<p>Service - what network service(s) do you want to allow/deny to this host? Services are defined by their port number. You can also put ALL instead, to block off EVERY well-known port to this host (a well-known port is any port between 0 and 1024. These ports are called well-known ports because each one has a default network service associated with it. For example: port 23 is the default for telnet, port 21 is the default for FTP, port 25 is the default for Sendmail, port 110 is the default for POP3, etc.).</p>

<p>Each line within this file represents a combination of a host and the port(s) that you don't want this host to be able to access. This is called basic packet filtering.</p>

<p>Now, the /etc/hosts.allow file works exactly like hosts.deny, only it contains 

  hosts that you want to allow access to. Here are a few examples of why you would 

  need such a thing:</p>

<p>Example #1: You want to block every well-known port to AOL users besides port 21, so that they can access your FTP server. To do this, you put *.aol.com:all in your hosts.deny file and then *.aol.com:21 in your hosts.allow file. As you can see, hosts.allow has a higher priority than hosts.deny.</p>

<p>Example #2: You want to block off AOL users from your FTP server on port 21, 

  besides foobar.aol.com, which is actually quite nice and always has something 

  interesting to contribute to your FTP collection. To do this, you put *.aol.com:21 

  in hosts.deny and foobar.aol.com:21 in your hosts.allow file.</p>
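The two examples above come down to one evaluation order: hosts.allow is consulted first and wins, hosts.deny is consulted next, and anything matched by neither is allowed. The following Python function is an added example (not part of the original tutorial and not the tcpd implementation) that reproduces that order over the simplified "host-pattern:ports" line format the text uses; that format, the treatment of "all" as "every port between 0 and 1024" exactly as the tutorial defines it, and the sample rule files are assumptions constructed for the demonstration.

```python
"""Evaluate the hosts.allow / hosts.deny precedence described in the text.

Added example; it uses the simplified "host-pattern:ports" line format the
tutorial shows (e.g. "*.aol.com:all"), which is an assumption, not the full
syntax of a real tcpd rule file.
"""
import fnmatch

# The tutorial's definition of a well-known port: anything from 0 to 1024.
WELL_KNOWN = range(0, 1025)


def parse_rules(text):
    """Turn rule lines into (host_pattern, ports) tuples; ports is None for 'all'."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        host, _, ports = line.partition(":")
        host, ports = host.strip().lower(), ports.strip().lower()
        if ports == "all":
            rules.append((host, None))            # None = every well-known port
        else:
            rules.append((host, {int(p) for p in ports.split(",")}))
    return rules


def rule_matches(rule, client, port):
    """True when the client name matches the shell-style host pattern and the port is covered."""
    host_pattern, ports = rule
    if not fnmatch.fnmatch(client.lower(), host_pattern):
        return False
    return port in WELL_KNOWN if ports is None else port in ports


def is_allowed(client, port, allow_text, deny_text):
    """hosts.allow is checked first and wins, then hosts.deny, then the default is allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, client, port):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, client, port):
            return False
    return True


# Constructed rule files reproducing Example #1 and Example #2 from the text.
EX1_DENY, EX1_ALLOW = "*.aol.com:all\n", "*.aol.com:21\n"
EX2_DENY, EX2_ALLOW = "*.aol.com:21\n", "foobar.aol.com:21\n"

if __name__ == "__main__":
    for client, port in [("dialup1.aol.com", 21), ("dialup1.aol.com", 23), ("host.example.net", 23)]:
        print("Example #1", client, port, "->", "allow" if is_allowed(client, port, EX1_ALLOW, EX1_DENY) else "deny")
    for client, port in [("foobar.aol.com", 21), ("other.aol.com", 21), ("other.aol.com", 80)]:
        print("Example #2", client, port, "->", "allow" if is_allowed(client, port, EX2_ALLOW, EX2_DENY) else "deny")
```

One consequence of the tutorial's own definition is visible in the first example: "all" covers only ports 0 to 1024, so a service listening on, say, 8080 is still reachable by the blocked hosts unless you list that port explicitly.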

<p><b><font size="4">Advanced Packet Filtering</font></b><br>

  <br>

  Yup... firewalls.</p>

<p>Firewalls are programs that watch everything that comes in and out of your network or personal computer, and decide what to allow and what to block. By their nature, firewalls need root privileges to run (or admin privileges on NT networks).</p>

<p>Firewalls usually come with a set of pre-made rules files. Rules files are files with rules on what to allow and what to deny. These rules files can block DoS attacks and relatively popular methods of hacking. Also, most firewalls come with a 'learning mode' option, which is a way of defining your rules as you go on (whenever something comes in or out, you are asked to either allow or deny it, and the firewall adapts itself to your preferences).</p>

<p>One of the best firewalls for Unix (and one of the best firewalls in the world) is IP Chains. Search for the latest version at packetstorm.securify.com (search for ipchains, not ip-chains or ip chains or anything else; otherwise, you probably won't find anything), securityfocus.com or linux.box.sk.</p>

<p>For help using ipchains (ipchains isn't exactly the most user-friendly firewall in existence), get some ipchains howtos (a howto is a document on how to do something or how to use something), which probably come with the ipchains package anyway, together with the executables, the configuration files, etc. These howtos should help you a lot. You should also get a front-end for ipchains if you're a first-time user.</p>

<p>Some people will argue and claim that other packet filtering firewalls, such 

  as BSD's ipfilter, are better than ipchains. However, I still consider ipchains 

  as my firewall of choice.</p>

<p><b><font size="4">DoS Attacks</font></b><br>

  <br>

  DoS stands for Denial of Service. DoS attacks deny access to a certain service 

  for a certain person. DoS attacks can crash your computer, disconnect you, crash 

  your web server programs, SMTP server programs, POP3 server programs etc', disallow 

  you access to your Email account (a mailbomb (flooding someone with enormous 

  amounts of Emails. Usually done with some sort of a program which<br>

  automates this progress) is also considered a DoS attack (although somewhat 

  privitive) because it fills up your mailbox and denies you access to it), block 

  certain remote services and in general anything you can think of that will deny 

  you access to something.</p>

<p>To protect yourself against DoS attacks, I recommend either:</p>
<p>a) Getting a good firewall (see previous section).<br>
  b) Subscribing to security mailing lists and checking online databases frequently to get the latest versions of everything and all the latest patches.</p>

<p><b><font size="4">Security Scanners</font></b><br>

  <br>

  Security scanners automatically test the security of a network by attempting 

  to crack into it in different popular ways. It is advised to run one on your 

  network or home PC (unless you don't run any services on your system, which 

  makes your system much less vulnerable, in which case there is no need to be<br>

  so paranoid. Just avoid default configurations and read all the rest of the 

  sections and you're pretty much safe) to test it's security, although just running 

  one isn't enough to secure oneself (follow the rest of the instructions in this 

  text and read some other texts and books. This text is in no way complete (ahem... 

  the name is BASIC Local/Remote Unix Security). Try some of the stuff at blacksun.box.sk's 

  books page).</p>

<p>In the next part, I will review some of the best scanners available at the 

  time this tutorial was written, although not in much depth and detail, since 

  I am limited in size and time.</p>

<p><b><font size="4">The Scanners</font></b><br>

  <br>

  Remote security scanners test the security of a remote network or computer over 

  a LAN (Local Area Network), a WAN (Wide Area Network, such as the Internet) 

  or any other kind of network.</p>

<p><font size="4"><b>SATAN</b></font><br>

  <br>

  Author: Dan Farmer and Weitse Venema.<br>

  Language written in: C and Perl.<br>

  Platform built on: some version of Unix.<br>

  Requirements: Unix, Perl 5.001+, C, IP header files and root access on the system 

  you intend to run Satan from.</p>

<p>Satan stands for Security Administrator's Tool for Analyzing Networks. It is the first security scanner that is actually user-friendly. It is built as a website, where you can choose attacks using simple forms, pulldown boxes, radio boxes and check boxes, and it displays all the output in an easily-readable form, ready for printing.</p>

<p>Satan also includes a short and easy-to-understand tutorial on each attack, 

  which makes it an excellent source for security study for beginners. If you're 

  interested in network security, it is advised to get Satan and try running it 

  on your computer and scanning your friends (DO NOT scan systems you are not 

  allowed to scan! It is illegal!).</p>

<p>If you prefer the command-line approach, Satan can also be run using a simple 

  command-line-based interface.</p>

<p>Satan can be obtained from the following URL: http://www.trouble.org/~zen/satan/satan.html</p>

<p>As far as I know, there are no Windows NT and Macintosh versions of Satan, but I haven't checked for a long time now. I expect that there should be a Windows NT version soon, if there isn't one already.</p>

<p>If you're using any version of Linux, you must make several modifications to 

  run Satan on your system (the next part has been copied from some website. I 

  forgot the website's URL, but I'm not going to credit these folks anyway, since 

  I am sure they have stolen this from some book... forgot the book's name, though...):<br>

  a) The file tcp_scan makes incompatible select() calls. To fix this problem,</p>

<p><b><font size="4">Nessus</font></b><br>

  <br>

  Author: Renaud Deraison.<br>

  Language written in: C.<br>

  Platform built on: Linux.<br>

  Requirements: Linux (most non-Linux distributions will also run it, though, 

  since they all can emulate each other's programs), C, X-Windows and GTK (the 

  version of GTK you will need depends on the version of Nessus you intend to 

  run).</p>

<p>Nessus is another excellent remote security scanner. It has a user-friendly graphical user interface and relatively fast scans. Get Nessus from the following URL: 
  <a href="http://www.nessus.org" target="_blank">http://www.nessus.org</a></p>

<p><b><font size="4">IdentTCPScan</font></b><br>

  <br>

  Author: Dave Goldsmith.<br>

  Language written in: C.<br>

  Platform built on: Unix.<br>

  Requirements: Unix, C, IP header files.</p>

<p>IdentTCPScan has a very useful ability: it portscans its target (determines which ports are open on the target host), tells you what service is probably running on each port, and tells you which user is running it by his UID.</p>

<p>This can reveal some interesting holes. For example: if it discovers that some network or computer is running their web server as UID 0 (remember? UID 0 = root access), this is a serious security hole! If some malicious attacker exploits a hole in, say, one of the CGIs on this website, he could access ANY file on the system, since the web server runs as root and so has unrestricted access. Web servers should run as users that have limited access (in this case, the web server should only have access to the files contained in the website and to its own files, of course).</p>
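The same "which UID owns the service on this port" question can be answered on the host itself without a scanner: on Linux, every row of /proc/net/tcp carries the socket's owning uid. The following Python script is an added example (not part of the tutorial and not IdentTCPScan's code) that parses that table, lists listening sockets with their owner, and flags root-owned listeners on ports where you expect an unprivileged service; the sample table is constructed, and the set of ports to flag is an assumption you would adjust for your own hosts.

```python
"""List listening TCP sockets with their owning uid, from /proc/net/tcp.

Added example, not from the tutorial. Columns of /proc/net/tcp used here:
local_address (hex ip:port), st (state; 0A = LISTEN) and uid.
"""
import socket
import struct

LISTEN = "0A"  # state code the kernel prints for a listening socket


def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, state, uid)] for every data row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # data rows start with a sequence number like "0:"; the header does not
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the kernel prints the address as a native-endian 32-bit word, so
        # unpack it as little-endian on x86 before converting to dotted form
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append((ip, int(port_hex, 16), fields[3], int(fields[7])))
    return rows


def listeners(text):
    """Return [(ip, port, uid)] for the sockets in LISTEN state."""
    return [(ip, port, uid) for ip, port, state, uid in parse_proc_net_tcp(text)
            if state == LISTEN]


def root_listeners(text, suspicious_ports=(80, 443)):
    """Return [(ip, port)] for root-owned listeners on ports that should not need root."""
    return [(ip, port) for ip, port, uid in listeners(text)
            if uid == 0 and port in suspicious_ports]


# Constructed sample: a root-owned web server on 80, MySQL on 3306 owned by
# uid 1000, sshd on 22, and one established (non-listening) connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18273 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 18301 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0050 5E8A0C11:C1B2 01 00000000:00000000 00:00000000 00000000     0        0 19999 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:   # the live table, on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP           # fall back to the constructed sample
    for ip, port, uid in listeners(table):
        print(f"{ip}:{port} listening, owned by uid {uid}")
    for ip, port in root_listeners(table):
        print(f"WARNING: root-owned listener on {ip}:{port}")
```

One caveat applies to this check and equally to what an ident-based scanner reports: the uid recorded on a socket is that of the process that created it. A server that binds port 80 as root and then drops privileges in its worker processes still shows uid 0 here, so a flagged port means "confirm the uid of the process actually handling requests", not "this server serves requests as root".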

<p>Unfortunately, I don't have an up-to-date URL. Try searching packetstorm.securify.com 

  or securityfocus.com.</p>


<p><font size="4"><b>Appendix A: Security Checklists</b></font><br>

  <br>

  Here are some URLs for &quot;security checklists&quot; - papers that explain 

  about various actions that need to be taken in order to increase your box'ssecurity.</p>

<p>Unix Computer Security Checklist<br>
  Author: AUSCERT<br>
  URL: <a href="http://www.bive.unit.liu.se/security/AUSCERT_checklist1.1html" target="_blank">http://www.bive.unit.liu.se/security/AUSCERT_checklist1.1html</a></p>

<p>Generic Password Security Checklist<br>

  Author: Lindsay Winsor<br>

  URL: <a href="http://delphi.colorado.edu/%7Esecurity/users/access/goodprac.htm" target="_blank">http://delphi.colorado.edu/~security/users/access/goodprac.htm</a></p>

<p>CERT Coordination Center Generic Security Information Checklist<br>

  Author: CERT<br>

  URL: <a href="http://ird.security.mci.net/check/cert-sec.html" target="_blank">http://ird.security.mci.net/check/cert-sec.html</a></p>

<p>TCP/IP Security Checklist<br>

  Author: Dale Drew<br>

  URL: <a href="http://ird.security.mci.net/check.html" target="_blank">http://ird.security.mci.net/check.html</a></p>

<p>Security Policy Checklist*<br>

  Author: Barbara Guttman and Robert Bagwill<br>

  URL: <a href="http://csrc.nist.gov/isptg/html/ISPTG-Contents.html" target="_blank">http://csrc.nist.gov/isptg/html/ISPTG-Contents.html</a></p>

<p>* Why would you want to establish a written security policy? Because if you're running an office network or some other kind of widely-used network and you plan to sue anyone who would hurt or try to hurt the integrity of your network, then a written and published security policy would be the first thing you'll need in order to sue.</p>

<p><b><font size="4">Appendix B: Using Different Loggers</font></b><br>

  <br>

  Suppose your network or home PC have been compromised and broken into. What's 

  next? Surely you would like to sue the bastard, or at least find out how exactly 

  they got in. Or perhaps someone is inside your system right now and you want 

  to look for anything suspicious.<br>

  For any of the two, you will need the kind of evidence found in log files. But 

  what if the attacker has erased all forms of evidence of his mischevious acts 

  (which is very probable)? Most attackers will do that using automated log cleaners, 

  which will delete their presense from the log files. But what if you're using 

  something the attacker nor the creator of the log cleaner hasn't been expecting? 

  I'm talking about another logger, which the automated tool will not detect and 

  mess with. If you are using another logger or a modified logger, it is most 

  likely that script kiddies won't notice it, and only real crackers will notice 

  it and get read of their presense in your logs. This will increase the chance 

  that you will get to keep your logs.</p>
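A second logger that attackers do not expect buys you a copy of the evidence; making that copy tamper-evident tells you afterwards whether a log cleaner got to it anyway. The following Python code is an added example (not part of the tutorial and not any particular logger's code) of a secondary log whose records are chained with a keyed digest, so that deleting, editing or truncating records is detectable on verification. The key, the storage format "&lt;digest&gt; &lt;line&gt;" and the sample log lines are constructed assumptions; the key and the last digest have to be kept somewhere the attacker cannot reach (off-host, for instance), or the chain can simply be rebuilt.

```python
"""Tamper-evident secondary log: each record carries an HMAC over the previous
record's digest and its own text, so the chain breaks wherever a record is
removed or altered.

Added example, not part of the tutorial. DEMO_KEY and SAMPLE_LINES are
constructed for the demonstration.
"""
import hashlib
import hmac

GENESIS = "0" * 64  # digest assumed before the first record


def chain_record(prev_digest, line, key):
    """Keyed digest over (previous digest, newline, line); the key keeps an attacker from recomputing it."""
    data = prev_digest.encode() + b"\n" + line.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_records(lines, key, prev_digest=GENESIS):
    """Return the stored form of each line, '<digest> <line>', each chained to the one before."""
    records = []
    for line in lines:
        prev_digest = chain_record(prev_digest, line, key)
        records.append(f"{prev_digest} {line}")
    return records


def verify_chain(records, key, prev_digest=GENESIS, expected_tail=None):
    """Return (ok, index): index is the first record that fails, or the record
    count when the log is shorter than the last digest stored elsewhere says."""
    for i, record in enumerate(records):
        digest, _, line = record.partition(" ")
        if not hmac.compare_digest(digest, chain_record(prev_digest, line, key)):
            return False, i
        prev_digest = digest
    # truncation at the end leaves a valid chain, so compare against a digest kept off-host
    if expected_tail is not None and not hmac.compare_digest(prev_digest, expected_tail):
        return False, len(records)
    return True, None


def last_digest(records):
    """The digest to keep off-host after each write, for the truncation check."""
    return records[-1].split(" ", 1)[0] if records else GENESIS


DEMO_KEY = b"constructed-demo-key-keep-off-host"
SAMPLE_LINES = [  # constructed syslog-style lines
    "Mar  3 02:14:07 box sshd[1201]: Accepted password for alice from 192.0.2.10 port 50211 ssh2",
    "Mar  3 02:15:31 box sshd[1207]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Mar  3 02:16:02 box su: pam_unix(su:session): session opened for user root by alice(uid=1000)",
]

if __name__ == "__main__":
    records = append_records(SAMPLE_LINES, DEMO_KEY)
    print("intact:", verify_chain(records, DEMO_KEY))
    print("record 1 deleted:", verify_chain(records[:1] + records[2:], DEMO_KEY))
    print("last record truncated:", verify_chain(records[:-1], DEMO_KEY,
                                                 expected_tail=last_digest(records)))
```

The design choice worth noting is in verify_chain: a chain alone does not detect removal of the newest records, because the remaining prefix is still internally consistent. Storing the latest digest somewhere else after each write, and passing it as expected_tail, closes that gap.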

<p>&nbsp;</p>

<hr width="75%" align="center">

<p></p>

<p>That's about all for this time, folks. As I have already stated in the introduction 

  (actually, the next part was copied and pasted from the introduction chapter): 

  &quot;I included everything I could possibly think of (that is notable for a 

  beginners guide in this field, of course). With time, I will add more chapters, 

  so make sure you have the latest version by visiting blacksun.box.sk often or 

  subscribing to Black Sun's mailing list (info on how to subscribe at blacksun.box.sk 

  also).&quot;</p>

<p>Oh, by the way, some of you might have been expecting me to mention the r* services (rcp, rlogin, rsh, etc.), which don't exactly have perfect security. Well, I was thinking of writing a tutorial completely devoted to them. If you're interested, you could go to blacksun.box.sk right now and see if it's already done (if it's not, most likely it is because there are other tutorials scheduled ahead of it).</p>

<p><b>&lt;--! Begin copyright bullshit !--&gt; </b><br>
  All copyrights are reserved. You may distribute this tutorial freely, as long as you keep our names and Black Sun Research Facility's URL at the top of this tutorial.<br>
  I have written this tutorial for you, the readers. But I also wish to remain the author of this guide, meaning I do not want people to change a line or two and then claim that the whole guide is theirs. If you wish to create an altered version of this tutorial, please contact me by Email - <a href="mailto:barakirs@netvision.net.il">barakirs@netvision.net.il</a>.<br>
  <b>&lt;--! End copyright bullshit !--&gt;</b></p>

</body>

</html>
