<br><b>&lt;mikestevens></b> yes

<br><b>&lt;bracaman></b> :))

<br><b>&lt;Ghost_Rider> ok..so like we were saying ip masquerading is really

cute but it has some problems</b>

<br><b>&lt;Mikkkeee></b> yup and voice

<br><b>&lt;Ghost_Rider> like if you need someone to connect to a host inside

ur network it can't..</b>

<br><b>&lt;Ghost_Rider> or like if you wanna use ftp or any other protocol</b>

<br><b>&lt;Ghost_Rider> that works in a way that the remote host makes

a connection to you it won't work..</b>

<br><b>&lt;Ghost_Rider> well that's not entirely true</b>

<br><b>&lt;Ghost_Rider> you have the kernel modules to support ftp on active

mode</b>

<br><b>&lt;Ghost_Rider> you have kernel modules for real audio</b>

<br><b>&lt;Ghost_Rider> for dcc over irc</b>

<br><font color="#FF0000">*** Quits: binz (Quit: cya)</font>

<br><b>&lt;Ghost_Rider> and a couple of other services</b>

<br><font color="#FF0000">*** Joins: Andrei_</font>

<br><b>&lt;Ghost_Rider> that will work one part of the prob</b>

<br><b>&lt;Ghost_Rider> but what about if you really wanna allow ppl like

to login in one of our boxes</b>

<br><font color="#FF0000">*** Joins: RedShadow</font>

<br><b>&lt;Ghost_Rider> well the answer to that is a program called ipmasqadm</b>

<br><font color="#FF0000">*** Quits: Nightshade (Ping timeout)</font>

<br><b>&lt;Ghost_Rider> you can find it at freshmeat.net</b>

<br><b>&lt;Ghost_Rider> and what it does is redirect traffic from localhost

port X to remote HOST port Z</b>

<br><font color="#FF0000">*** RedShadow is now known as _RedShadow-</font>

<br><font color="#FF0000">*** Joins: Craft</font>

<br><font color="#FF0000">*** SteeLe sets mode: +v _RedShadow-</font>

<br><font color="#FF0000">*** _RedShadow- is now known as RedShadow</font>

<br><font color="#FF0000">*** Craft is now known as Sup|ED-209|Craft</font>

<br><b>&lt;Ghost_Rider> but allowing ppl to connect inside our network</b>

<br><b>&lt;Ghost_Rider> might be unsecure</b>

<br><font color="#FF0000">*** Joins: HellFish</font>

<br><b>&lt;Ghost_Rider> since if it roots that box it's one step to root

the entire network</b>

<br><b>&lt;Ghost_Rider> so it's time to talk about the concept of DMZ</b>

<br><font color="#FF0000">*** Quits: ShellFish (Killed (NickServ (GHOST

command used by HellFish)))</font>

<br><font color="#FF0000">*** HellFish is now known as shellfish</font>

<br><b>&lt;Ghost_Rider> DMZ stands for De-Militarized Zone</b>

<br><font color="#FF0000">*** Mikkkeee sets mode: +v Sup|ED-209|Craft</font>

<br><font color="#FF0000">*** Parts: mayfaer</font>

<br><b>&lt;Ghost_Rider> if you check example 3 you'll see what I'm talking

about</b>

<br><b>&lt;Ghost_Rider> the DMZ is a subnet where the untrusted hosts are</b>

<br><font color="#FF0000">*** Joins: HardW1r3</font>

<br><font color="#FF0000">*** ChanServ sets mode: +v HardW1r3</font>

<br><font color="#FF0000">*** Quits: zwanderer (Quit: Liberae sunt nostrae

cogitationes)</font>

<br><b>&lt;HardW1r3></b> im back

<br><b>&lt;Ghost_Rider> a way of doing this kind of DMZ</b>

<br><b>&lt;Sup|ED-209|Craft></b> how many ppl here...

<br><b>&lt;Ghost_Rider> is setting ur masquerading host with 2 ethernet

cards</b>

<br><b>&lt;Mikkkeee></b> sorry to cut in rider, problems with NAT also

occur with software that embeds TCP/IP address info inside TCP/IP packets

and then relies upon that information will not work cause the interior

tcp/ip address info will be wrong, this occurs with FTP and other protocols.

<br><b>&lt;mikestevens></b> like AIM or FTP

<br><b>&lt;Ghost_Rider> still you guys have the modules</b>

<br><b>&lt;mikestevens></b> there are modules for FTP

<br><b>&lt;mikestevens></b> and a few others

<br><b>&lt;Mikkkeee></b> PPTP, Sqlnet2, FTP, and best of all IRC.

<br><font color="#FF0000">*** Joins: jaxler</font>

<br><font color="#FF0000">*** Joins: UraniumD</font>

<br><b>&lt;Ghost_Rider> mikestevens: but why are you cutting off if I already

told that?</b>

<br><b>&lt;Ghost_Rider> Mikkkeee: but why are you cutting off if I already

told that?</b>

<br><b>&lt;Mikkkeee></b> u did

<br><b>&lt;Mikkkeee></b> sorry

<br><b>&lt;Ghost_Rider> it was for mikkkee not mikestevens</b>

<br><b>&lt;Ghost_Rider> I did</b>

<br><b>&lt;Ghost_Rider> no prob</b>

<br><b>&lt;Mikkkeee></b> sorry

<br><font color="#FF0000">*** Quits: ryph (Quit: )</font>

<br><b>&lt;Ghost_Rider> well continuing</b>

<br><font color="#FF0000">*** Joins: freerider</font>

<br><b>&lt;Ghost_Rider> other way of implementing a DMZ</b>

<br><b>&lt;Ghost_Rider> is setting a ip masquerading host</b>

<br><b>&lt;Ghost_Rider> inside the LAN</b>

<br><b>&lt;Ghost_Rider> which is example 4</b>

<br><font color="#FF0000">*** Quits: XMulder (Quit: )</font>

<br><b>&lt;Ghost_Rider> of course this kind of network aren't home networks

but I think it's always good to know about this stuff</b>

<br><b>&lt;Ghost_Rider> the most important thing is that ur LAN won't trust

the DMZ</b>

<br><b>&lt;Ghost_Rider> so in my opinion the best way to implement it is

using the so-called 2 legged network</b>

<br><b>&lt;Ghost_Rider> that is the ip masquerade host with 2 ethernet

cards</b>

<br><b>&lt;Ghost_Rider> then you would setup the firewall to allow traffic

for the DMZ ethernet interface but not for the trusted LAN</b>

<br><b>&lt;Ghost_Rider> do you guys wanna add anything?</b>

<br><font color="#FF0000">*** Quits: muncheese (Quit: Leaving)</font>

<br><b>&lt;Ghost_Rider> shall we stop for questions about DMZs?</b>

<br><b>&lt;Sup|ED-209|Craft></b> which firewall you are using?

<br><b>&lt;Ghost_Rider> I use ipchains</b>

<br><b>&lt;Mikkkeee></b> ipchains

<br><font color="#FF0000">*** Quits: UraniumD (Ping timeout)</font>

<br><font color="#FF0000">*** Ghost_Rider sets mode: -m</font>

<br><b>&lt;Ghost_Rider> anyone has questions that wanna ask?</b>

<br><b>&lt;kn1x></b> so could a DMZ be setup like a 'honeypot'?

<br><b>&lt;Frydo></b> why connect the trusted lan to the router in the

first place ?

<br><b>&lt;Ghost_Rider> Frydo: because you want the trusted lan to have

access to the internet</b>

<br><font color="#FF0000">*** Quits: SpiderMan (Ping timeout)</font>

<br><b>&lt;Ghost_Rider> Frydo: and you just have a ppp-dial up connection</b>

<br><b>&lt;Ghost_Rider> kn1x: yes..but it's not the major thought when

setting up a DMZ</b>

<br><font color="#FF0000">*** Quits: Infini7y (Connection reset by peer)</font>

<br><b>&lt;Frydo></b> but where's the difference to the dmz then ? if you

hack the router the protection is gone !?!

<br><b>&lt;Ghost_Rider> when you setup a DMZ you are thinking in giving

services to the internet but not taking very risk at it</b>

<br><b>&lt;kn1x></b> well could you trick an attacker, by making him think

that was your network, when it is actually hidden further in..?

<br><b>&lt;mikestevens></b> kn1x: yes

<br><b>&lt;Ghost_Rider> Frydo: well if you root the router is it's the

same thing all network is in a bad situation</b>

<br><b>&lt;mikestevens></b> the real network is hidden behind NAT

<br><b>&lt;Ghost_Rider> Frydo: but if you hack like the mail server</b>

<br><b>&lt;Ghost_Rider> Frydo: that's not so bad..since the DMZ is supposed

to be under heavily watching</b>

<br><font color="#FF0000">* Sup|ED-209|Craft is reading http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-2.html</font>

<br><b>&lt;Mikkkeee></b> well faults in static translation won't protect

the internal host

<br><b>&lt;Ghost_Rider> Frydo: and since traffic from DMZ --> trusted LAN</b>

<br><b>&lt;Ghost_Rider> Frydo: won't be routed</b>

<br><b>&lt;Ghost_Rider> Frydo: you gain some time there...</b>

<br><b>&lt;Frydo></b> got it

<br><b>&lt;Ghost_Rider> Frydo: of course like you root the firewall the

LAN is doomed</b>

<br><font color="#FF0000">*** Joins: Nightshade</font>

<br><b>&lt;Ghost_Rider> but since the firewall isn't really running services</b>

<br><b>&lt;Andrei_></b> Ghost_Rider

<br><b>&lt;Ghost_Rider> it's just redirecting them to the DMZ</b>

<br><b>&lt;Ghost_Rider> andrei_ : yes?</b>

<br><b>&lt;Andrei_></b> i'm sorry to interrupt this discussion

<br><b>&lt;Andrei_></b> but i can't set up my internal network

<br><b>&lt;Ghost_Rider></b> what's ur prob?

<br><b>&lt;freeque></b> lol. he charges &pound;50 an hour :-)

<br><b>&lt;Andrei_></b> in fact i can't give internet access to a computer

<br><b>&lt;Ghost_Rider> lo@freeque</b>

<br><b>&lt;Ghost_Rider> Andrei_: but is ur LAN working, like you can ping

lan hosts, you can't just masq?</b>

<br><b>&lt;Andrei_></b> exactly

<br><b>&lt;Andrei_></b> i can ping

<br><b>&lt;Ghost_Rider></b> Andrei_: can you ping ur ppp0 ip?

<br><b>&lt;Andrei_></b> my internal network works just fine

<br><b>&lt;freerider></b>&nbsp; /freerider REGISTER 2825902 cantnot@adinet.com.uy

<br><b>&lt;Sup|ED-209|Craft></b> Ghost_Rider: have you read David Ranch's

faq?

<br><b>&lt;Andrei_></b> Ghost_Rider nope

<br><font color="#FF0000">*** Mikkkeee sets mode: +o RedShadow</font>

<br><b>&lt;Andrei_></b> that's the problem

<br><b>&lt;Ghost_Rider> Sup|ED-209|Craft: I don't think so why?</b>

<br><b>&lt;Nightshade></b> Ok guys, thats me for tonight, c ya laterz

<br><font color="#FF0000">*** Parts: Nightshade</font>

<br><b>&lt;Ghost_Rider> Andrei_: well check ur routing table..I'll keep

with you on private</b>

<br><b>&lt;Ghost_Rider> guys the lecture is going on..for the final part</b>

<br><font color="#FF0000">*** Ghost_Rider sets mode: +m</font>

<br><b>&lt;Sup|ED-209|Craft></b> Ghost_Rider: maybe useful to read @ http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

?

<br><b>&lt;Ghost_Rider> oh...ip masquerade howto yes I read it when I was setting

up my 1st lan hehe</b>

<br><font color="#FF0000">* Mikkkeee says guys if u don't understand/still

got questions all will be clear once rider releases the tut</font>

<br><font color="#FF0000">*** Joins: |\Lesma\|</font>

<br><font color="#FF0000">*** |\Lesma\| is now known as samurai</font>

<br><b>&lt;Ghost_Rider> so guys this puts us on the final topic and most

buggy one too NFS</b>

<br><b>&lt;Ghost_Rider> (damn I was seeing that I would never end this

lecture)</b>

<br><b>&lt;mikestevens></b> I want AFS or CODA!!!

<br><font color="#FF0000">*** Joins: SileNceR</font>

<br><b>&lt;mikestevens></b> sorry

<br><b>&lt;Ghost_Rider> as usual mike giving its very unique taste to

the chat</b>

<br><b>&lt;mikestevens></b> lol

<br><b>&lt;Sup|ED-209|Craft></b> lol

<br><b>&lt;Ghost_Rider> but let's keep going</b>

<br><b>&lt;Ghost_Rider> nfs stands for network file system</b>

<br><font color="#FF0000">*** Retrieving #bsrf info...</font>

<br><b>&lt;Ghost_Rider> I once read a very simple definition nfs = file

sharing windows for *nix</b>

<br><b>&lt;Ghost_Rider> yes..that's true</b>

<br><b>&lt;Ghost_Rider> but NFS</b>

<br><b>&lt;Ghost_Rider> is much more configurable</b>

<br><b>&lt;Megram></b> sorry guys, i need to run off, sleep is calling.

Have fun all of you :O)

<br><b>&lt;Sup|ED-209|Craft></b> nt filesystem

<br><b>&lt;Megram></b> gj so far btw GR :O)

<br><font color="#FF0000">*** Quits: Megram (Quit: Why do we need cheese?)</font>

<br><font color="#FF0000">*** H2-0[Away] is now known as H2-0</font>

<br><font color="#FF0000">*** Quits: H2-0 (Quit: good users don't use colored

quits)</font>

<br><b>&lt;Ghost_Rider> to make nfs available</b>

<br><b>&lt;Ghost_Rider> you have to put some really buggy daemons running</b>

<br><b>&lt;Ghost_Rider> I know at least 2 linux worms uses portmap probs

to spread and you will need to use portmap</b>

<br><b>&lt;Ghost_Rider> rpc.portmap, rpc.mountd and rpc.nfsd</b>

<br><b>&lt;Ghost_Rider> will be the services you'll need to run to allow

nfs</b>

<br><b>&lt;Ghost_Rider> now one question that we ask when we are setting

up NFS is "is this really necessary?"</b>

<br><b>&lt;Ghost_Rider> well NFS is slow as hell, if you need anything

from one computer to other you can just start a ftp daemon and upload or

download</b>

<br><b>&lt;Sup|ED-209|Craft></b> can somebody give me your plan(s)?

<br><b>&lt;Ghost_Rider> it would be faster...</b>

<br><b>&lt;Ghost_Rider> Sup|ED-209|Craft: i'm almost finishing...it's last

topic man</b>

<br><b>&lt;Sup|ED-209|Craft></b> ok

<br><b>&lt;Ghost_Rider> to make this quick since you guys are already tired

of reading what I say</b>

<br><b>&lt;Ghost_Rider> you have 3 main files to configure NFS</b>

<br><b>&lt;Ghost_Rider> /etc/hosts.allo /etc/hosts.deny and /etc/exports</b>

<br><font color="#FF0000">*** Joins: SpiderMan</font>

<br><font color="#FF0000">*** ChanServ sets mode: +o SpiderMan</font>

<br><font color="#FF0000">*** Quits: freerider (Quit: Leaving)</font>

<br><b>&lt;Ghost_Rider> /etc/hosts.allow /etc/hosts.deny and /etc/exports</b>

<br><b>&lt;Ghost_Rider> hosts.allow and hosts.deny will check allow or

deny connections from hosts</b>

<br><font color="#FF0000">*** Joins: Hand_of_God</font>

<br><b>&lt;Ghost_Rider> you just allow ur local network and deny all the

rest</b>

<br><b>&lt;Ghost_Rider> so hosts.allow would be something like</b>

<br><b>&lt;Ghost_Rider> rpc.portmap: 192.168.0.0/24</b>

<br><font color="#FF0000">*** Quits: Sh0ck3R (Ping timeout)</font>

<br><b>&lt;Ghost_Rider> rpc.mountd: 192.168.0.0/24</b>

<br><b>&lt;Ghost_Rider> rpc.nfsd: 192.168.0.0/24</b>

<br><font color="#FF0000">*** Quits: jimi (Quit: BitchX-1.0c16 -- just

do it.)</font>

<br><b>&lt;Ghost_Rider> and on hosts.deny just ALL: ALL and would deny

everything that isn't accepted</b>

<br><font color="#FF0000">*** Joins: freerider</font>

<br><b>&lt;Ghost_Rider> on /etc/exports you'll have the exports dir</b>

<br><b>&lt;Ghost_Rider> and the hosts that could export it</b>

<br><b>&lt;Ghost_Rider> for example /home&nbsp; HOSTNAME(rw)</b>

<br><b>&lt;Ghost_Rider> the (rw) stands for read and write giving these

permissions to HOSTNAME when he mounts /home</b>

<br><b>&lt;Ghost_Rider> well I think this is done</b>

<br><b>&lt;SteeLe></b> tired heh ?

<br><font color="#FF0000">* DigitalFallout wakes up</font>

<br><b>&lt;DigitalFallout></b> DId I miss anything?

<br><b>&lt;Mikkkeee></b> man we all got to give it up for Rider

<br><font color="#FF0000">*** Joins: _RooTs_</font>

<br><font color="#FF0000">* DigitalFallout gives Ghost_Rider a "round of

applause"</font>

<br><font color="#FF0000">*** Mikkkeee sets mode: -m</font>

<br><b>&lt;mikestevens></b> great job

<br><b>&lt;Ghost_Rider> man I'm exhausted..almost 2 hours...u guys killed

me</b>

<br><b>&lt;Ghost_Rider> thnx mike</b>

<br><font color="#FF0000">* Ellis_D gives a standing ovation</font>

<br><b>&lt;DigitalFallout></b> That is like a BSRF lecture record

<br><font color="#FF0000">* Mikkkeee gives Rider a "round of applause"</font>

<br><b>&lt;Ghost_Rider> well guys I cut some parts because this was

already too extensive</b>

<br><b>&lt;Ghost_Rider> thnx mikkkeee</b>

<br><b>&lt;Ghost_Rider> glad that you guys liked</b>

<br><b>&lt;Mikkkeee></b> hell yah

<p><b>&lt;--------------End of lecture------------></b>

<br>&nbsp;

<br>&nbsp;

</body>

</html>
