Recently in security Category
As it happens, I had no idea there was any certificate that needed backing up, so right now I am crying...
There are some solutions online that appear to work, though they look rather involved, such as this article:
http://www.sjhf.net/Article/EnDecrypt/200608/166.html
The original write-up by the foreign expert is here: http://www.sjhf.net/Article/EnDecrypt/200608/166.html
I hope this helps relieve everyone's frustration. I have been busy lately and have had no time to deal with it; when I get a free moment I will also dig into this EFS encryption/decryption problem. Noting it down for now as a reminder!
tcpping is a shell script that needs tcptraceroute to run, so the real work is done by tcptraceroute.
Installation is straightforward: first install tcptraceroute, then create the tcpping script.
Note: tcptraceroute needs libpcap and libnet; building those is not covered here.
Assuming libpcap and libnet are already built:
1. Build tcptraceroute
./configure --prefix=/usr/local/tcptraceroute --with-libpcap=/usr/local/libpcap --with-libnet=/usr/local/libnet --enable-static
Once it is installed, put tcptraceroute somewhere on the PATH so that the tcpping script can find it.
2. Usage and syntax
./tcptraceroute
tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
Updates are available from http://michael.toren.net/code/tcptraceroute/
Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
[-l <packet length>] [-q <number of queries>] [-t <tos>]
[-m <max ttl>] [-pP] <source port>] [-s <source address>]
[-w <wait time>] <host> [destination port] [packet length]
#tcptraceroute www.google.com
Selected device eth0, address 212.106.15.83, port 40479 for outgoing packets
Tracing the path to www.google.com (64.233.189.99) on TCP port 80 (http), 30 hops max
...
5 219.158.4.82 44.330 ms 44.258 ms 44.032 ms
6 219.158.3.246 54.812 ms 54.760 ms 54.739 ms
7 219.158.3.130 60.441 ms 60.436 ms 60.365 ms
8 219.158.32.230 51.775 ms 49.505 ms 49.407 ms
9 64.233.175.207 60.484 ms 60.637 ms 77.707 ms
10 66.249.94.34 49.639 ms 61.653 ms 54.145 ms
11 hk-in-f99.google.com (64.233.189.99) [open] 50.267 ms 50.059 ms 50.111 ms
The difference from traceroute
#traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.189.104
traceroute to www-china.l.google.com (64.233.189.104), 30 hops max, 38 byte packets
...
5 219.158.4.38 (219.158.4.38) 42.247 ms 42.551 ms 42.519 ms
6 219.158.3.58 (219.158.3.58) 42.140 ms 42.107 ms 42.118 ms
7 219.158.3.130 (219.158.3.130) 47.976 ms 47.900 ms 48.013 ms
8 219.158.32.230 (219.158.32.230) 37.038 ms 36.947 ms 37.058 ms
9 64.233.175.207 (64.233.175.207) 48.005 ms 47.987 ms 48.022 ms
10 66.249.94.6 (66.249.94.6) 50.673 ms 66.249.94.34 (66.249.94.34) 46.763 ms 37.104 ms
11 hk-in-f104.google.com (64.233.189.104) 47.841 ms 47.878 ms 47.826 ms
Using tcpping:
./tcpping
tcpping v1.6 Richard van den Berg <richard@vdberg.org>
Usage: tcpping [-d] [-c] [-C] [-w sec] [-q num] [-x count] ipaddress [port]
-d print timestamp before every result
-c print a columned result line
-C print in the same format as fping's -C option
-w wait time in seconds (defaults to 3)
-r repeat every n seconds (defaults to 1)
-x repeat n times (defaults to unlimited)
See also: man tcptraceroute
http://michael.toren.net/code/tcptraceroute/
Running tcpping
#tcpping -c www.google.com
0 1217065416 50.126 hk-in-f99.google.com (64.233.189.99)
1 1217065417 50.170 hk-in-f99.google.com (64.233.189.99)
2 1217065418 48.035 hk-in-f104.google.com (64.233.189.104)
3 1217065419 47.858 hk-in-f104.google.com (64.233.189.104)
4 1217065420 50.024 hk-in-f99.google.com (64.233.189.99)
5 1217065421 49.756 hk-in-f147.google.com (64.233.189.147)
6 1217065422 50.155 hk-in-f99.google.com (64.233.189.99)
7 1217065423 49.688 hk-in-f147.google.com (64.233.189.147)
You can see several of Google's different IP addresses.
Running ping
#ping www.google.com
PING www-china.l.google.com (64.233.189.147) 56(84) bytes of data.
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=0 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=1 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=2 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=3 ttl=244 time=49.4 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=4 ttl=244 time=49.5 ms
Other usage details can be found in the program's option help:
# tcptraceroute --help
tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
Updates are available from http://michael.toren.net/code/tcptraceroute/
Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
[-l <packet length>] [-q <number of queries>] [-t <tos>]
[-m <max ttl>] [-pP] <source port>] [-s <source address>]
[-w <wait time>] <host> [destination port] [packet length]
-n
Display numeric output, rather than doing a reverse DNS lookup for each hop. By default, reverse lookups are never attempted on RFC1918
address space, regardless of the -n flag.
-N
Perform a reverse DNS lookup for each hop, including RFC1918 addresses.
-f
Set the initial TTL used in the first outgoing packet. The default is 1.
-m
Set the maximum TTL used in outgoing packets. The default is 30.
-p
Use the specified local TCP port in outgoing packets. The default is to obtain a free port from the kernel using bind(2). Unlike with traditional
traceroute(8), this number will not increase with each hop.
-s
Set the source address for outgoing packets. See also the -i flag.
-i
Use the specified interface for outgoing packets.
-q
Set the number of probes to be sent to each hop. The default is 3.
-w
Set the timeout, in seconds, to wait for a response for each probe. The default is 3.
-S
Set the TCP SYN flag in outgoing packets. This is the default, if neither -S or -A is specified.
-A
Set the TCP ACK flag in outgoing packets. By doing so, it is possible to trace through stateless firewalls which permit outgoing TCP connections.
-E
Send ECN SYN packets, as described in RFC2481.
-t
Set the IP TOS (type of service) to be used in outgoing packets. The default is not to set any TOS.
-F
Set the IP "don't fragment" bit in outgoing packets.
-l
Set the total packet length to be used in outgoing packets. If the length is greater than the minimum size required to assemble the necessary probe
packet headers, this value is automatically increased.
-d
Enable debugging, which may or may not be useful.
Below is the tcpping script:
tcpping
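The tcpping script itself is not reproduced on this page. As an added example (not Richard van den Berg's script and not part of the original post), here is a small Python sketch of the same idea: it parses tcptraceroute hop lines of the kind shown above (the `[open]` final hop, the bare-IP intermediate hop, and a `* * *` timeout) and prints them in the `tcpping -c` column format (sequence number, unix time, first RTT, target). The assumption that tcpping gets a single final-hop line by running tcptraceroute with first and maximum TTL both set to 255 and one query per hop is mine; the `probe_once` helper needs root and a tcptraceroute binary on the PATH, while the parsing and formatting functions run offline on the constructed lines.

```python
import re
import subprocess
import time
from dataclasses import dataclass
from typing import List, Optional

# One hop line of tcptraceroute output, e.g. (constructed from the lines above)
#   "11 hk-in-f99.google.com (64.233.189.99) [open] 50.267 ms 50.059 ms 50.111 ms"
#   "5 219.158.4.82 44.330 ms 44.258 ms 44.032 ms"
#   "3 * * *"   (no reply for that TTL)
HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\s+"          # TTL of the probe
    r"(?P<host>\S+)"                # reverse name, or the bare IP, or "*"
    r"(?:\s+\((?P<ip>[\d.]+)\))?"   # "(ip)" only when a reverse name was printed
    r"(?:\s+\[(?P<state>\w+)\])?"   # "[open]" / "[closed]" on the final hop
    r"(?P<rest>.*)$"
)
RTT_RE = re.compile(r"([\d.]+)\s*ms")


@dataclass
class Hop:
    ttl: int
    host: str
    ip: str
    state: Optional[str]   # "open", "closed" or None for intermediate hops
    rtts: List[float]      # one value per probe that answered


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one tcptraceroute hop line; None if the hop did not answer."""
    m = HOP_RE.match(line)
    if not m or m.group("host") == "*":
        return None
    host = m.group("host")
    ip = m.group("ip") or host          # numeric output (-n) prints only the IP
    rtts = [float(v) for v in RTT_RE.findall(m.group("rest"))]
    return Hop(int(m.group("ttl")), host, ip, m.group("state"), rtts)


def format_result(seq: int, epoch: int, hop: Optional[Hop]) -> str:
    """Render one tcpping -c style line: seq, unix time, first RTT, target."""
    if hop is None or not hop.rtts:
        return f"{seq} {epoch} - timeout"
    target = hop.ip if hop.host == hop.ip else f"{hop.host} ({hop.ip})"
    return f"{seq} {epoch} {hop.rtts[0]:.3f} {target}"


def probe_once(host: str, port: int = 80, wait: int = 3) -> Optional[Hop]:
    """Run one tcptraceroute probe that skips straight to the target.

    Assumption: first and maximum TTL are both 255 and one query is sent,
    so only the final hop is printed.  Needs root (raw sockets) and a
    tcptraceroute binary on the PATH.
    """
    out = subprocess.run(
        ["tcptraceroute", "-f", "255", "-m", "255", "-q", "1", "-w", str(wait),
         host, str(port)],
        capture_output=True, text=True, check=False,
    ).stdout
    lines = [ln for ln in out.splitlines() if ln.strip()]
    return parse_hop(lines[-1]) if lines else None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"
    for seq in range(5):
        print(format_result(seq, int(time.time()), probe_once(target)))
        time.sleep(1)
```

The reason a TCP-based ping is worth having at all is visible in the output above: the same name resolved to hk-in-f99, hk-in-f104 and hk-in-f147 across consecutive probes, and the `[open]` marker on the final hop tells you the service port answered with SYN/ACK, which an ICMP ping cannot tell you when ICMP is filtered but TCP port 80 is not.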
Today a friend asked me about the following problem: ssh on his colocated server had stopped working and he could no longer log in.
Symptoms: the ssh port could be reached with telnet, but remote login failed, while logging in from another server in the same subnet worked.
That was odd, so he asked me to take a look.
I hopped on via that other host and went through the following steps:
- iptables was fine: I looked over the rules with iptables -vnL and found nothing wrong; to be safe I stopped iptables altogether,
- checked the ssh service, looked at the sshd configuration, restarted the service: no luck.
- checked the system logs to see whether the box had been compromised, went through /var/log thoroughly, found nothing unusual.
Strange. Was I going to have to reinstall sshd?
- checked /etc/hosts.allow and /etc/hosts.deny, and there was the problem:
they contained settings like these:
[root@2hei.net ]# more /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:192.168.1.100:allow
vsftpd:192.168.1.100:allow
[root@2hei.net ]# more /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
vsftpd:ALL:deny
Either comment out the entries in /etc/hosts.deny, or add the permitted IP addresses to /etc/hosts.allow.
To summarise:
When iptables and the hosts files are used together, pay attention to the IP ranges.
Also, the hosts files do not close the ssh port: other people cannot log in, but a telnet to the ssh port still shows the service is up, so iptables is still necessary.
Dosevasive works with Apache 1.3.* and Apache 2 and later and can effectively prevent DoS attacks.
Download: http://mirror.trouble-free.net/dosevasive/
Installing and configuring Dosevasive is very simple.
Below is my configuration (httpd.conf):
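To make the "pay attention to the IP ranges" point concrete, here is an added example (my code, not part of the post and not libwrap itself) that evaluates a daemon/client pair the way tcp_wrappers does: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is allowed; a trailing `allow`/`deny` field, as in the files above, overrides the file the rule lives in. The file contents are constructed copies of the two files shown in the post, plus a fixed hosts.allow that uses the trailing-dot prefix form to admit the whole 192.168.1.0/24 network. Only the ALL, exact-address, net/mask and trailing-dot client patterns are supported; EXCEPT lists, hostnames and spawn/twist options are not.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed copies of the two files from the post (comments stripped).
HOSTS_ALLOW = """
sshd:192.168.1.100:allow
vsftpd:192.168.1.100:allow
"""
HOSTS_DENY = """
sshd:ALL:deny
vsftpd:ALL:deny
"""
# The fix: a client pattern ending in a dot matches every address with that prefix.
HOSTS_ALLOW_FIXED = """
sshd:192.168.1.:allow
"""

Rule = Tuple[List[str], List[str], Optional[str], str]   # daemons, clients, option, raw line


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option, line))
    return rules


def client_matches(pattern: str, ip: str) -> bool:
    """Client patterns: ALL, exact IP, 'net/mask' (dotted or prefix length), 'a.b.c.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def first_match(rules: List[Rule], daemon: str, ip: str) -> Optional[Rule]:
    """tcp_wrappers stops at the first rule whose daemon and client lists both match."""
    for rule in rules:
        daemons, clients, _, _ = rule
        if any(d in ("ALL", daemon) for d in daemons) and any(client_matches(c, ip) for c in clients):
            return rule
    return None


def access_allowed(daemon: str, ip: str,
                   allow_text: str = HOSTS_ALLOW,
                   deny_text: str = HOSTS_DENY) -> Tuple[bool, str]:
    """Evaluate in order: hosts.allow, then hosts.deny, then default allow.

    Returns (verdict, reason) so the matching rule can be shown when debugging
    a lock-out like the one in the post.
    """
    for fname, text, default in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        rule = first_match(parse_rules(text), daemon, ip)
        if rule is not None:
            option = rule[2]
            verdict = default if option not in ("allow", "deny") else option == "allow"
            return verdict, f"{fname}: {rule[3]}"
    return True, "no rule matched (tcp_wrappers default is allow)"


if __name__ == "__main__":
    for client in ("192.168.1.100", "192.168.1.50", "10.0.0.5"):
        print(client, access_allowed("sshd", client))
        print(client, "with fixed hosts.allow:", access_allowed("sshd", client, HOSTS_ALLOW_FIXED))
```

The model also explains the second point in the summary: libwrap only consults these files after sshd has accepted the TCP connection, so a port scan or telnet still sees the port open and the ban is only enforced by closing the connection afterwards. A packet filter such as iptables is what actually keeps the port unreachable.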
#add Apache DOS modules
#<IfModule mod_dosevasive20.c>
# DOSHashTableSize 3097
# DOSPageCount 3
# DOSSiteCount 50
# DOSPageInterval 1
# DOSSiteInterval 1
# DOSBlockingPeriod 10
# #DOSEmailNotify 2hei.net
# DOSWhitelist 127.0.0.1
# DOSLogDir "/tmp/mod_dosevasive"
#</IfModule>
Some of these parameters can be adjusted to suit your needs.
I found a few small DoS attack tools; look up the tool names on the net yourself, they will not be provided here! (Remember to turn off the firewall or antivirus first, otherwise the attack tool will not run properly!)
The following then shows up in /var/log/messages.
Explanation: I set the parameters fairly low. If the same IP requests the same URL more than 3 times within one second it is blocked, and more than 50 requests puts it on the blacklist, after which that IP is refused for 10 seconds.
Nov 22 11:04:56 localhost mod_dosevasive[5077]: Blacklisting address 192.168.1.110: possible DoS attack.
Nov 22 11:42:21 localhost mod_dosevasive[5555]: Blacklisting address 192.168.1.110: possible DoS attack
When the site is then opened in IE, the page shows a 403 error.
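To show what the DOSPageCount / DOSSiteCount / DOSBlockingPeriod values in the configuration above actually do, here is an added, simplified model of the per-client counters (my code, not mod_dosevasive's source and not part of the original post). It uses the values from the httpd.conf fragment and the thresholds as the explanation states them: a client exceeding DOSPageCount hits on one URI, or DOSSiteCount hits on any URIs, inside the matching interval is blacklisted for DOSBlockingPeriod seconds, further hits during the block get 403 and restart the period, and whitelisted addresses are never counted. The "window start" counting and the restart-on-hit behaviour are my approximations. One practical caveat: the configuration block as pasted above is entirely `#`-commented, so in an actual httpd.conf those lines must be uncommented and the module loaded before any of this takes effect.

```python
from typing import Dict, List, Tuple

# The values from the httpd.conf fragment in the post.
CONFIG = {
    "DOSPageCount": 3,        # hits on the same URI from one client ...
    "DOSPageInterval": 1,     # ... within this many seconds
    "DOSSiteCount": 50,       # hits on any URI from one client ...
    "DOSSiteInterval": 1,     # ... within this many seconds
    "DOSBlockingPeriod": 10,  # seconds of 403 after the client is blacklisted
    "DOSWhitelist": {"127.0.0.1"},
}


class EvasiveModel:
    """Simplified model of mod_dosevasive's per-client counters (an assumption, not the module's code)."""

    def __init__(self, cfg: Dict):
        self.cfg = cfg
        self.page: Dict[Tuple[str, str], Tuple[int, float]] = {}   # (ip, uri) -> (count, window start)
        self.site: Dict[str, Tuple[int, float]] = {}               # ip -> (count, window start)
        self.blocked_until: Dict[str, float] = {}
        self.log: List[str] = []                                   # what would go to syslog

    @staticmethod
    def _hit(table: Dict, key, now: float, interval: float) -> int:
        count, start = table.get(key, (0, now))
        if now - start < interval:
            count += 1
        else:
            count, start = 1, now   # interval elapsed: start a fresh window
        table[key] = (count, start)
        return count

    def request(self, ip: str, uri: str, now: float) -> int:
        """Return the HTTP status the module would impose for this request."""
        cfg = self.cfg
        if ip in cfg["DOSWhitelist"]:
            return 200
        if now < self.blocked_until.get(ip, 0.0):
            # still blacklisted; every further hit restarts the blocking period
            self.blocked_until[ip] = now + cfg["DOSBlockingPeriod"]
            return 403
        page_n = self._hit(self.page, (ip, uri), now, cfg["DOSPageInterval"])
        site_n = self._hit(self.site, ip, now, cfg["DOSSiteInterval"])
        if page_n > cfg["DOSPageCount"] or site_n > cfg["DOSSiteCount"]:
            self.blocked_until[ip] = now + cfg["DOSBlockingPeriod"]
            self.log.append(f"mod_dosevasive: Blacklisting address {ip}: possible DoS attack.")
            return 403
        return 200


def page_flood_demo() -> Tuple[List[int], List[str]]:
    """Five hits on the same URI inside one second, then one hit after the block has expired."""
    ev = EvasiveModel(CONFIG)
    times = [100.0, 100.1, 100.2, 100.3, 100.4, 115.0]   # constructed request timestamps
    statuses = [ev.request("192.168.1.110", "/", t) for t in times]
    return statuses, ev.log


def site_flood_demo() -> List[int]:
    """51 hits on 51 different URIs inside half a second: the page counter never trips, the site counter does."""
    ev = EvasiveModel(CONFIG)
    return [ev.request("192.168.1.110", f"/page{i}", 200.0 + i * 0.01) for i in range(51)]


if __name__ == "__main__":
    statuses, log = page_flood_demo()
    print("page flood:", statuses)      # [200, 200, 200, 403, 403, 200]
    print("\n".join(log))
    print("site flood: first 403 at request", site_flood_demo().index(403))
```

With DOSPageCount this low, any page that pulls several sub-resources from the same URI, or a user double-clicking a link, can trip the block, which is why the post calls these values "rather low"; the model makes it cheap to try other values before touching the live server.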