Original poster
Posted on 2006-3-20 14:24:21
8. Network Security
Network security is becoming more and more important as people spend more and more time connected. Compromising network security is often much easier than compromising physical or local security, and is much more common.
There are a number of good tools to assist with network security, and more and more of them are shipping with Linux distributions.
8.1 Packet Sniffers
One of the most common ways intruders gain access to more systems on your network is by employing a packet sniffer on an already compromised host. This "sniffer" just listens on the Ethernet port for things like passwd and login and su in the packet stream and then logs the traffic after that. This way, attackers gain passwords for systems they are not even attempting to break into. Clear-text passwords are very vulnerable to this attack.
Example: Host A has been compromised. Attacker installs a sniffer. Sniffer picks up admin logging into Host B from Host C. It gets the admin's personal password as they log in to B. Then, the admin does a su to fix a problem. They now have the root password for Host B. Later the admin lets someone telnet from his account to Host Z on another site. Now the attacker has a password/login on Host Z.
In this day and age, the attacker doesn't even need to compromise a system to do this: they could also bring a laptop or PC into a building and tap into your net.
Using ssh or other encrypted password methods thwarts this attack. Things like APOP for POP accounts also prevent this attack. (Normal POP logins are very vulnerable to this, as is anything that sends clear-text passwords over the network.)
8.2 System services and tcp_wrappers
Before you put your Linux system on ANY network the first thing to look at is what services you need to offer. Services that you do not need to offer should be disabled so that you have one less thing to worry about and attackers have one less place to look for a hole.
There are a number of ways to disable services under Linux. You can look at your /etc/inetd.conf file and see what services are being offered by your inetd. Disable any that you do not need by commenting them out (# at the beginning of the line), and then sending your inetd process a SIGHUP.
You can also remove (or comment out) services in your /etc/services file. This will mean that local clients will also be unable to find the service (i.e., if you remove ftp, and try to ftp to a remote site from that machine it will fail with an "unknown service" message). It's usually not worth the trouble to remove services from /etc/services, since it provides no additional security. If a local person wanted to use ftp even though you had commented it out, they would make their own client that used the common FTP port and it would still work fine.
Some of the services you might want to leave enabled are:
* ftp
* telnet (or ssh)
* mail, such as pop-3 or imap
* identd
If you know you are not going to use some particular package, you can also delete it entirely. rpm -e packagename under the Red Hat distribution will erase an entire package. Under Debian dpkg --remove does the same thing.
Additionally, you really want to disable the rsh/rlogin/rcp utilities, including login (used by rlogin), shell (used by rcp), and exec (used by rsh) from being started in /etc/inetd.conf. These protocols are extremely insecure and have been the cause of exploits in the past.
You should check /etc/rc.d/rc[0-9].d (on Red Hat; /etc/rc[0-9].d on Debian), and see if any of the servers started in those directories are not needed. The files in those directories are actually symbolic links to files in the directory /etc/rc.d/init.d (on Red Hat; /etc/init.d on Debian). Renaming the files in the init.d directory disables all the symbolic links that point to that file. If you only wish to disable a service for a particular run level, rename the appropriate symbolic link by replacing the upper-case S with a lower-case s, like this:
root# cd /etc/rc6.d
root# mv S45dhcpd s45dhcpd
If you have BSD-style rc files, you will want to check /etc/rc* for programs you don't need.
Most Linux distributions ship with tcp_wrappers "wrapping" all your TCP services. A tcp_wrapper (tcpd) is invoked from inetd instead of the real server. tcpd then checks the host that is requesting the service, and either executes the real server, or denies access from that host. tcpd allows you to restrict access to your TCP services. You should make a /etc/hosts.allow and add in only those hosts that need to have access to your machine's services.
If you are a home dial up user, we suggest you deny ALL. tcpd also logs failed attempts to access services, so this can alert you if you are under attack. If you add new services, you should be sure to configure them to use tcp_wrappers if they are TCP-based. For example, a normal dial-up user can prevent outsiders from connecting to his machine, yet still have the ability to retrieve mail, and make network connections to the Internet. To do this, you might add the following to your /etc/hosts.allow:
ALL: 127.
And of course /etc/hosts.deny would contain:
ALL: ALL
which will prevent external connections to your machine, yet still allow you from the inside to connect to servers on the Internet.
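As an added example (not part of the HOWTO), the following Python script reimplements the hosts_access(5) decision order for the hosts.allow/hosts.deny pair above, so the effect of a rule set can be checked before a host depends on it; the office network 192.168.1. and the EXCEPT host are constructed assumptions, and tcpd features such as KNOWN/UNKNOWN/PARANOID and shell commands are left out.

```python
"""Added example (not from the HOWTO): a minimal evaluator for the
tcp_wrappers hosts_access(5) decision order.  Real tcpd also supports
KNOWN/UNKNOWN/PARANOID and shell commands; those are left out here."""

# Constructed sample files: the dial-up rules from the text plus one extra
# hosts.allow line (the office LAN and the EXCEPT host are assumptions).
HOSTS_ALLOW = """\
# loopback may reach everything, as in the HOWTO
ALL: 127.
# sshd is also reachable from the office LAN, except one untrusted host
sshd: 192.168.1. EXCEPT 192.168.1.99
"""
HOSTS_DENY = "ALL: ALL\n"


def split_list(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c'])."""
    parts = field.split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        return parts[:i], parts[i + 1:]
    return parts, []


def parse_rules(text):
    """Return [(daemon_list, client_list)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: tcpd logs it and ignores it
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern, addr, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # any hostname that contains no dot
        return bool(host) and "." not in host
    if pattern.endswith("."):  # "127." matches the start of an address
        return addr.startswith(pattern)
    if pattern.startswith("."):  # ".example.com" matches the end of a hostname
        return host.endswith(pattern)
    return pattern in (addr, host)


def list_matches(lst, match):
    include, exclude = lst
    return any(match(p) for p in include) and not any(match(p) for p in exclude)


def any_rule_matches(rules, daemon, addr, host):
    for daemons, clients in rules:
        if (list_matches(daemons, lambda p: daemon_matches(p, daemon))
                and list_matches(clients, lambda p: client_matches(p, addr, host))):
            return True
    return False


def access_decision(daemon, addr, host="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: hosts.allow first, then hosts.deny, otherwise grant."""
    if any_rule_matches(parse_rules(allow), daemon, addr, host):
        return "allow"
    if any_rule_matches(parse_rules(deny), daemon, addr, host):
        return "deny"
    return "allow"  # no rule matched anywhere: access is granted by default


if __name__ == "__main__":
    for args in (("in.telnetd", "127.0.0.1", "localhost"),
                 ("in.telnetd", "203.0.113.7"),
                 ("sshd", "192.168.1.10"),
                 ("sshd", "192.168.1.99")):
        print(args, "->", access_decision(*args))
```

The last return shows why an empty or missing hosts.deny leaves everything open: the deny file, not the allow file, is what turns the wrapper into a default-deny control.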
Keep in mind that tcp_wrappers only protects services executed from inetd, and a select few others. There very well may be other services running on your machine. You can use netstat -ta to find a list of all the services your machine is offering.
8.3 Verify Your DNS Information
Keeping up-to-date DNS information about all hosts on your network can help to increase security. If an unauthorized host becomes connected to your network, you can recognize it by its lack of a DNS entry. Many services can be configured to not accept connections from hosts that do not have valid DNS entries.
8.4 identd
identd is a small program that typically runs out of your inetd server. It keeps track of what user is running what TCP service, and then reports this to whoever requests it.
Many people misunderstand the usefulness of identd, and so disable it or block all off site requests for it. identd is not there to help out remote sites. There is no way of knowing if the data you get from the remote identd is correct or not. There is no authentication in identd requests.
Why would you want to run it then? Because it helps you out, and is another data-point in tracking. If your identd is uncompromised, then you know it's telling remote sites the user-name or uid of people using TCP services. If the admin at a remote site comes back to you and tells you user so-and-so was trying to hack into their site, you can easily take action against that user. If you are not running identd, you will have to look at lots and lots of logs, figure out who was on at the time, and in general take a lot more time to track down the user.
The identd that ships with most distributions is more configurable than many people think. You can disable it for specific users (they can make a .noident file), you can log all identd requests (We recommend it), you can even have identd return a uid instead of a user name or even NO-USER.
8.5 Configuring and Securing the Postfix MTA
The Postfix mail server was written by Wietse Venema, author of Postfix and several other staple Internet security products, as an "attempt to provide an alternative to the widely-used Sendmail program. Postfix attempts to be fast, easy to administer, and hopefully secure, while at the same time being sendmail compatible enough to not upset your users."
Further information on postfix can be found at the Postfix home page and in the document Configuring and Securing Postfix.
8.6 SATAN, ISS, and Other Network Scanners
There are a number of different software packages out there that do port and service-based scanning of machines or networks. SATAN, ISS, SAINT, and Nessus are some of the more well-known ones. This software connects to the target machine (or all the target machines on a network) on as many ports as it can, and tries to determine what service is running there. Based on this information, you can tell if the machine is vulnerable to a specific exploit on that server.
SATAN (Security Administrator's Tool for Analyzing Networks) is a port scanner with a web interface. It can be configured to do light, medium, or strong checks on a machine or a network of machines. It's a good idea to get SATAN and scan your machine or network, and fix the problems it finds. Make sure you get the copy of SATAN from metalab or a reputable FTP or web site. There was a Trojan copy of SATAN that was distributed out on the net. http://www.trouble.org/~zen/satan/satan.html. Note that SATAN has not been updated in quite a while, and some of the other tools below might do a better job.
ISS (Internet Security Scanner) is another port-based scanner. It is faster than Satan, and thus might be better for large networks. However, SATAN tends to provide more information.
Abacus is a suite of tools to provide host-based security and intrusion detection. Look at its home page on the web for more information. http://www.psionic.com/abacus/
SAINT is an updated version of SATAN. It is web-based and has many more up-to-date tests than SATAN. You can find out more about it at: http://www.wwdsi.com/~saint
Nessus is a free security scanner. It has a GTK graphical interface for ease of use. It is also designed with a very nice plug-in setup for new port-scanning tests. For more information, take a look at: http://www.nessus.org
Detecting Port Scans
There are some tools designed to alert you to probes by SATAN and ISS and other scanning software. However, if you liberally use tcp_wrappers, and look over your log files regularly, you should be able to notice such probes. Even on the lowest setting, SATAN still leaves traces in the logs on a stock Red Hat system.
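As an added example (not from the HOWTO), this Python script runs over a constructed excerpt of the syslog lines tcpd writes ("connect from" / "refused connect from") and flags any client that touches several different wrapped services within a short window, which is the trace a SATAN-style probe leaves in the logs; the host name, addresses, times and thresholds are assumptions.

```python
"""Added example (not from the HOWTO): pick port-scan style probes out of the
syslog lines that tcp_wrappers (tcpd) writes.  A scanner that walks the
inetd services of a host shows up as one client hitting several different
wrapped daemons within seconds, most of them refused."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog excerpt in tcpd's format; the host "gw", the addresses
# and the times are assumptions for illustration.
SAMPLE_LOG = """\
Mar 20 14:24:01 gw in.telnetd[2201]: refused connect from 203.0.113.7
Mar 20 14:24:02 gw in.ftpd[2202]: refused connect from 203.0.113.7
Mar 20 14:24:02 gw in.fingerd[2203]: refused connect from 203.0.113.7
Mar 20 14:24:03 gw in.pop3d[2204]: refused connect from 203.0.113.7
Mar 20 14:30:10 gw in.telnetd[2290]: connect from 192.168.1.10
Mar 20 15:02:44 gw in.ftpd[2401]: connect from 192.168.1.10
Mar 20 15:40:00 gw sshd[2500]: refused connect from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>[\w.-]+)\[\d+\]: (?P<refused>refused )?connect from (?P<client>\S+)"
)


def parse_tcpd_log(text, year=2006):
    """Return [(timestamp, client, daemon, refused)] for every tcpd line.
    syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other daemon's line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["client"], m["daemon"], bool(m["refused"])))
    return events


def find_probes(events, min_services=3, window_seconds=60):
    """Flag clients that reach >= min_services distinct daemons inside any
    window_seconds span.  Returns {client: {"services": [...], "refused": n}}."""
    by_client = defaultdict(list)
    for ts, client, daemon, refused in events:
        by_client[client].append((ts, daemon, refused))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            seen = {d for t, d, _ in evs[i:] if t - start <= window}
            if len(seen) >= min_services:
                alerts[client] = {
                    "services": sorted(seen),
                    "refused": sum(1 for _, _, r in evs if r),
                }
                break
    return alerts


if __name__ == "__main__":
    for client, info in find_probes(parse_tcpd_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['refused']} refused, probed {info['services']}")
```

Only services started through inetd and wrapped by tcpd appear in these lines, so a host with many stand-alone daemons needs the same check on those daemons' own logs.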
There are also "stealth" port scanners. A packet with the TCP ACK bit set (as is done with established connections) will likely get through a packet-filtering firewall. The returned RST packet from a port that _had no established session_ can be taken as proof of life on that port. I don't think TCP wrappers will detect this.
You might also look at SNORT, which is a free IDS (Intrusion Detection System), which can detect other network intrusions. http://www.snort.org
8.7 sendmail, qmail and MTAs
One of the most important services you can provide is a mail server. Unfortunately, it is also one of the most vulnerable to attack, simply due to the number of tasks it must perform and the privileges it typically needs.
If you are using sendmail it is very important to keep up on current versions. sendmail has a long long history of security exploits. Always make sure you are running the most recent version from http://www.sendmail.org.
Keep in mind that sendmail does not have to be running in order for you to send mail. If you are a home user, you can disable sendmail entirely, and simply use your mail client to send mail. You might also choose to remove the "-bd" flag from the sendmail startup file, thereby disabling incoming requests for mail. In other words, you can execute sendmail from your startup script using the following instead:
# /usr/lib/sendmail -q15m
This will cause sendmail to flush the mail queue every fifteen minutes for any messages that could not be successfully delivered on the first attempt.
Many administrators choose not to use sendmail, and instead choose one of the other mail transport agents. You might consider switching over to qmail. qmail was designed with security in mind from the ground up. It's fast, stable, and secure. Qmail can be found at http://www.qmail.org
In direct competition to qmail is "postfix", written by Wietse Venema, the author of tcp_wrappers and other security tools. Formerly called vmailer, and sponsored by IBM, this is also a mail transport agent written from the ground up with security in mind. You can find more information about postfix at http://www.postfix.org
8.8 Denial of Service Attacks
A "Denial of Service" (DoS) attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny legitimate users access to your machine.
Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that new ones show up all the time, so this is just a few examples. Read the Linux security lists and the bugtraq list and archives for more current information.
* SYN Flooding - SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people access to your machine or services. See Kernel Security for proper kernel protection options.
* Pentium "F00F" Bug - It was recently discovered that a series of assembly codes sent to a genuine Intel Pentium processor would reboot the machine. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what operating system it's running. Linux kernels 2.0.32 and up contain a workaround for this bug, preventing it from locking your machine. Kernel 2.0.33 has an improved version of the kernel fix, and is suggested over 2.0.32. If you are running on a Pentium, you should upgrade now!
* Ping Flooding - Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack at http://www.quadrunner.com/~chuegen/smurf.txt
If you are ever under a ping flood attack, use a tool like tcpdump to determine where the packets are coming from (or appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router level or by using a firewall.
* Ping o' Death - The Ping o' Death attack sends ICMP ECHO REQUEST packets that are too large to fit in the kernel data structures intended to store them. Because sending a single, large (65,510 bytes) "ping" packet to many systems will cause them to hang or even crash, this problem was quickly dubbed the "Ping o' Death." This one has long been fixed, and is no longer anything to worry about.
* Teardrop / New Tear - One of the most recent exploits involves a bug present in the IP fragmentation code on Linux and Windows platforms. It is fixed in kernel version 2.0.33, and does not require selecting any kernel compile-time options to utilize the fix. Linux is apparently not vulnerable to the "newtear" exploit.
You can find code for most exploits, and a more in-depth description of how they work, at http://www.rootshell.com using their search engine.
8.9 NFS (Network File System) Security
NFS is a very widely-used file sharing protocol. It allows servers running nfsd and mountd to "export" entire file systems to other machines using NFS filesystem support built in to their kernels (or some other client support if they are not Linux machines). mountd keeps track of mounted file systems in /etc/mtab, and can display them with showmount.
Many sites use NFS to serve home directories to users, so that no matter what machine in the cluster they login to, they will have all their home files.
There is some small amount of security allowed in exporting file systems. You can make your nfsd map the remote root user (uid=0) to the nobody user, denying them total access to the files exported. However, since individual users have access to their own (or at least the same uid) files, the remote root user can login or su to their account and have total access to their files. This is only a small hindrance to an attacker that has access to mount your remote file systems.
If you must use NFS, make sure you export to only those machines that you really need to. Never export your entire root directory; export only directories you need to export.
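As an added example (not from the HOWTO, the NFS HOWTO or nfs-utils), this Python lint checks an /etc/exports file in the Linux nfs-utils syntax for the mistakes the paragraph above warns about: exporting /, exporting to wildcard or unrestricted hosts, and letting a remote root keep uid 0. The sample file, its paths and its hosts are constructed.

```python
"""Added example (not from the HOWTO): lint an /etc/exports file for the
mistakes the text warns about (exporting /, exporting to every host, and
letting a remote root keep uid 0).  Uses the Linux nfs-utils syntax
'/path host(options) host2(options)'."""
import re

# Constructed sample; the hosts and paths are assumptions for illustration.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed)
/              *(rw,no_root_squash)
/home          192.168.1.0/24(rw,root_squash)
/usr/share/doc 192.168.1.5(ro)
/export/build  *.example.com(rw)
"""

# host part, then an optional parenthesised option list
CLIENT_RE = re.compile(r"([^(\s]+)(?:\(([^)]*)\))?")


def is_wildcard(host):
    """'*' or '*.domain' reaches far more hosts than a single address."""
    return host == "*" or host.startswith("*.")


def lint_exports(text):
    """Return a list of (line_number, path, problem) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        if path == "/":
            findings.append((lineno, path, "exports the entire root filesystem"))
        if not clients:
            findings.append((lineno, path, "no client list: exported to every host"))
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if not m:
                findings.append((lineno, path, f"unparseable client spec {spec!r}"))
                continue
            host = m.group(1)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            if is_wildcard(host):
                findings.append((lineno, path, f"wildcard client {host}"))
            if "no_root_squash" in opts:
                findings.append((lineno, path,
                                 f"no_root_squash for {host}: remote root keeps uid 0"))
            # nfs-utils defaults to ro, so only an explicit rw is writable
            if "rw" in opts and is_wildcard(host):
                findings.append((lineno, path, f"writable export to wildcard {host}"))
    return findings


if __name__ == "__main__":
    for lineno, path, problem in lint_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path}: {problem}")
```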
See the NFS HOWTO for more information on NFS, available at http://metalab.unc.edu/mdw/HOWTO/NFS-HOWTO.html
8.10 NIS (Network Information Service) (formerly YP)
Network Information service (formerly YP) is a means of distributing information to a group of machines. The NIS master holds the information tables and converts them into NIS map files. These maps are then served over the network, allowing NIS client machines to get login, password, home directory and shell information (all the information in a standard /etc/passwd file). This allows users to change their password once and have it take effect on all the machines in the NIS domain.
NIS is not at all secure. It was never meant to be. It was meant to be handy and useful. Anyone that can guess the name of your NIS domain (anywhere on the net) can get a copy of your passwd file, and use "crack" and "John the Ripper" against your users' passwords. Also, it is possible to spoof NIS and do all sorts of nasty tricks. If you must use NIS, make sure you are aware of the dangers.
There is a much more secure replacement for NIS, called NIS+. Check out the NIS HOWTO for more information: http://metalab.unc.edu/mdw/HOWTO/NIS-HOWTO.html
8.11 Firewalls
Firewalls are a means of controlling what information is allowed into and out of your local network. Typically the firewall host is connected to the Internet and your local LAN, and the only access from your LAN to the Internet is through the firewall. This way the firewall can control what passes back and forth from the Internet and your LAN.
There are a number of types of firewalls and methods of setting them up. Linux machines make pretty good firewalls. Firewall code can be built right into 2.0 and higher kernels. The user-space tools ipfwadm for 2.0 kernels and ipchains for 2.2 kernels allow you to change, on the fly, the types of network traffic you allow. You can also log particular types of network traffic.
Firewalls are a very useful and important technique in securing your network. However, never think that because you have a firewall, you don't need to secure the machines behind it. This is a fatal mistake. Check out the very good Firewall-HOWTO at your latest metalab archive for more information on firewalls and Linux. http://metalab.unc.edu/mdw/HOWTO/Firewall-HOWTO.html
More information can also be found in the IP-Masquerade mini-howto: http://metalab.unc.edu/mdw/HOWTO/mini/IP-Masquerade.html
More information on ipfwadm (the tool that lets you change settings on your firewall) can be found at its home page: http://www.xos.nl/linux/ipfwadm/
If you have no experience with firewalls, and plan to set up one for more than just a simple security policy, the Firewalls book by O'Reilly and Associates or another online firewall document is mandatory reading. Check out http://www.ora.com for more information. The National Institute of Standards and Technology has put together an excellent document on firewalls. Although dated 1995, it is still quite good. You can find it at http://csrc.nist.gov/nistpubs/800-10/main.html. Also of interest:
* The Freefire Project -- a list of freely-available firewall tools, available at http://sites.inka.de/sites/lina/freefire-l/index_en.html
* SunWorld Firewall Design -- written by the authors of the O'Reilly book, this provides a rough introduction to the different firewall types. It's available at http://www.sunworld.com/swol-01-1996/swol-01-firewall.html
* Mason - the automated firewall builder for Linux. This is a firewall script that learns as you do the things you need to do on your network! More info at: http://www.pobox.com/~wstearns/mason/
8.12 IP Chains - Linux Kernel 2.2.x Firewalling
Linux IP Firewalling Chains is an update to the 2.0 Linux firewalling code for the 2.2 kernel. It has many more features than previous implementations, including:
* More flexible packet manipulations
* More complex accounting
* Simple policy changes possible atomically
* Fragments can be explicitly blocked, denied, etc.
* Logs suspicious packets.
* Can handle protocols other than ICMP/TCP/UDP.
If you are currently using ipfwadm on your 2.0 kernel, there are scripts available to convert the ipfwadm command format to the format ipchains uses.
Be sure to read the IP Chains HOWTO for further information. It is available at http://www.adelaide.net.au/~rustcorp/ipfwchains/ipfwchains.html
8.13 Netfilter - Linux Kernel 2.4.x Firewalling
In yet another set of advancements to the kernel IP packet filtering code, netfilter allows users to set up, maintain, and inspect the packet filtering rules in the new 2.4 kernel.
The netfilter subsystem is a complete rewrite of previous packet filtering implementations including ipchains and ipfwadm. Netfilter provides a large number of improvements, and it has now become an even more mature and robust solution for protecting corporate networks.
iptables is the command-line interface used to manipulate the firewall tables within the kernel.
Netfilter provides a raw framework for manipulating packets as they traverse through various parts of the kernel. Part of this framework includes support for masquerading, standard packet filtering, and now more complete network address translation. It even includes improved support for load balancing requests for a particular service among a group of servers behind the firewall.
The stateful inspection features are especially powerful. Stateful inspection provides the ability to track and control the flow of communication passing through the filter. The ability to keep track of state and context information about a session makes rules simpler and tries to interpret higher-level protocols.
Additionally, small modules can be developed to perform additional specific functions, such as passing packets to programs in userspace for processing then reinjecting back into the normal packet flow. The ability to develop these programs in userspace reduces the level of complexity that was previously associated with having to make changes directly at the kernel level.
Other IP Tables references include:
* Oskar Andreasson IP Tables Tutorial -- Oskar Andreasson speaks with LinuxSecurity.com about his comprehensive IP Tables tutorial and how this document can be used to build a robust firewall for your organization.
* Hal Burgiss Introduces Linux Security Quick-Start Guides -- Hal Burgiss has written two authoritative guides on securing Linux, including managing firewalling.
* Netfilter Homepage -- The netfilter/iptables homepage.
* Linux Kernel 2.4 Firewalling Matures: netfilter -- This LinuxSecurity.com article describes the basics of packet filtering, how to get started using iptables, and a list of the new features available in the latest generation of firewalling for Linux.
8.14 VPNs - Virtual Private Networks
VPNs are a way to establish a "virtual" network on top of some already-existing network. This virtual network often is encrypted and passes traffic only to and from some known entities that have joined the network. VPNs are often used to connect someone working at home over the public Internet to an internal company network.
If you are running a Linux masquerading firewall and need to pass MS PPTP (Microsoft's VPN point-to-point product) packets, there is a Linux kernel patch out to do just that. See: ip-masq-vpn.
There are several Linux VPN solutions available:
* vpnd. See http://sunsite.auc.dk/vpnd/.
* Free S/Wan, available at http://www.xs4all.nl/~freeswan/
* ssh can be used to construct a VPN. See the VPN mini-howto for more information.
* vps (virtual private server) at http://www.strongcrypto.com.
* yawipin at http://yavipin.sourceforge.net
See also the section on IPSEC for pointers and more information.