Archive

Posts tagged 'Security'

An interesting "hacker self-test site"

April 19, 2006

For a sysadmin, keeping the system secure is an important part of the job, and since "know yourself and know your enemy, and you will win every battle", picking up some basic hacker knowledge is very necessary. The site below seems to exist just for that:
Hack This Site!
It seems to have been around for ages, and amazingly it still hasn't been blocked, which is hard to believe. After registering an account and logging in there are n levels (n>1), and you have to clear them one at a time. Quite fun. The first few levels are fairly easy and only need a bit of cleverness, but the further you go the harder they get and the more solid the fundamentals they require. Ha, anyone without solid fundamentals naturally won't make it through.
(That was my impression of the site n years ago :), no idea what it's like now.)


A new lighttpd hole

April 8, 2006

lighttpd is a small open-source web server that nonetheless isn't short on features.

A hole came out for it recently.

It affects every version 1.4.8 and below running on a case-insensitive filesystem.

You can test it like this:

wget http://www.example.com/index.php

If that returns the normal page,

then

wget http://www.example.com/index.PHP

will return the source code of index.php.

Fix:

1. Upgrade lighttpd to 1.4.9 or above (the latest right now is 1.4.11, since 1.4.9 turned out to have a hole as well :)

2. Add every upper/lower-case combination of each extension to static-file.exclude-extensions,

like this:

static-file.exclude-extensions =
( ".php", ".Php", ".pHp",
  ".phP", ".PhP", ".pHP",
  ".PHp", ".PHP" )
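As an added example (not from the post or the lighttpd project), a small Python helper that generates every case spelling of a list of extensions, renders the lighttpd assignment, and reports which spellings an existing exclude list misses; the extension names are the only input.

```python
# Added example (not from the original post): build the full case-insensitive
# exclusion list for lighttpd's static-file.exclude-extensions and check an
# existing list for gaps. Nothing here talks to a server.
from itertools import product


def case_variants(ext):
    """All upper/lower-case spellings of an extension, e.g. ".php" -> 8 entries.

    Only letters vary; the dot and any digits are kept as-is."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in ext]
    # sorted() gives a stable order so the rendered config is reproducible
    return sorted({"".join(p) for p in product(*choices)})


def missing_variants(configured, ext):
    """Spellings of ext that a configured exclude list does not cover."""
    return sorted(set(case_variants(ext)) - set(configured))


def render_exclude(exts, per_line=3):
    """Render a lighttpd static-file.exclude-extensions assignment."""
    entries = []
    for ext in exts:
        entries.extend(case_variants(ext))
    quoted = ['"%s"' % e for e in entries]
    rows = [", ".join(quoted[i:i + per_line]) for i in range(0, len(quoted), per_line)]
    return "static-file.exclude-extensions = ( " + ",\n    ".join(rows) + " )"


if __name__ == "__main__":
    # .inc is a second, assumed extension worth hiding on many PHP sites
    print(render_exclude([".php", ".inc"]))
```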

What is the "TCP: Treason uncloaked" message & what is the "tar-pit" attack

September 21, 2005

An as3u4 machine running Apache keeps hanging, and its log is full of lines like these:
TCP: Treason uncloaked! Peer 219.159.0.206:38027/80 shrinks window 46627817:46628657. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1544/80 shrinks window 1102445781:1102447629. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1545/80 shrinks window 1105180279:1105182127. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1544/80 shrinks window 1102445781:1102447629. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1545/80 shrinks window 1105180279:1105182127. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1544/80 shrinks window 1102445781:1102447629. Repaired.
TCP: Treason uncloaked! Peer 211.95.123.92:1545/80 shrinks window 1105180279:1105182127. Repaired.
TCP: Treason uncloaked! Peer 218.61.124.147:1471/80 shrinks window 2337291759:2337304798. Repaired.
TCP: Treason uncloaked! Peer 218.61.124.147:1471/80 shrinks window 2337291759:2337304798. Repaired.
TCP: Treason uncloaked! Peer 218.86.185.83:45888/80 shrinks window 4264527395:4264531535. Repaired.
TCP: Treason uncloaked! Peer 218.86.185.83:45888/80 shrinks window 4264527395:4264531535. Repaired.
TCP: Treason uncloaked! Peer 218.86.185.83:45888/80 shrinks window 4264527395:4264531535. Repaired.
TCP: Treason uncloaked! Peer 211.161.137.254:39411/80 shrinks window 2639411767:2639413227. Repaired.

Searching the web for this message, most sources say someone is probably running a program called tar-pit against the box, and that the end result of this attack is that your machine hangs. But nobody seems to mention a practical fix.
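As an added example (not from the post), a Python parser that tallies these kernel messages per remote peer over constructed sample lines, so the peers generating most of them can be picked out of a busy log; the sample uses documentation addresses, not the addresses above.

```python
# Added example (not part of the original post): tally "TCP: Treason uncloaked!"
# kernel messages per remote peer so the peers generating most of them stand out.
# SAMPLE_LOG is constructed for this example using documentation addresses.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>[\d.]+):(?P<port>\d+)/(?P<lport>\d+) "
    r"shrinks window (?P<lo>\d+):(?P<hi>\d+)\. Repaired\."
)

SAMPLE_LOG = """\
Sep 21 10:01:02 host kernel: TCP: Treason uncloaked! Peer 192.0.2.10:38027/80 shrinks window 46627817:46628657. Repaired.
Sep 21 10:01:03 host kernel: TCP: Treason uncloaked! Peer 198.51.100.7:1544/80 shrinks window 1102445781:1102447629. Repaired.
Sep 21 10:01:03 host kernel: TCP: Treason uncloaked! Peer 198.51.100.7:1545/80 shrinks window 1105180279:1105182127. Repaired.
Sep 21 10:01:04 host kernel: TCP: Treason uncloaked! Peer 198.51.100.7:1544/80 shrinks window 1102445781:1102447629. Repaired.
Sep 21 10:01:05 host kernel: unrelated message that the parser must skip
Sep 21 10:01:06 host kernel: TCP: Treason uncloaked! Peer 203.0.113.5:45888/80 shrinks window 4264527395:4264531535. Repaired.
"""


def parse_events(text):
    """Yield one event dict per matching line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            # "window" keeps the two raw numbers after "shrinks window"
            yield {"ip": m["ip"], "port": int(m["port"]), "lport": int(m["lport"]),
                   "window": (int(m["lo"]), int(m["hi"]))}


def summarize(text):
    """Return (message count per peer IP, set of peer source ports per IP)."""
    counts = Counter()
    ports = defaultdict(set)
    for ev in parse_events(text):
        counts[ev["ip"]] += 1
        ports[ev["ip"]].add(ev["port"])
    return counts, ports


def noisy_peers(text, threshold=3):
    """Peer IPs with at least `threshold` messages, busiest first."""
    counts, _ = summarize(text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts, ports = summarize(SAMPLE_LOG)
    for ip in noisy_peers(SAMPLE_LOG):
        print(ip, counts[ip], sorted(ports[ip]))
```

Feed it the real log (for example the output of dmesg or /var/log/messages) instead of SAMPLE_LOG and raise the threshold to suit the traffic volume.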


A host firewall with ipf on FreeBSD 4.x

September 13, 2005

Set in /etc/rc.conf:

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES" # optional
ipmon_flags="-Ds" # optional

bash-2.05b# cat /etc/ipf.rules
#######################################################
# No restrictions on Inside LAN Interface for private network
# Not needed unless you have LAN
#######################################################

#pass out quick on xl0 all
#pass in quick on xl0 all

#######################################################
# No restrictions on Loopback Interface
#######################################################
pass in quick on lo0 all
pass out quick on lo0 all

#######################################################
# Interface facing Public Internet (Outbound Section)
# Interrogate session start requests originating from behind the
# firewall on the private network
# or from this gateway server destine for the public Internet.
#######################################################

# Allow out access to my ISP's Domain name server.
# xxx must be the IP address of your ISP's DNS.
# Dup these lines if your ISP has more than one DNS server
# Get the IP addresses from /etc/resolv.conf file
pass out quick on xl0 proto tcp from any to xxx port = 53 flags S keep state
pass out quick on xl0 proto udp from any to xxx port = 53 keep state

# Allow out access to my ISP's DHCP server for cable or DSL networks.
# This rule is not needed for 'user ppp' type connection to the
# public Internet, so you can delete this whole group.
# Use the following rule and check log for IP address.
# Then put IP address in commented out rule & delete first rule
pass out log quick on xl0 proto udp from any to any port = 67 keep state
#pass out quick on xl0 proto udp from any to z.z.z.z port = 67 keep state

# Allow out non-secure standard www function
pass out quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow out secure www function https over TLS SSL
pass out quick on xl0 proto tcp from any to any port = 443 flags S keep state

# Allow out send & get email function
pass out quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass out quick on xl0 proto tcp from any to any port = 25 flags S keep state

# Allow out Time
pass out quick on xl0 proto tcp from any to any port = 37 flags S keep state

# Allow out nntp news
pass out quick on xl0 proto tcp from any to any port = 119 flags S keep state

# Allow out gateway & LAN users non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on xl0 proto tcp from any to any port = 21 flags S keep state

# Allow out secure FTP, Telnet, and SCP
# This function is using SSH (secure shell)
pass out quick on xl0 proto tcp from any to any port = 22 flags S keep state

# Allow out non-secure Telnet
pass out quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow out FBSD CVSUP function
pass out quick on xl0 proto tcp from any to any port = 5999 flags S keep state

# Allow out ping to public Internet
pass out quick on xl0 proto icmp from any to any icmp-type 8 keep state

# Allow out whois for LAN PC to public Internet
pass out quick on xl0 proto tcp from any to any port = 43 flags S keep state

# Block and log only the first occurrence of everything
# else that's trying to get out.
# This rule enforces the block all by default logic.
block out log first quick on xl0 all

#######################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destine for this gateway server or the private network.
#######################################################

# Block all inbound traffic from non-routable or reserved address spaces
block in quick on xl0 from 192.168.0.0/16 to any #RFC 1918 private IP
block in quick on xl0 from 172.16.0.0/12 to any #RFC 1918 private IP
block in quick on xl0 from 10.0.0.0/8 to any #RFC 1918 private IP
block in quick on xl0 from 127.0.0.0/8 to any #loopback
block in quick on xl0 from 0.0.0.0/8 to any #loopback
block in quick on xl0 from 169.254.0.0/16 to any #DHCP auto-config
block in quick on xl0 from 192.0.2.0/24 to any #reserved for docs
block in quick on xl0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on xl0 from 224.0.0.0/3 to any #Class D & E multicast

##### Block a bunch of different nasty things. ############
# That I do not want to see in the log

# Block frags
block in quick on xl0 all with frags

# Block short tcp packets
block in quick on xl0 proto tcp all with short

# block source routed packets
block in quick on xl0 all with opt lsrr
block in quick on xl0 all with opt ssrr

# Block nmap OS fingerprint attempts
# Log first occurrence of these so I can get their IP address
block in log first quick on xl0 proto tcp from any to any flags FUP

# Block anything with special options
block in quick on xl0 all with ipopts

# Block public pings
block in quick on xl0 proto icmp all icmp-type 8

# Block ident
block in quick on xl0 proto tcp from any to any port = 113

# Block all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
block in log first quick on xl0 proto tcp/udp from any to any port = 137
block in log first quick on xl0 proto tcp/udp from any to any port = 138
block in log first quick on xl0 proto tcp/udp from any to any port = 139
block in log first quick on xl0 proto tcp/udp from any to any port = 81

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type. Only necessary for
# cable or DSL configurations. This rule is not needed for
# 'user ppp' type connection to the public Internet.
# This is the same IP address you captured and
# used in the outbound section.
pass in quick on xl0 proto udp from z.z.z.z to any port = 68 keep state

# Allow in standard www function because I have apache server
pass in quick on xl0 proto tcp from any to any port = 80 flags S keep state

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID/PW passed over public Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
#pass in quick on xl0 proto tcp from any to any port = 23 flags S keep state

# Allow in secure FTP, Telnet, and SCP from public Internet
# This function is using SSH (secure shell)
pass in quick on xl0 proto tcp from any to any port = 22 flags S keep state

# Block and log only first occurrence of all remaining traffic
# coming into the firewall. The logging of only the first
# occurrence stops a "denial of service" attack targeted
# at filling up your log file space.
# This rule enforces the block all by default logic.
block in log first quick on xl0 all
################### End of rules file ###########################

This is a fairly complete sample ipf firewall rule set found online. For actual use you still have to make some small changes, such as the NIC device name and the firewall policy.


Even the iLO remote controller on hp585 servers has a remote-control vulnerability!

August 12, 2005

Date: 05-8-9
Document description: SSRT051005 rev.0 - HP ProLiant DL585 Servers Unauthorized Remote Access
Document code: HPSBMA01220


HP SECURITY BULLETIN

--------------------------------------------------------------------------------

HPSBMA01220     REVISION: 0

SSRT051005 rev.0 - HP ProLiant DL585 Servers Unauthorized Remote Access

--------------------------------------------------------------------------------
NOTICE:
There are no restrictions for distribution of this Security Bulletin provided that it remains complete and intact.

The information in this Security Bulletin should be acted upon as soon as possible.

INITIAL RELEASE:    09 August 2005

LAST UPDATED: 11 August 2005

POTENTIAL SECURITY IMPACT:    Unauthorized remote access

SOURCE:    Hewlett-Packard Company
HP Software Security Response Team

VULNERABILITY SUMMARY:
A potential vulnerability has been identified with the HP ProLiant DL585 server, where a remote unauthorized user may gain access to the server controls, when the server is powered down. 
REFERENCES:    None

SUPPORTED SOFTWARE VERSIONS*:  ONLY impacted versions are listed.
HP ProLiant DL585 Integrated Lights Out (ILO) firmware prior to version 1.81 
BACKGROUND:
For a PGP signed version of this Security Bulletin please write to security-alert@hp.com
RESOLUTION:
Until a new version of the Integrated Lights-Out firmware (version 1.81) for ProLiant DL585 servers is available, HP is providing the following workaround:

To eliminate this vulnerability until ILO version 1.81 becomes available, unplug the power cord whenever the server is powered down. This will prohibit the remote access exploit.

This Bulletin will be updated when version 1.81 of the Integrated Lights-Out (ILO) firmware becomes available.

BULLETIN REVISION HISTORY:
Initial release
    9 August 2005 

SUPPORT: For further information, contact normal HP Services support channel.

REPORT: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com. It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To obtain the security-alert PGP key please send an e-mail message to security-alert@hp.com with the Subject of 'get key' (no quotes).

SUBSCRIBE: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your IRTC security bulletins and patches
     – check ALL categories for which alerts are required and continue.
Under Step2: your IRTC operating systems
     – verify your operating system selections are checked and save.

To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page Subscriber's choice for Business: sign-in.
On the Web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number:
GN = HP General SW, MA = HP Management Agents, MI = Misc. 3rd party SW, MP = HP MPE/iX, NS = HP NonStop Servers, OV = HP OpenVMS, PI = HP Printing & Imaging, ST = HP Storage SW, TL = HP Trusted Linux, TU = HP Tru64 UNIX, UX = HP-UX, VV = HP Virtual Vault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."


My usual local firewall config for Linux (iptables)

June 20, 2005

On a RedHat machine:

cat /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [10276:1578052]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13784:16761487]
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth1 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -j DROP
# eth1 is the interface to the internet
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth1 -j DROP
# The three rate-limit rules below only accept up to 1 packet/sec of each kind;
# packets over the limit fall through to the chain policy (ACCEPT above), so
# a trailing DROP rule is needed for the limit to actually discard anything.
# anti SYN flood
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
# anti some port scans
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
# anti ping of death
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
COMMIT


chkconfig iptables on

After that iptables reads the config file (/etc/sysconfig/iptables) on every boot and starts automatically.

Or start it by hand with /etc/rc.d/init.d/iptables start

and stop it by hand with /etc/rc.d/init.d/iptables stop.
