Author Topic: Security tools: snort swatch tripwire nmap, VPN ipsec, Nessus (Read 14482 times)


小徒兒

  • Regional moderator
  • Dedicated graduate student
  • *****
  • Posts: 622
    • View profile
***ipsec

***Virtual Private Network Solutions
-PPP
-PPTP
-IPSec
 IP encapsulated over IP
 
-OpenVPN
http://phorum.study-area.org/viewtopic.php?t=34013
***IPSec Overview
-RFC 2411
-Uses three sub protocols
  IKE
  ESP
  AH

-two modes:
  Transport mode: host-to-host
  Tunneling mode: router-to-router


image from IBM Linux Network Administration II: Network Security and Firewalls Student Notebook LX24

***vpn integration



***FreeS/WAN
http://www.freeswan.org # slow to update

Open Source implementation of IPSec for Linux
 - GNU Public License # SUSE bundles it

OpenSwan # recommended

Components:
-KLIPS: Kernel IPSec patches # patches IPSec into the kernel (you need a kernel source tree; download one from kernel.org first)
-Pluto:Key negotiation daemon
-Various utilities

Config files:
-/etc/ipsec.conf
-/etc/ipsec.secrets



***Installing FreeS/WAN from Source
#Make sure you have a working /usr/src/linux/.config
cd /usr/src/linux
cp configs/kernel-version-arch.config .config
make oldconfig

#Unpack and build FreeS/WAN executables
cd /usr/src
tar -zxvf /root/freeswan-version.tar.gz
cd freeswan-version
make programs
make install

#Insert FreeS/WAN patches in kernel and recompile
make insert
cd /usr/src/linux
make menuconfig
vi Makefile (change EXTRAVERSION)
make dep clean bzImage modules
reboot



***Installing FreeS/WAN (Red Hat/SUSE)
freeswan-userland.rpm
freeswan-modules.rpm

#suse
kernel module is compiled into each kernel
freeswan.rpm



***Activating FreeS/WAN
#Verify that IP forwarding is on
cat /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_forward

#Verify the rp_filter is off
cat /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
# rp_filter checks whether a packet's source address is reachable via the interface it arrived on

#Verify that Pluto is started automatically
chkconfig ipsec on

#Decide on keying method and authentication method

#Add connection information to /etc/ipsec.conf

#Add secret keys to /etc/ipsec.secrets

#start ipsec
service ipsec start
rcipsec start # SUSE


***Session Key
-Manually (pro) set up once and done (con) a change must be made on both sides

-Automatically (pro) automatic (con) authentication must happen first
    Authentication: RSA
        DNS (public key)
        /etc/ipsec.conf (public key)
        /etc/ipsec.secrets (private key)

    Authentication: shared secret



----------------------------------------------------------------------------------
***Static (manual keying)
Code:

conn team1-team2
left=62.186.134.70
leftsubnet=192.168.1.0/24
right=62.186.134.71
rightsubnet=192.168.2.0/24

auto=add
spi=0x200 #Security Parameter Index
espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf



#to start, run on both machines:
ipsec manual --up team1-team2

-----------------------------------------------------------------------------------
***Dynamic 1: shared secret
Code:

conn team1-team2
left=62.186.134.70
leftsubnet=192.168.1.0/24
right=62.186.134.71
rightsubnet=192.168.2.0/24

auto=add
authby=secret


ipsec auto --add team1-team2
ipsec auto --up team1-team2

vi /etc/ipsec.secrets
...........
# generate the secret with: ipsec ranbits

62.186.134.70 62.186.134.71 "This is our common secret"
62.186.134.70 62.186.134.72 "0x70b38908sfjsajfl;s"

.........

------------------------------------------------------------------------------

-----------------------------------------------------------------------------------
***Dynamic 2: RSA Public Key Authentication
#Generate an RSA public/private key pair for each station
ipsec newhostkey --output /etc/ipsec.secrets


#Extract the public key and put it in the other side's /etc/ipsec.conf
ipsec showhostkey --left #if you are left
ipsec showhostkey --right #if you are right


vi /etc/ipsec.conf # left
Code:

conn team1-team2
authby=rsasig
auto=start
left=62.186.134.70
leftid=@fw.team1.com
leftsubnet=192.168.1.0/24
leftrsasigkey=0sAQ... # this end's RSA key
right=62.186.134.71
rightsubnet=192.168.2.0/24
rightrsasigkey=0sAQO... # the remote end's RSA key


vi /etc/ipsec.secrets # left
Code:

#208.164.186.1 208.164.186.2: RSA {
@fw.team1.com: RSA {
 
      Modulus: 0x95daee1be05f .......
      PublicExponent: 0x03.......
      # everything after this point is secret
        PrivateExponent: 3e74967eaea2025c98c6..........
        Prime1: 0xc5b471a88b025dd09d4bd7b6.............
        Prime2: 0xc20a99feeafe79767122409b6..........
        Exponent1: 0x83cda11b0756e935be328f.........
        Exponent2: 0x815c66a9f1fefba44b6c2b1........
        Coefficient: 5a5731a73875d30186520f1..........
}




------------------------------------------------------------------------------
***Dynamic 3: Storing Public Key In DNS

#Extract the public key and put it in the other side's /etc/ipsec.conf
ipsec showhostkey --key

#add key in the leftid/rightid DNS entry
fw.team1.com. IN KEY 0x4200  4  1 AQDSFE

#Other side can now refer to DNS in /etc/ipsec.conf
vi /etc/ipsec.conf
..........
leftid=@fw.team1.com
leftrsasigkey=%dns

........................
------------------------------------------------------------------------------








source from netman

--------
== on the LEFT (pc5) ==
rpm -q openswan || yum install openswan
ipsec newhostkey --output /etc/ipsec.secrets
ipsec showhostkey --left   # then COPY the output key
vi /etc/ipsec.conf
  conn team5-team6
        left=10.1.1.5
        leftsubnet=192.168.5.0/24
        leftid=@pc5.test.cxm
        leftrsasigkey=0sAQN9Hzec.....LEFT..........
        right=10.1.1.6
        rightsubnet=192.168.6.0/24
        rightid=@pc6.test.cxm
        rightrsasigkey=
        auto=add

== on the RIGHT (pc6) ==
rpm -q openswan || yum install openswan
ipsec newhostkey --output /etc/ipsec.secrets
ipsec showhostkey --right        # then COPY the output key
vi /etc/ipsec.conf
  conn team5-team6
        left=10.1.1.5
        leftsubnet=192.168.5.0/24
        leftid=@pc5.test.cxm
        leftrsasigkey=
        right=10.1.1.6
        rightsubnet=192.168.6.0/24
        rightid=@pc6.test.cxm
        rightrsasigkey=0sAQPE7w.........RIGHT.............
        auto=add
ssh pc5.test.cxm "ipsec showhostkey --left"   # copy the output key
vi /etc/ipsec.conf
        leftrsasigkey=0sAQN9Hzec.....LEFT..........

== on the LEFT (pc5) ==
ssh pc6.test.cxm "ipsec showhostkey --right"   # copy the output key
vi /etc/ipsec.conf
        rightrsasigkey=0sAQPE7w.........RIGHT.............

== on the BOTH (pc5 & pc6)
vi /etc/sysctl.conf
   net.ipv4.ip_forward = 1
   net.ipv4.conf.all.rp_filter = 0
sysctl -p /etc/sysctl.conf
service ipsec start
chkconfig ipsec on
ipsec auto --up team5-team6
route -n
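The step that goes wrong most often in the pc5/pc6 procedure above is the hand copy of each host's public key into the other host's ipsec.conf: a slot is left empty, or a host's own key is pasted into the wrong slot, and Pluto then fails authentication with little to go on. The following is an added example, not Openswan or FreeS/WAN code: it parses the conn sections of both hosts' ipsec.conf and reports empty or mismatched mirrored parameters and overlapping subnets. The two configs are constructed from the pc5/pc6 example; the key values are dummies, not real RSA keys, and `authby` is taken to default to `rsasig` as Openswan does.

```python
"""Cross-check a site-to-site conn as written on the LEFT and RIGHT hosts.

Added example (not Openswan/FreeS/WAN code). Parses the conn sections of two
ipsec.conf files and flags an rsasigkey left empty, a key that differs
between the hosts (pasted into the wrong slot), mismatched ids or subnets,
and overlapping subnets. Sample configs are constructed; keys are dummies.
"""
import ipaddress
import re

CONN_RE = re.compile(r"^\s*conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

# Parameters that must read identically in both hosts' copies of the conn.
MIRRORED = ("left", "right", "leftsubnet", "rightsubnet", "leftid", "rightid")


def parse_conns(text):
    """Return {conn_name: {param: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif not m:
            current = None          # e.g. 'config setup': not a conn section
    return conns


def check_pair(left_conf, right_conf, name):
    """Return a list of problems; an empty list means both copies agree."""
    sides = {"left": parse_conns(left_conf).get(name),
             "right": parse_conns(right_conf).get(name)}
    problems = [f"{host} host has no 'conn {name}'"
                for host, conn in sides.items() if conn is None]
    if problems:
        return problems
    # Openswan's default authby is rsasig, so the key slots matter unless PSK is chosen.
    authby = sides["left"].get("authby") or sides["right"].get("authby") or "rsasig"
    params = list(MIRRORED) + (["leftrsasigkey", "rightrsasigkey"] if authby == "rsasig" else [])
    for param in params:
        values = {host: conn.get(param, "") for host, conn in sides.items()}
        problems += [f"{param} is empty on the {host} host"
                     for host, value in values.items() if not value]
        if all(values.values()) and len(set(values.values())) != 1:
            problems.append(f"{param} differs between the two hosts")
        if param.endswith("rsasigkey"):
            problems += [f"{param} on the {host} host is not a 0s... public key"
                         for host, value in values.items()
                         if value and not value.startswith("0s")]
    for host, conn in sides.items():
        try:
            if ipaddress.ip_network(conn.get("leftsubnet", "")).overlaps(
                    ipaddress.ip_network(conn.get("rightsubnet", ""))):
                problems.append(f"leftsubnet and rightsubnet overlap on the {host} host")
        except ValueError:
            problems.append(f"unparsable subnet on the {host} host")
    return problems


# Constructed from the pc5/pc6 example; the 0s... values are dummies, not keys.
LEFT_PC5 = """\
conn team5-team6
        left=10.1.1.5
        leftsubnet=192.168.5.0/24
        leftid=@pc5.test.cxm
        leftrsasigkey=0sAQN9Hzec-LEFT-DUMMY
        right=10.1.1.6
        rightsubnet=192.168.6.0/24
        rightid=@pc6.test.cxm
        rightrsasigkey=0sAQPE7w-RIGHT-DUMMY
        auto=add
"""
# pc6's copy before the `ssh pc5 "ipsec showhostkey --left"` step: slot still empty.
RIGHT_PC6_BEFORE = LEFT_PC5.replace("leftrsasigkey=0sAQN9Hzec-LEFT-DUMMY", "leftrsasigkey=")
# pc6's copy with its OWN key pasted into the left slot by mistake.
RIGHT_PC6_SWAPPED = LEFT_PC5.replace("leftrsasigkey=0sAQN9Hzec-LEFT-DUMMY",
                                     "leftrsasigkey=0sAQPE7w-RIGHT-DUMMY")

if __name__ == "__main__":
    for label, right in (("before copy", RIGHT_PC6_BEFORE), ("swapped", RIGHT_PC6_SWAPPED)):
        print(label, check_pair(LEFT_PC5, right, "team5-team6"))
```

Run it on the two real files (`scp` the peer's ipsec.conf over, or paste it) before `ipsec auto --up`; an empty list is the expected result.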

小徒兒

nessus
« Reply #1 on: 2007-01-09 21:31 »
### server
# rpm -ivh Nessus-3.0.4-fc5.i386.rpm
# /opt/nessus/sbin/nessus-add-first-user
   - to create admin
# /opt/nessus/bin/nessus-mkcert-client
   - to create myuser
# /opt/nessus/sbin/nessus-adduser
   - to create guestuser
   - use these two rules:
      accept 10.1.2.0/24
      default deny
# service nessusd start


### activation code
   - goto http://www.nessus.org/register
   - to have a license code
   - select Registered FREE(7 days late)

# /opt/nessus/bin/nessus-fetch --register <license code>
# /opt/nessus/sbin/nessus-update-plugins

### client
# rpm -ivh NessusClient-1.0.1-fc5.i386.rpm
$ NessusClient
   new task
   new scope
   start scope

小徒兒

apache+ssl
« Reply #2 on: 2007-01-09 21:33 »
source from netman

yum install mod_ssl
cd /etc/httpd/conf
mkdir ssl.key ssl.crt
cd /etc/pki/tls/certs
make pc1.key
   # give pass phrase (minimum 6 characters)
make pc1.crt
   # type information:
   #-> CC:      TW
   #-> State:    Taiwan
   #-> City:    KaoHsiung
   #-> Organization: Pcschool
   #-> Department:    class203
   #-> CommonName:   pc1.test.cxm  #--!! make sure --!!
   #-> Email:   root@pc1.test.cxm
mv pc1.key /etc/httpd/conf/ssl.key/
mv pc1.crt /etc/httpd/conf/ssl.crt/
cd /etc/httpd/conf.d
cp ssl.conf ssl.conf.bak
vi ssl.conf
   # change three lines:
   #-> ServerName pc1.test.cxm:443
   #-> SSLCertificateFile /etc/httpd/conf/ssl.crt/pc1.crt
   #-> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/pc1.key
service httpd restart
   # type passphrase
vi /etc/httpd/sslpasswd
   # make it like this:
   #->   #!/bin/bash
   #->   echo "sslpassword"
chmod 700 /etc/httpd/sslpasswd
vi ssl.conf
   #-> SSLPassPhraseDialog  exec:/etc/httpd/sslpasswd
service httpd restart

小徒兒

security tools: nmap, Nessus
« Reply #3 on: 2007-01-10 17:37 »
FingerPrinter

Port Scanner

Nmap
nc (hacker)
strobe
ftp://ftp.suburbia.net

***Nmap
Very powerful
resource from 台灣電腦網路危機處理中心 林岳生

Code:

nmap is a port scanner for Unix. By scanning with nmap you can quickly and easily learn which services a remote host is running, and even guess the remote host's operating system and version; you can also scan a subnet to find out which hosts exist on it and probe each one's services.
Features supported by Nmap include:
• Vanilla TCP connect() scanning
• TCP SYN (half open) scanning
• TCP FIN, Xmas, or NULL (stealth) scanning
• TCP ftp proxy (bounce attack) scanning
• SYN/FIN scanning using IP fragments (bypasses some packet filters)
• TCP ACK and Window scanning
• UDP raw ICMP port unreachable scanning
• ICMP scanning (ping-sweep)
• TCP Ping scanning
• Direct (non portmapper) RPC scanning
• Remote OS Identification by TCP/IP Fingerprinting
• Reverse-ident scanning
Nmap also supports dynamic delay calculation, packet timeout and retransmission, testing large numbers of machines for up or down by pinging them in parallel, flexible target and port selection, scanning with spoofed (decoy) IPs, judging TCP sequence predictability, and so on.
For detailed installation and usage instructions see http://www.insecure.org/nmap




Nessus – Security Scanner
resource from 台灣電腦網路危機處理中心 林岳生

Code:

Nessus is a free, powerful, quickly updated and easy-to-use remote scanner. After the system administrator has used nmap to get a rough picture of a host, Nessus can be used to test the machines that deserve a detailed scan. Nessus tests for and attacks weaknesses according to its plugins, lists the likely problems and suggests ways to fix them. Its features, by category:
1. Plug-in structure: every security check is written as an external plug-in, so you can easily add or remove the tests you need without modifying the code of the Nessus scan engine. The existing plugins fall into these categories:
• Backdoors: assorted backdoor programs
• CGI abuses: tests for common CGI problems
• Denial of Service
• Finger abuses: tests for finger problems
• Firewalls: tests for common oversights in firewall configuration
• FTP: anonymous-user privileges, file permissions, vulnerabilities of various FTP servers
• Gain a shell remotely: tests for services that may give a remote attacker a shell
• Gain root remotely: tests for services that may give a remote attacker root privileges
• General: plugins for general problems
• Misc: plugins for other problems
• NIS: tests for NIS problems
• Port scanners: uses nmap to ping, TCP connect scan, FTP bounce scan and TCP SYN scan the remote machine
• Remote file access: tests of remote file access permissions
• RPC: plugins for remote procedure call problems
• SMTP problems: checks common mail server problems, such as older sendmail versions giving a remote shell, overwriting files, mail relaying and so on
• Useless services: checks for services that are not necessarily needed and easily cause security problems, such as telnet, rlogin and rsh, which transmit in cleartext
• Windows: tests Windows file sharing, authentication and similar services
2. NASL: to make writing security checks fast and easy, NASL (Nessus Attack Scripting Language) was designed so that any scanning need can be met without modifying the core of the Nessus scan engine.
3. Frequently updated vulnerability database: the Nessus developers and maintainers concentrate on checking each day's newest security holes; the vulnerability database is updated on a daily basis.
4. Client-server architecture: Nessus consists of two parts, the Nessus server and the Nessus client. The server does the attacking; the client is the interface for control and for viewing the results. You can run the server and the client on different systems, i.e. audit and review the hosts of a whole domain from a PC while a big machine in the server room runs the attacks. Currently the server runs only on POSIX systems (Solaris, FreeBSD, GNU/Linux and others); the client comes in X11, Java and Win32 versions.
5. Can test an unlimited number of machines at once: depends on the capacity of the host running the Nessus server.
6. Does not decide a host's services by port number: Nessus does not stick to the IANA-assigned port numbers to decide what a service is, so when an FTP server runs on 31337 or a web server on 8080, Nessus still identifies them.
7. Simulates an intruder's behaviour: Nessus does not trust the version information a service announces to decide whether that version is secure; it still tests for every possible problem, such as "version x.y.z" style checks. 95% of the security tests will still run their checks, still try to overflow your buffers, relay through your mail server, and even wreck your system.
8. Complete reports: Nessus does not only tell you where the problems are; in most cases it also tells you how to keep intruders from attacking those weaknesses, and grades the severity of each weakness.
9. Convertible report formats: the scan report can be converted to ASCII text, LaTeX, HTML or "spiffy" HTML.
10. Independent developers: the Nessus developers are completely independent and unconstrained, with no relationship whatsoever to commercial software vendors, so they will never hide any security weakness because of a relationship with some piece of software.
How Nessus operates:
1. Find which ports have a service running; the port scan part of Nessus relies on nmap.
2. Test which vulnerabilities the service on that port may have.
3. Produce the test report.
4. Report the system's possible vulnerabilities.
5. Propose solutions for the system's possible problems.
Detailed installation and usage instructions are available from the Taiwan Nessus mirror http://www.tw.nessus.org or from the main site http://www.nessus.org.

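Two points in the notes above are easy to see with a few lines of socket code: the "vanilla TCP connect()" scan is nothing more than a full three-way handshake per port, and a scanner that reads the service's greeting can name it even when it sits on a non-standard port (the "FTP server on 31337" case). The block below is an added example, not code from nmap or Nessus; its listeners are constructed loopback servers that emit nothing but a banner, and its signature table is a small illustrative one. Services that wait for the client to speak first (HTTP, for instance) come back as `no-banner`; identifying them needs an application-layer probe, which this example does not send.

```python
"""TCP connect() scanning with banner-based service identification.

Added example, not nmap's or Nessus's code. A full connect() scan of a port
list, then naming each open service from what it says rather than from the
port it listens on. Servers are constructed loopback listeners; the
signature table is a small illustrative one.
"""
import re
import socket
import threading

# Constructed signature table: greeting pattern -> service name.
BANNER_SIGNATURES = (
    (re.compile(rb"^220[ -].*FTP", re.IGNORECASE), "ftp"),
    (re.compile(rb"^SSH-\d\.\d-"), "ssh"),
    (re.compile(rb"^220[ -].*E?SMTP", re.IGNORECASE), "smtp"),
)


def identify_banner(banner):
    """Map a server greeting to a service name, ignoring the port entirely."""
    for pattern, name in BANNER_SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown" if banner else "no-banner"   # silent services need a probe


def connect_scan(host, ports, timeout=0.5):
    """One full TCP handshake per port; returns {port: (state, service)}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except ConnectionRefusedError:       # RST came back: closed
                results[port] = ("closed", None)
                continue
            except OSError:                      # timeout/unreachable: filtered
                results[port] = ("filtered", None)
                continue
            try:
                banner = s.recv(256)
            except OSError:
                banner = b""
        results[port] = ("open", identify_banner(banner))
    return results


def start_banner_server(banner):
    """Loopback listener that greets every client with `banner`; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                   # kernel picks a free port
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan three loopback ports: FTP on an arbitrary port, SSH, and a closed one."""
    ftp_port = start_banner_server(b"220 pc1.test.cxm FTP server (Version 6.4) ready.\r\n")
    ssh_port = start_banner_server(b"SSH-2.0-OpenSSH_4.3\r\n")
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                # nothing listens here any more
    scan = connect_scan("127.0.0.1", [ftp_port, ssh_port, closed_port])
    return scan, ftp_port, ssh_port, closed_port


if __name__ == "__main__":
    scan, *_ = demo()
    for port, (state, service) in sorted(scan.items()):
        print(f"{port:5d}/tcp {state:8s} {service or ''}")
```

Because every probe completes the handshake, the target's application logs record each connection; that is the trade-off against the SYN (half-open) scan listed above, which needs raw sockets and root.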

小徒兒

ldap + tls
« Reply #4 on: 2007-01-11 20:57 »
cd /etc/pki/tls/misc
./CA -newca
cd ../../CA
openssl req -new -nodes -keyout newreq.pem -out newreq.pem
# IMPORTANT: the servername must be the same as the output of the $(hostname) command
/etc/pki/tls/misc/CA -sign
mv cacert.pem /etc/openldap/cacerts
mv newcert.pem /etc/openldap/cacerts
mv newreq.pem /etc/openldap/cacerts
chown ldap:ldap /etc/openldap/cacerts/newreq.pem
chmod 600 /etc/openldap/cacerts/newreq.pem
vi /etc/openldap/slapd.conf
  TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
  TLSCertificateFile /etc/openldap/cacerts/newcert.pem
  TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
vi /etc/openldap/ldap.conf
  TLS_CACERT /etc/openldap/cacerts/cacert.pem
  TLS_CACERTDIR /etc/openldap/cace
vi /etc/ldap.conf
  ssl start_tls
  tls_cacertfile /etc/openldap/cacerts/cacert.pem
  tls_cacertdir /etc/openldap/cacerts
ldapsearch -x -b 'dc=linux,dc=org' -H ldaps://<servername>:636    # MUST use hostname(not IP)!!
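Both the Apache step ("CommonName: pc1.test.cxm, make sure") and the LDAP step ("MUST use hostname, not IP") come down to the same rule: a TLS client compares the name it connected to against the names inside the certificate, and an IP address is never matched against a commonName. The function below is an added example, not OpenLDAP or mod_ssl code; it implements that matching for certificate data laid out the way Python's `ssl.getpeercert()` returns it, with subjectAltName taking precedence over the CN and wildcards confined to a whole leftmost label. The certificates are constructed to resemble the CN-only ones produced by `make pc1.crt` and `openssl req` above.

```python
"""Hostname-to-certificate matching, the check behind "use the hostname, not the IP".

Added example, not OpenLDAP/mod_ssl code. Rules in the style of RFC 6125:
an IP literal matches only an IP-address SAN; if the cert carries DNS SANs
the CN is ignored; a CN is used only when there is no DNS SAN (the
`make pc1.crt` / `openssl req` certs above); '*' matches one whole leftmost
label only. Certificate dicts use the ssl.getpeercert() layout and are constructed.
"""
import ipaddress


def _dns_match(pattern, host):
    """Case-insensitive DNS name match; '*' allowed only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # No '*.com'-style patterns, and a wildcard never spans a dot.
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])


def cert_matches_host(cert, host):
    """True if `host` (DNS name or IP literal) is a name the certificate carries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if ip is not None:
        # ldaps://10.1.1.5 can only be satisfied by an IP-address SAN entry;
        # neither the CN nor the DNS entries are consulted for an IP literal.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)
    # No DNS SAN at all: fall back to the subject commonName.
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn
           if kind == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)


# Constructed: what `make pc1.crt` / `openssl req` above produce, CN only, no SAN.
CN_ONLY_CERT = {
    "subject": ((("countryName", "TW"),), (("stateOrProvinceName", "Taiwan"),),
                (("organizationName", "Pcschool"),), (("commonName", "pc1.test.cxm"),)),
}
# Constructed: a cert with subjectAltName, which overrides the CN.
SAN_CERT = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.test.cxm"), ("IP Address", "10.1.1.5")),
}

if __name__ == "__main__":
    for target in ("pc1.test.cxm", "10.1.1.5", "PC1.TEST.CXM."):
        print(f"{target:14s} CN-only: {cert_matches_host(CN_ONLY_CERT, target)!s:5s}"
              f"  SAN: {cert_matches_host(SAN_CERT, target)}")
```

This is why `ldapsearch -H ldaps://10.1.1.5:636` fails against a certificate whose only name is `pc1.test.cxm` even though the certificate itself is valid, and why the Apache CommonName has to be the exact name clients type.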

小徒兒

Network intrusion detection tool: snort
« Reply #5 on: 2007-01-11 20:59 »
***Tools
Psionic PortSentry
Scanlogd
Snort

***Installing Snort by make install
cd /usr/src
tar -zxvf /root/snort-version.tar.gz
cd snort-version
./configure
make
make install

***Snort Sniffer Mode
snort [-i interface] -v [expression]
# [expression] uses tcpdump-like filter syntax

#Options
-e #show layer-2 info as well
-d #show data as well (hex and char)



***Snort Packet Logging Mode
#tcpdump compatible
snort -b [-l <directory>] [-L <filename>]
#read a tcpdump binary file:
snort -r <file>

# snort -l specifies the log directory
snort -l <directory> [-h <home-net>]

***Snort NIDS mode # detect certain behaviour and raise an alert
vi /etc/snort.conf
#output plugin (syslog, tcpdump, database,SNMP)

#rule & action
# rules can be pulled in with include
log tcp any any -> 1.2.3.4 22

# rule sets can be downloaded from the snort website
/usr/src/snort-version/rules


***Snort Rulesets

virus/exploits
http://www.whitehats.com/ids
http://users.pandorabe/larc
http://www.superhac.com # rich and up to date


### install Snort
# wget http://www.snort.org/dl/binaries/linux/snort-2.6.1.2-1.FC5.i386.rpm
# rpm -ivh snort-2.6.1.2-1.FC5.i386.rpm

### update rules
- goto https://www.snort.org/pub-bin/register.cgi
- to register an account, password will be sent via email
- then login
- scroll down to the bottom and click 'Get Code'
- copy that code then goto http://www.snort.org/pub-bin/downloads.cgi
- find out the latest version (i.e. 2.4)
- modify the URL like this http://www.snort.org/pub-bin/oinkmaster.cgi/<code here>/snortrules-snapshot-2.4.tar.gz

### download rules
# cd /etc/snort
# wget http://www.snort.org/pub-bin/oinkmaster.cgi/386a37f1cd715f80573aa7c5b9558b14fef344a2/snortrules-snapshot-2.4.tar.gz
# tar zxvf snortrules-snapshot-2.4.tar.gz
# service snort restart
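The one rule shown in the notes above, `log tcp any any -> 1.2.3.4 22`, is a complete Snort rule header: action, protocol, source address and port, direction, destination address and port, optionally followed by an option block such as `(msg:"..."; sid:...;)`. The block below is an added example, not Snort's code: a parser for that header grammar and a matcher that applies its semantics (`any`, CIDR, `!` negation, `lo:hi` port ranges, `->` versus `<>`, and `pass` rules silencing a packet, which is what evaluating pass rules first with Snort's `-o` option achieves). The rules and packet summaries are constructed for the example.

```python
"""Snort-style rule headers evaluated against packet summaries.

Added example, not Snort's code. Parses the header grammar used above plus
an optional (msg:"..."; sid:...;) block, and applies 'any', CIDR, '!'
negation, single ports and lo:hi ranges, '->' versus '<>' direction, and
'pass' rules that silence a packet. Rules and packets are constructed.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*(?:\((?P<opts>.*)\))?\s*$")


def parse_rule(text):
    """Return the header fields plus an 'opts' dict (msg, sid, ...)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for item in (rule["opts"] or "").split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
    rule["opts"] = opts
    return rule


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _port_ok(spec, port):
    if spec == "any":
        return True
    if port is None:                 # icmp carries no ports: only 'any' fits
        return False
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport (ports None for icmp)."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
                and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))

    if one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]):
        return True
    # '<>' also tries the rule with source and destination swapped.
    return rule["dir"] == "<>" and one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


def evaluate(rules, pkt):
    """Events for one packet as [(action, msg)]; a matching 'pass' rule wins outright."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if any(r["action"] == "pass" for r in hits):
        return []
    return [(r["action"], r["opts"].get("msg", "")) for r in hits]


# Constructed rule set: the rule from the notes plus a few others.
RULE_TEXT = [
    'log tcp any any -> 1.2.3.4 22',
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 1:1024 (msg:"inbound low port from outside"; sid:1000001;)',
    'alert udp any any -> any 161 (msg:"SNMP"; sid:1000002;)',
    'pass tcp 10.0.0.5 any -> 192.168.1.0/24 22 (msg:"trusted scanner"; sid:1000003;)',
    'alert tcp 192.168.1.0/24 any <> 203.0.113.9 any (msg:"bidirectional with 203.0.113.9"; sid:1000004;)',
]
RULES = [parse_rule(r) for r in RULE_TEXT]

# Constructed packet summaries (what the decoder would hand to the detection engine).
PACKETS = [
    {"proto": "tcp", "src": "5.6.7.8", "sport": 40000, "dst": "1.2.3.4", "dport": 22},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.168.1.10", "dport": 80},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 33000, "dst": "192.168.1.10", "dport": 22},
    {"proto": "udp", "src": "192.168.1.20", "sport": 1025, "dst": "192.168.1.1", "dport": 161},
    {"proto": "tcp", "src": "192.168.1.10", "sport": 80, "dst": "203.0.113.9", "dport": 51000},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt["proto"], pkt["src"], pkt["sport"], "->", pkt["dst"], pkt["dport"], evaluate(RULES, pkt))
```

The last packet is the reply half of the second one: the `->` rule does not fire on it, the `<>` rule does, which is the distinction to keep in mind when writing rules for a server whose replies you also want logged.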

小徒兒

分析Log的工具: swatch
« 回覆 #6 於: 2007-01-11 21:00 »
分析Log的工具: swatch
***Logfile Monitoring
consider: authenticity, timeliness

Syslog --> Logwatch # runs once a day
Swatch (real time, runs as a daemon)

# notification methods: pager, SMS, MSN

download from http://swatch.sourceforge.net
perl Makefile.PL
make
make install

#Configuration
~/.swatchrc

#default log file
/var/log/messages



***Swatch Configuration Options
ignore <regex>
watchfor <regex>
   -echo [<color>]
   -bell #ring a bell
   -pipe <command>
   -write <user>
   -throttle <limit> # limit the number of alerts
   -continue


exec sendSMS -r $0 # write the command in Perl first
http://phorum.study-area.org/viewtopic.php?t=21695&highlight=sendSMS
pipe="sendSMS -r 348xxxxx"

exec /usr/bin/play /usr/local/Sounds/shark.au
mail addresses=root,subject=Login Message
mail andy@page55.com ,subject=--- Snort IDS Alert ---
exec echo $0 >> /var/log/snort  

ignore /test/
ignore /modprobe/
ignore /this too, and more/

watchfor /.*/
     echo

***tail -f mode
watchfor /panic/
 echo red
bell


watchfor /apm/
echo green


watchfor /startup|shutdown/
echo blue

watchfor /.*/
echo


***Daemon Mode
watchfor /panic/
 mail addresses=joe,pete, subject=panic


watchfor /snort/
  # swatch-2.2/utils/call_pager.pl, the bundled pager Perl script
  exec "call_pager 7654321 NIDS alert: $*"
  throttle 00:05

ignore /.*/


***General Logging Tips
logger




***Countering Attacks (when under attack)

#start a network trace
tcpdump -i eth0 -w file

#start script
script attack.log

#analyze, document, assess the damage


### install
# yum install swatch

### create config_file
# vi ~/.swatchrc
   watchfor /kernel/
           echo red

   watchfor /sshd/
           echo blue

   watchfor /.*/
           echo

### run swatch
# swatch -t /var/log/secure
- then use other machine to ssh login


### other example
# mkdir ~/.swatch
# vi ~/.swatch/daemon
   watchfor /session opened for user root/
           exec "echo Root just logged in | wall"

   ignore /.*/

# swatch -c ~/.swatch/daemon -t /var/log/secure
- run su in other terminal
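What the swatch configs above actually do depends on evaluation order: for each log line the rules are walked top to bottom, an `ignore` hit drops the line, a `watchfor` hit runs its actions and stops unless `continue` is set, and `throttle` swallows repeats of the same pattern inside its window. The block below is an added example, not swatch's own code: a small engine with exactly those semantics, run over constructed `/var/log/messages`-style lines carrying explicit timestamps so the throttle behaviour is reproducible. Its rule list mirrors the daemon-mode config in the post (panic, snort with a five-minute throttle, the root-login `wall`, `ignore /.*/` as the last rule).

```python
"""Rule evaluation the way swatch does it, run over constructed log lines.

Added example, not swatch's code. Ordered rules; per line: 'ignore' drops
it, a 'watchfor' hit fires its actions and stops unless cont=True, and
'throttle' suppresses repeat reports inside the interval. Rules mirror
the daemon-mode config above; log lines and timestamps are constructed.
"""
import re
from datetime import datetime, timedelta


class Rule:
    def __init__(self, kind, pattern, actions=(), throttle=None, cont=False):
        self.kind = kind                 # "watchfor" or "ignore"
        self.regex = re.compile(pattern)
        self.actions = list(actions)     # (action, argument) pairs, e.g. ("echo", "red")
        self.throttle = throttle         # timedelta or None
        self.cont = cont                 # swatch's `continue`: keep walking the rules
        self.last_fired = None


def run(rules, timed_lines):
    """Return [(action, argument, line)] in the order swatch would fire them."""
    events = []
    for when, line in timed_lines:
        for rule in rules:
            if not rule.regex.search(line):
                continue
            if rule.kind == "ignore":
                break
            if (rule.throttle and rule.last_fired is not None
                    and when - rule.last_fired < rule.throttle):
                break                    # repeat inside the throttle window: swallowed
            rule.last_fired = when
            events.extend((action, arg, line) for action, arg in rule.actions)
            if not rule.cont:
                break
    return events


def daemon_rules():
    """A fresh rule list each time, since throttle state lives in the Rule objects."""
    return [
        Rule("ignore", r"test"),
        Rule("watchfor", r"panic", [("mail", "joe,pete")]),
        Rule("watchfor", r"snort", [("exec", "call_pager 7654321")],
             throttle=timedelta(minutes=5)),          # throttle 00:05
        Rule("watchfor", r"session opened for user root", [("exec", "wall")], cont=True),
        Rule("watchfor", r"sshd", [("echo", "blue")]),
        Rule("ignore", r".*"),
    ]


T0 = datetime(2007, 1, 11, 21, 0, 0)
LOG = [  # constructed lines; the tuple timestamp stands in for swatch's wall clock
    (T0, "Jan 11 21:00:00 pc1 kernel: running hardware test"),
    (T0 + timedelta(seconds=1), "Jan 11 21:00:01 pc1 kernel: Kernel panic - not syncing"),
    (T0 + timedelta(seconds=2), "Jan 11 21:00:02 pc1 snort[812]: [1:1000001:1] inbound low port"),
    (T0 + timedelta(seconds=3), "Jan 11 21:00:03 pc1 snort[812]: [1:1000001:1] inbound low port"),
    (T0 + timedelta(minutes=6), "Jan 11 21:06:00 pc1 snort[812]: [1:1000002:1] SNMP"),
    (T0 + timedelta(minutes=7), "Jan 11 21:07:00 pc1 sshd[913]: pam_unix(sshd:session): session opened for user root by (uid=0)"),
    (T0 + timedelta(minutes=8), "Jan 11 21:08:00 pc1 sshd[950]: Accepted password for andy from 10.1.2.7 port 4022 ssh2"),
    (T0 + timedelta(minutes=9), "Jan 11 21:09:00 pc1 su: pam_unix(su:session): session opened for user root by andy(uid=500)"),
]

if __name__ == "__main__":
    for action, arg, line in run(daemon_rules(), LOG):
        print(f"{action:5s} {arg:22s} <- {line}")
```

Note the two snort lines one second apart produce a single page, the root login over ssh triggers both the `wall` and the blue echo because of `continue`, and the `su` root login triggers only the `wall`.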

小徒兒

系統完整性檢查工具 tripwire
« Reply #7 on: 2007-01-11 21:46 »

# builds a database; comparing old against new lists which files were deleted or modified
rpm -q tripwire
yum install tripwire

***Tripwire Installation and Usage
#config
vi /etc/tripwire/twcfg.txt
#policy
vi /etc/tripwire/twpol.txt

#create signed/encrypted config
/etc/tripwire/twinstall.sh #red hat
twadmin #suse or redhat

#initialize database
tripwire --init # recommended: burn the database to CD

#perform a check against the database
tripwire --check [filename]
twprint -m r -r <report> # report file is named <FQDN>-<date>-<time>.twr

#update the database
tripwire --update






#resource from netman's class notes
Code:

*** INSTALL
wget ftp://ftp.isu.edu.tw/pub/Linux/Fedora/linux/extras/4/i386/tripwire-2.3.1-22.i386.rpm
rpm -ivh --nodeps tripwire-2.3.1-22.i386.rpm
ln -s /lib/libcrypto.so.6 /lib/libcrypto.so.5


*** SETUP
cd /etc/tripwire/
twadmin --generate-keys -L `hostname -f`-local.key
twadmin --generate-keys -S site.key
twadmin --create-cfgfile -S site.key twcfg.txt
twadmin --create-polfile -S site.key twpol.txt
tripwire --init


*** PREPARE
tripwire --check 2>&1 | awk '/Filename:/{print $3}' > notfound.txt
notfound=`cat notfound.txt | tr -d ' ' | tr -s '\n' '|'`
cp twpol.txt twpol.txt.bak
cat twpol.txt.bak | grep -Ev "${notfound%?}" > twpol.txt
twadmin --create-polfile -S site.key twpol.txt
tripwire --init


*** CHECK
tripwire --check


*** REPORT
twprint -m r --twrfile /var/lib/tripwire/report/your.machine.name-<date>-<time>.twr


*** UPDATE
tripwire --update -r /var/lib/tripwire/report/your.machine.name-<date>-<time>.twr
# and this is entering vi editor,
# then delete the x in the [x] box which is in front of the object
# exit vi then enter the local passphrase



小徒兒

資安檢查事項
« Reply #8 on: 2007-01-12 15:13 »
***Do-It-Yourself self-check list
#Save the following files
/etc/*
/boot/*

#Save output of following commands

ps aux
netstat -an
netstat -rn
free
df # disks
du / # directory usage
vmstat
ls -lR / # -lR lists everything
mount # shows the state of the mount points
rpm -qa

#Save md5sum of all executables and libraries
# md5 every command and file so you can check later whether an executable was altered



***Filesystem Integrity Checking
#Save characteristics of every important files:
ctime, mtime
length
link count
checksum

#tools to check: system integrity checking tools
Tripwire (http://www.tripwire.com) # the classic one



***Day-to-Day Operations

-Monitor system behaviour
  tail /var/log/messages
  top
  baseline


-Prepare for attacks
  Prioritize services
  Who, When and How needs to be informed? (SOP)

-worst case scenario

-Don't chase windmills
  99% of attacks are script kiddies who discovered Nessus and nmap


***Network and System Setup
     -Secure distributions <== google (secure linux distribution)
     - Hardening scripts <== Bastille-Linux download scripts
       http://www.bastille-linux.org
       LIDS (Linux Intrusion Detection System)
       http://www.lids.org

     -Failover/fallback system

     -Defense in depth

     -Disaster recovery plans


***User Education

    -Use good passwords
      At least six characters
      Not a dictionary word, name, birthdate, license plate
      Not easily guessable
      Change frequently
      Don't write them down

     -Don't tell anybody your password
      Not even someone who claims to be an administrator

      -Don't download software from the internet (China)

      -Don't run any program that was sent to you by mail
     
      -Don't leave computer/sessions unattended
       Password-protected screen saver




***Administrator Education
      - Keep current on security developments
        General mailing lists: CERT, Bugtraq, FBI, IBM, ERS
        Newsgroups: comp.security.*
        IRC: fnet
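The "save md5sums of all executables" step in the checklist and the Tripwire `--init` / `--check` cycle in the previous post are the same technique: record the attributes the checklist names (length, mtime, ctime, link count, checksum) for every file while the system is known-good, keep that baseline off the machine, and later diff the live filesystem against it. The block below is an added example, not Tripwire's code, that does exactly that over a temporary directory standing in for `/bin` and `/etc`. It then simulates an intrusion the way a careful attacker would: the trojaned `ls` keeps its original size and has its mtime put back (`touch -r` style), so only the checksum and the ctime, which cannot be set from user space, give it away; a hard link raises `login`'s link count; a backdoor appears and `passwd` disappears.

```python
"""Baseline-and-compare file integrity check (the core of Tripwire and of the
"save the md5sum of all executables" step). Added example, not Tripwire's code.

Per file the baseline records size, mtime, ctime, link count, mode and a
SHA-256; check() reports added, removed and changed files and which
attributes changed. A temporary tree stands in for /bin and /etc.
"""
import hashlib
import os
import shutil
import tempfile

TRACKED = ("size", "mtime", "ctime", "nlink", "mode", "sha256")


def snapshot_file(path):
    """Attributes of one file; symlinks are recorded by their own inode, not followed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
            "nlink": st.st_nlink, "mode": st.st_mode, "sha256": h.hexdigest()}


def build_baseline(root):
    """{relative path: attributes} for every file under root (tripwire --init)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = snapshot_file(full)
    return baseline


def check(root, baseline):
    """Diff the live tree against the baseline (tripwire --check)."""
    current = build_baseline(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diff = [k for k in TRACKED if current[rel][k] != baseline[rel][k]]
        if diff:
            report["changed"][rel] = diff
    return report


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, take the baseline, tamper with it, and check."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    ls_path, login_path = os.path.join(bindir, "ls"), os.path.join(bindir, "login")
    original_ls = b'#!/bin/sh\nexec /usr/bin/ls "$@"\n'
    _write(ls_path, original_ls)
    _write(login_path, b"#!/bin/sh\nexec /usr/bin/login\n")
    _write(os.path.join(root, "passwd"), b"root:x:0:0::/root:/bin/bash\n")
    baseline = build_baseline(root)          # this is what goes onto read-only media

    # Simulated intrusion. The trojaned ls keeps the same byte length and gets
    # its mtime restored (the `touch -r` trick); size and mtime therefore look
    # untouched and only the checksum (and ctime) reveal it.
    trojan_ls = original_ls.replace(b"/usr/bin/ls", b"/tmp/.xx/ls")
    assert len(trojan_ls) == len(original_ls)
    st = os.stat(ls_path)
    _write(ls_path, trojan_ls)
    os.utime(ls_path, ns=(st.st_atime_ns, st.st_mtime_ns))
    os.link(login_path, os.path.join(bindir, ".hidden"))   # login's link count rises
    _write(os.path.join(bindir, "backdoor"), b"#!/bin/sh\nnc -l -p 31337 -e /bin/sh\n")
    os.remove(os.path.join(root, "passwd"))

    report = check(root, baseline)
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the report makes is that size and mtime alone, which is what `ls -lR` in the checklist captures, miss the trojaned `ls`; the checksum column is the one that matters, and the baseline is only trustworthy if it was taken before the compromise and stored where the intruder cannot rewrite it.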