linux 系統管理與安全:系統防駭與資訊安全
TRANSCRIPT
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• authorized_keys
• id_rsa
• id_rsa.pub
• known_hosts
•$ ssh-‐keygen -‐t rsa -‐b 2048
• 600 .ssh 700
•
•
•~/.ssh/authorized_keys
• ssh-‐copy-‐id
•
• /etc/ssh/sshd_config
• PasswordAuthentication no
•$ last
•$ who
•$ lastlog
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• <Directory /var/www>Options –Indexes
</Directory>
• /etc/apache2/httpd-‐conf
• ServerTokens Prod
• ServerSignature Off
• /etc/php5/php.ini
• expose_php = Off
•
•
•
•
SQL $SQL = "SELECT * FROM users WHERE (name = '" + $user + "')and (pw = '"+ $pass +"');"
$user $pass 1' OR '1'='1SQL
$SQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1')and (pw = '1' OR '1'='1');"
$SQL = "SELECT * FROM users;"
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
• phpMyAdmin
•
•
•
•
•
• firewalld iptables-‐service
• # systemctl stop firewalld
• # systemctl mask firewalld
• # yum install iptables-‐services
• iptables-‐service# systemctl enable iptables
• / / iptables# systemctl [stop|start|restart] iptables
• iptable# service iptables save
• iptables# iptables -‐L
• ssh
•
• INPUT -‐
• OUTPUT -‐
• FORWARD -‐
• (first match)
• vs.
• # vim my_firewall.sh
#!/bin/bash# iptablesiptables -‐F# SSH tcp 22iptables -‐A INPUT -‐p tcp -‐-‐dport 22 -‐j ACCEPT# INPUT FORWARD OUTPUT iptables -‐P INPUT DROPiptables -‐P FORWARD DROPiptables -‐P OUTPUT ACCEPT
# localhost iptables -‐A INPUT -‐i lo -‐j ACCEPT# iptables -‐A INPUT -‐m state -‐-‐state ESTABLISHED,RELATED -‐j ACCEPT
-‐i < >
-‐p < >-‐-‐dport < >-‐-‐sport < >
-‐m < >-‐A ( )-‐I ( )-‐D ( )
-‐-‐state INVALID
-‐-‐state ESTABLISHED
-‐-‐state NEW -‐-‐state RELATED
# IP iptables -‐A INPUT -‐s 192.168.0.100 -‐j ACCEPTiptables -‐A INPUT -‐s 140.115.0.0/16 -‐j ACCEPT
# 6881-‐6890 bittorrent tcpiptables -‐A INPUT -‐p tcp -‐-‐dport 6881:6890 -‐j ACCEPT
# IP 21 tcpiptables -‐A INPUT -‐s 192.168.0.20 -‐p tcp -‐-‐dport 21 -‐j ACCEPT
# /sbin/service iptables save
# iptables -‐L -‐v
-‐s < IP>-‐d < IP>
Q REJECT DROP
-‐j ACCEPT ( )-‐j REJECT ( )-‐j DROP ( )
•
•
•
# echo 1 > /proc/sys/net/ipv4/ip_forward
# port 80 172.31.0.23 port 80iptables -‐t nat -‐A PREROUTING -‐i eth0 -‐p tcp -‐-‐dport 80 -‐j DNAT -‐-‐to 172.31.0.23:80# IP 192.168.1.0/24 eth0 IP 1.2.3.0/24iptables -‐t nat -‐A POSTROUTING -‐s 192.168.1.0/24 -‐o eth1 -‐j SNAT -‐-‐to 1.2.3.0/24# IP 192.168.1.0/24 eth0 IP eth1 IPiptables -‐t nat -‐A POSTROUTING -‐s 192.168.1.0/24 -‐o eth1 -‐j MASQUERADE
Q SNAT DNAT MASQUERADE A SNAT IPDNAT IPMASQUERADE IP
1. # iptables -‐A INPUT -‐s 140.115.1.1 -‐j REJECT
2. # iptables -‐A INPUT -‐s 140.115.1.31 -‐p UDP -‐-‐dport 5566 -‐j ACCEPT
•
•
•
•
•
# ls -‐Z
•
•# chcon [-‐R] [-‐t type] [-‐u user] [-‐r role]
•# restorecon [-‐Rv]
root:~/ # ls -‐Z-‐rw-‐-‐-‐-‐-‐-‐-‐. root root system_u:object_r:admin_home_t:s0 anaconda-‐ks.cfg-‐rw-‐r-‐-‐r-‐-‐. root root unconfined_u:object_r:admin_home_t:s0 latest.zip-‐rw-‐r-‐-‐r-‐-‐. root root unconfined_u:object_r:admin_home_t:s0 number-‐rw-‐r-‐-‐r-‐-‐. root root unconfined_u:object_r:admin_home_t:s0 phpmyadmin_4.4.0.zip
Identify : Role : Type: :
•
•
•
•
• Fail2ban# yum install fail2ban
•# vim /etc/fail2ban/jail.local
•# systemctl enable fail2ban && systemctl start fail2ban
•# fail2ban-‐client status
•# fail2ban-‐client status sshd
# fail2ban-‐client status sshdStatus for the jail: sshd|-‐ Filter| |-‐ Currently failed: 1| |-‐ Total failed: 1| `-‐ File list: /var/log/secure`-‐ Actions
|-‐ Currently banned: 0|-‐ Total banned: 0`-‐ Banned IP list:
