TIS firewall details


Create time: 2001-03-02

Article attribute: original

Article submission:

Quack (QUACK_AT_XFOCUS.ORG)


By QUACK (QUACK@AndionLine.org)

What is a firewall? No idea ;)

What is TIS? It is a set of tools written by Trusted Information Systems, also called the FireWall Toolkit (FWTK). When the programs in this toolkit are properly installed and configured according to a definite security policy, they form a basic firewall, and it is free ;) Take a look at it; maybe it will save you the money for your next firewall purchase...

I. Compiling

1. Download

It can be downloaded from the TIS web site, http://www.tis.com, but that involves a rather troublesome registration process; I suggest going straight to a domestic security site, or to http://packetstorm.securify.com/, to download it. The version I obtained is fwtk2.1.tar.Z, which this description uses as its example; it was compiled on Solaris 7 x86 with GCC 2.95.2.

2. Compile

# gunzip fwtk2.1.tar.Z

# tar vfx fwtk2.1.tar

# cd fwtk

After extracting fwtk2.1.tar.Z you will find many Makefile.config.* files in the ./fwtk directory. For example, if the operating system you use is Solaris 2.7, change Makefile.config directly by renaming Makefile.config.solaris to Makefile.config:

# mv Makefile.config Makefile.config.old

# mv Makefile.config.solaris Makefile.config

Compiling under Solaris is quite easy; at least on Solaris 7 and Solaris 8 it compiles without modifying anything:

# make && make install

If you are using Linux, making Makefile.config.linux the current Makefile.config is not enough, because if you want to use x-gw you must have the Athena Widget set installed, otherwise the compile fails. So modify the Makefile so that x-gw is not built:

# vi Makefile

Find the following:

# Directories to build executables in

DIRS = smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw

and remove the trailing x-gw.

If you are on BSD, pay special attention: BSD make does not understand the

.include "Makefile.config"

format, so use the fixmake script that TIS provides to process the Makefiles for BSD, or specify

CC = gcc

COPT = -g -traditional -DBSDI

to adapt to a BSD system, such as my FreeBSD 3.4.

If the compiler complains about a conflicting declaration of sys_errlist, modify the source: find the line

extern char *sys_errlist[];

and comment it out.

If you get the error "undefined symbol `_crypt' referenced from text segment", check whether the AUXLIB setting in your Makefile.config contains "-lcrypt". If there are still problems... I am too lazy to translate so much; go to the URL below:

http://fwtk.netimages.com/fwtk/faq/

It collects common problems encountered when compiling and using TIS.

II. Preparation before configuration

1. Understand some concepts

a. wrapper

As I understand it, a wrapper is a "wrapping" program, and in essence it is no different from a login backdoor ;) Take tcpd, for example: we use it to guard network service daemons. In the configuration file of the inetd super-server, the line

finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd

is replaced by one wrapped with tcpd:

finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd

Send inetd a HUP signal so that it restarts. After that, when a finger request arrives from some host, tcpd starts first and checks the access control configuration files, /etc/hosts.allow and /etc/hosts.deny; if you are allowed, it then starts the real finger daemon to process the request.

See, isn't that the same principle as the login backdoor? For example, ulogin.c renames the real login to another name and wraps it with a fake login; when a login request arrives it first checks whether the visitor has set a certain environment variable via DISPLAY, and if that variable equals the password it starts /bin/sh; if not, it hands the request to the normal login... Hey, that's off topic, no more of that...

b. Gateway

An application-level gateway establishes protocol filtering and forwarding functions at the application layer. It applies specified filtering logic to a specific network application protocol and, while filtering, performs the necessary analysis, logging and statistics to produce reports.

Textbook definitions like this are hard to understand; I stared at it for a long time. In practice, under TIS these are the various *-gw programs. For example, tn-gw controls telnet: when you connect to the port tn-gw listens on, it shows its own prompt, like this:

C:\> telnet 192.168.0.2

Then the telnet window shows:

Hi, I'm QUACK, Welcome to my 3cr19tki7's Website!   <--- this is my tn-welcome.txt, displayed on connect

tn-gw->

When I type a question mark, I get the following help:

tn-gw-> ?

Valid commands are: (unique abbreviations may be used)

connect hostname [serv/port]

telnet hostname [serv/port]

x-gw [hostname/display]

help/?

password

timeout seconds

quit/exit

tn-gw->

I see: it provides telnet access to other machines through this firewall host ;)

tn-gw-> telnet 192.168.0.2 55555

Trying 192.168.0.2 port -9981 ...

(the port prints as -9981 because 55555 is displayed as a signed 16-bit number)

Connected to 192.168.0.2.

SunOS 5.7

login: quack

Password:

Last login: Fri Jun  9 00:27:48 from 192.168.0.1

Sun Microsystems Inc.   SunOS 5.7       Generic October 1998

cracker%

That makes it clear... Wait a little and I will explain how this is configured.

c. Proxy

A proxy service, also known as a circuit-level gateway or TCP tunnel (Circuit Level Gateway or TCP Tunnel); some people also count it as an application-level gateway. It is a firewall technique introduced to address the shortcomings of packet filtering and application gateways, and its characteristic is that every communication link that crosses the firewall is split into two segments. The application-layer "link" between the computer systems inside and outside the firewall is realised by two "links" that both terminate at the proxy server; the network link from the outside computer can only reach the proxy server, which thereby isolates the computer systems inside the firewall from those outside. In addition, the proxy service analyses and logs traffic and produces reports, and when it finds signs of attack it alerts the network administrator and preserves the traces of the attack.
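The two-segment link described above, as an added example that is not part of the original article and not FWTK code: a minimal circuit-level proxy in Python that, like tn-gw, greets the client with a prompt, takes a "connect host port" command, checks the destination against a permit list before opening the second leg, logs the permit or deny decision, and then relays bytes in both directions. The demo() function runs it on loopback against a constructed echo server standing in for an internal host; the permit set, prompt text and log wording are my own assumptions, not tn-gw's.

```python
import socket
import threading

# The client only ever talks to the proxy; the proxy opens the second leg to the
# destination only after the policy check. Prompt and messages are assumptions.
BANNER = b"proxy-> enter: connect host port\r\n"
DENIED = b"Not permitted to connect to that host.\r\n"


def dest_allowed(host, port, allowed):
    """allowed is a set of (host, port) pairs; port None means any port on that host."""
    return any(h == host and (p is None or p == port) for h, p in allowed)


def read_line(sock):
    """Read one line byte by byte so nothing past the newline is buffered away from the relay."""
    buf = b""
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return buf.decode(errors="replace").strip()


def _pump(src, dst):
    """Copy bytes one direction until EOF, then pass the EOF on with a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle_client(client, allowed, log):
    """One proxied session: prompt, parse the command, enforce policy, relay."""
    peer = client.getpeername()[0]
    try:
        client.sendall(BANNER)
        parts = read_line(client).split()
        if len(parts) != 3 or parts[0] not in ("connect", "telnet") or not parts[2].isdigit():
            client.sendall(b"usage: connect host port\r\n")
            return
        host, port = parts[1], int(parts[2])
        if not dest_allowed(host, port, allowed):
            log.append(f"deny host={peer} destination={host}/{port}")
            client.sendall(DENIED)
            return
        log.append(f"permit host={peer} destination={host}/{port}")
        try:
            server = socket.create_connection((host, port), timeout=5)
        except OSError as exc:
            client.sendall(f"connect failed: {exc}\r\n".encode())
            return
        client.sendall(f"Connected to {host}:{port}.\r\n".encode())
        with server:
            threading.Thread(target=_pump, args=(server, client), daemon=True).start()
            _pump(client, server)  # returns when the client side goes away
    finally:
        client.close()


def _listen(handler):
    """Bind an ephemeral loopback port, serve each connection in a thread, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def start_proxy(allowed, log):
    return _listen(lambda conn: handle_client(conn, allowed, log))


def start_echo_server():
    """Constructed stand-in for an internal host: echoes whatever it receives."""
    def echo(conn):
        with conn:
            try:
                data = conn.recv(4096)
                while data:
                    conn.sendall(data)
                    data = conn.recv(4096)
            except OSError:
                pass
    return _listen(echo)


def demo():
    """One permitted and one denied session; returns what each side saw plus the proxy log."""
    log = []
    echo_port = start_echo_server()
    allowed = {("127.0.0.1", echo_port)}  # constructed policy: only the internal echo host
    proxy_port = start_proxy(allowed, log)
    c = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    read_line(c)  # banner/prompt
    c.sendall(f"connect 127.0.0.1 {echo_port}\r\n".encode())
    status = read_line(c)
    c.sendall(b"hello through the proxy\n")
    echoed = read_line(c)
    c.close()
    d = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    read_line(d)
    d.sendall(b"connect 10.0.0.1 23\r\n")
    denied = read_line(d)
    d.close()
    return status, echoed, denied, log


if __name__ == "__main__":
    print(demo())
```

The point to notice is that the outside socket never touches the destination: the proxy owns both sockets, the policy check happens before any byte crosses into the inner segment, and only destinations in the permit set can be reached at all; the log records both outcomes, which is what the *-summ.sh reporting scripts later feed on.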

2. Introduction to the files

By default TIS is installed in the /usr/local/etc directory; let's see what is there:

# cd /usr/local/etc

# ls -la

total 1092
drwxr-xr-x   2 root     other        512 Jun  6 17:05 .
drwxr-xr-x  11 root     other        512 Jun  6 17:02 ..
-rwxr-xr-x   1 root     other      17012 Jun  6 17:05 authdump
-rwxr-xr-x   1 root     other      18752 Jun  6 17:05 authload
-rwxr-xr-x   1 root     other       2322 Jun  6 17:05 authmgr
-rwxr-xr-x   1 root     other      47500 Jun  6 17:05 authsrv
-rwxr-xr-x   1 root     other      50952 Jun  6 17:05 ftp-gw
-rwxr-xr-x   1 root     other     117712 Jun  6 17:05 http-gw
-rwxr-x---   1 root     other        362 Jun  6 17:05 mqueue
-rwxr-xr-x   1 root     other      26820 Jun  6 17:05 netacl
-rw-r--r--   1 root     other       3101 Jun  6 17:05 netperm-table
-rwxr-xr-x   1 root     other      30308 Jun  6 17:05 plug-gw
-rwxr-xr-x   1 root     other      45892 Jun  6 17:05 rlogin-gw
-rwxr-xr-x   1 root     other      31436 Jun  6 17:05 smap
-rwxr-xr-x   1 root     other      28772 Jun  6 17:05 smapd
-rwxr-xr-x   1 root     other      49940 Jun  6 17:05 tn-gw
-rwxr-xr-x   1 root     other      44792 Jun  6 17:05 x-gw

One by one...

a. authdump: a tool for managing the TIS authentication database; it creates a backup of the information in the database in ASCII text form. Passwords are output in encrypted form.

b. authload: also an authentication database management tool; it processes single records in the database. It is especially useful when you need to add a set of entries to the database or share the database between two sites.

c. authmgr: the network authentication client; it is the interface to the authentication server authsrv, used to access the authentication server over the network with encryption.

d. authsrv: a third-party network authentication daemon that provides a variety of interfaces, such as password, one-time password or token authentication systems. It has a database of user and group records, and a management interface that lets an administrator manage user records locally or over the network. Its configuration is discussed later.

e. ftp-gw: a pass-through FTP proxy service with logging and access control.

f. http-gw: a Gopher and HTTP proxy service with logging and access control.

g. mqueue: message queue? I don't understand it... :(

h. netacl: TCP network access control; it is called by inetd and provides wrapping of various services.

i. netperm-table: the configuration file for all the services.

j. plug-gw: a generic TCP connection proxy service.

k. rlogin-gw: provides a proxy service for rlogin. Everyone knows the danger of the r* services; if you must have them, use this to wrap them.

l. smap: sendmail wrapper, client side. It implements a minimal SMTP, accepts messages from the network and hands them to smapd for further delivery; it usually runs under chroot.

m. smapd: sendmail wrapper, daemon side. It regularly scans the mail spool area maintained by smap and delivers any messages saved there.

n. tn-gw: the telnet proxy server.

o. x-gw: the X gateway server.

3. System preparation

a. Disable IP forwarding

Does your machine have two network cards? If you don't want your firewall to be passed straight through, you must disable IP forwarding, because IP forwarding sends packets received on one interface out through all the other applicable interfaces. Disabling IP forwarding generally may require reconfiguring the kernel.

By default, if a Solaris machine has more than one network card it forwards packets between them; this behaviour is controlled in /etc/init.d/inetinit. To turn it off on Solaris 2.4 or lower, add

ndd -set /dev/ip ip_forwarding 0

to the end of /etc/init.d/inetinit. On Solaris 2.5, just touch /etc/notrouter.

On SunOS 4.1.x, patch the kernel with adb, or add

options "IPFORWARDING=-1"

to the kernel configuration file and rebuild the kernel.

For Linux, run make menuconfig, find "IP: forwarding/gatewaying" (CONFIG_IP_FORWARD), turn it off and recompile. Others are similar; I haven't looked into them, I don't know ;)

b. Remove unnecessary services from /etc/inetd.conf and /etc/rc2.d/

First,

# ps -elf

to see which services are started when the system boots.

You can temporarily disable all services in /etc/inetd.conf by putting a # in front of each line, because we will use netacl or the various *-gw programs to wrap these services, and the inetd.conf we started from is going to change anyway ;)

Not all processes are started by the inetd super-server; some are defined directly in rc2.d and run when the system starts. If you have the following services, it is best to shut them down:

pcnfsd
rwhod
mountd
portmap
sendmail
named
printer
timed
nfsd
rstatd
xntpd
nfsiod

Shutting some of these down may affect system services; you need to analyse that yourself...

III. Configuration

1. netperm-table

This is the configuration file for everything in the firewall toolkit: netacl, smap, ftp-gw, tn-gw, plug-gw, and so on. When an application starts, it reads its configuration and permission information from the netperm-table policy file. Below is the netperm-table as it is after a default installation; it has many comments.

#
# netperm configuration table sample file
#
# To make better use of this netperm-table, it is best to replace host names by IP addresses
# (e.g. 666.777.888); that is not as easy to defeat by DNS spoofing.
#
# netacl example rules:
# ---------------------
# if the comments on the following lines are removed ...
# netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
# netacl-telnetd: permit-hosts youraddress 198.6.73.2 -exec /usr/libexec/telnetd
#
# the line below is for tn-gw
# netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# below is rlogin
# netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
# netacl-rlogind: permit-hosts youraddress 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# rlogin-gw configuration
# netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# to enable finger, remove the comment marks from the following two lines
# netacl-fingerd: permit-hosts yournet.* -exec /usr/libexec/fingerd
# netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt

# smap rule example:
# -------------------
smap, smapd: userid 6
smap, smapd: directory /var/spool/smap
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/sbin/sendmail
smap: timeout 3600

# ftp gateway rule example:
# --------------------------
# ftp-gw: denial-msg /usr/local/etc/ftp-de.txt
# ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
# ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do ftp with the Internet
# ftp-gw: permit-hosts yournet.*
# uncomment the following line if you want external users to be
# able to do ftp with the internal network using authentication
# ftp-gw: permit-hosts * -authall -log {retr 2

# telnet gateway rule example:
# -----------------------------
# tn-gw: denial-msg /usr/local/etc/tn-deny.txt
# tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
# tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 3600
tn-gw: permit-hosts yournet.* -passok -xok
# if this line is uncommented, incoming traffic is permitted with
# authentication required
# tn-gw: permit-hosts * -auth

# rlogin gateway rules:
# -----------------------------
# rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
# rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
# rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 3600
rlogin-gw: permit-hosts yournet.* -passok -xok
# if this line is uncommented, incoming traffic is permitted with
# authentication required
# rlogin-gw: permit-hosts * -auth -xok

# auth server and client rules example
# ------------------------------------
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
# clients using the auth server
*: authserver 127.0.0.1 7777

# x gateway rules:
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw

Looks like a mess, right? Let me explain...

a. Each rule starts with the name of the program that uses the rule, followed by a colon; when a program reads the table it reads only the rules relevant to it.

b. Several applications can share one rule: the application names are separated by commas, or an asterisk is used. Of course I don't recommend doing this; it is simpler, but maintaining or reading it is more annoying.

Not much more to say; I'll slowly go through the configuration of the various services.

2. netacl

Here I configure netacl as an example, wrapping the telnet and FTP daemons.

First we add two lines to /etc/inetd.conf (remember, we disabled these before ;)

ftp stream tcp nowait root /usr/local/etc/netacl in.ftpd

telnet stream tcp nowait root /usr/local/etc/netacl in.telnetd

Adjust this to your own system: if your daemons are ftpd and telnetd, change in.ftpd and in.telnetd accordingly. Then use ps -ef | grep inetd to find the process number and send it a HUP signal to restart it.

Modify the related entries in /usr/local/etc/netperm-table as follows:

# telnet rules:
netacl-in.telnetd: permit-hosts 192.168.0.1 -exec /usr/sbin/in.telnetd
# here I allow telnet only from the machine 192.168.0.1, so not even localhost can :)
netacl-in.telnetd: deny-hosts unknown
# pay attention to this line: it guards against IP spoofing by malicious users on the network.
# with this, you can let the address 192.168.0.2 telnet to your machine, while all other addresses
# are shown a warning message. This last rule guarantees that when a host's in-addr.arpa reverse
# DNS lookup yields the wrong name, the unknown remote machine cannot get in (DNS spoof).
netacl-in.telnetd: permit-hosts * -exec /bin/cat /usr/local/etc/notelnet.txt
# this displays a message when you are not allowed; you can edit the content yourself.
#
# ftp rules:
netacl-in.ftpd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.ftpd
# this allows FTP only from the local machine, localhost; everything else is rejected
netacl-in.ftpd: permit-hosts * -exec /bin/cat /usr/local/etc/noftp.txt
# the rejected machine is shown this message

OK, now let's test whether our configuration works properly...

I telnet from 192.168.0.1 to the target machine 192.168.0.2:

SunOS 5.7

login: ronin

Password:

Last login: Sat Jun 10 18:00:34 from 192.168.0.1

Sun Microsystems Inc.   SunOS 5.7       Generic October 1998

cracker%

Good, normal. To see whether the blocking rule works, we telnet from localhost...

cracker% telnet localhost

Trying 127.0.0.1 ...

Connected to localhost.

Escape character is '^]'.

Here is notelnet.txt file, means you can't access this host.   <--- the content of my notelnet.txt

Connection closed by foreign host.

cracker%

The FTP test is similar; no more...

In summary, netacl rules have the following forms:

permit-hosts ip/hostname        specifies the permitted hosts

deny-hosts ip/hostname          specifies the rejected hosts; rejected hosts are logged through syslogd

-exec executable [args]         the program started to handle the service

-user userid                    the identity the program starts as: root, nobody, etc.

-chroot rootdir                 the directory to chroot to before invoking the service
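As an added example (my own Python, not the article's or FWTK's code), here is a model of the netperm-table lookup described in this netacl section and in the earlier notes on the rule structure: the program-name prefix before the colon (comma lists and "*"), the first matching permit-hosts/deny-hosts line deciding the outcome, the "unknown" keyword for hosts whose reverse DNS lookup fails, the "network:netmask" form mentioned in the FAQ appendix, and the -user/-chroot/-exec options. The sample table is constructed in the style of the author's telnet and FTP rules; first-match order and default deny when nothing matches are my assumptions about netacl's behaviour.

```python
import ipaddress
import re

# Constructed sample table in the style of the article's netacl section (not the real file).
SAMPLE_TABLE = """
# telnet rules
netacl-in.telnetd: permit-hosts 192.168.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: deny-hosts unknown
netacl-in.telnetd: permit-hosts * -exec /bin/cat /usr/local/etc/notelnet.txt
# ftp rules, with a network:netmask pattern as in the FAQ
netacl-in.ftpd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.ftpd
netacl-in.ftpd: permit-hosts 10.1.0.0:255.255.0.0 -user nobody -exec /usr/sbin/in.ftpd
netacl-in.ftpd: permit-hosts * -exec /bin/cat /usr/local/etc/noftp.txt
# one rule shared by two programs, and one shared by all
tn-gw, rlogin-gw: timeout 3600
*: authserver 127.0.0.1 7777
"""


def parse_table(text):
    """Return (apps, attribute, values) triples; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        apps_part, _, rest = line.partition(":")
        fields = rest.split()
        if fields:
            rules.append(([a.strip() for a in apps_part.split(",")], fields[0].lower(), fields[1:]))
    return rules


def rules_for(rules, app):
    """A program reads only the rules whose prefix names it (a '*' prefix names everyone)."""
    return [(attr, vals) for apps, attr, vals in rules if app in apps or "*" in apps]


def host_matches(pattern, addr, hostname):
    """'*' = anyone; 'unknown' = reverse lookup failed; net:mask; or a '*'-wildcard name/address."""
    if pattern == "*":
        return True
    if pattern == "unknown":
        return hostname is None
    if ":" in pattern:
        net, mask = pattern.split(":", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return bool(re.match(regex, addr, re.I)) or bool(hostname and re.match(regex, hostname, re.I))


def decide(rules, app, addr, hostname):
    """First matching permit-hosts/deny-hosts line wins; returns (action, options)."""
    for attr, vals in rules_for(rules, app):
        if attr not in ("permit-hosts", "deny-hosts"):
            continue
        i, patterns, opts = 0, [], {}
        while i < len(vals) and not vals[i].startswith("-"):
            patterns.append(vals[i])
            i += 1
        while i < len(vals):  # -user x / -chroot dir are pairs; -exec takes the rest of the line
            if vals[i] == "-exec":
                opts["exec"] = vals[i + 1:]
                break
            opts[vals[i][1:]] = vals[i + 1]
            i += 2
        if any(host_matches(p, addr, hostname) for p in patterns):
            return ("permit" if attr == "permit-hosts" else "deny", opts)
    return ("deny", {})  # nothing matched: refuse (assumed netacl default)


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for app, addr, name in [("netacl-in.telnetd", "192.168.0.1", "ronin"),
                            ("netacl-in.telnetd", "127.0.0.1", "localhost"),
                            ("netacl-in.telnetd", "203.0.113.7", None),
                            ("netacl-in.ftpd", "10.1.7.9", "inside")]:
        print(app, addr, decide(table, app, addr, name))
```

Note how the author's ordering matters: the "deny-hosts unknown" line only protects against reverse-lookup failures because it comes before the catch-all "permit-hosts *"; swap the two and every unknown host would reach the cat rule instead.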

3. Authentication system

For the authentication system, first edit /etc/services and add

authsrv 3333/tcp

then add a line to /etc/inetd.conf:

authsrv stream tcp nowait root /usr/local/etc/authsrv authsrv

# ./authsrv                  <--- run authsrv

authsrv# ?                   <--- it shows the authsrv# prompt; I want to see the help, so I type ? and get the following output:

Command list:

(commands may be invoked with unique leading abbreviation)

authorize username [comment]
authenticate username
response
quit
exit
display username
adduser username [fullname]           <--- add a user
deluser username
enable username [ontime]              <--- enable a user
disable username
password [username] passwordtext      <--- set the password
passwd [username] passwordtext
proto username protoname              <--- the authentication protocol the user uses
group username groupname              <--- set the group
rename username newname [fullname]
wiz username
unwiz username
superwiz username
operation group/user username command dest [tokens]
list [group]
ls [group]
?
help

authsrv# adduser wlj                  <--- I add a user

ok - user added initially disabled

authsrv# password wlj wlj             <--- set the password; hehe, password = username, so easy to crack

Password for wlj changed.

authsrv# group wlj other              <--- set the group

set group

authsrv# enable wlj                   <--- enable

enabled

authsrv# wiz wlj

set group-wizard

authsrv# superwiz wlj

set wizard

authsrv# ls                           <--- take a look now...

Report for users in database

user   group  longname  status  proto  last
----   -----  --------  ------  -----  ----
user                    n       passw  never
wlj    other            y g     passw  never

Let me also try authmgr...

The authmgr mentioned earlier works like this:

cracker# ./authmgr

Connected to server

authmgr-> login

Username: wlj

Password:

Logged in

authmgr-> list

Report for users in database

user   group  longname  status  proto  last
----   -----  --------  ------  -----  ----
admin  root             y w     passw  never
wlj    other            y g     passw  Sat Jun 10 11:26:18 2000

authmgr->

The authentication server also has its own rules, like these:

# example auth server and client rules
# ------------------------------------
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
# clients using the auth server
*: authserver 127.0.0.1 3333

About the rules... authsrv can have the following rules:

database pathname          specifies the authsrv database

nobogus true               return a friendly error message when user authentication fails

badsleep seconds           seconds to sleep after repeated bad password attempts

userid name                specifies the user ID authsrv runs as

hosts host-pattern [key]   which hosts may talk to the server; the key is for encryption

operation user id telnet-gw host      ---> operation rules, stored in netperm-table
operation user id ftp-gw host put

How's that, do you understand? I wrote it messily, but that's really how I express it ;( If you don't understand, ask and I will help...

4. ftp-gw

Now to configure the FTP proxy. In general, you may want to run the FTP proxy and still run the normal FTP service. Several files need to be handled. First edit /etc/services and add the following:

ronin 4444/tcp

Then in /etc/inetd.conf the related lines look like this:

ftp stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw

ronin stream tcp nowait root /usr/local/etc/netacl in.ftpd

The second line, together with the /etc/services entry, moves the ordinary FTP daemon to port 4444 and wraps it in netacl. The first line is our ftp-gw.

After restarting inetd, a port scan shows that port 4444 is open and can be talked to directly.

Now we configure the rules for ftp-gw; open /usr/local/etc/netperm-table:

# example ftp gateway rules:
# --------------------------
ftp-gw: denial-msg /usr/local/etc/ftp-de.txt
# message shown when access is denied
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
# welcome message
# ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
# the timeout is set here
# uncomment the following line if you want internal users to be
# able to do ftp with the Internet
# ftp-gw: permit-hosts yournet.*
ftp-gw: hosts 192.168.0.*
# allow the machines 192.168.0.*
ftp-gw: authserver localhost 3333
# the authentication server is the local machine, port 3333   <--- as just defined for the authentication service

Its program rules are as follows:

userid user                 specifies the user ID
directory pathname          the ftp-gw chroot directory
denial-msg filename         the file shown when access is rejected
welcome-msg filename        the welcome message file
help-msg filename           the help message file
denydest-msg filename       the file shown when the destination is restricted
timeout secondvalue         the timeout setting

The host access options are as follows:

-dest pattern                    specifies a valid destination
-dest {pattern1 pattern2 ...}    specifies a set of valid destinations
-auth                            the proxy requires the user to present valid credentials before use
-passok                          users from that host are allowed to change their password

Let's verify. First ftp to port 4444, the one controlled by netacl...

C:\> ftp

ftp> o 192.168.0.2 4444

Connected to 192.168.0.2.

Sorry, you can't allow to access the ftp site!   <--- the noftp.txt I defined......

Connection closed by remote host.

ftp>

The blocking rule works...

Then try the proxy:

C:\> ftp 192.168.0.2

Connected to 192.168.0.2.

220 I am Quack, Welcome ^&^

User (192.168.0.2:(none)): wlj@localhost   <--- remember the authentication user I just added?

331-(----GATEWAY CONNECTED TO localhost----)

331-(220 I am Quack, Welcome ^&^)

331 Enter authentication password for wlj

Password:

230 User authenticated to proxy

ftp>

Connected successfully... As for the permit and deny rules, let's leave it there.

5. tn-gw

Configured just like ftp: edit /etc/services, /etc/inetd.conf, /usr/local/etc/netperm-table and so on, define the port and the rules... nothing more to say.

6. plug-gw / rlogin-gw / http-gw / x-gw: the configuration of these proxies differs little; readers can study them on their own.

7. smap / smapd: as for these, I don't have sendmail and was too lazy to set it up, so I didn't try them myself...

IV. Additional tools

In the TIS ./tools directory there are some management tools which can be used for some system management functions. However, perhaps because of the version I downloaded, I could not compile them directly in the package obtained from PacketStorm. There are two problems: one is that ./tools/server/ contains a syslog that should be renamed syslogd; the other is that make install does not install the tools into the correct directory, so you can modify the Makefile or simply copy them by hand, which is faster :)

These tools are as follows:

./tools/admin/

1. flog

This is a tool that monitors changes in a log file in real time. The author often keeps

tail -f /usr/adm/syslog

running on the console to watch the log file change in real time and judge how the system is running; flog is a smarter tool. You can simply type flog & to run it; by default it watches /var/log/messages (you can define this yourself when compiling), or you can watch other files with flog /var/log/auth.log.

2. portscan

Not much to say about this one; anyone looking at portscan knows it is a port scanning tool...

usage: portscan [-l low port] [-h high port] [-v] host

The simplest form is ./portscan localhost ... to determine which ports are providing services. With the -v host option you get verbose output, a small dot for each port; from this output you can judge whether it is still running...

3. netscan

This is a network ping program; it takes a network address as its parameter and pings each address in the network. Its default output is the list of addresses that respond to ping together with the corresponding host names. For example you can run it like this:

# ./netscan 202.101.103

It pings each address in turn; those that respond are the live hosts.

It can also run in verbose mode. Then the addresses that respond to ping are listed left-aligned with their names, and the addresses that do not respond are indented by one tab. Use

# ./netscan -v 202.101.103

to get the verbose output.

4. progmail

This is a simple program for sending mail. To install it, copy it to /usr/local/etc/, then modify the line in sendmail.cf:

Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u

and change it to:

Mprog, P=/usr/local/etc/progmail, F=lsDFMeuP, S=10, R=20, A=sh -c $u

5. reporting

# ls -la

-rw-r-----   1 ronin    other       2126 Nov  5  1994 authsrv-summ.sh
-rw-r-----   1 ronin    other        962 Nov  5  1994 daily-report.sh
-rw-r-----   1 ronin    other       4799 Nov 27  1996 deny-summ.sh
-rw-r-----   1 ronin    other       2757 Nov  5  1994 ftp-summ.sh
-rw-r-----   1 ronin    other       2796 Nov  5  1994 http-summ.sh
-rw-r-----   1 ronin    other        247 Nov  5  1994 login-summ.sh
-rw-r-----   1 ronin    other       2048 Nov  5  1994 netacl-summ.sh
-rw-r-----   1 ronin    other       2017 Nov  5  1994 smap-summ.sh
-rw-r-----   1 ronin    other       2256 Nov  5  1994 tn-gw-summ.sh
-rw-r-----   1 ronin    other        960 Nov  5  1994 today-report.sh
-rw-r-----   1 ronin    other        962 Nov  5  1994 weekly-report.sh

Not much to say about these: log statistics written as shell scripts; have a look at the code...

Then there are the following tools in the client and server directories; a brief introduction:

ftpd - a version of ftpd that uses the auth server

login-sh - a login shell wrapper that uses the auth server (see the man pages)

syslog - a version of the 4.3BSD syslog that uses regexps

gate-ftp - if invoked as "gate-ftp", the environment variable FTPSERVER is searched for, and is contacted as a proxy ftp gateway. Autologin is done through the proxy. If FTPSERVERPORT is set, that is used as the port number for the gateway server.

tn - a simple "expect" script that handles telnetting out through the proxy automatically

OK, I haven't typed so many words in a long time... my hands are sore...

Conclusion: all of the above really only explains some basic configuration. As for how to use this firewall in your own network to keep intruders outside the gate, that requires you to analyse your security policy, network structure and so on, and use these firewall tools and rules to ensure security.

Appendix 1: some tips translated from the FWTK FAQ

1. How do I use S/Key in the toolkit?

First, you must obtain the SecurID library from Axent Technology (Security Dynamics) or the S/Key library. In order to compile SecurID with the toolkit, change the "TIS_SD_INIT" reference in securid.c to "SD_INIT". The "TIS_" variant is a TIS fix that ships with Gauntlet, since the SecurID software won't work well with multi-homed hosts.

For both, you need to edit the Makefile in the auth directory for the proper modules to be compiled and linked. Remove the "#" from the "SKEYDIR=" (etc.) lines and re-make.

# if you are using the skey modules, define SKEYDIR to be the source
# directory where the skey libraries and includes are.
# SKEYDIR = ../../skey
# SKEYINC = -I$(SKEYDIR)
# SKEYLIB = $(SKEYDIR)/libskey.a
# SKEYOBJ = skey.o
# if you are using the securid module, define SECURDIR to be the source
# directory where the securid libraries and include files are.
# SECURDIR = /var/ace/client
# SECURLIB = $(SECURDIR)/sdclient.a $(FWLIB)
# SECURINC = -I$(SECURDIR)
# SECUROBJ = securid.o

2. How do I specify a subnet mask in netperm-table? Use the format "network-number:netmask"; for example:

111.222.0.0:255.255.0.0

This feature is only available in FWTK 2.x.

3. Why do I get the error "inetd: xxx-gw/tcp: unknown service" when I try to start a proxy?

This means the service name you use in /etc/inetd.conf does not match what is defined in /etc/services. For example, if your inetd.conf contains:

ftp-gw stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw

then the first field is the service name, and it must appear in /etc/services; changing it to ftp is fine.

If you run Solaris 2.x, you may also need to check the /etc/nsswitch.conf file.

4. How do I separate FWTK's log files from the other standard syslog files?

Edit firewall.h: find the line

#define LFAC LOG_DAEMON

and replace it with

#define LFAC LOG_LOCAL6

Then put

local6.* /var/log/fwtk

into syslog.conf, and make the messages line look like the following:

*.info;local6,mail.none /var/log/messages

Of course, in your netperm-table, use the -log option to turn on logging.

5. How do I establish separate log files for different services?

Edit your /etc/syslog.conf file as follows (the pattern lines are understood by the regexp-capable syslog in ./tools/server mentioned above); details can be found in the syslog.conf man page.

# patterns to match for
"authsrv"            /home/log/auth
"netacl.*fingerd"    /home/log/in-fingerd
"netacl.*telnetd"    /home/log/in-telnetd
"smap"               /home/log/smap
"ftp-gw"             /home/log/ftp-gw
"plug-gw"            /home/log/plug-gw
"rlogin-gw"          /home/log/rlogin-gw
"tn-gw"              /home/log/tn-gw
# standard system logs
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug /var/
*.emerg *
*.emerg;*.crit /dev/console

Finally, send a HUP signal to syslogd to restart the process.

Appendix 2: some related terms (taken from the book "Firewall Selection, Configuration, Installation and Maintenance")

1. Firewall: a component, or a series of components, placed between a protected network and the Internet or other networks.

2. Host: a computer system connected to the network. It can be any kind of machine, such as a Sun workstation, a PC or an IBM mainframe, and can run various operating systems.

3. Bastion host: a computer hardened against attack, exposed to the Internet, acting as the checkpoint for entering the internal hosts. Usually a general-purpose operating system runs on the bastion host.

4. Dual-homed host: a host with two network interfaces.

5. Screening router: a router that can block or forward packets according to filtering rules.

6. Screened host: a host placed on the network behind a screening router; the degree to which the host can be accessed depends on the router's screening rules.

7. Screened subnet: a subnet located behind a screening router; the degree to which the subnet can be accessed depends on the screening rules.

8. Proxy server: a program that stands between the client and the real server. A typical proxy accepts the user's client request, then determines whether the user or the user's IP address is entitled to use the proxy server (other authentication means may also be supported), and then establishes the connection between the client and the real server.

9. IP spoofing: a form of hacker attack in which the hacker uses one machine dressed up with the IP address of another machine to deal with the server. For example, a firewall does not allow a competitor's site to access this site, but the competitor's site can communicate with the server using the IP address of another site, and the server does not know that the machine is a host of the competitor.

10. DNS spoofing: by compromising the name server on the attacker's side, or compromising a domain name server, forging the IP address and host name to impersonate other machines.

11. Tunneling router: a special router that encrypts packets so that the data can cross the network and be decrypted by a matching router at the other end.

12. Virtual private network (VPN): a way of connecting two remote local area networks. The connection is made over an untrusted network such as the Internet, so the interconnection is generally achieved with tunneling routers.

13. Error and control message protocol (ICMP): one of the TCP/IP protocols, built on the IP layer; it carries error messages and routing suggestions between hosts, or between hosts and routers.

14. Defense in depth: a security measure that ensures as much protection as possible, generally used together with firewalls.

15. Least privilege: in operating and maintaining a system, reduce users' privileges as far as possible while still giving users enough permission to do their work; this reduces the opportunity for abuse of privilege. Abuse of privilege by insiders can easily open a security hole in the firewall, which is very dangerous and has caused many intrusions.

16. Packet filtering: devices such as routers, bridges or individual hosts that selectively control the traffic on the network. When packets pass through these devices, the devices can inspect the relevant fields of the packets and decide, according to established rules, whether the packet is allowed to pass. Sometimes this is also called screening.

====================

Shortcomings: please enlighten me.

When reposting, please cite the original address: https://www.9cbs.com/read-124672.html