TIS firewall details
Create time: 2001-03-02
Article attribute: original
Submitted by: Quack (QUACK_AT_XFOCUS.ORG)
By QUACK (QUACK@AndionLine.org)
What is a firewall? - I don't know ;)
What is TIS? - Trusted Information Systems, and the set of tools they wrote is called the FireWall Toolkit (fwtk). Install and configure the programs in this toolbox according to a proper security policy and you can build a basic firewall, and it is free ;) Take a look at it; maybe it saves you the money for your next firewall purchase...
I. Compiling

1. Download
The toolkit can be downloaded from the TIS web site, http://www.tis.com, but that involves a rather troublesome registration process, so I suggest going straight to a domestic security site or to http://packetstorm.securify.com/ instead. The version I got is fwtk2.1.tar.Z, which the following description uses as its example; it was built on Solaris 7 x86 with gcc 2.95.2.
2. Compile
# gunzip fwtk2.1.tar.Z
# tar vfx fwtk2.1.tar
# cd fwtk
After unpacking fwtk2.1.tar.Z you will find a number of Makefile.config.* files in the ./fwtk directory. If your operating system is, say, Solaris 2.7, replace Makefile.config with Makefile.config.solaris:
# mv Makefile.config Makefile.config.old
# mv Makefile.config.solaris Makefile.config
Compiling under Solaris is quite easy; at least on Solaris 7 and Solaris 8 it builds without modifying anything.
# make && make install
If you are using Linux, making Makefile.config.linux the current Makefile.config is not enough, because x-gw needs the Athena widget set and the build fails without it. So edit the Makefile to keep x-gw out of the build:
# vi Makefile
Find the lines below:
# Directories to build executables in
DIRS = smap smapd netacl plug-gw ftp-gw tn-gw rlogin-gw http-gw x-gw
and remove the trailing x-gw.
Under BSD, note that BSD make does not understand the .include "Makefile.config" form, so use the fixmake script that TIS provides to process the Makefiles, or set
CC=gcc
COPT=-g -traditional -DBSDI
to adapt them to a BSD system, such as my FreeBSD 3.4.
If the compiler complains about a conflicting declaration of sys_errlist, edit the source file in question and comment out the line:
extern char *sys_errlist[];
If you get the error "undefined symbol `_crypt' referenced from text segment", check whether the AUXLIB setting in your Makefile.config contains "-lcrypt". If there are still problems... I am too lazy to translate all of it; go to the URL below:
http://fwtk.netimages.com/fwtk/faq/
It lists common problems encountered while compiling and using TIS.
II. Preparation before configuring

1. Some concepts
a. Wrapper
As I understand it, a wrapper is a packaging program, and in principle it is no different from a login backdoor ;)
Take tcpd, for example, which we use to guard network service daemons. In the configuration file of the super-server inetd we can replace this line
finger stream tcp nowait nobody /usr/etc/in.fingerd in.fingerd
with one that wraps it in tcpd:
finger stream tcp nowait nobody /usr/etc/tcpd in.fingerd
Send inetd a HUP signal so that it restarts. From then on, when a host sends a finger request, tcpd starts first and checks the access control files /etc/hosts.allow and /etc/hosts.deny; only if the host is allowed does it start the real finger daemon to handle the request.
See how this resembles the principle of a login backdoor? ulogin.c, for example, renames the real login to another name and puts a fake login in its place; when a login request arrives it first checks whether the visitor has set the DISPLAY environment variable, and if its value equals the password it starts /bin/sh, otherwise it hands the request over to the normal login... Hey, that is off-topic, let's not go there...
b. Gateway
An application level gateway establishes protocol filtering and forwarding at the application layer. It applies specified filtering logic to a particular network application protocol and, on top of the filtering, performs the analysis, logging and statistics needed to produce reports.
Textbook definitions like this one are hard to follow; it took me a long time. In practice, under TIS there are the various gateways, such as tn-gw, which controls telnet: when you connect to the port tn-gw listens on, it presents its own prompt, like this:
C:\> telnet 192.168.0.2
The telnet window then shows
Hi, I'm QUACK, Welcome to my 3cr19tki7's Website!   <------- this is my tn-welcome.txt, displayed on connect
tn-gw->
When I type a question mark I get the following help:
tn-gw-> ?
Valid commands are: (unique abbreviations may be used)
connect hostname [serv/port]
telnet hostname [serv/port]
x-gw [hostname/display]
help/?
password
timeout seconds
quit/exit
tn-gw->
Now I get it: it provides telnet access to other machines through this firewall host ;)
tn-gw-> telnet 192.168.0.2 55555
Trying 192.168.0.2 port -9981 ...
Connected to 192.168.0.2.
SunOS 5.7
login: quack
Password:
Last login: Fri Jun  9 00:27:48 from 192.168.0.1
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
cracker%
That makes it clear... Be patient a little longer and I will explain how this is configured.
c. Proxy
A proxy service, also called a circuit level gateway or TCP tunnel (some people also count it as an application level gateway), is a firewall technique introduced to address the shortcomings of packet filtering and application gateways. Its characteristic is that every network connection crossing the firewall is split into two segments: the application-layer "link" between the computer systems inside and outside the firewall is realised by two "links" that terminate at the proxy server, so a connection from an outside computer can only reach the proxy server, which thereby isolates the computer systems inside and outside the firewall from each other. In addition, the proxy service analyses and logs traffic and produces reports, and when it finds signs of an attack it alerts the network administrator and preserves the traces of the attack.
2. The files
By default TIS installs into /usr/local/etc; let's see what is there.
# cd /usr/local/etc
# ls -la
total 1092
drwxr-xr-x   2 root     other        512 Jun  6 17:05 .
drwxr-xr-x  11 root     other        512 Jun  6 17:02 ..
-rwxr-xr-x   1 root     other      17012 Jun  6 17:05 authdump
-rwxr-xr-x   1 root     other      18752 Jun  6 17:05 authload
-rwxr-xr-x   1 root     other       2322 Jun  6 17:05 authmgr
-rwxr-xr-x   1 root     other      47500 Jun  6 17:05 authsrv
-rwxr-xr-x   1 root     other      50952 Jun  6 17:05 ftp-gw
-rwxr-xr-x   1 root     other     117712 Jun  6 17:05 http-gw
-rwxr-x---   1 root     other        362 Jun  6 17:05 mqueue
-rwxr-xr-x   1 root     other      26820 Jun  6 17:05 netacl
-rw-r--r--   1 root     other       3101 Jun  6 17:05 netperm-table
-rwxr-xr-x   1 root     other      30308 Jun  6 17:05 plug-gw
-rwxr-xr-x   1 root     other      45892 Jun  6 17:05 rlogin-gw
-rwxr-xr-x   1 root     other      31436 Jun  6 17:05 smap
-rwxr-xr-x   1 root     other      28772 Jun  6 17:05 smapd
-rwxr-xr-x   1 root     other      49940 Jun  6 17:05 tn-gw
-rwxr-xr-x   1 root     other      44792 Jun  6 17:05 x-gw
One by one...
a. authdump: a tool for managing the TIS authentication database; it dumps the database contents as an ASCII text backup, with passwords output in encrypted form.
b. authload: another authentication database management tool, which loads individual records into the database. It is especially useful when you need to add a set of entries to the database or share the database between two sites.
c. authmgr: the network authentication client, the interface to the authentication server authsrv. It is used to access the authentication server over the network, with encryption.
d. authsrv: the third-party network authentication daemon. It provides a common interface to a variety of authentication systems, such as passwords, one-time passwords or token systems; it keeps a database of user and group records and has a management interface that lets an administrator manage user records locally or over the network. Its configuration is covered later.
e. ftp-gw: an FTP proxy service with logging and access control that can be traversed.
f. http-gw: a Gopher and HTTP proxy service with logging and access control.
g. mqueue: message queue? I don't know, I don't understand it... :(
h. netacl: TCP network access control; it is invoked by inetd and provides wrapping for various services.
i. netperm-table: the configuration file for all of the services.
j. plug-gw: a generic TCP connection proxy.
k. rlogin-gw: a proxy for rlogin. Everyone knows how dangerous the r-services are; if you cannot do without it, use this to wrap it.
l. smap: the sendmail wrapper client. It implements a minimal version of SMTP, accepts messages from the network and hands them to smapd for further delivery; it usually runs under chroot.
m. smapd: the sendmail wrapper daemon, which periodically scans the mail spool area maintained by smap and delivers any messages saved there.
n. tn-gw: the telnet proxy server.
o. x-gw: the X gateway server.
3. System preparation
a. Turn off IP forwarding
Does your machine have two network cards? If you do not want your firewall to be simply passed through, you must disable the kernel's IP forwarding, because IP forwarding sends packets received on one interface out of every other suitable interface. In general, turning IP forwarding off may require reconfiguring the kernel.
By default, a Solaris machine with more than one network card forwards packets between them; this behaviour is controlled in /etc/init.d/inetinit. To turn it off on Solaris 2.4 or lower, add
ndd -set /dev/ip ip_forwarding 0
to the end of /etc/init.d/inetinit. On Solaris 2.5 it is enough to touch /etc/notrouter.
On SunOS 4.1.x, either patch the kernel with adb, or add
options "IPFORWARDING=-1"
to the kernel configuration file and rebuild the kernel.
On Linux, run make menuconfig, find "IP: forwarding/gatewaying" (CONFIG_IP_FORWARD), turn it off and rebuild. Other systems are similar; I have not looked into them and won't ;)
b. Remove unnecessary services from /etc/inetd.conf and /etc/rc2.d/
First of all,
# ps -elf
shows the services started at boot.
You can temporarily disable every service in /etc/inetd.conf by putting # in front of each line, because we will wrap these services with netacl or the various *-gw proxies anyway; we will be changing inetd.conf all the time ;)
Not all processes are started by the super-server inetd; some are defined directly in rc2.d and run when the system boots. If you have the following services, it is best to turn them off:
pcnfsd
rwhod
mountd
portmap
sendmail
named
printer
timed
nfsd
rstatd
xntpd
nfsiod
Shutting some of these down may affect system services, so analyse your own situation...
III. Configuration

1. netperm-table
This is the configuration file for everything in the firewall toolkit: netacl, smap, ftp-gw, tn-gw, plug-gw and so on. When an application starts it reads its configuration and permission information from netperm-table, the policy file. Below is the netperm-table as installed by default; it has many comments.
#
# netperm configuration table sample file
#
# To make better use of this netperm-table, it is best to replace host names
# with IP addresses (e.g. 666.777.888), which is less easily fooled by DNS spoofing.
#
# netacl example rules:
# ---------------------
# if the next two lines are uncommented, the listed hosts can get a telnet
# login on the firewall machine itself
# netacl-telnetd: permit-hosts 127.0.0.1 -exec /usr/libexec/telnetd
# netacl-telnetd: permit-hosts youraddress 198.6.73.2 -exec /usr/libexec/telnetd
#
# the line below hands telnet to tn-gw
# netacl-telnetd: permit-hosts * -exec /usr/local/etc/tn-gw
#
# below is rlogin
# netacl-rlogind: permit-hosts 127.0.0.1 -exec /usr/libexec/rlogind -a
# netacl-rlogind: permit-hosts youraddress 198.6.73.2 -exec /usr/libexec/rlogind -a
#
# rlogin-gw configuration
# netacl-rlogind: permit-hosts * -exec /usr/local/etc/rlogin-gw
#
# to enable finger, uncomment the following two lines
# netacl-fingerd: permit-hosts yournet.* -exec /usr/libexec/fingerd
# netacl-fingerd: permit-hosts * -exec /bin/cat /usr/local/etc/finger.txt
#
# smap rule example:
# -------------------
smap, smapd: userid 6
smap, smapd: directory /var/spool/smap
smapd: executable /usr/local/etc/smapd
smapd: sendmail /usr/sbin/sendmail
smap: timeout 3600
#
# ftp gateway rule example:
# --------------------------
# ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
# ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
# ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
# uncomment the following line if you want internal users to be
# able to do ftp with the Internet
# ftp-gw: permit-hosts yournet.*
# uncomment the following line if you want external users to be
# able to do ftp with the internal network using authentication
# ftp-gw: permit-hosts * -authall -log { retr stor }
#
# telnet gateway rule example:
# -----------------------------
# tn-gw: denial-msg /usr/local/etc/tn-deny.txt
# tn-gw: welcome-msg /usr/local/etc/tn-welcome.txt
# tn-gw: help-msg /usr/local/etc/tn-help.txt
tn-gw: timeout 3600
tn-gw: permit-hosts yournet.* -passok -xok
# if this line is uncommented incoming traffic is permitted with
# authentication required
# tn-gw: permit-hosts * -auth
#
# rlogin gateway rules:
# -----------------------------
# rlogin-gw: denial-msg /usr/local/etc/rlogin-deny.txt
# rlogin-gw: welcome-msg /usr/local/etc/rlogin-welcome.txt
# rlogin-gw: help-msg /usr/local/etc/rlogin-help.txt
rlogin-gw: timeout 3600
rlogin-gw: permit-hosts yournet.* -passok -xok
# if this line is uncommented incoming traffic is permitted with
# authentication required
# rlogin-gw: permit-hosts * -auth -xok
#
# auth server and client rules example
# ------------------------------------
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
# clients using the auth server
*: authserver 127.0.0.1 7777
#
# x gateway rules:
tn-gw, rlogin-gw: xforwarder /usr/local/etc/x-gw
Confused? Let me explain...
a. Each rule starts with the name of the program that uses it, followed by a colon; when a program reads the table it only reads the rules relevant to itself.
b. Several applications can share one rule by separating their names with commas or by using an asterisk. I don't recommend doing this: it is simpler to write, but harder to maintain and read.
Enough said; the configuration of the individual services is explained step by step below.
2. netacl
Here I wrap the telnet and FTP daemons with netacl as an example.
First add two lines to /etc/inetd.conf (remember, we disabled everything in it earlier ;)):
ftp     stream  tcp  nowait  root  /usr/local/etc/netacl  in.ftpd
telnet  stream  tcp  nowait  root  /usr/local/etc/netacl  in.telnetd
Adjust the last field to your own system: if your daemons are called ftpd and telnetd, write those instead of in.ftpd and in.telnetd. Then find the process id with ps -ef | grep inetd and send it a HUP signal so that it re-reads the file.
Next, modify the related entries in /usr/local/etc/netperm-table as follows:
# telnet rules:
netacl-in.telnetd: permit-hosts 192.168.0.1 -exec /usr/sbin/in.telnetd
# here I only allow telnet from the machine 192.168.0.1, so not even localhost may connect :)
netacl-in.telnetd: deny-hosts unknown
# pay attention to this line; it guards against IP spoofing by malicious users on the network.
# with these rules your machine 192.168.0.2 can be reached by telnet only from the permitted
# address, and every other address is shown the warning message. The deny-hosts unknown line
# guarantees that a remote machine whose in-addr.arpa reverse DNS lookup gives a wrong or
# missing host name cannot get in (DNS spoofing).
netacl-in.telnetd: permit-hosts * -exec /bin/cat /usr/local/etc/notelnet.txt
# this shows a message to anyone who is not allowed in; you can edit the content yourself.
#
# ftp rules:
netacl-in.ftpd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.ftpd
# this only allows FTP from the local machine, localhost; everyone else is refused
netacl-in.ftpd: permit-hosts * -exec /bin/cat /usr/local/etc/noftp.txt
# and this message is shown to the refused machines
OK, now let's test whether our configuration works properly...
I telnet from 192.168.0.1 to the target machine 192.168.0.2:
SunOS 5.7
login: ronin
Password:
Last login: Sat Jun 10 18:00:34 from 192.168.0.1
Sun Microsystems Inc.   SunOS 5.7       Generic October 1998
cracker%
Good, normal. Now to see whether the blocking rule works, telnet from localhost...
cracker% telnet localhost
Trying 127.0.0.1 ...
Connected to localhost.
Escape character is '^]'.
Here is notelnet.txt file, means you can't access this host.   <--- the content of my notelnet.txt
Connection closed by foreign host.
cracker%
The FTP test is similar, so no more of that...
In summary, netacl rules take the following forms:
permit-hosts ip/hostname      specifies hosts that are allowed
deny-hosts ip/hostname        specifies hosts that are refused; refused hosts are logged via syslogd
-exec executable [args]       the program started to handle the service
-user userid                  the identity the program runs as, e.g. root or nobody
-chroot rootdir               chroot to this directory before invoking the service
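To make the first-match behaviour of these rules concrete, here is an added Python model of how a program such as netacl selects a netperm-table rule for a connecting client; it is not fwtk code. It assumes that the first matching rule wins, that the pattern "unknown" matches a client with no reverse DNS name, and it also handles the network:netmask pattern form mentioned in the FAQ appendix below.

```python
"""Model of how fwtk programs pick a netperm-table access rule.

Added example, not code from the fwtk sources. Assumptions: rules are tried
in file order and the first match wins; the pattern 'unknown' matches a client
whose reverse DNS lookup failed; 'net:mask' is the FWTK 2.x subnet form from
the FAQ appendix; '*' matches any host; other patterns are shell-style globs.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    apps: list      # application names sharing this rule ('*' = any program)
    keyword: str    # permit-hosts, deny-hosts, timeout, ...
    hosts: list     # host patterns (only meaningful for *-hosts rules)
    options: dict   # -exec (argv list), -user, -chroot, flags such as -auth


def parse_netperm(text):
    """Parse netperm-table text into Rule objects, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        lhs, rhs = line.split(":", 1)
        apps = [a.strip().lower() for a in lhs.split(",")]
        tokens = rhs.split()
        if not tokens:
            continue
        keyword = tokens[0].lower()
        hosts, options, i = [], {}, 1
        while i < len(tokens) and not tokens[i].startswith("-"):
            hosts.append(tokens[i])          # host patterns precede the options
            i += 1
        while i < len(tokens):
            opt = tokens[i].lower()
            if opt == "-exec":               # -exec takes the rest of the line
                options[opt] = tokens[i + 1:]
                break
            if opt in ("-user", "-chroot") and i + 1 < len(tokens):
                options[opt] = tokens[i + 1]
                i += 2
            else:                            # bare flags: -auth, -passok, -xok
                options[opt] = True
                i += 1
        rules.append(Rule(apps, keyword, hosts, options))
    return rules


def host_matches(pattern, hostname, ip):
    """hostname is None when the reverse lookup failed (fwtk's 'unknown')."""
    p = pattern.lower()
    if p == "*":
        return True
    if p == "unknown":
        return hostname is None
    if ":" in p:                             # network:netmask form (FWTK 2.x)
        net = ipaddress.ip_network(p.replace(":", "/"), strict=False)
        return ipaddress.ip_address(ip) in net
    if fnmatch.fnmatchcase(ip, p):           # e.g. 192.168.0.*
        return True
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), p)


def decide(rules, app, hostname, ip):
    """Return ('permit', argv or None) or ('deny', None); no match means deny."""
    app = app.lower()
    for r in rules:
        if "*" not in r.apps and app not in r.apps:
            continue
        if r.keyword not in ("permit-hosts", "deny-hosts"):
            continue
        if any(host_matches(h, hostname, ip) for h in r.hosts):
            if r.keyword == "deny-hosts":
                return ("deny", None)
            return ("permit", r.options.get("-exec"))
    return ("deny", None)


# Constructed sample table: the article's netacl rules plus an ftp-gw rule
# mixing a wildcard network with the net:mask form.
SAMPLE_TABLE = """
netacl-in.telnetd: permit-hosts 192.168.0.1 -exec /usr/sbin/in.telnetd
netacl-in.telnetd: deny-hosts unknown
netacl-in.telnetd: permit-hosts * -exec /bin/cat /usr/local/etc/notelnet.txt
netacl-in.ftpd: permit-hosts 127.0.0.1 -exec /usr/sbin/in.ftpd
netacl-in.ftpd: permit-hosts * -exec /bin/cat /usr/local/etc/noftp.txt
ftp-gw: permit-hosts 192.168.0.* 10.1.0.0:255.255.0.0 -auth
ftp-gw: timeout 3600
"""

RULES = parse_netperm(SAMPLE_TABLE)
```

Note how a client with no reverse DNS name is refused by deny-hosts unknown before it ever reaches the catch-all permit-hosts * line; swap the order of those two rules and the protection disappears.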
3. The authentication system
For the authentication system, edit /etc/services as well and add
authsrv 3333/tcp
then add a line to /etc/inetd.conf:
authsrv stream tcp nowait root /usr/local/etc/authsrv authsrv
# ./authsrv                  <----------------- run authsrv
authsrv# ?                   <----------------- it shows an authsrv# prompt; I want to see the help, so I type ? and get the following output
Command list:
(commands may be invoked with unique leading abbreviation)
authorize username [comment]
authenticate username
response
quit
exit
display username
adduser username [fullname]        <---------- add a user
deluser username
enable username [onetime]          <---------- enable the user
disable username
password [username] passwordtext   <---------- set the password
passwd [username] passwordtext
proto username protoname           <---------- set the authentication protocol the user uses
group username groupname           <---------- set the group
rename username newname [fullname]
wiz username
unwiz username
superwiz username
operation group/user username command dest [tokens]
list [group]
ls [group]
?
help
authsrv# adduser wlj              <-------------- I add a user
ok - user added initially disabled
authsrv# password wlj wlj         <-------------- set the password; hehe, password = username, so easy to crack
Password for wlj changed.
authsrv# group wlj other          <-------------- set the group
set group
authsrv# enable wlj               <-------------- enable
enabled
authsrv# wiz wlj
set group-wizard
authsrv# superwiz wlj
set wizard
authsrv# ls                       <-------------- now take a look...
Report for users in database
user   group   longname   status   proto   last
----   -----   --------   ------   -----   ----
user                      n        passw   never
wlj    other              y G      passw   never
Let's try authmgr too...
The authmgr mentioned earlier works like this:
cracker# ./authmgr
Connected to server
authmgr-> login
Username: wlj
Password:
Logged in
authmgr-> list
Report for users in database
user    group   longname   status   proto   last
----    -----   --------   ------   -----   ----
admin   root               y w      passw   never
wlj     other              y G      passw   Sat Jun 10 11:26:18 2000
authmgr->
The authentication server has its own rules too, like these:
# Example auth server and client rules
# ------------------------------------
authsrv: hosts 127.0.0.1
authsrv: database /usr/local/etc/fw-authdb
authsrv: badsleep 1200
authsrv: nobogus true
# clients using the auth server
*: authserver 127.0.0.1 3333
About these rules... authsrv accepts the following:
database pathname            the path of the authsrv database
nobogus true                 return a friendly error message when user authentication fails
badsleep seconds             the delay imposed on repeated bad password attempts
userid name                  the user id authsrv runs as
hosts host-pattern [key]     hosts allowed to talk to authsrv, with an optional encryption key
operation user id tn-gw host ----> operation rules, stored in netperm-table
operation user id ftp-gw host put
How is it, do you understand? I have written this rather messily, but I really have tried to express it ;( If you don't understand something, maybe I can help...
4. ftp-gw
Now to configure the FTP proxy. In general you will want to run the FTP proxy and the normal FTP service side by side, which means touching several files. First edit /etc/services and add:
ronin 4444/tcp
Then in /etc/inetd.conf the relevant lines become:
ftp    stream  tcp  nowait  root  /usr/local/etc/ftp-gw  ftp-gw
ronin  stream  tcp  nowait  root  /usr/local/etc/netacl  in.ftpd
The second line, together with the /etc/services entry, moves the ordinary FTP service to port 4444 and wraps it in netacl. The first line is our ftp-gw.
After restarting inetd, a port scan shows port 4444 open and you can talk to it directly.
Now configure the rules for ftp-gw; open /usr/local/etc/netperm-table:
# Example ftp gateway rules:
# --------------------------
ftp-gw: denial-msg /usr/local/etc/ftp-deny.txt
# the denial message
ftp-gw: welcome-msg /usr/local/etc/ftp-welcome.txt
# the welcome message
# ftp-gw: help-msg /usr/local/etc/ftp-help.txt
ftp-gw: timeout 3600
# set the timeout here
# uncomment the following line if you want internal users to be
# able to do ftp with the Internet
# ftp-gw: permit-hosts yournet.*
ftp-gw: hosts 192.168.0.*
# allow the machines in 192.168.0.*
ftp-gw: authserver localhost 3333
# the authentication server is the local machine, port 3333 <--------- as just defined in the authentication service section
Its program rules are as follows:
userid user                  the user id to run as
directory pathname           the chroot directory for ftp-gw
denial-msg filename          the file shown when access is refused
welcome-msg filename         the welcome message file
help-msg filename            the help message file
denydest-msg filename        the file shown when the destination is restricted
timeout secondvalue          the timeout setting
The host access options are as follows:
-dest pattern                    specifies a valid destination
-dest { pattern1 pattern2 ... }  specifies a set of valid destinations
-auth                            the proxy requires the user to present valid authentication credentials before use
-passok                          allows the password command for users connecting from that host
Let's verify. First ftp to the netacl-controlled port 4444...
C:\> ftp
ftp> o 192.168.0.2 4444
Connected to 192.168.0.2.
Sorry, you can't allow to access the ftp site!   <------- the noftp.txt I defined...
Connection closed by remote host.
ftp>
The blocking rule works...
Then try the proxy:
C:\> ftp 192.168.0.2
Connected to 192.168.0.2.
220 I am Quack, Welcome ^&^
User (192.168.0.2:(none)): wlj@localhost   <--------- remember the authentication user I just created?
331-(----GATEWAY CONNECTED TO localhost----)
331-(220 I am Quack, Welcome ^&^)
331 Enter authentication password for wlj
Password:
230 User authenticated to proxy
ftp>
Connected successfully... As for the rules that permit and block, that's it for now.
5. tn-gw
No different from configuring ftp: edit /etc/services, /etc/inetd.conf, /usr/local/etc/netperm-table and so on, define the port, the rules... nothing more to say.
6. plug-gw / rlogin-gw / http-gw / x-gw: configuring these proxies is not hard either; readers can study them on their own.
7. smap / smapd: I don't run sendmail and was too lazy to set it up, so I haven't tried these myself...
IV. Additional tools
The TIS ./tools directory contains some management tools that help with system administration. However, perhaps because of the version I downloaded, the package from PacketStorm does not compile directly. There are two problems: one is the syslog in ./tools/server/, which has to be renamed syslogd; the other is that make install does not put the tools into the correct directory, so either fix the Makefile or simply copy them by hand, which is quicker :)
The tools are as follows:
./tools/admin/
1. flog
This is a tool that watches a log file for changes in real time. I often run
tail -f /usr/adm/syslog
on the console to follow the log and judge how the system is doing; flog is a smarter tool for that. Just type flog & to run it; by default it watches /var/log/messages (you can change this when compiling), or you can watch other files with flog /var/log/auth.log.
2. portscan
Not much to say about this one; anyone who sees the name portscan knows it is a port scanning tool...
usage: portscan [-l low port] [-h high port] [-v] host
The simplest use is ./portscan localhost ... to determine which ports are providing services. With the -v host parameter you get verbose output, a small dot for each port, from which you can tell whether it is still running...
3. netscan
This is a network ping program that takes a network address as its argument and pings every address in that network. Its default output is the list of addresses that respond to ping, with the corresponding host names. For example, run it like this:
# ./netscan 202.101.103
It pings each address in turn, and those that respond are the live hosts.
It can also run in verbose mode. Then the pinged addresses are printed with their names, left aligned, and addresses that do not respond are indented by one tab. Use
# ./netscan -v 202.101.103
to get the verbose output.
4. progmail
This is a simple program for sending mail. To install it, copy it to /usr/local/etc/, then change this line in sendmail.cf:
Mprog, P=/bin/sh, F=lsDFMeuP, S=10, R=20, A=sh -c $u
to:
Mprog, P=/usr/local/etc/progmail, F=lsDFMeuP, S=10, R=20, A=sh -c $u
5. reporting
# ls -la
-rw-r-----   1 ronin    other       2126 Nov  5  1994 authsrv-summ.sh
-rw-r-----   1 ronin    other        962 Nov  5  1994 daily-report.sh
-rw-r-----   1 ronin    other       4799 Nov 27  1996 deny-summ.sh
-rw-r-----   1 ronin    other       2757 Nov  5  1994 ftp-summ.sh
-rw-r-----   1 ronin    other       2796 Nov  5  1994 http-summ.sh
-rw-r-----   1 ronin    other        247 Nov  5  1994 login-summ.sh
-rw-r-----   1 ronin    other       2048 Nov  5  1994 netacl-summ.sh
-rw-r-----   1 ronin    other       2017 Nov  5  1994 smap-summ.sh
-rw-r-----   1 ronin    other       2256 Nov  5  1994 tn-gw-summ.sh
-rw-r-----   1 ronin    other        960 Nov  5  1994 today-report.sh
-rw-r-----   1 ronin    other        962 Nov  5  1994 weekly-report.sh
Nothing mysterious here: log statistics written as shell scripts; read the code...
Then there are the following tools in the client and server directories, briefly:
ftpd      - a version of ftpd that uses the auth server
login-sh  - a login shell wrapper thing that uses the auth server
            (see the man pages)
syslog    - a version of the 4.3BSD syslog that uses regexps
gate-ftp  - if invoked as "gate-ftp", the environment variable FTPSERVER is
            searched for, and is contacted as a proxy ftp gateway. Autologin is done
            through the proxy. If FTPSERVERPORT is set, that is used as the port
            number for the gateway server.
tn        - a simple "expect" script that handles telnetting out through
            the proxy automatically
OK, I haven't typed so many words in a long time... my hand is sore...
Conclusion: all of the above only explains some basic configuration. How to use this firewall on your own network to keep intruders outside the gate depends on analysing your own security policy, network structure and so on, and then applying these firewall tools and rules to secure it.
Appendix 1: some tips translated from the FWTK FAQ
1. How do I use S/Key in the toolkit?
First, you must obtain the SecurID library from Axent Technology (Security Dynamics) or the S/Key library. In order to compile SecurID with the toolkit, change the "TIS_SD_INIT" reference in securid.c to "SD_INIT". The "TIS_" variant is a TIS fix that ships with Gauntlet, since the SecurID software won't work well with multi-homed hosts.
For both, you need to edit the Makefile in the auth directory for the proper modules to be compiled and linked. Remove the "#" from the "SKEYDIR=" (etc.) lines and re-make.
#if you are using the skey modules, define SKEYDIR to be the source
#directory where the skey libraries and includes are.
#SKEYDIR=../../skey
#SKEYINC=-I$(SKEYDIR)
#SKEYLIB=$(SKEYDIR)/libskey.a
#SKEYOBJ=skey.o
#if you are using the securid module, define SECURDIR to be the source
#directory where the securid libraries and include files are.
#SECURDIR=/var/ace/client
#SECURLIB=$(SECURDIR)/sdclient.a $(FWLIB)
#SECURINC=-I$(SECURDIR)
#SECUROBJ=securid.o
2. How do I specify a subnet mask in netperm-table?
Use the format "network-number:netmask", for example:
111.222.0.0:255.255.0.0
This feature only exists in FWTK 2.x.
3. Why do I get the error "inetd: xxx-gw/tcp: unknown service" when I start a proxy?
This means that the service name you used in /etc/inetd.conf does not match what is defined in /etc/services. For example, if your inetd.conf contains:
ftp-gw stream tcp nowait root /usr/local/etc/ftp-gw ftp-gw
then the first field, the service name, must exist in /etc/services; changing it to ftp works.
If you run Solaris 2.x, you may also need to look at /etc/nsswitch.conf.
4. How do I separate FWTK's log files from the other standard syslog files?
Edit firewall.h and find the line:
#define LFAC LOG_DAEMON
Replace it with:
#define LFAC LOG_LOCAL6
then put the following into syslog.conf:
local6.* /var/log/fwtk
and make the line for the other logs look like this:
*.info;local6,mail.none /var/log/messages
Of course, use the -log option in your netperm-table to turn logging on.
5. How do I establish a separate log file for each service?
Edit your /etc/syslog.conf as follows; details are in the syslog.conf man page.
# patterns to match for
"authsrv"            /home/log/auth
"netacl.*fingerd"    /home/log/in-fingerd
"netacl.*telnetd"    /home/log/in-telnetd
"smap"               /home/log/smap
"ftp-gw"             /home/log/ftp-gw
"plug-gw"            /home/log/plug-gw
"rlogin-gw"          /home/log/rlogin-gw
"tn-gw"              /home/log/tn-gw
# standard system logs
*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug   /var/
*.emerg   *
*.emerg;*.crit   /dev/console
Finally, send syslogd a HUP signal to restart it and you are done.
Appendix 2: some related terms (taken from the book "Firewall selection, configuration, installation and maintenance")
1. Firewall: a component, or a series of components, placed between the protected network and the Internet or other networks.
2. Host: a computer system connected to the network. It can be any kind of machine, such as a Sun workstation, a PC or an IBM mainframe, and can run different operating systems.
3. Bastion host: a computer hardened against attack, exposed to the Internet and serving as the checkpoint for entry to the internal hosts. Usually a general-purpose operating system runs on the bastion host.
4. Dual-homed host: a host with two network interfaces.
5. Screening router: a router that can block and forward packets according to filtering rules.
6. Screened host: a host placed on the network behind a screening router; how far it can be accessed depends on the router's screening rules.
7. Screened subnet: a subnet located behind a screening router; how far it can be accessed depends on the screening rules.
8. Proxy server: a program that acts on behalf of the client towards the real server. A typical proxy accepts the user's client request, determines whether the user or the user's IP address is entitled to use the proxy (other authentication means may also be supported), and then establishes the connection between the client and the real server.
9. IP spoofing: a form of attack in which an attacker uses one machine dressed up with the IP address of another machine to deal with a server. For example, a firewall may not allow a competitor's site to access this site, but the competitor can communicate with the server using another site's IP address, and the server does not know that the machine belongs to a competitor's site.
10. DNS spoofing: by corrupting the name server on the attacker's side, or corrupting a domain's name server, forged mappings between IP addresses and host names are used to pretend to be another machine.
11. Tunneling router: a special router that encrypts packets so that the data can only be decrypted by a peer router of the same kind.
12. Virtual private network (VPN): a way of connecting two remote local area networks. Since the connection passes over an untrusted network such as the Internet, the interconnection is generally achieved with tunneling routers.
13. Internet Control Message Protocol (ICMP): one of the TCP/IP protocols, built on the IP layer; it carries error messages and routing advice between hosts, or between hosts and routers.
14. Defense in depth: a security measure that ensures protection as far as possible, generally used together with firewalls.
15. Least privilege: in operating and maintaining a system, reduce users' privileges as much as possible while still giving them enough permission to do their work; this reduces the opportunity for privilege abuse. An insider abusing privileges is very likely to open a hole in the firewall, which is very dangerous, and many intrusions are caused this way.
16. Packet filtering: devices such as routers, bridges or individual hosts selectively control the traffic on the network. When packets pass through these devices, they inspect the relevant fields of the packet and decide, according to the established rules, whether the packet may pass. This is sometimes also called screening.
====================
Corrections are welcome.