Document information
www.it-ebooks.info
NETWORK SECURITY HACKS™
Other computer security resources from O’Reilly
Related titles:
Wireless Hacks
BSD Hacks
Knoppix Hacks
Ubuntu Hacks
Linux Desktop Hacks
Linux Server Hacks
Linux Server Hacks, Volume 2
Linux Multimedia Hacks
Windows XP Hacks
Windows Server Hacks
Hacks Series Home: hacks.oreilly.com is a community site for developers and power users of all stripes. Readers learn from each other as they share their favorite tips and tools for Mac OS X, Linux, Google, Windows XP, and more.
Security Books Resource Center: security.oreilly.com is a complete catalog of O’Reilly’s books on security and related technologies, including sample chapters and code examples.
oreillynet.com is the essential portal for developers interested in open and emerging technologies, including new platforms, programming languages, and operating systems.
Conferences: O’Reilly brings diverse innovators together to nurture the ideas that spark revolutionary industries. We specialize in documenting the latest tools and systems, translating the innovator’s knowledge into useful skills for those in the trenches. Visit conferences.oreilly.com for our upcoming events.
Safari Bookshelf (safari.oreilly.com) is the premier online reference library for programmers and IT professionals. Conduct searches across more than 1,000 books. Subscribers can zero in on answers to time-critical questions in a matter of seconds. Read the books on your Bookshelf from cover to cover or simply flip to the page you need. Try it today for free.
NETWORK SECURITY HACKS™
SECOND EDITION
Andrew Lockhart
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Network Security Hacks™, Second Edition
by Andrew Lockhart
Copyright © 2007, 2004 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North,
Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online
editions are also available for most titles (safari.oreilly.com). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Brian Sawyer
Production Editor: Philip Dangler
Copyeditor: Rachel Wheeler
Indexer: Ellen Troutman-Zaig
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrators: Robert Romano and Jessamyn Read
Printing History:
April 2004: First Edition.
November 2006: Second Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks
of O’Reilly Media, Inc. The Hacks series designations, Network Security Hacks, the image of barbed
wire, and related trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was
aware of a trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and author
assume no responsibility for errors or omissions, or for damages resulting from the use of the
information contained herein.
Small print: The technologies discussed in this publication, the limitations on these technologies
that technology and content owners seek to impose, and the laws actually limiting the use of these
technologies are constantly changing. Thus, some of the hacks described in this publication may
not work, may cause unintended harm to systems on which they are used, or may not be consistent
with applicable user agreements. Your use of these hacks is at your own risk, and O’Reilly Media,
Inc. disclaims responsibility for any damage or expense resulting from their use. In any event, you
should take care that your use of these hacks does not violate any applicable laws, including
copyright laws.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN 10: 0-596-52763-2
ISBN 13: 978-0-596-52763-1
[C]
Contents
Credits
Preface
Chapter 1. Unix Host Security
1. Secure Mount Points
2. Scan for SUID and SGID Programs
3. Scan for World- and Group-Writable Directories
4. Create Flexible Permissions Hierarchies with POSIX ACLs
5. Protect Your Logs from Tampering
6. Delegate Administrative Roles
7. Automate Cryptographic Signature Verification
8. Check for Listening Services
9. Prevent Services from Binding to an Interface
10. Restrict Services with Sandboxed Environments
11. Use proftpd with a MySQL Authentication Source
12. Prevent Stack-Smashing Attacks
13. Lock Down Your Kernel with grsecurity
14. Restrict Applications with grsecurity
15. Restrict System Calls with systrace
16. Create systrace Policies Automatically
17. Control Login Access with PAM
18. Restrict Users to SCP and SFTP
19. Use Single-Use Passwords for Authentication
20. Restrict Shell Environments
21. Enforce User and Group Resource Limits
22. Automate System Updates
Chapter 2. Windows Host Security
23. Check Servers for Applied Patches
24. Use Group Policy to Configure Automatic Updates
25. List Open Files and Their Owning Processes
26. List Running Services and Open Ports
27. Enable Auditing
28. Enumerate Automatically Executed Programs
29. Secure Your Event Logs
30. Change Your Maximum Log File Sizes
31. Back Up and Clear the Event Logs
32. Disable Default Shares
33. Encrypt Your Temp Folder
34. Back Up EFS
35. Clear the Paging File at Shutdown
36. Check for Passwords That Never Expire
Chapter 3. Privacy and Anonymity
37. Evade Traffic Analysis
38. Tunnel SSH Through Tor
39. Encrypt Your Files Seamlessly
40. Guard Against Phishing
41. Use the Web with Fewer Passwords
42. Encrypt Your Email with Thunderbird
43. Encrypt Your Email in Mac OS X
Chapter 4. Firewalling
44. Firewall with Netfilter
45. Firewall with OpenBSD’s PacketFilter
46. Protect Your Computer with the Windows Firewall
47. Close Down Open Ports and Block Protocols
48. Replace the Windows Firewall
49. Create an Authenticated Gateway
50. Keep Your Network Self-Contained
51. Test Your Firewall
52. MAC Filter with Netfilter
53. Block Tor
Chapter 5. Encrypting and Securing Services
54. Encrypt IMAP and POP with SSL
55. Use TLS-Enabled SMTP with Sendmail
56. Use TLS-Enabled SMTP with Qmail
57. Install Apache with SSL and suEXEC
58. Secure BIND
59. Set Up a Minimal and Secure DNS Server
60. Secure MySQL
61. Share Files Securely in Unix
Chapter 6. Network Security
62. Detect ARP Spoofing
63. Create a Static ARP Table
64. Protect Against SSH Brute-Force Attacks
65. Fool Remote Operating System Detection Software
66. Keep an Inventory of Your Network
67. Scan Your Network for Vulnerabilities
68. Keep Server Clocks Synchronized
69. Create Your Own Certificate Authority
70. Distribute Your CA to Clients
71. Back Up and Restore a Certificate Authority with Certificate Services
72. Detect Ethernet Sniffers Remotely
73. Help Track Attackers
74. Scan for Viruses on Your Unix Servers
75. Track Vulnerabilities
Chapter 7. Wireless Security
76. Turn Your Commodity Wireless Routers into a Sophisticated Security Platform
77. Use Fine-Grained Authentication for Your Wireless Network
78. Deploy a Captive Portal
Chapter 8. Logging
79. Run a Central Syslog Server
80. Steer Syslog
81. Integrate Windows into Your Syslog Infrastructure
82. Summarize Your Logs Automatically
83. Monitor Your Logs Automatically
84. Aggregate Logs from Remote Sites
85. Log User Activity with Process Accounting
86. Centrally Monitor the Security Posture of Your Servers
Chapter 9. Monitoring and Trending
87. Monitor Availability
88. Graph Trends
89. Get Real-Time Network Stats
90. Collect Statistics with Firewall Rules
91. Sniff the Ether Remotely
Chapter 10. Secure Tunnels
92. Set Up IPsec Under Linux
93. Set Up IPsec Under FreeBSD
94. Set Up IPsec in OpenBSD
95. Encrypt Traffic Automatically with Openswan
96. Forward and Encrypt Traffic with SSH
97. Automate Logins with SSH Client Keys
98. Use a Squid Proxy over SSH
99. Use SSH As a SOCKS Proxy
100. Encrypt and Tunnel Traffic with SSL
101. Tunnel Connections Inside HTTP
102. Tunnel with VTun and SSH
103. Generate VTun Configurations Automatically
104. Create a Cross-Platform VPN
105. Tunnel PPP
[...]... Network Security Hacks? This second edition of Network Security Hacks is a grimoire of 125 powerful security techniques. This volume demonstrates effective methods for defending your servers and networks from a variety of devious and subtle attacks. Within this book are examples of how to detect the presence (and track every keystroke) of network intruders, methods for protecting your network and data...
done security consulting for small businesses in the area. When he’s not writing books, he’s a senior security analyst with Network Chemistry, a leading provider of wireless security solutions. Andrew is also a member of the Wireless Vulnerabilities and Exploits project’s (http://www.wirelessve.org) editorial board and regularly contributes to their wireless security column at NetworkWorld (http://www.networkworld.com/topics/wireless-security.html)...
home network landscape and continue to gain traction in enterprise networks. However, warding off unauthorized users and attackers poses a greater challenge in a wireless network. While this chapter includes only a handful of hacks, what can be learned from them is invaluable. Whether you want to share your network with others (but still maintain a semblance of security) or lock down your wireless network...
Secure Software and a security authority who has been programming for nearly two decades. In addition to coauthoring the O’Reilly books Secure Programming Cookbook for C and C++ and Network Security with OpenSSL, Matt coauthored the Safe C String Library (SafeStr), XXL, RATS, and EGADS.
• Ivan Ristic (http://www.modsecurity.org) is a web security specialist and the author of mod_security, an open source...
(http://www.securesoftware.com) is Director of Security Services at Secure Software. He consults in the fields of secure development and wireless security and is a coauthor of O’Reilly’s 802.11 Security book. The results of his more recent investigations into Bluetooth security can be found at http://bluetooth.shmoo.com.
• Rob Flickenger (http://nocat.net) is a writer and editor for O’Reilly’s Hacks series. He currently spends...
their continued encouragement.
Preface
Nowhere is the term hacker more misconstrued than in the network security field. This is understandable because the very same tools that network security professionals use to probe the robustness of their own networks also can be used to launch attacks on any machine on the Internet. The difference between system administrators legitimately...
http://hacks.oreilly.com
Chapter 1. Unix Host Security
Hacks 1–22
Networking is all about connecting computers together, so it follows that a computer network is no more secure than the machines that it connects. A single insecure host can make lots of trouble for your entire network, because it can act as a tool for reconnaissance or a strong base of attack if...
and other advanced security measures are useless if your servers offer easily compromised services. Before delving into the network part of network security, you should first make sure that the machines you are responsible for are as secure as possible. This chapter offers many methods for reducing the risks involved in offering services on a Unix-based system. Even though each of these hacks can stand on...
aspect of server security. It’s also vital that traffic between the service and the clients connecting to it remain confidential in order to protect data and users’ authentication credentials. This chapter shows how to do that for several popular services, such as SMTP, IMAP, POP3, Apache, and MySQL.
Chapter 6, Network Security
Regardless of the operating system your servers use, if your network is connected...
communications. Networking protocols can be subverted in a number of powerful and surprising ways, leading to attacks that can range from simple denial of service to unauthorized access with full privileges. This chapter demonstrates some tools and techniques used to attack servers using the network itself, as well as methods for preventing these attacks.
Chapter 7, Wireless Security
Wireless networks have...
Date posted: 20/02/2014, 02:20