Prosmotret' otkrytye TCP-porty
Spisok
netstat -an
netstat -an | grep LISTEN
netstat -a | grep ESTABLISH
Kto rabotaet s portom:
lsof -i tcp:3128
Konfigurirovanie tcp-wrapper'a
Perekryt' dostup snaruzhi na uzlovuyu mashinu:
V fajl /etc/hosts.deny vstavit' strochku
ALL : ALL
Otkryt' dostup na uzlovuyu mashinu s mashin lokal'noj seti
195.0.1.0
V fajl /etc/hosts.allow vstavit' strochki
ALL : \
127.0.0.1
ALL : \
195.0.1.0/255.255.255.0
Nachinaya s RedHat 7.3 inetd zamenen na xinetd, kofigur teper' lezhit ne v
/etc/inetd.conf a v
/etc/xinetd.d/
dlya kazhdogo servisa - otdel'nyj fajl, naprimer:
/etc/xinetd.d/swat
service swat
{
disable = yes
port = 901
socket_type = stream
wait = no
only_from = 127.0.0.1 www.lib.ru 195.0.0.0/24
# only_from = 195.0.0.0/255.255.255.0 127.0 - a vot tak nel'zya
user = root
server = /usr/sbin/swat
log_on_failure += USERID
}
# A tak delaetsya probros porta
service russianproxy
{
port = 8888
bind = 195.0.0.3
socket_type = stream
protocol = tcp
user = root
group = root
redirect = 195.0.0.1 80
type = UNLISTED
wait = no
only_from = 195.0.0.0/24 127.0.0.0/24
}
# esli zahochetsya otklyuchit' logging konnektov, to zakommentirovat'
# v fajle /etc/xinetd.conf stroku
# log_type = SYSLOG auth
HTTPS deshevo i serdito s pomoshch'yu stunnel
esli nedosug podnimat' HTTPS v samoom apache, mozhno prosto zavernut' ego
v SSL-wrapper stunnel: DObavlyaem v konfigur xinetd.conf
service https
{
port = 443
socket_type = stream
protocol = tcp
user = root
wait = no
disable = no
type = UNLISTED
server = /usr/sbin/stunnel
server_args = -p /etc/webmin/miniserv.pem -r 80
}
Konfigurim sendmail, pop3, imap4 s SSL
stunnel -d 465 -r smtp
stunnel -d 993 -r localhost:imap
stunnel -d 993 -l /usr/sbin/imapd imapd
stunnel -d 995 -l /usr/sbin/in.pop3d -- in.pop3d -s
-d port - daemon mode
-r port - connect to port
-l programm - start inetd-style programm
I dobavlyaem v /etc/services
https 443/tcp
smtps 465/tcp
imaps 993/tcp
pop3s 995/tcp
I dobavlyaem v /etc/hosts.allow
localhost.imap : ALL
Server (-L for pty mode)
stunnel -d 2020 -L /usr/sbin/pppd -- pppd local
Client system
stunnel -c -r server:2020 -L /usr/sbin/pppd -- pppd local
A kakoj versii sendmail na vashej mashine?
Date: 10 apr 97
Kstati CERT sovetuet stavit' Sendmail 8.8.5. Bolee rannie
versii pozvolyayut udalenno vypolnyat' lyubye komandy ot imeni
superpol'zovatelya na vashej mashine.
* Imeyushchij dostup k konsoli Linux mozhet stat' superyuzerom *
Sposoby:
0. Zagruzka so svoej zagruzochnoj diskety
1. Zagruzka s single user mode
2. Ukazat' al'ternativnuyu programmu init
3. Zadat' drugoj root-partition
1. Booting to single-user mode
LILO: linux single
ili
LILO: linux 1
Debian obhodit eto popravkami v /etc/initab, a RedHat - propuskaet
# What to do in single-user mode.
~~:S:wait:/sbin/sulogin
2. Ukazat' al'ternativnuyu programmu init
Protiv loma net priema:
LILO: linux init=/bin/bash
mount -o remount,rw /
3. Zadat' drugoj root-partition
LILO: linux root=/dev/hda1
Esli sozdat' v otdel'noj particii vsyu polozhennuyu dlya kornya
strukturu, to mozhno budet s nee zagruzit'sya.
|tu vozmozhnost' mozhno poluchit', naprimer, esli /tmp
montiruetsya v otdel'nuyu particiyu. Ili mashina podderzhivaet UMS
DOS i imeet dosovskij razdel.
Zakryt' parolem BIOS-setting i otklyuchit' vozmozhnost'
zagruzit'sya s diskety.
Zakryvajte vozmozhnost' perehvata LILO-prompt
A workaround can be achieved by using PASSWORD and
RESTRICT options in /etc/lilo.conf.
Vnimanie: /etc/lilo.conf dolzhen byt' root.root 600, chtob
nikto ne smog etot parol' podsmotret'.
Komanda
/sbin/ifconfig module-name
pozvolyaet _lyubomu_ pol'zovatelyu zagruzit' modul' iz kataloga
/lib/modules ispol'zuya kerneld.
Lechenie: Poka ne zalecheno v promyshlennom masshtabe. Otklyuchajte
kerneld ili yavno ukazyvajte moduli, kotorye mozhno gruzit',
uberite vse lishnie moduli dostavshiesya vam posle installyacii.
Xserver -xkbdir 'id > /tmp/I_WAS_HERE;'
Quick fix:
1. as usual chmod u-s,g-s all installed Xserver binaries (*)
2. use xdm or a SAFE and PARANOID wrapper to start Xserver
A vy znaete, chto zagruzchik lilo mozhet zapustit' posle zagruzki
root-ovyj shell?
Lilo boot: linux init=/bin/sh rw
Koe kakie zakryvashki v RedHat 5.2
chmod 700 /usr/sbin
chmod 700 /usr/X11R6
chmod -s /usr/lib/emacs/20.3/i386-redhat-linux/movemail
rm /usr/libexec/mail.local # -- eto nado? vrode, procmail uzhe est'.
rm /usr/sbin/userhelper # - dyryav - kusok GUI dlya adminov novichkov
rpm -Uvf lpr-0.48-0.5.2.i386.rpm # vzyat' iz updates
http://www.openwall.com/bind/
rpm -U vixie-cron-3.0.1-37.5.2.i386.rpm
ps axuw|grep -i cron
root 1151 0.0 0.1 864 416 ? S 21:03 0:00 CROND
root 1804 1.5 0.1 864 496 ? S 21:04 0:00 crond
neploho by sozdat' gruppu crontab i
-rwsr-x--- 1 root crontab 20200 Aug 27 19:12 crontab
ii na fajl crontab togda root.crontab,
chmod 4710 /usr./bin/crontab
crond'a.
popravit' ftpaccess'ovyj regex (chtoby iz .fajlov daval tol'ko .forward)
sozdavat', a luchshe - voobshche nikakih.
i sendmail (chtoby u takih .forward ne pozvolyal zapuskat' skripty)
Podozritel'nye services: Kakoj process visit na portu
netstat -an | egrep -v ':80 |udp|:53 '
lsof: prodvinutyj fuser (otkrytye fajly, porty i t.d. ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
sockstat: (poslabee, no poproshche)
fuser -v 6012/tcp
http://www.bog.pp.ru/work/linux.html#firewall
Generaciya klyuchej dlya besparol'nogo vhoda po ssh2
na kliente:
1) ssh-keygen -t dsa -b 2048 -f ~/.ssh/id_dsa
2)
Host *
# dlya novyh versij ssh
AddressFamily inet
# komp'yuter s neskol'kimi interfejsami ili aliasami
BindAddress ishodyashchij-adres
ChallengeResponseAuthentication no
HostKeyAlgorithms ssh-dss
PreferredAuthentications publickey,password
Protocol 2
RSAAuthentication no
StrictHostKeyChecking yes
ForwardAgent yes
ForwardX11 yes
# esli obzav£lsya publickey na t02
PasswordAuthentication no
PreferredAuthentications publickey
3) v sistemnyj ili svoj known_hosts dobavlyaem pablik klyuch servera dsa
(ssh-keyscan -t dsa server)
na servere
1) v .ssh/authorized_keys dobavlyaem klientskij ~/.ssh/id_dsa.pub
krovavye podrobnosti tut:
http://bog.pp.ru/work/ssh.html#config
/etc/ssh/ssh_config ili ~/.ssh/config
Last-modified: Mon, 14 Feb 2005 20:07:12 GMT