Personal Server Security Program
http://nightcat.3322.org
Written by nightcat, 2004/2/16
Preface:
This article is a summary of my own experience building and managing a server, and I hope it helps friends who also want to build one. Server security is a big topic that cannot be covered in a short article, and I do not have that ability anyway; I only want to give you a security concept. If you want more detail, search for other articles, or refer to the reference websites I list at the end of this article. My contact information: liwenfei@163.net.
Catalog:
1. Basic situation
2. Installing the system
3. Deleting unnecessary services
4. Compiling or upgrading the kernel
5. Building a firewall script: iptables
6. Remote login && another firewall: SSH, TCP_Wrapper, hosts.allow, hosts.deny
7. Monitoring && scanning: MRTG, Snort, PortSentry, Logsentry, NESSUS
8. Verifying files: md5sum, PGP && GPG, Tripwire
Main text:
1. Basic situation: Before installing Linux it is important to know your hardware. Here is my server's configuration; check yours the same way:
   Monitor: 17-inch IBM, type IBM 6547, horizontal refresh rate 30-69 kHz, vertical refresh rate 50-120 Hz
   Graphics: NVIDIA GeForce2 MX (generic)
   Memory: DIMM HY256
   CPU: Intel PIII 1.0G
   Hard drive: Cool fish 6.4G
   Motherboard: Intel
   Sound card: Intel 82801IBA/BAM AC'97 Audio
   NIC: Realtek RTL-8029
With these configuration details you are well prepared for the work that follows.
Network situation:
   a. A single network card.
   b. Two network cards sharing one Internet connection, implemented with IP masquerading.
   c. Dial-up with rp-pppoe.
2. Installing the system. In my experience Linux most often means Red Hat, especially Red Hat 8.0, which is what I usually install; the reason is stability. Installing it is fairly simple; if you have never installed it, read some other articles first, I will not teach installation here. On the subject of installation: partitioning matters. How you partition depends on your needs; mine is:
   /dev/hdb1  /boot  100M
   /dev/hdb2  /      6.4G - 100M - 256*2M
   /dev/hdb3  swap   256*2M
Ha, the disk is too small, so that is all it could be divided into; /boot is a separate partition. You can also split off several more partitions, such as /usr, which are the ones that grow fastest. Otherwise I basically install with the defaults. Next, what should you install? Don't install anything extra; download tar packages later. That is what I like: download the tar package and install it myself. Reference materials: see the list at the end of the article.
3. Delete unnecessary services. This is also something everyone needs to do. Network applications that were installed long ago and are out of date should be removed: rpm -e <package>, then download a fresh tar.gz; I recommend this because it keeps the machine lean. Then look at which services are running and delete or turn off the unnecessary ones; use setup to see which services start. Understand what each service does:
   amd: runs the automount daemon, which mounts local devices and NFS file systems automatically when needed.
   apmd: monitors the system's power status and writes related information to the log via syslogd; it can also be used to shut the system down.
   arpwatch: maintains the mapping between Ethernet hardware addresses and IP addresses.
   atd: runs tasks scheduled by users with the at command, and runs batch jobs when the system load is low.
   autofs: mounts file systems automatically when they are needed and unmounts them when they are not.
   bootparamd: lets old Sun workstations boot over the network from Linux; rarely used, and along with RARP it has basically been replaced by bootp and dhcp.
   crond: cron is a traditional UNIX program that runs user-scheduled tasks. Compared with traditional UNIX versions, the Vixie version adds many features and is more secure and simpler.
   dhcpd: provides the Dynamic Host Configuration Protocol (DHCP) server.
   ftpd: FTP is the file transfer protocol; ftpd provides the FTP service, and many common platforms have FTP server and client programs.
   gated: routes packets from one computer to another using a routing database. It supports many routing protocols, including RIP versions 1 and 2, DCN HELLO, OSPF version 2 and EGP versions 2 to 4.
   gpm: mouse support for text-mode Linux programs such as mc (Midnight Commander); it also supports copy, paste and pop-up menus with the console mouse.
   httpd: the well-known WWW server, which serves HTML files and CGI dynamic content.
   inetd: the Internet super-server. It listens on behalf of the services it manages and starts the corresponding program on demand; typically telnet, ftp, rsh and rlogin are managed by inetd. Turning off inetd also turns off the services it manages.
   innd: inn is the most popular Usenet news server; it lets you run a local news server. It is somewhat hard to configure; read the /usr/doc/inn* documentation first.
   keytable: loads the keyboard map you specified in /etc/sysconfig/keyboard, which can be chosen with the kbdconfig tool. You should keep this one active.
   ldap: Lightweight Directory Access Protocol, the industry-standard directory access protocol.
   lpd: the system print daemon, which handles print jobs submitted by lpr and other programs.
   mcserv: the Midnight Commander server, which lets users on remote machines operate on local files through the Midnight Commander file manager. It authenticates users with PAM and requires a username/password.
   mysql: a fast, efficient and reliable lightweight SQL database engine.
   named: the domain name server, which resolves Internet hostnames into IP addresses.
   netfs: mounts and unmounts NFS, Samba and NCP (NetWare) file systems.
   network: activates and deactivates all network interfaces at startup.
   nfs: NFS is a popular file-sharing protocol for TCP/IP networks. This service provides NFS file sharing, configured in the /etc/exports file.
   nscd: handles password and group lookups and caches the results. If your system uses relatively slow lookup services (such as NIS and NIS+), you should start it.
   pcmcia: mainly used to support laptops.
   portmap: supports RPC connections; RPC is used by NFS, NIS and other services.
   postgresql: the PostgreSQL relational database engine.
   qmail: an Internet mail transfer agent (MTA) for UNIX systems. It exchanges mail with other MTAs on the Internet using the standard Simple Mail Transfer Protocol (SMTP) and is secure, reliable, efficient and simple.
   random: saves and restores the state of the high-quality random number generator, which is seeded from random system behaviour.
   routed: maintains the IP routing table automatically with the RIP protocol. RIP is mainly used on small networks; large networks need a more sophisticated protocol.
   rstatd: the rstat protocol lets users on the network get performance statistics from each machine on the same network.
   rusersd: lets network users locate other users on the same network.
   rwalld: the rwall protocol lets remote users send messages to the active terminals on the system, like the local wall command.
   rwhod: lets remote users get a list of all users logged in on the machine running rwhod, similar to finger.
   sendmail: the famous mail server.
   smb: starts and stops the smbd and nmbd daemons that provide SMB network services.
   snmpd: the Simple Network Management Protocol (SNMP) daemon.
   syslog: a mechanism provided by the operating system; daemons typically use it to write information to the system log files. This service should normally be started.
   webmin: a powerful web-based integrated system and network management tool. With webmin, users can easily configure their own servers, DNS, Samba, NFS, local and remote file systems and many other services through a web browser.
There are many others; for more detail, look up information on each service to decide whether you need to enable it. The services I generally keep enabled are: anacron apmd atd autofs crond gpm iptables keytable kudzu network random rawdevices syslog xfs xinetd.
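As an added example (not from the article): a small shell script that compares a `chkconfig --list` listing against the allowlist of services the author keeps enabled above, and prints the `chkconfig` commands that would turn off anything else that starts at runlevel 3. The listing embedded in the script is constructed sample output, not captured from a real host; on a Red Hat system you would pipe the real `chkconfig --list` into `unexpected_services -` instead.

```shell
#!/bin/sh
# Added example, not from the article: audit boot-time services at runlevel 3 against an allowlist.
# The allowlist is the set of services the author keeps enabled.
ALLOWED="anacron apmd atd autofs crond gpm iptables keytable kudzu network random rawdevices syslog xfs xinetd"

# Constructed sample of `chkconfig --list` output (not captured from a real host).
SAMPLE_CHKCONFIG='anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
rwhod           0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off'

# unexpected_services FILE -> names of services that are "3:on" but not in ALLOWED (FILE may be -)
unexpected_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # lines look like "name 0:off 1:off 2:on 3:on ..."; indented xinetd sub-services are skipped
        /^[a-zA-Z]/ {
            for (i = 2; i <= NF; i++)
                if ($i == "3:on" && !($1 in ok)) { print $1; break }
        }' "$1"
}

# disable_commands FILE -> one "chkconfig --level 2345 NAME off" line per unexpected service.
# The commands are printed, not run, so the administrator can review them first.
disable_commands() {
    unexpected_services "$1" | while read -r svc; do
        printf 'chkconfig --level 2345 %s off\n' "$svc"
    done
}

# sample_file -> writes the constructed sample to a temp file and prints its path
sample_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CHKCONFIG" > "$f"
    echo "$f"
}
```

On the sample, `rwhod` and `sendmail` are reported: both are network-facing daemons that are not on the allowlist, and `nfs` is not reported because it is off at runlevel 3.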
4. Compile the kernel or upgrade it. If you do not understand compiling, find related articles. The steps are simple. With the kernel source in /usr/src/linux:
   make mrproper
   make dep
   make clean
   make bzImage && make modules && make modules_install
Between make mrproper and make dep, configure the kernel: add the drivers for your hardware, remove the drivers for hardware you do not have, and add the firewall (netfilter) options. I prefer to build the kernel myself; I use 2.4.22. Once it is compiled, switch to the new kernel; I wrote a simple shell script for that. Save it as kernel.sh:
   #!/bin/sh
   # rotate the current kernel to .new and the previous one to .old, then install the freshly built bzImage
   echo "change kernel..."
   echo "change vmlinuz!"
   rm -f /boot/vmlinuz-2.4.22.old
   mv /boot/vmlinuz-2.4.22.new /boot/vmlinuz-2.4.22.old
   cp /boot/vmlinuz-2.4.22 /boot/vmlinuz-2.4.22.new
   cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-2.4.22
   echo "change vmlinuz finished!!"
   sleep 2
   echo "change System.map!"
   rm -f /boot/System.map-2.4.22.old
   mv /boot/System.map-2.4.22.new /boot/System.map-2.4.22.old
   cp /boot/System.map-2.4.22 /boot/System.map-2.4.22.new
   cp /usr/src/linux/System.map /boot/System.map-2.4.22
   echo "change System.map finished!"
   echo "install kernel!"
   # rebuild the initrd, run depmod and add the boot loader entry for 2.4.22
   new-kernel-pkg --mkinitrd --depmod --install 2.4.22
   echo "finished all!!!"
5. Build a firewall. For a secure server a firewall is essential. I use iptables as my firewall; it is built into the Linux system, very powerful and easy to use.
Take a look at the basic command format:
   # iptables --help
   iptables v1.2.6a

   Usage: iptables -[ADC] chain rule-specification [options]
          iptables -[RI] chain rulenum rule-specification [options]
          iptables -D chain rulenum [options]
          iptables -[LFZ] [chain] [options]
          iptables -[NX] chain
          iptables -E old-chain-name new-chain-name
          iptables -P chain target [options]
          iptables -h (print this help information)

   Commands:
   Either long or short options are allowed.
     --append  -A chain            Append to chain
     --delete  -D chain            Delete matching rule from chain
     --delete  -D chain rulenum    Delete rule rulenum (1 = first) from chain
     --insert  -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
     --replace -R chain rulenum    Replace rule rulenum (1 = first) in chain
     --list    -L [chain]          List the rules in a chain or all chains
     --flush   -F [chain]          Delete all rules in chain or all chains
     --zero    -Z [chain]          Zero counters in chain or all chains
     --check   -C chain            Test this packet on chain
     --new     -N chain            Create a new user-defined chain
     --delete-chain
               -X [chain]          Delete a user-defined chain
     --policy  -P chain target     Change policy on chain to target
     --rename-chain
               -E old-chain new-chain
                                   Change chain name, (moving any references)
   Options:
     --proto        -p [!] proto   protocol: by number or name, eg. `tcp'
     --source       -s [!] address[/mask]
                                   source specification
     --destination  -d [!] address[/mask]
                                   destination specification
     --in-interface -i [!] input name[+]
                                   network interface name ([+] for wildcard)
     --jump         -j target      target for rule (may load target extension)
     --match        -m match       extended match (may load extension)
     --numeric      -n             numeric output of addresses and ports
     --out-interface -o [!] output name[+]
                                   network interface name ([+] for wildcard)
     --table        -t table       table to manipulate (default: `filter')
     --verbose      -v             verbose mode
     --line-numbers                print line numbers when listing
     --exact        -x             expand numbers (display exact values)
   [!] --fragment   -f             match second or further fragments only
     --modprobe=<command>          try to insert modules using this command
   # load the modules (ip_conntrack_ftp lets the RELATED state cover FTP data connections)
   /sbin/modprobe ip_tables
   /sbin/modprobe ip_nat_ftp
   /sbin/modprobe ip_conntrack
   /sbin/modprobe ip_conntrack_ftp
   # enable masquerading for the LAN behind ppp0
   /sbin/iptables -t nat -A POSTROUTING -s 172.19.16.1/24 -o ppp0 -j MASQUERADE
   # set up a new chain
   /sbin/iptables -N mine
   # permit established sessions, and new sessions that do not arrive on ppp0
   /sbin/iptables -A mine -m state --state ESTABLISHED,RELATED -j ACCEPT
   /sbin/iptables -A mine -m state --state NEW -i ! ppp0 -j ACCEPT
   # enable visits to my apache
   /sbin/iptables -A mine -p tcp --dport 80 -i ppp0 -j ACCEPT
   # enable visits to openssh
   /sbin/iptables -A mine -p tcp --dport 22 -i ppp0 -j ACCEPT
   # enable visits to ftp
   /sbin/iptables -A mine -p tcp --dport ftp -i ppp0 -j ACCEPT
   /sbin/iptables -A mine -p tcp --dport ftp-data -i ppp0 -j ACCEPT
   # ping: ICMP is accepted here (this script cannot block ping, see the remark below)
   /sbin/iptables -A mine -p icmp -i ppp0 -j ACCEPT
   # log everything that falls through, rate-limited by the limit match
   /sbin/iptables -A mine -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
   /sbin/iptables -A mine -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet NOT from ppp0:"
   # forbid all the rest
   /sbin/iptables -A mine -j DROP
   /sbin/iptables -A INPUT -j mine
   /sbin/iptables -A FORWARD -j mine
The comments inside the script are in English because I was too lazy to type more, so don't flame me :( For a better explanation, look at the references I give. I also borrowed this script from someone else and modified parts of it. It restricts outside hosts to the open ports only, but it cannot limit ping, because MRTG (introduced later) needs it to resolve the domain name.
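The script above has two weaknesses worth knowing about: it never sets a default policy, so if a rule is mistyped the built-in INPUT chain still ACCEPTs, and it appends to existing rules, so running it twice gives duplicates. The following is an added example, not the author's script, showing the same "mine" chain design with those points fixed. It assumes the page's dial-up interface ppp0, LAN 172.19.16.0/24 and published services ssh, apache and ftp; setting IPT=echo prints the rules instead of applying them, which is also how it is exercised below.

```shell
#!/bin/sh
# Added example, not the author's script: a hardened rewrite of the "mine" chain approach.
# Assumptions (from the page): external dial-up interface ppp0, LAN 172.19.16.0/24,
# services exposed on ppp0 are ssh, apache and ftp. Run as root; set IPT=echo to only print rules.
IPT=${IPT:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
EXT=${EXT:-ppp0}
LAN=${LAN:-172.19.16.0/24}
PORTS=${PORTS:-"22 80 21"}

load_modules() {
    # ip_conntrack_ftp lets the RELATED state cover FTP data connections, so port 20 is not opened.
    for m in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

firewall_rules() {
    # Start from a clean slate so re-running the script does not append duplicate rules.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    # Default-deny on INPUT and FORWARD: a mistyped rule later fails closed, not open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must stay open or local services (mysql, snmpd, X) break.
    $IPT -A INPUT -i lo -j ACCEPT
    # Masquerade the LAN behind the dial-up address, as the page's nat rule does.
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
    $IPT -N mine
    # Packets conntrack cannot classify (bad flags, out-of-window) are dropped before anything else.
    $IPT -A mine -m state --state INVALID -j DROP
    $IPT -A mine -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are trusted only when they do NOT arrive over the dial-up link.
    $IPT -A mine -m state --state NEW ! -i "$EXT" -j ACCEPT
    # Explicitly published services, NEW state only.
    for p in $PORTS; do
        $IPT -A mine -p tcp --dport "$p" -i "$EXT" -m state --state NEW -j ACCEPT
    done
    # Ping stays allowed (MRTG needs it) but is rate-limited so it cannot be used to flood the link.
    $IPT -A mine -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log the rest, rate-limited so the log cannot be filled up, then drop.
    $IPT -A mine -m limit --limit 3/min -j LOG --log-prefix "fw-drop: "
    $IPT -A mine -j DROP
    $IPT -A INPUT -j mine
    $IPT -A FORWARD -j mine
}

# Only apply when invoked as "sh fw.sh apply"; with IPT=echo the rules are printed instead.
if [ "${1:-}" = "apply" ]; then
    load_modules
    firewall_rules
fi
```

Run `IPT=echo sh fw.sh apply` first to read the rule set, then `sh fw.sh apply` as root; the echo dry-run is what lets the rule set be checked on a machine that has no iptables.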
6. Remote login and another firewall. If you want to manage the machine remotely, remote login is essential. Telnet has now mostly been replaced by SSH, and the purpose is security. Install it, then set up your hosts.allow and hosts.deny to limit which remote machines may connect. Another firewall? Yes, this one: multiple locks make it safer.
Let's look at the other firewall, TCP_Wrapper. If you don't know what it is, just try it. Installation is simple: unpack the TCP_Wrapper source into any directory:
   tar xvf tcp_wrappers_7.6.tar
Open the Makefile with vi, find the line #REAL_DAEMON_DIR=/etc and remove the leading # comment, then run:
   make sys-type
where sys-type is your system type; the other system types are listed in the Makefile. After compiling you get executables such as tcpd. First use tcpdchk to check whether tcpd has problems; if it lists warnings, recompile until there are none.
Now its configuration, which mainly means setting up the two files /etc/hosts.allow and /etc/hosts.deny; a default installation should already have them. The format is simple. Example: to let only hosts in the 192.168.0 network segment connect, put
   ALL: ALL
in /etc/hosts.deny and
   ALL: 192.168.0.
in /etc/hosts.allow.
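To make the allow-then-deny order of these two files concrete, here is an added example (not part of the article, and not the real tcpd): a small awk re-implementation of the decision tcpd makes for a given daemon and client address, run against constructed hosts.allow and hosts.deny files in a temporary directory. It only handles the daemon list, the ALL wildcard, exact addresses and the trailing-dot network prefix used above; real tcpd also matches hostnames, netmasks, EXCEPT lists and can run shell commands.

```shell
#!/bin/sh
# Added example (not from the page): a minimal re-implementation of the hosts.allow / hosts.deny
# decision, so the matching order can be studied offline. Supports only daemon lists, ALL,
# exact addresses and the "192.168.0." prefix form.

# Constructed sample files, written to a temp dir (not the real /etc/hosts.*).
setup_sample() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.allow" <<'EOF'
# only one host may reach sshd, the whole LAN may reach ftp
sshd: 192.168.0.2
in.ftpd: 192.168.0.
EOF
    cat > "$dir/hosts.deny" <<'EOF'
ALL: ALL
EOF
    echo "$dir"
}

# match_file FILE DAEMON CLIENT -> prints the first matching line number, or nothing
match_file() {
    awk -v d="$2" -v c="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            split($0, parts, ":")
            nd = split(parts[1], daemons, /[ \t,]+/)
            nc = split(parts[2], clients, /[ \t,]+/)
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++) if (daemons[i] == "ALL" || daemons[i] == d) dm = 1
            for (i = 1; i <= nc; i++) {
                p = clients[i]
                if (p == "ALL" || p == c) cm = 1
                else if (p ~ /\.$/ && index(c, p) == 1) cm = 1   # "192.168.0." prefix form
            }
            if (dm && cm) { print NR; exit }
        }' "$1"
}

# wrapper_decision DIR DAEMON CLIENT -> "granted" or "denied", in tcpd order:
#   1. a match in hosts.allow grants, 2. a match in hosts.deny denies, 3. otherwise granted.
wrapper_decision() {
    if [ -n "$(match_file "$1/hosts.allow" "$2" "$3")" ]; then echo granted
    elif [ -n "$(match_file "$1/hosts.deny" "$2" "$3")" ]; then echo denied
    else echo granted
    fi
}
```

The third step is the important one: with an empty or missing hosts.deny, everything not mentioned in hosts.allow is still granted, which is why the page's "ALL: ALL" line in hosts.deny is what actually closes the door.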
If you want a single machine to be allowed to reach one service, set /etc/hosts.allow like this:
   sshd: 192.168.0.2
then restart tcpd, and check your settings with tcpdmatch (the RPM package does not necessarily include this tool; you can download the tar.gz package to get it):
   # tcpdmatch sshd 192.168.0.2
   client:   address  192.168.0.2
   server:   process  sshd
   matched:  /etc/hosts.allow line 1
   access:   granted
Only the IP 192.168.0.2 is allowed to reach sshd. You can also look at the log file; there will be a record. So, a simple firewall; try it!
7. Monitoring. Monitoring is an important part of network maintenance: if there is an attack, it gives you first-hand information. Let me introduce a few tools and their basic usage. First is MRTG, a powerful monitoring tool. For detailed installation and configuration see http://aspx.crcec.com/show.aspx?id=113. Brief installation notes: the required packages are gcc, perl, gd, libpng, zlib and snmp. Use the following commands to check whether they are installed:
   # rpm -qa | grep gd
   gd-1.8.4-4
   gd-devel-1.8.4-4
   # rpm -qa | grep perl
   perl-5.6.0-17
   mod_perl-1.24_01-3
   # rpm -qa | grep libpng
   libpng-1.0.12-2
   libpng-devel-1.0.12-2
   # rpm -qa | grep zlib
   zlib-1.1.3-24
   zlib-devel-1.1.3-24
   # rpm -qa | grep gcc
   gcc-2.96-98
   gcc-g77-2.96-98
   gcc-c++-2.96-98
   # rpm -qa | grep snmp
   ucd-snmp-4.2.1-7
   ucd-snmp-utils-4.2.1-7
   ucd-snmp-devel-4.2.1-7
Install MRTG:
   # tar xvfz mrtg-2.9.17.tar.gz
   # cd mrtg-2.9.17
   # ./configure --prefix=/usr/local/mrtg-2
   # make
   # make install
Configure snmpd.conf: vi /etc/snmp/snmpd.conf, and change the commented-out view line
   #view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
to
   view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
Then change
   access notConfigGroup "" any noauth exact systemview none none
to
   access notConfigGroup "" any noauth exact mib2 none none
and restart snmpd:
   /etc/rc.d/init.d/snmpd restart
Configure mrtg.cfg, the file that tells MRTG which device to monitor. In the MRTG installation directory /usr/local/mrtg-2:
   # cd bin
   # ./cfgmaker --global "WorkDir: /var/www/html/mrtg" \
       --global "Options[_]: growright,bits" \
       --ifref=ip \
       --output /etc/mrtg.cfg \
       public@172.19.16.24
   # ./mrtg /etc/mrtg.cfg
The first three runs may print warnings about missing log files; pay no attention to them. After running it three times the warnings no longer appear.
You can view the generated statistics at http://localhost/mrtg. To run it automatically, vi /etc/crontab and add a line that runs mrtg every three minutes:
   */3 * * * * root /usr/local/mrtg-2/bin/mrtg /etc/mrtg.cfg
then restart crond:
   # /etc/rc.d/init.d/crond restart
Next is Snort, a powerful lightweight network intrusion detection system. It can analyse traffic in real time and log IP packets, do protocol analysis and content searching/matching. It detects many different attack methods and raises real-time alerts. Installation: first install libpcap-0.8.1.tar.gz, available from http://www.tcpdump.org/, then install Snort:
   # tar zxvf snort-1.8.6.tar.gz
   # cd snort-1.8.6
   # ./configure --prefix=/usr/local/snort
   # make
   # make install
Snort has three working modes: sniffer, packet logger and network intrusion detection system.
Sniffer mode prints directly to the screen:
   # ./snort -dve
Packet logger mode records to files; first create a directory, in /usr/local/snort/bin:
   # mkdir log
   # ./snort -dev -l ./log
Network intrusion detection mode needs configuration. The snort.conf configuration file is in the snort-1.8.6 directory:
   # cp ./etc/snort.conf /root/.snortrc
Create the rules directory and copy the rules:
   # mkdir /usr/local/snort/rules
   # cp ./rules/* /usr/local/snort/rules
Copy the rule classification files to the home directory:
   # cp ./etc/classification.config /root
   # cp ./etc/reference.config /root
Create a directory for the logs:
   # mkdir /var/log/snort
Edit the configuration file and set the RULE_PATH value to /usr/local/snort/rules:
   # vi /root/.snortrc
Check that it is correct:
   # /usr/local/snort/bin/snort -T
At the end you should see:
   Rule application order: ->activation->dynamic->alert->pass->log
   --== Initialization Complete ==--
   -*> Snort! <*-
   Version 2.0.6 (Build 100)
   By Martin Roesch (roesch@sourcefire.com, www.snort.org)
   Snort successfully loaded all rules!
   Snort exiting
Finally, run:
   # ./snort -d -c /root/.snortrc
and look in /var/log/snort for the results.
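Once Snort is writing alerts, the next question is how to read them without going through the file line by line. The following is an added example, not from the article or the Snort project: a shell script that summarises a Snort fast-format alert log by source address and by high-priority signature. The alert lines embedded in it are constructed (private addresses, illustrative signature ids), not real captures; point the functions at /var/log/snort/alert to use them on the real file.

```shell
#!/bin/sh
# Added example, not from the page or the Snort project: summarise a Snort "-A fast" alert log
# so the administrator can see which sources and signatures dominate.
# SAMPLE_ALERTS is constructed (private addresses, illustrative sids), not a real capture.
SAMPLE_ALERTS='02/16-10:15:02.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 172.19.16.24
02/16-10:15:03.442100  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3456 -> 172.19.16.24:80
02/16-10:16:11.000317  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:1200 -> 172.19.16.24:80
02/16-10:20:45.900002  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.5 -> 172.19.16.24'

# write_sample -> writes the constructed log to a temp file and prints its path
write_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_ALERTS" > "$f"
    echo "$f"
}

# alerts_by_source LOG -> "count ip" lines, busiest source first
alerts_by_source() {
    # the source is the field just before "->"; strip any :port suffix so TCP and ICMP hits merge
    awk '{ for (i = 1; i <= NF; i++) if ($i == "->") { src = $(i-1); sub(/:[0-9]+$/, "", src); print src } }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# high_priority_signatures LOG -> "count sid name" lines for Priority 1 alerts only
high_priority_signatures() {
    grep -F '[Priority: 1]' "$1" \
        | sed -n 's/.*\[\*\*\] \[\([0-9:]*\)\] \(.*\) \[\*\*\].*/\1 \2/p' \
        | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}
```

On the sample, 10.0.0.5 accounts for three of the four alerts, and the only priority-1 signature fired twice; that is the kind of summary worth mailing along with the LogSentry report.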
Third, wouldn't it be good to have a tool that detects attacks intelligently and automatically blocks the attacker's IP? There is such a tool: PortSentry. It can log through syslog, add the scanning host to /etc/hosts.deny, immediately disable all network traffic to the scanning host and filter out all traffic coming from it. This is where the TCP_Wrapper hosts.allow and hosts.deny set up earlier come into play. For the installation method see http://www.linuxaid.com.cn/Engineer/brimmer/html/portsentry.htm, or PortSentry's README and INSTALL files for more information. Simple installation:
   # make linux
   # make install
The default installation directory is /usr/local/psionic/. The ports to listen on, the ports to block and the IP address to monitor can be changed in the configuration file /usr/local/psionic/portsentry/portsentry.conf; hosts that PortSentry should ignore are listed in /usr/local/psionic/portsentry/portsentry.ignore.
Start PortSentry:
   portsentry -atcp   (advanced TCP stealth scan detection)
   portsentry -sudp   ("stealth" UDP scan detection)
The TCP and UDP modes can run at the same time. Add the following commands to /etc/rc.d/rc.local so that it starts automatically when the system reboots:
   /usr/local/psionic/portsentry/portsentry -atcp
   /usr/local/psionic/portsentry/portsentry -sudp
Fourth, after a long time there are so many log files; how can I find the problems in them? LogSentry can do it. It summarises the logs and mails the summary to the administrator. Simple installation:
   # make linux
To find out which directory it installs into, open the Makefile; you can also change the installation directory there. Start logsentry:
   # /usr/local/etc/logcheck
For how to configure it, see the INSTALL file.
Fifth, let's analyse whether your host has any vulnerabilities. Install Nessus to check; for details see their website http://www.nessus.org/demo/first.html
Simple installation:
   # lynx -source http://install.nessus.org | sh
It installs automatically; you will be asked for the root password.
Create a nessusd account:
   # nessus-adduser

   Addition of a new nessusd user
   ------------------------------

   Login : renaud
   Authentication (pass/cert) [pass] : pass
   Password : secret

   User rules
   ----------
   nessusd has a rules system which allows you to restrict the hosts
   that renaud has the right to test. For instance, you may want
   him to be able to scan his own host only.

   Please see the nessus-adduser(8) man page for the rules syntax

   Enter the rules for this user, and hit ctrl-D once you are done :
   (the user can have an empty rules set)
   deny 10.163.156.1
   allow 10.163.156.0/24
   default deny

   Login    : renaud
   Password : secret
   DN       :
   Rules    :
   deny 10.163.156.1
   allow 10.163.156.0/24
   default deny

   Is that ok (y/n) ? [y] y
   user added.
Start the service:
   # nessusd -D
Connect to nessusd:
   # nessus
A window opens and you can follow the prompts.
8. Check the file
The first is MD5Sum:
After downloading a file, how do you know whether it has been altered? Check it. On Linux the tool is md5sum, and checking with it is very simple. Look at md5sum's help:
   # md5sum --help
   Usage: md5sum [OPTION] [FILE]...
     or:  md5sum [OPTION] --check [FILE]
   Print or check MD5 (128-bit) checksums.
   With no FILE, or when FILE is -, read standard input.

     -b, --binary   read files in binary mode (default on DOS/Windows)
     -c, --check    check MD5 sums against given list
     -t, --text     read files in text mode (default)

   The following two options are useful only when verifying checksums:
         --status   don't output anything, status code shows success
     -w, --warn     warn about improperly formatted checksum lines

         --help     display this help and exit
         --version  output version information and exit
Simple use: generate a checksum file, for example for kernel.sh:
   # md5sum kernel.sh > kernel.sh.md5
That is all. Checking is just as simple: put the downloaded file and the checksum file together and run
   # md5sum -c kernel.sh.md5
Simple enough!
Second, PGP && GPG. Download the software, its signature, and the signer's public keys (keys.asc), and put them together with the software. With PGP or GPG, import the public key and verify the file:
   # pgp -ka keys
   # pgp apache_1.3.24.tar.gz.asc
or
   # gpg --import keys
   # gpg --verify apache_1.3.24.tar.gz.asc
For more usage, look at the help.
Finally, Tripwire. Software downloaded and verified as above is basically guaranteed to be safe, but will the software running on the host stay safe? If a hacker has already got into your machine, your software is no longer safe or intact. Tripwire can be used to check the integrity of the files on the system.
Simple installation: I use tripwire-2.3-47.bin.tar.gz. Enter the directory, read the README first, then run
   # ./install.sh
and follow the prompts. The version I have had a problem: if you hit it too, modify install.cfg accordingly. The path in
   TWMAILPROGRAM="/usr/lib/sendmail -oc"
is wrong; change it to
   TWMAILPROGRAM="/usr/sbin/sendmail -oi -t"
Usage: see the description in man tripwire. Let's take a look:
   # tripwire --help
   Tripwire(R) 2.3.0.47 for Linux
   File Integrity Assessment Application.
   Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
   trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
   for details use --version. This is free software which may be redistributed
   or modified only under certain conditions; see COPYING for details.
   All rights reserved.
   Usage:
     Database Initialization: tripwire [-m i|--init] [options]
     Integrity Checking:      tripwire [-m c|--check] [object1 [object2 ...]]
     Database Update:         tripwire [-m u|--update]
     Policy Update:           tripwire [-m p|--update-policy] policyfile.txt
     Test:                    tripwire [-m t|--test] --email address
   Type 'tripwire [mode] --help' OR 'tripwire --help mode [mode...]' OR 'tripwire --help all' for extended help
Usage: initialize the database, which generates a signature database file, normally saved in /var/lib/tripwire/:
   # tripwire --init
   Please enter your local passphrase:   <- enter the password
   Parsing policy file: /etc/tripwire/tw.pol
   Generating the database...
   *** Processing Unix File System ***
Many error messages may appear because the policy file is not written properly; they can be ignored. To reduce them, carefully edit the policy file to match your own system. On success it shows:
   ### Continuing...
   Wrote database file: /var/lib/tripwire/***.twd
   The database was successfully generated.
Check file integrity:
   # tripwire --check
From the report you can see what has changed on the system. After the check, if the system shows nothing abnormal, use Tripwire's update mode to update the signature database. Reports are saved in the /var/lib/tripwire/report/ directory. There is more; go and explore!
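Tripwire's check is the md5sum check from earlier in this section applied to a whole tree, with the baseline taken while the system is known-good. The following is an added example, not the article's or Tripwire's code: a miniature integrity checker built on md5sum that records a baseline of a constructed sample tree in a temporary directory and then reports files that were changed, deleted or added. It assumes the baseline file is stored somewhere an intruder cannot rewrite (read-only media or another host), which is the same assumption Tripwire makes about its signed database; a baseline kept on the compromised disk proves nothing.

```shell
#!/bin/sh
# Added example (not the page's or Tripwire's code): a tiny file-integrity baseline built on md5sum,
# showing the idea Tripwire implements. The baseline must be kept where an intruder cannot rewrite it.

# Build a constructed sample tree in a temp dir (stands in for /etc, /bin, ...).
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf 'ALL: ALL\n' > "$root/etc/hosts.deny"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/hello"
    echo "$root"
}

# baseline ROOT BASEFILE: md5 of every regular file under ROOT, paths relative to ROOT.
# BASEFILE must be an absolute path outside ROOT.
baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs md5sum) > "$2"
}

# integrity_check ROOT BASEFILE -> lines "CHANGED path", "MISSING path", "ADDED path"; empty if clean
integrity_check() {
    (
        cd "$1" || exit 1
        # md5sum -c prints "path: OK", "path: FAILED" or "path: FAILED open or read"
        md5sum -c "$2" 2>/dev/null | awk -F': ' '
            $2 == "OK" { next }
            $2 == "FAILED" { print "CHANGED", $1 }
            $2 ~ /^FAILED open/ { print "MISSING", $1 }'
        # anything on disk now that the baseline never saw
        find . -type f | LC_ALL=C sort > "$2.now"
        awk '{ print $2 }' "$2" | LC_ALL=C sort > "$2.base"
        comm -13 "$2.base" "$2.now" | sed 's/^/ADDED /'
        rm -f "$2.now" "$2.base"
    )
}
```

The ADDED case is the one md5sum -c alone cannot give you, since a checksum list only knows about files that existed at baseline time; Tripwire's policy-driven directory scan covers it, and the comm step here plays the same role.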
The above only covers how to defend your host against intrusion by others; if you do all of this, your host is relatively safe. But you also need to know what to do after an intrusion is discovered, which is just as important. Some reference materials are given below.
Reference materials:
   LinuxAid Technical Support Center  http://www.linuxaid.com.cn/Articles/4/1/410879828.SHTML
   Network traffic monitor MRTG complete guide  http://aspx.crcec.com/show.aspx?id=113
   [Forever Unix] Unix file security checking - Tripwire  http://www.fanqiang.com/a5/b6/20011006/0805011408.html
   Data integrity detection tool: Tripwire  http://pkucert.pku.edu.cn/lecture/sec/tripwire.htm
   Tripwire.org - Home of the Tripwire Open Source Project  http://www.tripwire.org/
   Tripwire-2.3.1-2  http://lfs.linuxsir.org/htdocs/blfscvs/postlfs/tripwire.html
   MHDN.NET Minghui Developer Network [UNIX backdoor security policy]  http://www.mhdn.net/se/2002-07-05/5429.Html
   Two common signature and verification methods  http://hedong.3322.org/archives/000064.html
   MHDN.NET Minghui Developer Network [PortSentry installation]  http://www.mhdn.net/se/2002-06-14/5304.html
   MHDN.NET Minghui Developer Network [TCP_Wrapper installation and use]  http://www.mhdn.net/se/2002-06-14/5300.html
   Installing and configuring PortSentry on Linux  http://www.linuxaid.com.cn/Engineer/brimmer/html/portsentry.htm
   Snort Chinese manual  http://www.fengnet.com/showart.asp?art_id=589&cat_id=10
   Secure log server  http://www.fengnet.com/showart.asp?art_id=586&cat_id=10
   TCP_Wrapper firewall installation and configuration  http://www.wxygzs.com/yc002.html
   TCPDUMP public repository  http://www.tcpdump.org/
   NSFocus (绿盟科技) - Security Technology  http://www.nsfocus.net/index.php?act=sec_self&do=view&doccuC_ID=728
   Snort Users Manual, Snort Release 2.0.0  http://www.snort.org/docs/writing_rules/
   Logsentry  http://www.gnu.org/directory/security/misc/logsentry.html
   Tripwire.org - Downloads  http://www.tripwire.org/downloads/index.php
   iptables information  http://cmpp.linuxforum.net/NetSnake/iptables_man1.txt
   Ready-made iptables firewall script  http://www.freelamp.com/new/publish/1003249502/index_html