379.html

关于jsp的一些好文章 主要介绍一些关于JSP的应用技巧方面的东西

<STYLE type=text/css>
<!--
body,td { font-size:9pt;}
hr { color: #000000; height: 1px}
-->
</STYLE>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD><TITLE>论坛精华 >> solaris 专栏 >> Solaris针对安全的网络设置</title>
</head>
<body >

<p><IMG SRC="../image/jsp001_middle_logo.gif" WIDTH="180" HEIGHT="60" BORDER=0 ALT=""></p>

<table width=100% bgcolor="#cccccc" align=center cellpadding="2" cellspacing="0" border=1 bordercolorlight="#000000" bordercolordark="#FFFFFF">
<tr bgcolor="#EFF8FF"><td>
<a href=http://www.jsp001.com/list_thread.php?int_attribute=4>论坛精华</a>
>> <a href=http://www.jsp001.com/list_thread.php?forumid=39&int_attribute=4>solaris 专栏</a>
>> Solaris针对安全的网络设置 [<a href=http://www.jsp001.com/forum/showthread.php?goto=newpost&threadid=379>查看别人的评论</a>]<br>

<hr>
<p>由 fei 发布于: 2001-02-12 14:43</p>

<p> </p>

<p>作者：deepin (deepin@nsfocus.com) <br>
主页：http://www.nsfocus.com <br>
<br>
没有前言，让我们直接开始。 <br>
<br>
一.Solaris ndd命令 <br>
Ndd命令能容易的在不重新配置系统内核和重起系统的情况下，修改核心和TCP/IP的设备的一些参数。使用如下命令可看到相应的帮助。 <br>
<br>
[root@ /]&gt; ndd /dev/arp \? <br>
? (read only) <br>
arp_cache_report (read only) <br>
arp_debug (read and write) <br>
arp_cleanup_interval (read and write) <br>
[root@ /]&gt; ndd /dev/icmp \? <br>
? (read only) <br>
icmp_wroff_extra (read and write) <br>
icmp_def_ttl (read and write) <br>
icmp_bsd_compat (read and write) <br>
icmp_xmit_hiwat (read and write) <br>
icmp_xmit_lowat (read and write) <br>
icmp_recv_hiwat (read and write) <br>
icmp_max_buf (read and write) <br>
icmp_status (read only) <br>
[root@ /]&gt; ndd /dev/ip \? <br>
? (read only) <br>
ip_forwarding (read and write) <br>
ip_respond_to_address_mask_broadcast(read and write) <br>
ip_respond_to_echo_broadcast (read and write) <br>
ip_respond_to_timestamp (read and write) <br>
ip_respond_to_timestamp_broadcast(read and write) <br>
ip_send_redirects (read and write) <br>
ip_forward_directed_broadcasts(read and write) <br>
ip_debug (read and write) <br>
ip_mrtdebug (read and write) <br>
ip_ire_cleanup_interval (read and write) <br>
ip_ire_flush_interval (read and write) <br>
ip_ire_redirect_interval (read and write) <br>
ip_def_ttl (read and write) <br>
ip_forward_src_routed (read and write) <br>
ip_wroff_extra (read and write) <br>
ip_ire_pathmtu_interval (read and write) <br>
ip_icmp_return_data_bytes (read and write) <br>
ip_send_source_quench (read and write) <br>
ip_path_mtu_discovery (read and write) <br>
ip_ignore_delete_time (read and write) <br>
ip_ignore_redirect (read and write) <br>
ip_output_queue (read and write) <br>
ip_broadcast_ttl (read and write) <br>
ip_icmp_err_interval (read and write) <br>
ip_reass_queue_bytes (read and write) <br>
ip_strict_dst_multihoming (read and write) <br>
ip_addrs_per_if (read and write) <br>
ip_ill_status (read only) <br>
ip_ipif_status (read only) <br>
ip_ire_status (read only) <br>
ip_ipc_status (read only) <br>
ip_rput_pullups (read and write) <br>
ip_enable_group_ifs (read and write) <br>
[root@ /]&gt; ndd /dev/tcp \? <br>
? (read only) <br>
tcp_close_wait_interval (read and write) <br>
tcp_conn_req_max_q (read and write) <br>
tcp_conn_req_max_q0 (read and write) <br>
tcp_conn_req_min (read and write) <br>
tcp_conn_grace_period (read and write) <br>
tcp_cwnd_max (read and write) <br>
tcp_debug (read and write) <br>
tcp_smallest_nonpriv_port (read and write) <br>
tcp_ip_abort_cinterval (read and write) <br>
tcp_ip_abort_linterval (read and write) <br>
tcp_ip_abort_interval (read and write) <br>
tcp_ip_notify_cinterval (read and write) <br>
tcp_ip_notify_interval (read and write) <br>
tcp_ip_ttl (read and write) <br>
tcp_keepalive_interval (read and write) <br>
tcp_maxpsz_multiplier (read and write) <br>
tcp_mss_def (read and write) <br>
tcp_mss_max (read and write) <br>
tcp_mss_min (read and write) <br>
tcp_naglim_def (read and write) <br>
tcp_rexmit_interval_initial (read and write) <br>
tcp_rexmit_interval_max (read and write) <br>
tcp_rexmit_interval_min (read and write) <br>
tcp_wroff_xtra (read and write) <br>
tcp_deferred_ack_interval (read and write) <br>
tcp_snd_lowat_fraction (read and write) <br>
tcp_sth_rcv_hiwat (read and write) <br>
tcp_sth_rcv_lowat (read and write) <br>
tcp_dupack_fast_retransmit (read and write) <br>
tcp_ignore_path_mtu (read and write) <br>
tcp_rcv_push_wait (read and write) <br>
tcp_smallest_anon_port (read and write) <br>
tcp_largest_anon_port (read and write) <br>
tcp_xmit_hiwat (read and write) <br>
tcp_xmit_lowat (read and write) <br>
tcp_recv_hiwat (read and write) <br>
tcp_recv_hiwat_minmss (read and write) <br>
tcp_fin_wait_2_flush_interval (read and write) <br>
tcp_co_min (read and write) <br>
tcp_max_buf (read and write) <br>
tcp_zero_win_probesize (read and write) <br>
tcp_strong_iss (read and write) <br>
tcp_rtt_updates (read and write) <br>
tcp_wscale_always (read and write) <br>
tcp_tstamp_always (read and write) <br>
tcp_tstamp_if_wscale (read and write) <br>
tcp_rexmit_interval_extra (read and write) <br>
tcp_deferred_acks_max (read and write) <br>
tcp_slow_start_after_idle (read and write) <br>
tcp_slow_start_initial (read and write) <br>
tcp_co_timer_interval (read and write) <br>
tcp_extra_priv_ports (read only) <br>
tcp_extra_priv_ports_add (write only) <br>
tcp_extra_priv_ports_del (write only) <br>
tcp_status (read only) <br>
tcp_bind_hash (read only) <br>
tcp_listen_hash (read only) <br>
tcp_conn_hash (read only) <br>
tcp_queue_hash (read only) <br>
tcp_host_param (read and write) <br>
tcp_1948_phrase (write only) <br>
<br>
显示当前值 <br>
#ndd /dev/arp arp_debug <br>
0 <br>
0:代表特性禁止 <br>
ndd –set /dev/arp arp_debug 1 <br>
1:允许 <br>
<br>
由于这些参数一般是经过优化过的，而且一旦改变失误，可能导致系统的不正常工作。所以sun不提供文档供人随意调节。 <br>
<br>
二.ARP <br>
有关ARP协议的细节，请自己参阅相关文档。对于sun的系统,核心默认的ARP表过期的时间是5分钟,并且可以调节.另外一张表是ip层的路由表，它和arp表配合记录动态路由信息，20分钟过期，最后一个特性是”无偿ARP” ,即系统广播自己的硬件地址。这个特性用来诊断是否存在相同的硬件地址，另外也用来生成硬件地址的变动通知。 <br>
1、ARP攻击 <br>
针对ARP的攻击主要有两种，一种是DOS,一种是Spoof。 <br>
ARP欺骗往往应用于一个内部网络，我们可以用它来扩大一个已经存在的网络安全漏洞。 <br>
如果你可以入侵一个子网内的机器，其它的机器安全也将受到ARP欺骗的威胁。同样，利用APR的DOS甚至能使整个子网瘫痪。 <br>
<br>
2、对ARP攻击的防护 <br>
防止ARP攻击是比较困难的,修改协议也是不大可能。但是有一些工作是可以提高本地网络的安全性。 <br>
首先，你要知道，如果一个错误的记录被插入ARP或者IP route表，可以用两种方式来删除。 <br>
a. 使用arp –d host_entry <br>
b. 自动过期，由系统删除 <br>
<br>
这样，可以采用以下的一些方法： <br>
1）. 减少过期时间 <br>
#ndd –set /dev/arp arp_cleanup_interval 60000 <br>
#ndd -set /dev/ip ip_ire_flush_interval 60000 <br>
60000=60000毫秒 默认是300000 <br>
加快过期时间，并不能避免攻击，但是使得攻击更加困难，带来的影响是在网络中会大量的出现ARP请求和回复，请不要在繁忙的网络上使用。 <br>
2）. 建立静态ARP表 <br>
这是一种很有效的方法，而且对系统影响不大。缺点是破坏了动态ARP协议。可以建立如下的文件。 <br>
test.nsfocus.com 08:00:20:ba:a1:f2 <br>
user. nsfocus.com 08:00:20:ee:de:1f <br>
使用arp –f filename加载进去，这样的ARP映射将不会过期和被新的ARP数据刷新，除非使用arp –d才能删除。但是一旦合法主机的网卡硬件地址改变，就必须手工刷新这个arp文件。这个方法，不适合于经常变动的网络环境。 <br>
3）．禁止ARP <br>
可以通过ifconfig interface –arp 完全禁止ARP，这样，网卡不会发送ARP和接受ARP包。但是使用前提是使用静态的ARP表，如果不在apr表中的计算机 ，将不能通信。这个方法不适用与大多数网络环境，因为这增加了网络管理的成本。但是对小规模的安全网络来说，还是有效和可行的。 <br>
<br>
3、IP <br>
IP是用来传输数据的底层协议。 <br>