Archive

Archive for the 'security' category

NTFS files encrypted with EFS on a Windows XP system

May 2, 2009    Comments closed

I reinstalled XP and found that some folders were shown in green and their files could not be opened by double-clicking; it said I had no permission. Looking into it, it turned out they had been encrypted with EFS. After some googling it seems there is some certificate backup issue; otherwise, heh, you can just lie there and cry!
As it happens I had no idea there was any certificate that needed backing up, so I am crying right now...

There are some solutions online that seem workable, though they look a bit complicated, such as this article:
http://www.sjhf.net/Article/EnDecrypt/200608/166.html

There is also the original foreign expert here: http://www.sjhf.net/Article/EnDecrypt/200608/166.html
Hopefully this can solve everyone's troubles. I have been rather busy lately and have no time to deal with it; when I free up some time I will look into this EFS encryption and decryption issue too. Noting it down here for now as a reminder!

Category: security

Using tcpping and tcptraceroute

July 26, 2008    1 comment

tcpping uses TCP to probe network conditions, unlike the everyday ping, which uses ICMP.

tcpping is a shell script that needs tcptraceroute to run, so the real work is done by tcptraceroute.

Installation is fairly simple overall: first install tcptraceroute, then create the tcpping script.
Note: tcptraceroute requires libpcap and libnet, which are not covered here.

Assuming libpcap and libnet are already built:
1. Build tcptraceroute
./configure --prefix=/usr/local/tcptraceroute --with-libpcap=/usr/local/libpcap --with-libnet=/usr/local/libnet --enable-static

After installation, put tcptraceroute on the PATH so that the tcpping script can find it.

2. Usage and syntax
./tcptraceroute

tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
Updates are available from http://michael.toren.net/code/tcptraceroute/

Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
       [-l <packet length>] [-q <number of queries>] [-t <tos>]
       [-m <max ttl>] [-pP] <source port>] [-s <source address>]
       [-w <wait time>] <host> [destination port] [packet length]

#tcptraceroute www.google.com
Selected device eth0, address 212.106.15.83, port 40479 for outgoing packets
Tracing the path to www.google.com (64.233.189.99) on TCP port 80 (http), 30 hops max

 5  219.158.4.82  44.330 ms  44.258 ms  44.032 ms
 6  219.158.3.246  54.812 ms  54.760 ms  54.739 ms
 7  219.158.3.130  60.441 ms  60.436 ms  60.365 ms
 8  219.158.32.230  51.775 ms  49.505 ms  49.407 ms
 9  64.233.175.207  60.484 ms  60.637 ms  77.707 ms
10  66.249.94.34  49.639 ms  61.653 ms  54.145 ms
11  hk-in-f99.google.com (64.233.189.99) [open]  50.267 ms  50.059 ms  50.111 ms
 
Difference from traceroute
#traceroute www.google.com
traceroute: Warning: www.google.com has multiple addresses; using 64.233.189.104
traceroute to www-china.l.google.com (64.233.189.104), 30 hops max, 38 byte packets

 5  219.158.4.38 (219.158.4.38)  42.247 ms  42.551 ms  42.519 ms
 6  219.158.3.58 (219.158.3.58)  42.140 ms  42.107 ms  42.118 ms
 7  219.158.3.130 (219.158.3.130)  47.976 ms  47.900 ms  48.013 ms
 8  219.158.32.230 (219.158.32.230)  37.038 ms  36.947 ms  37.058 ms
 9  64.233.175.207 (64.233.175.207)  48.005 ms  47.987 ms  48.022 ms
10  66.249.94.6 (66.249.94.6)  50.673 ms 66.249.94.34 (66.249.94.34)  46.763 ms  37.104 ms
11  hk-in-f104.google.com (64.233.189.104)  47.841 ms  47.878 ms  47.826 ms

Using tcpping:
./tcpping
tcpping v1.6 Richard van den Berg <richard@vdberg.org>

Usage: tcpping [-d] [-c] [-C] [-w sec] [-q num] [-x count] ipaddress [port]

        -d   print timestamp before every result
        -c   print a columned result line
        -C   print in the same format as fping's -C option
        -w   wait time in seconds (defaults to 3)
        -r   repeat every n seconds (defaults to 1)
        -x   repeat n times (defaults to unlimited)

See also: man tcptraceroute
 http://michael.toren.net/code/tcptraceroute/

Running tcpping
#tcpping -c  www.google.com
0 1217065416 50.126 hk-in-f99.google.com (64.233.189.99)
1 1217065417 50.170 hk-in-f99.google.com (64.233.189.99)
2 1217065418 48.035 hk-in-f104.google.com (64.233.189.104)
3 1217065419 47.858 hk-in-f104.google.com (64.233.189.104)
4 1217065420 50.024 hk-in-f99.google.com (64.233.189.99)
5 1217065421 49.756 hk-in-f147.google.com (64.233.189.147)
6 1217065422 50.155 hk-in-f99.google.com (64.233.189.99)
7 1217065423 49.688 hk-in-f147.google.com (64.233.189.147)
You can see several different IPs for Google.
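To turn that `tcpping -c` output into something you can compare with ping, here is an added example (not part of the original post or of the tcpping script) that parses the columned format shown above and summarizes answers per destination IP; the sample lines are copied from the output above and the column layout is assumed from it.

```python
import re
from collections import defaultdict

# Constructed sample in the `tcpping -c` format shown above:
# <seq> <unix timestamp> <rtt ms> <hostname> (<ip>)
SAMPLE = """\
0 1217065416 50.126 hk-in-f99.google.com (64.233.189.99)
1 1217065417 50.170 hk-in-f99.google.com (64.233.189.99)
2 1217065418 48.035 hk-in-f104.google.com (64.233.189.104)
3 1217065419 47.858 hk-in-f104.google.com (64.233.189.104)
4 1217065420 50.024 hk-in-f99.google.com (64.233.189.99)
5 1217065421 49.756 hk-in-f147.google.com (64.233.189.147)
6 1217065422 50.155 hk-in-f99.google.com (64.233.189.99)
7 1217065423 49.688 hk-in-f147.google.com (64.233.189.147)
"""

LINE_RE = re.compile(r"^(?P<seq>\d+)\s+(?P<ts>\d+)\s+(?P<rtt>\d+(?:\.\d+)?)\s+"
                     r"(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s*$")

def parse_tcpping(text):
    """Parse `tcpping -c` lines; returns (probes, number of lines that did not match)."""
    probes, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # timeouts or noise: counted, not guessed at
            continue
        probes.append({"seq": int(m["seq"]), "ts": int(m["ts"]),
                       "rtt": float(m["rtt"]), "host": m["host"], "ip": m["ip"]})
    return probes, unparsed

def summarize(probes):
    """Per answering IP: probes answered and min/avg/max RTT in ms.
    Several IPs for one hostname means the TCP probes hit round-robin DNS."""
    by_ip = defaultdict(list)
    for p in probes:
        by_ip[p["ip"]].append(p["rtt"])
    return {ip: {"count": len(r), "min": min(r), "max": max(r), "avg": sum(r) / len(r)}
            for ip, r in by_ip.items()}

def missing_seqs(probes):
    """Sequence numbers absent from the output, i.e. probes with no parsed answer."""
    seen = {p["seq"] for p in probes}
    return [] if not seen else [s for s in range(min(seen), max(seen) + 1) if s not in seen]

if __name__ == "__main__":
    probes, bad = parse_tcpping(SAMPLE)
    print(summarize(probes), "unparsed:", bad, "missing:", missing_seqs(probes))
```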

Running ping
#ping www.google.com
PING www-china.l.google.com (64.233.189.147) 56(84) bytes of data.
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=0 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=1 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=2 ttl=244 time=49.5 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=3 ttl=244 time=49.4 ms
64 bytes from hk-in-f147.google.com (64.233.189.147): icmp_seq=4 ttl=244 time=49.5 ms

The remaining options are described in the program's help output:

# tcptraceroute --help

tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
Updates are available from http://michael.toren.net/code/tcptraceroute/

Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
       [-l <packet length>] [-q <number of queries>] [-t <tos>]
       [-m <max ttl>] [-pP] <source port>] [-s <source address>]
       [-w <wait time>] <host> [destination port] [packet length]
-n
    Display numeric output, rather than doing a reverse DNS lookup for each hop. By default, reverse lookups are never attempted on RFC1918 address space, regardless of the -n flag.
-N
    Perform a reverse DNS lookup for each hop, including RFC1918 addresses.
-f
    Set the initial TTL used in the first outgoing packet. The default is 1.
-m
    Set the maximum TTL used in outgoing packets. The default is 30.
-p
    Use the specified local TCP port in outgoing packets. The default is to obtain a free port from the kernel using bind(2). Unlike with traditional traceroute(8), this number will not increase with each hop.
-s
    Set the source address for outgoing packets. See also the -i flag.
-i
    Use the specified interface for outgoing packets.
-q
    Set the number of probes to be sent to each hop. The default is 3.
-w
    Set the timeout, in seconds, to wait for a response for each probe. The default is 3.
-S
    Set the TCP SYN flag in outgoing packets. This is the default, if neither -S or -A is specified.
-A
    Set the TCP ACK flag in outgoing packets. By doing so, it is possible to trace through stateless firewalls which permit outgoing TCP connections.
-E
    Send ECN SYN packets, as described in RFC2481.
-t
    Set the IP TOS (type of service) to be used in outgoing packets. The default is not to set any TOS.
-F
    Set the IP "don't fragment" bit in outgoing packets.
-l
    Set the total packet length to be used in outgoing packets. If the length is greater than the minimum size required to assemble the necessary probe packet headers, this value is automatically increased.
-d
    Enable debugging, which may or may not be useful.

Below is the tcpping script:
tcpping

Categories: OpenSource, security

Unable to log in over ssh

January 25, 2008    Comments closed

Today a friend came to me with a problem: ssh on his colocated server had stopped working and he could not log in.

The symptoms: the ssh port could be reached with telnet, but remote login was impossible; from another server on the same subnet, login worked.

Rather odd, so he asked me to take a look.

I logged in via that other box and went through the following steps:

  • iptables was fine; I looked at the rules with iptables -vnL and saw nothing wrong, and to be safe I stopped iptables.
  • Checked the ssh service, looked at the sshd configuration and restarted the service, to no avail.
  • Checked the system logs to see whether someone had broken in; went through /var/log thoroughly and found nothing unusual.

Strange. Would I have to reinstall sshd?

  • Checked /etc/hosts.allow and /etc/hosts.deny, and there was the problem.

They contained settings like these:

[root@2hei.net ]# more /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
sshd:192.168.1.100:allow
vsftpd:192.168.1.100:allow

[root@2hei.net ]# more /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
sshd:ALL:deny
vsftpd:ALL:deny

 

Comment out the entry in /etc/hosts.deny, or add the IP that should be permitted to /etc/hosts.allow.

To summarize:

When iptables and the hosts.allow/hosts.deny files are used together, pay attention to the IP ranges.

Also, the hosts files do not close the ssh port itself: other people cannot log in, but telnetting to the ssh port still shows that the service is up, so iptables is still necessary.
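To check a rule set like the one above before locking yourself out, here is an added example (not part of the original post, and not tcpd's code) that evaluates a daemon/client pair the way hosts_access(5) describes: hosts.allow first, first match wins, then hosts.deny, default permit, with an explicit allow/deny option overriding the file's default. The two rule texts are copied from the files shown above; only ALL, exact addresses, trailing-dot prefixes and netmask patterns are modelled.

```python
import ipaddress

# Constructed copies of the rules from the two files above (comments dropped).
HOSTS_ALLOW = """\
sshd:192.168.1.100:allow
vsftpd:192.168.1.100:allow
"""
HOSTS_DENY = """\
sshd:ALL:deny
vsftpd:ALL:deny
"""

def _client_matches(pattern, client_ip):
    """Subset of hosts_access(5) client patterns: ALL, an exact address,
    a trailing-dot prefix such as 192.168.1. and n.n.n.n/m.m.m.m netmasks.
    EXCEPT lists, hostnames and KNOWN/UNKNOWN/PARANOID are not modelled."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip

def _first_match(rules, daemon, client_ip):
    """First matching 'daemon_list : client_list [: option]' line. Returns the
    option ('allow'/'deny'), None if matched without one, or False if no match."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_client_matches(c, client_ip) for c in clients):
            return fields[2].lower() if len(fields) > 2 else None
    return False

def hosts_access(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: hosts.allow is searched first and a match grants access, then
    hosts.deny and a match denies, otherwise access is granted. An explicit
    allow/deny option on a rule overrides the default action of its file."""
    opt = _first_match(allow, daemon, client_ip)
    if opt is not False:
        return opt != "deny"
    opt = _first_match(deny, daemon, client_ip)
    if opt is not False:
        return opt == "allow"
    return True
```

As the post notes, this decision is taken only after the TCP connection is accepted, so a port scan still sees sshd listening; only a packet filter hides the port.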

 

Using dosevasive with Apache 2 to defend against DoS attacks

November 27, 2007    Comments closed

Dosevasive works with Apache 1.3.* and Apache 2 and later, and can effectively defend against DoS attacks.

Download: http://mirror.trouble-free.net/dosevasive/

Installing and configuring dosevasive is very simple.

Below is my configuration (httpd.conf):

#add Apache DOS modules
<IfModule mod_dosevasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        3
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
    #DOSEmailNotify 2hei.net
    DOSWhitelist 127.0.0.1
    DOSLogDir  "/tmp/mod_dosevasive"
</IfModule>

Some of these parameters can be adjusted to suit your needs.

I found a few small DoS attack tools; search the web for the names yourself, I won't provide them here! (Remember to turn off your firewall or antivirus first, otherwise the attack tools won't run properly!)

The following appears in /var/log/messages.

Explanation: I set the parameters quite low: if the same IP requests the same URL more than 3 times within one second it is blocked, and beyond 50 requests it is blacklisted; that IP is then denied access for 10 seconds.

Nov 22 11:04:56 localhost mod_dosevasive[5077]: Blacklisting address 192.168.1.110: possible DoS attack.
Nov 22 11:42:21 localhost mod_dosevasive[5555]: Blacklisting address 192.168.1.110: possible DoS attack

Accessing the site through IE, the page shows a 403 error.

Categories: OpenSource, security
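To see how the DOSPageCount/DOSSiteCount/DOSPageInterval/DOSBlockingPeriod values above interact, here is an added example (not the module's code) that models mod_dosevasive's access checker: one hash table keyed per IP+URI, per IP for the whole site, and per IP for the blocking "hold" list, with the counter reset once the interval has elapsed. The numbers are taken from the httpd.conf above; the simulated request timestamps are constructed.

```python
# Values from the httpd.conf shown above.
CONFIG = {"DOSPageCount": 3, "DOSSiteCount": 50, "DOSPageInterval": 1,
          "DOSSiteInterval": 1, "DOSBlockingPeriod": 10, "DOSWhitelist": {"127.0.0.1"}}

class EvasiveModel:
    """Simplified model of mod_dosevasive's access checker (not the module's code):
    entries 'ip_uri' and 'ip_SITE' count hits, a plain 'ip' entry is the hold list."""
    def __init__(self, cfg=CONFIG):
        self.cfg, self.table, self.log = cfg, {}, []

    def _bump(self, key, t, interval, limit):
        """Update a counter entry; return True when it is already at its limit
        within the interval (the module's count>=limit test before incrementing)."""
        entry = self.table.get(key)
        if entry is None:
            self.table[key] = {"ts": t, "count": 0}
            return False
        over = (t - entry["ts"] < interval) and entry["count"] >= limit
        if t - entry["ts"] >= interval:
            entry["count"] = 0          # interval elapsed: start counting afresh
        entry["ts"] = t
        entry["count"] += 1
        return over

    def request(self, ip, uri, t):
        """Return the status the module would impose on this request: 200 or 403."""
        c = self.cfg
        if ip in c["DOSWhitelist"]:
            return 200
        hold = self.table.get(ip)
        if hold and t - hold["ts"] < c["DOSBlockingPeriod"]:
            hold["ts"] = t              # hitting while blocked extends the block
            return 403
        blocked = self._bump(f"{ip}_{uri}", t, c["DOSPageInterval"], c["DOSPageCount"])
        blocked |= self._bump(f"{ip}_SITE", t, c["DOSSiteInterval"], c["DOSSiteCount"])
        if blocked:
            if hold is None or t - hold["ts"] >= c["DOSBlockingPeriod"]:
                self.log.append(f"mod_dosevasive: Blacklisting address {ip}: possible DoS attack.")
            self.table[ip] = {"ts": t, "count": 0}   # put the IP on hold
            return 403
        return 200

if __name__ == "__main__":
    m = EvasiveModel()
    print([m.request("192.168.1.110", "/index.html", 100) for _ in range(5)], m.log)
```

With these values the fifth hit on one URL within a second is the first to get a 403, and any further request from that IP inside the 10 second hold (on any URL) keeps extending it.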