
Linux System Security



  1. Linux System Security
      Lecturer: Dr. 施勢帆

  2. About the instructor
      Name: 施勢帆
      Education: PhD, Graduate Institute of Electrical Engineering, National Taiwan University of Science and Technology
      Experience: Associate Professor, Department of Electrical Engineering, Oriental Institute of Technology (亞東技術學院)
      Former: Director, Computer Center, Oriental Institute of Technology
      Specialties: broadband networking, open-source software systems
      Website: http://oss.oit.edu.tw
      E-mail: shie@ee.oit.edu.tw
      Phone: (02)77384258-16

  3. Course content
      1) Introduction to Linux security
      2) Hacker attacks and hacker tools
      3) Minimal package installation
      4) SSL_Webmin + SSH
      5) Network management + Ntop
      6) PGP/GPG
      7) Firewall + NAT
      8) Security tools
      9) Mail management
      10) Intrusion detection (NIDS)
      11) Logging and audit trails
      12) Backup

  4. Course exercises
      1. System installation with minimal required packages
      2. Autoupdate
      3. Webmin with SSL
      4. Network management and ntop
      5. GPG
      6. NAT
      7. iptables
      8. Security tools
      9. OpenWebmail
      10. MailScanner
      11. NIDS
      12. Backup

  5. Introduction to system security
      TCSEC – Trusted Computer System Evaluation Criteria: identification, discretionary access control, mandatory access control, system audit, security policy, security assurance
      Top causes of intrusion
      Types of intrusion: hacker intrusion, computer virus intrusion, insider intrusion
      Network attack methods
      Vulnerabilities

  6. Top causes of intrusion (from NAI)
      1. Hosts running unnecessary services, e.g. ftp, sendmail
      2. Unpatched, outdated application software and hardware firmware
      3. Information leakage through services such as gopher, finger, telnet, SNMP, SMTP, netstat, etc.
      4. Misappropriated trust relationships, e.g. rsh, rlogin, rexec
      5. Misconfigured firewalls or router ACLs (access control lists)
      6. Weak passwords
      7. Misconfigured web servers
      8. Improperly imported file systems
      9. Misconfigured or unpatched NT systems
      10. Unsecured remote access points, e.g. remote access servers, modem pools, etc.

  7. RedHat vulnerabilities
      2000-06-09: 3R Soft MailStudio 2000 Multiple Vulnerabilities
      2000-06-07: Multiple Linux Vendor restore Buffer Overflow Vulnerability
      2000-06-05: BRU BRUEXECLOG Environmental Variable Vulnerability
      2000-05-29: Xlockmore 4.16 Buffer Overflow Vulnerability
      2000-05-24: HP Web JetAdmin Directory Traversal Vulnerability
      2000-05-24: HP Web JetAdmin 6.0 Printing DoS Vulnerability
      2000-05-24: MDBMS Buffer Overflow Vulnerability
      2000-05-18: Lotus Domino Server ESMTP Buffer Overflow Vulnerability
      2000-05-18: XFree86 Xserver Denial of Service Vulnerability
      2000-05-16: Multiple Vendor Kerberos 5/Kerberos 4 Compatibility krb_rd_req() Buffer Overflow Vulnerability
      etc.

  8. Network attack methods
      Ping of Death, Out of Bound Data, Mail Bombing, Email Spamming, Flood, Teardrop, SYN Flood, LAND, Denial of Service, DDoS, etc.

  9. Example 1: /var/log/httpd/access.log
      80.58.36.107 - - [14/Sep/2003:06:04:09 +0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
      80.58.36.107 - - [14/Sep/2003:06:07:09 +0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
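The two log lines above are requests for /default.ida padded with X characters and followed by %u-encoded bytes. That is the well-known probe of the Code Red worm against the IIS .ida buffer overflow (a fact not stated on the slide); an Apache server answers 404, so locally the entries are noise, but each one identifies an infected host that is scanning your network. As an added example that is not part of the original slides, the POSIX shell script below summarises such entries per client address from a constructed sample log. The sample lines, the function name ida_hits and the split into "payload" and "probe" hits are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original slides): scan an Apache access.log for
# the request pattern shown on slide 9 (GET /default.ida?XXXX...%uNNNN...) and
# summarise hits per client address. POSIX sh + awk only.

# Constructed sample log: two lines modelled on the slide, two benign lines.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
80.58.36.107 - - [14/Sep/2003:06:04:09 +0800] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [14/Sep/2003:06:05:00 +0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
80.58.36.107 - - [14/Sep/2003:06:07:09 +0800] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [14/Sep/2003:06:08:11 +0800] "GET /default.ida HTTP/1.1" 404 276 "-" "curl/7.10"
EOF

# ida_hits LOGFILE: prints one line per client address:
#   "payload N IP" when the request targets default.ida and carries %u-encoded
#                 bytes (the worm payload shown on the slide),
#   "probe N IP"   when default.ida is requested without such a payload.
ida_hits() {
  awk '
    # Combined log format: $1 is the client address, $7 the request path.
    $7 ~ /^\/default\.ida/ {
      if ($7 ~ /%u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]/) payload[$1]++
      else probe[$1]++
    }
    END {
      for (ip in payload) print "payload", payload[ip], ip
      for (ip in probe)   print "probe", probe[ip], ip
    }' "$1"
}

ida_hits "$SAMPLE_LOG"
```

Run it against the real file with `ida_hits /var/log/httpd/access.log`; the per-address counts are what you would feed into a block list or an abuse report, while the "probe" bucket catches scanners that only check whether the path exists.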

  10. Example 2: hacker tool CD

  11. How the Ethernet receiving end processes packets

  12. IP header contents

  13. TCP connection establishment (handshaking), 3 steps

  14. TCP connection termination, 4 steps

  15. Secure system installation
      Requirements when choosing a high-quality server installation package:
        Security
        Availability
        Commercially supported
        Performance and tuning
        Simplicity
      Points to note during installation:
        Do not connect to the network
        Installation type: Custom
        Disk partitioning and formatting
        Installing LILO
        User account configuration
        Authentication configuration
        Package selection and the install
        Getting and installing patches

  16. Post-installation security settings
      Securing services
      Securing LILO: can someone boot with `linux init=/bin/sh`? Set a `password` in lilo.conf, then
        chmod 640 /etc/lilo.conf
      File permissions
      Securing and managing suid root binaries:
        find / -type f -perm +6000 -exec ls -l {} \; > suidfiles.txt
        chmod -s programname
      Other necessary steps: /etc/passwd, /etc/securetty, /etc/security/, Bastille Linux, subscribe to the security mailing lists
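The suid audit on this slide is a one-shot listing; what an administrator actually wants to know is when a new set-uid or set-gid file appears after the baseline was taken. The following added example (not from the original slides) keeps that baseline and diffs against it. The slide's `find / -type f -perm +6000` uses the old GNU "+mode" spelling; the `-perm -4000 -o -perm -2000` form below means the same and is POSIX. The names suid_list, suid_baseline and suid_check are chosen here, and the demo runs on a constructed temporary directory rather than on /.

```shell
#!/bin/sh
# Added example (not part of the original slides): keep a baseline of set-uid /
# set-gid files and report any that appear afterwards.
export LC_ALL=C   # stable sort order so two listings are directly comparable

# suid_list DIR: sorted paths of every set-uid or set-gid regular file under DIR
suid_list() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# suid_baseline DIR FILE: record the current listing as the accepted baseline
suid_baseline() {
  suid_list "$1" > "$2"
}

# suid_check DIR FILE: print files that are set-uid/set-gid now but were not in
# the baseline; returns 1 if there are any, so cron can mail the output on failure
suid_check() {
  new=$(suid_list "$1" | comm -13 "$2" -)
  [ -z "$new" ] && return 0
  printf 'NEW set-uid/set-gid file(s) under %s:\n%s\n' "$1" "$new"
  return 1
}

# Demo on a constructed directory (auditing / for real needs root).
demo_dir=$(mktemp -d)
: > "$demo_dir/known-setuid"; chmod 4755 "$demo_dir/known-setuid"
suid_baseline "$demo_dir" "$demo_dir.baseline"        # accepted state
: > "$demo_dir/dropped-in";   chmod 4755 "$demo_dir/dropped-in"
suid_check "$demo_dir" "$demo_dir.baseline" \
  || echo "(review the file above; strip the bit with chmod -s if it is not needed)"
rm -rf "$demo_dir" "$demo_dir.baseline"
```

In practice the baseline is taken right after installation (slide 15) and stored off-host or on read-only media, and `suid_check` runs from cron.daily alongside the autoupdate job described later.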

  17. Secure network services
      SSH / SNP / PAM
      TCP-Wrappers
      Using passive fingerprinting (TTL, window size, DF, TOS)
      Stunnel:
        /usr/sbin/stunnel -p /etc/ssl/certs/server.pem -d spop3 -l /usr/sbin/ipop3d
      Apache-SSL
      Chroot
      PGP/GPG key server

  18. Security audit mechanisms
      /etc/syslog.conf: facility, syslog level, action
      tcplogd
      icmpinfo
      logcheck
      Tripwire: intrusion detection, damage assessment and recovery, policy compliance, software verification, forensics

  19. Intrusion Detection: Lines of Defence

  20. Firewalling Firewalls offer the outermost layer of protection for a network, providing a basic barrier and restricting points of access.

  21. LIDS LIDS is an intrusion detection and prevention system that resides within the Linux kernel. LIDS' protection is aimed at preventing the root user (who would normally have access to the entire system) from tampering with important parts of the system. LIDS' most important features include increased file system protection, protection against direct port access or direct memory access, protection against raw disk access, and protection of log files. LIDS also prevents certain system actions, such as installing a packet sniffer or changing firewall rules.

  22. Securing-Optimizing-Linux-The-Ultimate-Solution, pages 1-10, 23-24, 52, 63-101, 175-268, 302-361, 395-415, 632-659, 769-787

  23. Automatic updates
      Installation:
        rpm -ivh autoupdate-x.x.x-x.noarch.rpm
        rpm -ivh autoupdate-cfg-redhat-x.x.x-x.noarch.rpm
      Configuration:
        vi /etc/autoupdate.d/redhat.dld
        Change
          Host=ftp.redhat.com
          Dir=/pub/redhat/linux/updates/#DistVersion#/#DistLang#/os//
        to
          Host=linux.sinica.edu.tw
          Dir=/redhat/updates/#DistVersion#/#DistLang#/os//

  24. Automatic updates (cont)
      Run:
        autodld
        cd /var/spool/autoupdate
        rpm -Uvh kernel-2.4.x-x.x.i686.rpm
      Run automatically:
        cd /etc/cron.daily
        vi autodld
          #!/bin/sh
          /usr/sbin/autodld
        chmod 755 autodld

  25. SSL + Webmin installation
      tar xvfz Net_SSLeay.pm-1.23.tar.gz
      cd Net_SSLeay.pm-1.23
      perl Makefile.PL -t
      make install
      cd /usr/local
      tar xvfz /root/webmin-1.100.tar.gz
      cd webmin-1.100
      ./setup.sh
      [Test: https://IP:port]

  26. TCPWRAPPER
      1) Deny everything:
         # echo "ALL: ALL" >> /etc/hosts.deny
      2) Allow services individually:
         # vi /etc/hosts.allow
         ALL: 127.0.0.1, localhost
         sshd: ALL
         in.ftpd: ALL
         sendmail: ALL
         ipop3d: 192.168.
      Note: this configuration does not offer POP service to the outside. If the POP host is not directly attached to the internal network, and the internal network reaches the POP host through NAT, replace 192.168. with the external IP of the NAT host.

  27. Ntop installation
      tar xvfz Net-SNMP-4.1.2.tar.gz
      cd Net-SNMP-4.1.2
      perl Makefile.PL
      make install
      rpm -ivh --nodeps rrdtool-1.0.41-1.8.0.ntop.i386.rpm
      rpm -ivh --nodeps ntop-2.2-0.i386.rpm
      ln -sf /lib/libssl.so.0.9.7a /lib/libssl.so.2
      ln -sf /lib/libcrypto.so.0.9.7a /lib/libcrypto.so.2
      mkdir /var/ntop
      man ntop
      Run: ntop -d

  28. Ntop (cont)

  29. PGP/GPG
      gpg --export [--armor] #userid# > outfile   ← extract #userid#'s public key into outfile
      gpg --import [keyfile]                      ← add the public key in [keyfile] to the keyring
      gpg -k #userid#                             ← list the public key
      gpg -e -r #userid# file                     ← encrypt file into the binary file file.gpg
      gpg -e -r #userid# --armor file             ← encrypt file into the ASCII file file.asc
      gpg -s file                                 ← sign file into the binary file file.gpg
      gpg -s --armor file                         ← sign file into the ASCII file file.asc
      gpg -se -r #userid# file                    ← encrypt and sign file into the binary file file.gpg
      gpg -se -r #userid# --armor file            ← encrypt and sign file into the ASCII file file.asc
      gpg -v file                                 ← decrypt file

  30. iptables – IP packet filter management

  31. iptables – IP packet filter management (cont)
      -j MASQUERADE: used in the POSTROUTING chain of the nat table; tells the kernel to masquerade the packet, i.e. IP masquerading (NAT).
      Example: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
      Explanation: masquerades packets from the source network 192.168.1.X, translating their address for the outside.
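As an added example that is not part of the original slides, the script below wraps the slide's MASQUERADE rule in a minimal NAT gateway set-up, adding the forwarding policy and the anti-spoofing rules that the single rule on the slide leaves out (without them the gateway forwards anything, and a packet from the outside claiming a 192.168.1.x source would be accepted). It assumes, as the slide does, that 192.168.1.0/24 is the LAN, and additionally that eth0 is the external interface; DRY_RUN, run and nat_gateway are this example's own names.

```shell
#!/bin/sh
# Added example (not part of the original slides): a minimal NAT gateway built
# around the slide's MASQUERADE rule. Assumptions: eth0 is the external
# interface and 192.168.1.0/24 the LAN. DRY_RUN defaults to 1 and only prints
# the commands; run as root with DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# nat_gateway WAN_IF LAN_NET
nat_gateway() {
  wan=$1
  lan=$2
  run sysctl -w net.ipv4.ip_forward=1
  # Anti-spoofing: a packet arriving on the WAN side can never carry a LAN source.
  run iptables -A INPUT   -i "$wan" -s "$lan" -j DROP
  run iptables -A FORWARD -i "$wan" -s "$lan" -j DROP
  # Forward only LAN-originated flows and the replies to them; drop everything else.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -s "$lan" -o "$wan" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # The slide's rule, narrowed with -o so only traffic leaving via the WAN
  # interface is rewritten; a second internal interface is never masqueraded.
  run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
}

nat_gateway eth0 192.168.1.0/24
```

Review the printed rules first, then `DRY_RUN=0 sh nat.sh` as root; the rule order matters, because the DROP rules must precede the ACCEPT rules in the FORWARD chain.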

  32. Monitoring and system integrity tools
      sXid
      Logcheck
      PortSentry
      Tripwire
      logwatch

  33. Tripwire
      rpm -ivh /mnt/cdrom/RedHat/RPMS/tripwire-2.3.x-x.i386.rpm
      cd /etc/tripwire/
      ./twinstall.sh
      tripwire --init

  34. Tripwire (cont)
      1) When needed, run the following command to check the system:
         /usr/sbin/tripwire --check
      2) Also check root's mailbox regularly, so that Tripwire's reports actually get attention.
      3) If you have updated files, the two steps above will tell you. If you are sure the changes listed in the report are necessary and safe, and do not want to be told about them again, first find the latest report for this host in /var/lib/tripwire/report/, for example:

  35. Tripwire (cont)
      /var/lib/tripwire/report/your.machine.name-20020326-040526.twr
      Run the following command to edit this report (vi mode by default):
        /usr/sbin/tripwire -m u -r \
          /var/lib/tripwire/report/your.machine.name-20020326-040526.twr
      Quit vi and enter the passphrase to update the database.
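Slides 33 to 35 describe the Tripwire cycle: initialise the database, check against it, and accept changes only after reviewing them. The following added example, which is not from the original slides and is not Tripwire's own code, reproduces that cycle with sha256sum so the idea can be tried on any host without Tripwire installed; integrity_init and integrity_check are names chosen here, and file names are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not part of the original slides): the Tripwire workflow of
# slides 33-35 done with sha256sum. integrity_init plays "tripwire --init" and,
# when rerun after a review, "tripwire -m u"; integrity_check plays "--check".
export LC_ALL=C   # stable sort order

# integrity_init DIR DB: record "hash  ./path" for every regular file under DIR
integrity_init() {
  ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
      sha256sum "$f"
    done ) > "$2"
}

# integrity_check DIR DB: print ADDED / REMOVED / CHANGED lines for DIR against
# the database DB; returns 1 if anything differs, 0 if the tree is unchanged
integrity_check() {
  cur=$(mktemp)
  integrity_init "$1" "$cur"
  report=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
    { now[$2] = $1 }                              # second file: current state
    END {
      for (f in now)  if (!(f in base))                       print "ADDED   " f
      for (f in base) if (!(f in now))                        print "REMOVED " f
      for (f in base) if ((f in now) && now[f] != base[f])    print "CHANGED " f
    }' "$2" "$cur" | sort)
  rm -f "$cur"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Demo on a constructed directory; the database is kept outside the tree.
demo=$(mktemp -d); demo_db=$(mktemp)
echo "original" > "$demo/passwd"
integrity_init "$demo" "$demo_db"                 # like: tripwire --init
echo "tampered" > "$demo/passwd"
integrity_check "$demo" "$demo_db" || true        # like: tripwire --check
integrity_init "$demo" "$demo_db"                 # like: tripwire -m u, after review
integrity_check "$demo" "$demo_db" && echo "clean after accepting the change"
rm -rf "$demo" "$demo_db"
```

The same caveat as for Tripwire applies: the database is only trustworthy if it is stored where an intruder who has modified the tree cannot also modify it, so keep it on read-only media or copy it off the host after each accepted update.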

  36. Openwebmail installation
      tar xvfz CGI.pm-2.74.tar.gz
      cd CGI.pm-2.74
      perl Makefile.PL
      make install
      cd ..
      tar xvfz MIME-Base64-2.12.tar.gz
      cd MIME-Base64-2.12
      perl Makefile.PL
      make install
      cd ..

  37. Openwebmail (cont)
      tar xvfz Text-Iconv-1.2.tar.gz
      cd Text-Iconv-1.2
      perl Makefile.PL
      make install
      cd ..
      rpm -ivh perl-suidperl-5.8.0-88.i386.rpm
      rpm -ivh openwebmail-2.10-1.i386.rpm

  38. Openwebmail (cont)
      cd /var/www/cgi-bin/openwebmail/
      vi etc/openwebmail.conf
      Change the following settings (from -> to):
        dbm_ext            .db             ->  .db
        dbmopen_ext        none            ->  %dbm_ext%
        dbmopen_haslock    no              ->  yes
        default_language   (not set)       ->  zh_TW.Big5
        default_iconset    Cool3D.English  ->  Cool3D.Chinese.Traditional
      ./openwebmail-tool.pl --init

  39. Openwebmail (cont)
      vi /etc/httpd/conf/httpd.conf
      Change AddDefaultCharset ISO-8859-1 to AddDefaultCharset zh_TW.Big5
      cp save_user.cgi /usr/local/webmin-1.100/useradmin/save_user.cgi
      /etc/rc.d/init.d/httpd restart
      http://IP/cgi-bin/openwebmail/openwebmail.pl
      <meta http-equiv="refresh" content="0; url=/cgi-bin/openwebmail/openwebmail.pl">

  40. Openwebmail (cont)

  41. MailScanner + Sophos
      tar xvfz MailScanner-x.xx-x.rpm.tar.gz
      cd MailScanner-x.xx-x
      ./Update-MakeMaker.sh
      ./install.sh
      cd ..
      tar xvf linux.intel.libc6.tar
      cd sav-install/
      useradd -M -s /bin/true sweep
      ./install.sh
      cd ..
      cd ide
      cp * /usr/local/sav/
      icheckd -d

  42. MailScanner + Sophos (cont)
      vi /etc/MailScanner/MailScanner.conf
      Change Virus Scanners = none to Virus Scanners = sophos
      vi virus.scanners.conf
      Edit so that only the sophos line remains:
        sophos /usr/lib/MailScanner/sophos-wrapper /usr/local
      vi /usr/lib/MailScanner/sophos-wrapper
        SAV_IDE=/usr/local/sav
        LD_LIBRARY_PATH=/usr/local/lib

  43. MailScanner + Sophos (cont)
      vi /etc/aliases
      Change #root: to root:
      newaliases
      vi /etc/mail/sendmail.cf
      Change
        O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
      to
        # O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA
      cd /etc/mail
      rm -rf *.db
      make all
      /etc/rc.d/init.d/sendmail stop
      marc admin

  44. MailScanner + Sophos (cont)
      The following e-mail messages were found to have viruses in them:
      Sender: admin@www.ee.oit.edu.tw
      IP Address: 61.66.36.199
      Recipient: lee@www.ee.oit.edu.tw
      Subject: your account
      MessageID: h8H5EkJ29096
      report: Sophos: >>> Virus 'W32/Mimail-A' found in file ./h8H5EkJ29096/message.zip/message.html
              Sophos: >>> Virus 'W32/Mimail-A' found in file ./h8H5EkJ29096/message.zip
      errezcaz
      -- MailScanner Email Virus Scanner www.mailscanner.info

  45. MailScanner + Sophos (cont)
      The following e-mail messages were found to have viruses in them:
      Sender: sender2@www-mailserver.com
      IP Address: 210.201.64.73
      Recipient: pcc@www.ee.oit.edu.tw
      Subject: =?Big5?B?p0u2T6/BqPotLbftpWqo5a21vNa5SqRXsnulTrdSsaEoNaT5Q0Qp?=
      MessageID: h8H1WsJ27456
      report: MailScanner: foundform
      -- MailScanner Email Virus Scanner www.mailscanner.info

  46. NIDS -- Snort
      1.) *** Make sure you have libpcap installed!!! ***
      2.) ./configure
      3.) make
      4.) make install
      5.) Create a sample rules file (if you want to use rules, check out the included snort.conf file)
      6.) snort -?
      7.) If you've used previous versions of Snort, you may need to rewrite your rules to make them compliant to the rules format. See SnortUsersManual.pdf or http://www.snort.org for more information.

  47. NIDS – Snort (cont)
      mkdir /var/log/snort
      snort -c xxx/etc/snort.conf -D
      Example: less /var/log/snort/alert
      [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
      [Classification: Misc activity] [Priority: 3]
      09/17-17:00:58.755169 192.192.72.138 -> 192.192.73.9
      ICMP TTL:127 TOS:0x0 ID:20824 IpLen:20 DgmLen:92
      Type:8 Code:0 ID:512 Seq:48968 ECHO
      [Xref => http://www.whitehats.com/info/IDS154]

      [**] [1:483:2] ICMP PING CyberKit 2.2 Windows [**]
      [Classification: Misc activity] [Priority: 3]
      09/17-17:00:59.020645 192.192.72.138 -> 192.192.73.26
      ICMP TTL:127 TOS:0x0 ID:20877 IpLen:20 DgmLen:92
      Type:8 Code:0 ID:512 Seq:53320 ECHO
      [Xref => http://www.whitehats.com/info/IDS154]

  48. VPN
      Test environment (assumed):
        remote end (g1): real 201.0.1.1, vpn 192.168.1.254
        local end (g2): real 202.0.2.2, vpn 192.168.2.254
      Setup steps:
      1) Set up SSH on 201.0.1.1:
         # mkdir /etc/skel/.ssh
         # useradd -m vpn1
      2) On 202.0.2.2 run:
         # ssh-keygen -t rsa      (press Enter three times; no passphrase is set)
      3) Back on 201.0.1.1 run:
         # cd ~vpn1/.ssh
         # scp 202.0.2.2:/root/.ssh/id_rsa.pub ./
         # cat id_rsa.pub >> authorized_keys
         # chown -R vpn1.vpn1 ~vpn1/.ssh
         # chmod 711 ~vpn1/.ssh
         # chmod 644 ~vpn1/.ssh/authorized_keys
      4) Then on 202.0.2.2 test the RSA ssh login and confirm that no password is needed:
         # ssh -l vpn1 201.0.1.1

  49. VPN (cont)
      Configure the remote end
      1) On 201.0.1.1 run visudo and add the following lines:
         User_Alias VPNUSER=root,vpn1
         Cmnd_Alias VPN=/usr/sbin/pppd,/sbin/route
         VPNUSER ALL=(ALL) NOPASSWD: VPN
      2) In /usr/local/sbin create an executable script named vpn-ppp:
         #!/bin/bash
         exec sudo /usr/sbin/pppd
         ** Note: remember to run: chmod +x /usr/local/sbin/vpn-ppp
      3) Change the shell of vpn1:
         usermod -s /usr/local/sbin/vpn-ppp vpn1

  50. VPN (cont)
      Configure the local end
      1) Download pty-redir-0.1.tgz onto the 202.0.2.2 machine and extract it into /usr/local:
         # wget http://www.study-area.org/linux/src/pty-redir-0.1.tgz
         # tar zxvf pty-redir-0.1.tgz
         # mv pty-redir-0.1 /usr/local
         # cd /usr/local/pty-redir-0.1
         # make
         # cp pty-redir /usr/local/sbin
      2) Copy vpnd into the init.d directory:
         # cp vpnd /etc/rc.d/init.d
