 -j ACCEPT

iptables -A FORWARD -i ppp0 -p tcp -s any/0 -d 62.186.134.71 --dport 53 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -s 62.186.134.71 --sport 53 -d any/0 -j ACCEPT

iptables -A FORWARD -i ppp0 -p udp -s any/0 -d 62.186.134.71 --dport 53 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -s 62.186.134.71 --sport 53 -d any/0 -j ACCEPT

--------------------------------------------------------
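An added example (not part of the notes) that parses forward and reverse zone files written in the style shown above and cross-checks them: it reports an SOA name written without a trailing dot (BIND would append the origin to it), A records with no matching PTR and PTRs with no matching A, and NS targets that have no A record in the zone. The sample zones are constructed from the acme.com data above, trimmed, with one extra PTR added to show a mismatch.

```python
def parse_zone(text, origin):
    """Parse the subset used above ($TTL, parenthesised SOA, NS/A/PTR with explicit owners); NS/PTR targets get qualified like BIND does, SOA names stay raw."""
    origin = origin.rstrip(".") + "."
    fq = lambda n: origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}")
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        code = line.split(";", 1)[0]                       # drop comments
        buf += [t for t in code.split() if t not in ("(", ")")]
        depth += code.count("(") - code.count(")")
        if depth == 0 and buf:                             # one record is complete
            if not buf[0].startswith("$"):                 # skip $TTL / $ORIGIN
                fields = [f for f in buf[1:] if f != "IN"]
                rdata = [fq(fields[1])] if fields[0] in ("NS", "PTR") else fields[1:]
                records.append((fq(buf[0]), fields[0], rdata))
            buf = []
    return records

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Findings: unqualified SOA names, A/PTR pairs that disagree, NS without an A record."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    findings = []
    for _, rtype, rdata in fwd + rev:
        for name in (rdata[:2] if rtype == "SOA" else []):
            if not name.endswith("."):
                findings.append(f"SOA name {name} lacks a trailing dot, BIND will append the origin")
    a_by_ip = {rd[0]: owner for owner, t, rd in fwd if t == "A"}
    # "70.134.186.62.in-addr.arpa." -> "62.186.134.70"
    ptr_by_ip = {".".join(reversed(o.rstrip(".").split(".")[:-2])): rd[0]
                 for o, t, rd in rev if t == "PTR"}
    for ip in sorted(set(a_by_ip) | set(ptr_by_ip)):
        if a_by_ip.get(ip) != ptr_by_ip.get(ip):
            findings.append(f"{ip}: A record says {a_by_ip.get(ip)}, PTR says {ptr_by_ip.get(ip)}")
    for _, t, rd in fwd:
        if t == "NS" and rd[0] not in a_by_ip.values():
            findings.append(f"NS {rd[0]} has no A record in the zone")
    return findings

# Constructed sample: trimmed named.acme.com / named.62.186.134 from above plus one stray PTR.
FORWARD = """$TTL 86400
@ IN SOA foo.acme.com webmaster.acme.com. (
        2006122600 28800 14400 3600000 86400 )   ; serial refresh retry expire minimum
@   IN NS foo.acme.com.
foo IN A 62.186.134.70
www IN A 62.186.134.20
"""
REVERSE = """@ IN SOA foo.acme.com. webmaster.acme.com. ( 2006122600 28800 14400 3600000 86400 )
70 IN PTR foo.acme.com.
22 IN PTR mail.acme.com.
"""
```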

小徒兒

Tunnel architecture diagram for going through a proxy
« Reply #15 on: 2007-01-17 16:37 »
***Tunnel architecture diagram for going through a proxy


小徒兒

Securities (safe test) by Tech Ed 2008 筆記
« Reply #16 on: 2008-10-02 15:19 »

Threat analysis & modeling

Report system
On every item
Assign
Tester can record the related report

Internet free/Busy feature in Outlook

Interfaces exposed to malicious attack
User interface
Listening sockets
Pipes
Files
Shared sections
Protocol handlers
Active X controls
RPC
http requests
http responses
Database
Message pump
Registry
Email


***Tools
netstat for listening socket
a.   netstat -h
Microsoft network monitor 3.1: for request / response
b.   Capture doubting entry point
c.   Collect data
d.   Analyze
e.   Create new capture cap
f.   Webpage
i.   TCP.destport == 80
ii.   apply
g.   capture in detail
h.   not viewing the header
i.   telnet 80, plus get
viewplgs
j.   View pluggable protocol handles (eg., PDF)
k.   Use for PDF and flash
l.   Asynchronous pluggable protocol
Phorum
m.   http://www.securityfocus.com/archive/1
Ways to hack
n.   cross-site scripting (XSS)
o.   SQL injection
p.   Put the username “user 1 –, the comment out to comment the password
Reflector from redgate
q.   Trace coding structure
r.   Code analysis
s.   Code metrics
t.   
web proxy editor

developer test case scenario

clipboard

buffer overrun

fuzzed network traffic

sending requests out of order

Man In The Middle Attack
u.   Running MITM, how to change traffic
v.   MITM
i.   Launch server name and port
ii.   Sniffing
iii.   Change a to b

w.   Hunting Security


GS (buffer security check)
SAFESEH
hunting security bugs

 
?? real case to explain
?? rely

    4.

system link