Linux System Security Tool Introduction

xiaoxiao, 2021-03-06

This article introduces a number of security tools that can be used on Linux. Each plays its part in hardening your servers and addresses a different aspect of the problem. The focus is simply on making these tools known to you, with a fairly detailed introduction to installing, configuring and using them. Conceptual topics such as what SUID means or what a buffer overflow is are outside the scope of this article.

These tools are offered only as pointers; do not limit yourself to them. After all, security is a process, not a product.

First, SXID

SXID is a system monitor. It tracks the SUID and SGID files on the system and reports changes in them. The report can be sent by email, as set in the configuration file, or written directly to standard output without using email. SUID files, SGID files and files without an owner are prime candidates for tampering by others, so all of them deserve special attention.

You can get SXID from the following URL: ftp://marcus.seva.net/pub/sxid/

If you have installed other tools from source, you will have no trouble installing this one; there is nothing special about its installation.

With the default installation, the configuration file is /usr/local/etc/sxid.conf. This file is well commented and easy to understand; it defines how SXID works. The log file defaults to /var/log/sxid.log, and the number of log files kept in rotation is also defined in sxid.conf. Once the configuration is settled, you can make sxid.conf immutable and make sxid.log append-only (using the chattr command).

You can run a check at any time with the -k option (sxid -k). A check run this way is very flexible: it neither writes to the log nor sends email, so you can check whenever you like. I still recommend putting the check into the crontab; run crontab -e and add the following entry:

0 4 * * * /usr/bin/sxid

This executes the program at 4 am every day.
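What such a daily check does underneath, as an added example in Python (this is not SXID's own code): classify() decides from a file's stat() fields whether it is SUID, SGID or owned by a uid/gid that has no passwd/group entry, scan_tree() applies that to a directory tree, and diff_baseline() produces the kind of change report SXID mails after its cron run. The database path in the usage section is an assumed location, not one SXID uses.

```python
"""SXID-style monitor for SUID/SGID and ownerless files (added example, not SXID's code)."""
import grp
import json
import os
import pwd
import stat


def _uid_known(uid):
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _gid_known(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def classify(st_mode, uid, gid, check_owner=True):
    """Return the reasons a regular file deserves attention, or [] if none.
    Only regular files count; an SGID directory is a normal Unix idiom."""
    if not stat.S_ISREG(st_mode):
        return []
    flags = []
    if st_mode & stat.S_ISUID:
        flags.append("suid")
    if st_mode & stat.S_ISGID:
        flags.append("sgid")
    if check_owner and (not _uid_known(uid) or not _gid_known(gid)):
        flags.append("no-owner")          # uid or gid without a passwd/group entry
    return flags


def scan_tree(root, check_owner=True):
    """Walk `root` without following symlinks; return {path: record} for flagged files."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                  # vanished or unreadable: skip, do not abort
            flags = classify(st.st_mode, st.st_uid, st.st_gid, check_owner)
            if flags:
                found[path] = {"mode": "%o" % stat.S_IMODE(st.st_mode),
                               "uid": st.st_uid, "gid": st.st_gid, "flags": flags}
    return found


def diff_baseline(old, new):
    """Compare two scans. Returns (added, removed, changed) as sorted path lists;
    'changed' means the file is still flagged but its mode or owner differs."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def save_baseline(found, db_path):
    with open(db_path, "w") as fh:
        json.dump(found, fh, indent=1, sort_keys=True)


def load_baseline(db_path):
    with open(db_path) as fh:
        return json.load(fh)


def format_report(added, removed, changed):
    """Plain-text report in the spirit of SXID's mail; empty when nothing changed."""
    lines = []
    for title, paths in (("New SUID/SGID/ownerless files", added),
                         ("No longer SUID/SGID/ownerless", removed),
                         ("Mode or owner changed", changed)):
        if paths:
            lines.append(title + ":")
            lines.extend("  " + p for p in paths)
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    db = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/sxid-example.json"  # assumed path
    current = scan_tree(root)
    if os.path.exists(db):
        print(format_report(*diff_baseline(load_baseline(db), current)) or "no changes")
    save_baseline(current, db)
```

Run it once to record the baseline and then from cron; a file that gains the setuid bit, or a setuid binary whose mode changes, shows up in the next report.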

If you still want to know more detailed information, you can refer to:

man sxid
man 5 sxid.conf

Second, SKEY

Do you think your password is safe? Even if your password is long and full of special characters, so that cracking tools have a hard time with it, it is still transmitted across the network in clear text, and a sniffer on the Ethernet can intercept it. This is now possible even in switched environments. In such cases, SKEY is an option for you.

SKEY is a one-time password tool. It is a client/server application. First, the keyinit command is used on the server to create an SKEY entry for each user. This command asks for a secret password and then generates a list of one-time passwords for that user. When the user connects to the server via Telnet or FTP, they enter the indicated password from the one-time password list; at the next connection, the password is replaced with the next one in the list.

You can get SKEY from: ftp://ftp.cc.gatech.edu/ac121/linux/system/neetwork/sunacm/other/skey

The SKEY server side is set up with the following steps:

1. Initialize the user mary with the following command:

keyinit mary

Each time it is run, keyinit generates 99 one-time passwords for the user. It creates the user's entry in the /etc/skeykeys file, which holds the information the server side needs to compute the next one-time password. After the keyinit command above, /etc/skeykeys contains a record such as:

mary 0099 TO25065 BE9406D891AC86FB Mar 11, 2001 04:23:12

From left to right, the fields are the user name, the one-time password sequence number, the password type (seed), the stored password value, and the date and time.

2. Give mary the list of one-time passwords. You can print out the list and hand it to mary. This is the safer way, since the passwords never travel over the network.

3. Change mary's default login shell to /usr/local/bin/keysh. Through PAM, mary is prompted for a one-time password when she logs in; after she enters it, the server side checks the password and, if it is correct, permits the connection.

Some users may not like a printed password list; they can use the key command to compute the one-time password on their own client. Connect to the server to learn the type and sequence number of the next one-time password, then run the key command in another window to compute the required password from that type and sequence number. I must remind you, however, that this convenience comes at the cost of some danger.

If the default 99 passwords are used up, you can refresh the password list with keyinit -s.

There are many other programs besides keysh that protect other services, such as su, login, FTP and more, so you can cover different kinds of service connections.

For security, you should set the attributes and permissions of the /etc/skeykeys file carefully.
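The mechanism behind keyinit, key and the server-side check, as an added example in Python (this is not SKEY's code). It is a hash chain: the server stores only the top of the chain, the user's list runs from the second-highest link downwards, and each accepted password becomes the new stored value so it can never be replayed. One labelled simplification: the hash is SHA-256 truncated to 8 bytes, where real S/Key folds MD4 to 64 bits and prints the result as six short words; the user name, secret and seed below are constructed.

```python
"""Hash-chain one-time passwords in the style of S/Key (added example, not SKEY's code).
Simplification: SHA-256 truncated to 8 bytes replaces S/Key's folded MD4 and word encoding."""
import hashlib
import hmac


def _h(x: bytes) -> bytes:
    """One step of the chain."""
    return hashlib.sha256(x).digest()[:8]


def _chain(secret: str, seed: str, length: int):
    """chain[k] = h^k(base) for k = 0..length, with base = h(seed || secret)."""
    x = _h((seed + secret).encode())
    chain = [x]
    for _ in range(length):
        x = _h(x)
        chain.append(x)
    return chain


def keyinit(user: str, secret: str, seed: str, count: int = 99):
    """Server side of `keyinit`: returns (record, password_list).
    The record (what /etc/skeykeys holds) stores only the top hash, never the
    secret. The list is what is printed for the user: sequence numbers count-1
    down to 0, in the order they will be used."""
    chain = _chain(secret, seed, count)
    record = {"user": user, "seq": count, "seed": seed, "stored": chain[count].hex()}
    passwords = [(k, chain[k].hex()) for k in range(count - 1, -1, -1)]
    return record, passwords


def challenge(record):
    """What the server shows at login: the sequence number and seed the user needs."""
    return "%d %s" % (record["seq"] - 1, record["seed"])


def key(secret: str, seq: int, seed: str) -> str:
    """Client side of the `key` command: password number `seq`, computed from the secret."""
    return _chain(secret, seed, seq)[seq].hex()


def verify(record, candidate: str) -> bool:
    """Server check: h(candidate) must equal the stored value. On success the
    candidate becomes the stored value and the counter drops by one, so the same
    password is never accepted twice; at seq 0 the list is exhausted (keyinit -s)."""
    if record["seq"] <= 0:
        return False
    try:
        cand = bytes.fromhex(candidate)
    except ValueError:
        return False
    if not hmac.compare_digest(_h(cand), bytes.fromhex(record["stored"])):
        return False
    record["seq"] -= 1
    record["stored"] = cand.hex()
    return True


if __name__ == "__main__":
    rec, pw_list = keyinit("mary", "constructed-secret", "to25065")   # constructed values
    print("server record:", rec)
    print("login prompt :", challenge(rec))
    seq, pw = pw_list[0]
    print("user answers :", pw, "->", verify(rec, pw), "| replay ->", verify(rec, pw))
```

The record never contains the secret, so someone who reads /etc/skeykeys learns only the current top of the chain and cannot compute the next valid password from it; that is why the file still needs strict permissions but a leak is not immediately fatal.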

Third, three log management tools

3.1 logrotate

Most Linux distributions ship this tool. Log files that grow without bound are a problem; logrotate rotates the logs automatically and deletes the oldest ones. You can put it in the crontab to run regularly every day; many Linux distributions do this by default.

You can get the newest version from the following URL: ftp://ftp.redhat.com/pub/redhat

Its configuration file is /etc/logrotate.conf, in which we can set the rotation interval, the number of backup copies kept, how the logs are backed up, and so on.

The /etc/logrotate.d directory holds rotation settings for individual logs, for example syslog, samba, cron and so on; each specifies how its logs are rotated on top of /etc/logrotate.conf. You can add files for other logs you want rotated to this directory.

For more information on the configuration files, see man logrotate.

Finally, I remind you once more to run logrotate from cron.

3.2 Swatch

Swatch is a real-time log monitoring tool. You set the events you are interested in, and it notifies you when they occur. Swatch has two modes of operation: one checks the log once and exits, the other keeps monitoring the log for new entries.

Swatch offers several kinds of notification, such as email, bells, terminal output, colors, and more.

You can download it from the following site: ftp://ftp.stanford.edu/general/security-tools/swatch/

Installing Swatch requires some Perl library support, so make sure your system supports Perl before installing.

Some simple settings can be made on the Swatch command line, such as the log rotation time, which tells Swatch to restart after rotation is complete.

The configuration file SwatchMessage is the heart of Swatch. This text file tells Swatch which log to monitor, what triggers to look for, and what action to take when a trigger fires. When Swatch finds a line matching a trigger regular expression defined in SwatchMessage, it runs the notification program defined in SwatchRC. Swatch monitors log files in real time by means of /usr/bin/tail -f. How to write the configuration is not covered here; refer to the configuration files that come with Swatch. For each service you care about, for example FTP, Sendmail and so on, you must configure a separate SwatchMessage file.

Swatch accepts many parameters at startup, but it is usually started as follows:

/usr/local/bin/swatch -c /var/log/syslogMessage -t /var/log/syslog -r 06:00 &

The -c parameter specifies the configuration file, -t specifies the log file to watch, -r specifies the restart time, and the "&" runs Swatch in the background. After startup Swatch forks a child process, so Swatch runs as two processes, and both must be killed when stopping it.

You can also restart Swatch after the log is rotated by logrotate: create a rotation file for the log you care about in /etc/logrotate.d, where the most important part is to include the following:

/usr/local/bin/swatch -c /var/log/syslogMessage -t /var/log/syslog -r 0

The rest can be modelled on the other files in the same directory.

3.3 Logcheck

Reviewing the events recorded by the system is very important. Especially once your computer is connected to the Internet, being alerted to "abnormal" events lets the system administrator keep the system from being compromised. On a UNIX system, if you merely record system events in a log that nobody reads, it is the same as doing nothing. Logcheck automatically checks the log files, first removes the normal log entries, keeps the problematic ones, and emails this information to the system administrator. Logcheck is designed to run automatically, checking the log files at regular intervals to discover violations of security rules and abnormal events. Logcheck uses the logtail program to remember where it stopped reading a log file last time, and resumes processing new log entries from that position.

You can get Logcheck at http://www.psionic.com/abacus/logcheck/

Logcheck consists mainly of the following files:

1. logcheck.sh is the executable script that runs Logcheck; it holds the information Logcheck needs to operate, such as which log files to check. You run it by adding it to the crontab.

2. logcheck.hacking, like the three files below, is a pattern file that Logcheck checks against. The four files are applied in order from top to bottom. This file describes patterns of intrusion activity.

3. logcheck.violations describes patterns of problematic activity, things that violate common sense. Its priority is lower than that of the pattern file above.

4. logcheck.violations.ignore is the counterpart of logcheck.violations above: it holds the violation patterns you do not care about.

5. logcheck.ignore is the last pattern file checked. If a line matched none of the first three pattern files and does not match this one either, it is output to the report.

6. logtail records the position reached in each log file. The first time Logcheck runs it reads the full contents of the relevant log files. For each log file checked, logtail creates an offset file named logfile.offset in the log file's directory, and the next check starts from that offset. Whatever has not been ignored when Logcheck runs is sent to the user specified by sysadmin in logcheck.sh.

Logcheck's notifications are not as immediate, but compared with Swatch it is better suited to systems with many log files, because it does not have to create a process for each log file. The Logcheck tool is integrated into TurboLinux.
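The triage the Swatch and Logcheck sections describe, as an added example in Python (this is neither Swatch's nor Logcheck's code): classify() applies four pattern lists top to bottom exactly in the order the four Logcheck pattern files are applied, and read_new_lines() does what logtail does, remembering the inode and offset of the last run and starting over when the file was rotated or truncated. The pattern lists, the sample syslog lines and the category headings are constructed for this example.

```python
"""Logcheck-style log triage with logtail-style offsets (added example, not Logcheck's code)."""
import os
import re

# Constructed stand-ins for the four pattern files, applied in this order.
HACKING = [r"attackalert", r"ATTACK"]                          # logcheck.hacking
VIOLATIONS = [r"FAILED", r"[Dd]enied", r"[Rr]efused", r"[Dd]eferred"]   # logcheck.violations
VIOLATIONS_IGNORE = [r"sendmail\[\d+\]: .*stat=Deferred"]     # logcheck.violations.ignore
IGNORE = [r"CRON\[\d+\]: \(root\) CMD", r"sshd\[\d+\]: Accepted"]         # logcheck.ignore


def _matches(line, patterns):
    return any(re.search(p, line) for p in patterns)


def classify(lines):
    """hacking first, then violations not excused by violations.ignore, then anything
    not covered by ignore ends up as 'unusual'. Ignored lines are dropped."""
    out = {"hacking": [], "violations": [], "unusual": []}
    for line in lines:
        if _matches(line, HACKING):
            out["hacking"].append(line)
        elif _matches(line, VIOLATIONS) and not _matches(line, VIOLATIONS_IGNORE):
            out["violations"].append(line)
        elif not _matches(line, IGNORE):
            out["unusual"].append(line)
    return out


def read_new_lines(log_path, offset_path):
    """Lines appended since the last run. The offset file stores 'inode offset'; a new
    inode (rotated) or a file shorter than the offset (truncated) restarts from the top."""
    st = os.stat(log_path)
    start = 0
    if os.path.exists(offset_path):
        with open(offset_path) as fh:
            parts = fh.read().split()
        if len(parts) == 2 and int(parts[0]) == st.st_ino and int(parts[1]) <= st.st_size:
            start = int(parts[1])
    with open(log_path, "rb") as fh:
        fh.seek(start)
        data = fh.read()
        end = fh.tell()
    with open(offset_path, "w") as fh:
        fh.write("%d %d" % (st.st_ino, end))
    return data.decode("utf-8", "replace").splitlines()


def report(result):
    """Plain-text report; empty string means nothing to mail to sysadmin."""
    chunks = []
    for key, title in (("hacking", "Active System Attack Alerts"),
                       ("violations", "Security Violations"),
                       ("unusual", "Unusual System Events")):
        if result[key]:
            chunks.append(title + "\n" + "=-" * 20 + "\n" + "\n".join(result[key]))
    return "\n\n".join(chunks)


SAMPLE_LOG = """\
Mar 11 04:23:12 sound sshd[412]: Accepted publickey for admin from 192.0.2.10 port 51514 ssh2
Mar 11 04:23:40 sound su: FAILED SU (to root) admin on /dev/pts/1
Mar 11 04:24:01 sound CRON[455]: (root) CMD (/usr/bin/sxid)
Mar 11 04:25:07 sound portsentry[301]: attackalert: Host 198.51.100.7 has been blocked via wrappers
Mar 11 04:25:30 sound sendmail[470]: q1: to=<bob@example.org>, stat=Deferred: Connection timed out
Mar 11 04:26:00 sound kernel: eth0: link down
"""  # constructed sample lines


def offset_demo():
    """Four consecutive runs: fresh file, nothing new, one appended line, rotation.
    Returns how many lines each run saw."""
    import tempfile
    workdir = tempfile.mkdtemp()
    log, offset = os.path.join(workdir, "syslog"), os.path.join(workdir, "syslog.offset")
    counts = []
    with open(log, "w") as fh:
        fh.write(SAMPLE_LOG)
    counts.append(len(read_new_lines(log, offset)))
    counts.append(len(read_new_lines(log, offset)))
    with open(log, "a") as fh:
        fh.write("Mar 11 04:27:00 sound sshd[500]: refused connect from 203.0.113.9\n")
    counts.append(len(read_new_lines(log, offset)))
    with open(log, "w") as fh:                     # truncated by rotation: start over
        fh.write("Mar 11 04:28:00 sound syslogd: restart\n")
    counts.append(len(read_new_lines(log, offset)))
    return counts


if __name__ == "__main__":
    print(report(classify(SAMPLE_LOG.splitlines())))
    print("lines seen per run:", offset_demo())
```

Note the sendmail line: it matches a violations pattern, is excused by violations.ignore, but is not in ignore, so it still reaches the report as an unusual event; to silence it completely it would also need an ignore pattern.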

Four, SSH

Traditional network services such as FTP, POP and Telnet are inherently insecure, because they transmit passwords and data in clear text over the network, where anyone with bad intentions can intercept them. Moreover, the authentication methods of these services have their weaknesses and are very susceptible to "man-in-the-middle" attacks. In a "man-in-the-middle" attack, the "middleman" poses as the real server to receive the data you send, and then poses as you to pass the data on to the real server.

By using SSH you can encrypt all transmitted data, which makes this kind of attack impossible, and it also prevents DNS and IP spoofing. An additional advantage is that the transmitted data is compressed, so transmission can be faster. SSH has many functions: it can replace Telnet, and it can also provide a secure "channel" for FTP, POP and even PPP.

The original SSH was developed by a company in Finland. Because of copyright and encryption-algorithm restrictions, many people now use OpenSSH instead. OpenSSH is a free replacement for SSH, and more and more people are expected to use it in place of SSH in the future.

From the client, SSH provides two levels of security verification.

The first level is password-based authentication, equivalent to the password authentication of an ordinary service such as Telnet.

The second level is key-based authentication. You create a key pair for yourself and put the public key on the server you need to access. When you want to connect to the SSH server, the client software sends a request to the server asking to be authenticated with your key. After the server receives the request, it first looks for your public key in your home directory on the server and compares it with the public key you sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. After receiving the "challenge", the client decrypts it with your private key and sends the result back to the server.
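The exchange just described, as an added example in Python (this is not OpenSSH code): the server compares the offered public key with its copy, encrypts a random challenge with it, and accepts only a client that can decrypt it. The RSA here is textbook RSA over two fixed Mersenne primes with no padding and a tiny modulus; it is a teaching model of the exchange and insecure by construction, and the Server and Client classes, the user names and the key material are this example's own.

```python
"""Public-key challenge/response in the style of SSH key authentication (added example, not OpenSSH code).
INSECURE teaching model: textbook RSA, fixed small primes, no padding."""
import secrets

# Constructed toy key material: Mersenne primes keep the arithmetic easy to check.
PRIMES_CLIENT = (2**31 - 1, 2**61 - 1)
PRIMES_OTHER = (2**89 - 1, 2**127 - 1)
E = 65537


def toy_keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # E is coprime to (p-1)(q-1) for these primes
    return (n, E), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


class Server:
    """Holds every user's authorized public keys as {user: [public_key, ...]}."""

    def __init__(self, authorized_keys):
        self.authorized_keys = authorized_keys
        self.pending = {}                    # user -> challenge awaiting an answer

    def begin(self, user, offered_pub):
        """Compare the offered key with the stored ones; if one matches, encrypt a
        fresh random challenge with it. None means the key is not authorized."""
        if offered_pub not in self.authorized_keys.get(user, []):
            return None
        n = offered_pub[0]
        challenge = 2 + secrets.randbelow(n - 2)   # avoid the trivial values 0 and 1
        self.pending[user] = challenge
        return rsa_encrypt(offered_pub, challenge)

    def finish(self, user, answer):
        """The client must return the decrypted challenge. The pending challenge is
        discarded either way, so a failed attempt cannot be retried."""
        expected = self.pending.pop(user, None)
        return expected is not None and answer == expected


class Client:
    def __init__(self, pub, priv):
        self.pub, self.priv = pub, priv

    def respond(self, encrypted_challenge):
        return rsa_decrypt(self.priv, encrypted_challenge)


def authenticate(server, client, user):
    """Run the whole exchange; True only if the client holds the private key
    matching a public key listed for `user` on the server."""
    encrypted = server.begin(user, client.pub)
    if encrypted is None:
        return False
    return server.finish(user, client.respond(encrypted))


if __name__ == "__main__":
    pub, priv = toy_keypair(*PRIMES_CLIENT)
    srv = Server({"admin": [pub]})
    print("legitimate client:", authenticate(srv, Client(pub, priv), "admin"))
    other_pub, other_priv = toy_keypair(*PRIMES_OTHER)
    print("unknown key     :", authenticate(srv, Client(other_pub, other_priv), "admin"))
```

Two failure modes are worth seeing in the test: a key that is not in authorized_keys is refused before any challenge is issued, and a client that presents the right public key but lacks the matching private key cannot produce the decrypted challenge. The private key never leaves the client, which is what makes this stronger than sending a password.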

You can download it here: http://violet.ibs.com.au/openssh/

The /etc/ssh/ssh_config file is the OpenSSH client configuration file; by setting different options in it you change how the client program behaves. Each line of this file contains a "keyword value" pair, and the case of the keyword is ignored. Use the man command to view the help page (ssh(1)) for details.

/etc/ssh/sshd_config is the OpenSSH server configuration file; the options set in it change how this daemon runs. Each line of this file contains a "keyword value" pair, and the case of the keyword is ignored. Use the man command to view the help page (sshd(8)) for details. To have OpenSSH run under the TCP-Wrappers inetd super server, edit the inetd.conf file (vi /etc/inetd.conf) and add this line:

ssh stream tcp nowait root /usr/sbin/tcpd sshd -i

Note: the -i parameter is important; it tells sshd that it is being run by inetd.

Now we create a private and public key pair on the local server; run the following commands:

[root@sound]# su username
[username@sound]$ ssh-keygen1

After generating the key, copy the public key of this machine into the /home/username/.ssh directory of the remote host, for example under the name authorized_keys.

The passphrase can be changed at any time with the -p parameter of the ssh-keygen command.

Below are some commands we use often; of course there are many others, and more detailed information can be found in the man pages or other documentation.

1. ssh

ssh (Secure Shell) is a program for logging in to a remote computer and executing commands there. It replaces rlogin and rsh, and provides secure, encrypted communication between two computers over an insecure network.

Use the following command to connect from the client to the remote host server:

[root@sound /]# su admin
[admin@sound /]$ ssh server

2. scp

With the scp command you can copy files from the local computer to a remote computer, or the other way round, or even between two remote computers.

Use the following command to copy a file from the remote host to the local host:

[root@sound /]# su admin
[admin@sound /]$ scp -p :/dir/for/file localdir/to/filelocation

Use the following command to copy a file from the local host to the remote host:

[root@sound /]# su admin
[admin@sound /]$ scp -p localdir/to/filelocation :/dir/for/file

Note: the -p option preserves the file's modification and access times and its permissions during the copy. It is normally used.

V. TripWire

If someone breaks into your system and plants Trojans and back doors, how would you know? Tripwire is a tool for checking the integrity of the system. It is currently the best-known UNIX file system integrity checker. Its core idea is to generate a digital signature for each monitored file and store it; when the current digital signature of a file does not match the stored one, the file must have been changed.

When Tripwire runs in database-generation mode, it reads the files to be monitored according to a configuration file set up by the administrator, generates the corresponding digital signature for each file, and saves the results in its own database. By default, MD5 and Snefru (Xerox's secure hash function) are combined to generate the files' digital signatures. The administrator can also use other hash functions such as MD4, CRC32 and SHA, but the reliability of the two default hash functions is already very high, and both MD5 and Snefru (especially Snefru) are expensive in system resources, so in practice they can be assigned according to the importance of the files. When the system is compromised, you run the digital signature comparison with Tripwire: if a file has been replaced, it will no longer match the corresponding digital signature in the Tripwire database, Tripwire will report the file as modified, and the administrator will know that the system is no longer "clean". You can get Tripwire from: http://www.tripwiresecurity.com

/usr/tss/policy/twpol.txt is a plain-text policy file that tells Tripwire which files and directories (also called system objects) to monitor. Its rules set which objects need to be monitored, and property masks set how they are checked, that is, which properties are compared during the integrity test. Attributes help to set how rules are grouped.

You can modify this policy file twpol.txt to your needs, and when you first prepare the policy file, install it with the command below:

[root@sound]# twadmin --create-polfile /usr/tss/policy/twpol.txt

Create the reference database for the first time with the following command:

[root@sound]# tripwire --init

The integrity check compares the objects in the current file system and their properties against the Tripwire database. Any abnormality found is shown on standard output and saved in a report file, which you can view later with the twprint command:

[root@sound]# tripwire --check

Run an interactive check with the following command:

[root@sound]# tripwire --check --interactive

Run the integrity check and send the report by email with the following command:

[root@sound]# tripwire --check --email-report

Update the database with the following command:

[root@sound]# tripwire --update -r /usr/tss/report/sound.openarch.com-200001-021854.twr

The -r parameter reads the specified report file (sound.openarch.com-200001-021854.twr). Because the REPORTFILE variable of the current configuration file uses $(DATE), -r is required.

Update the policy file with the following command:

[root@deep]# tripwire --update-policy /usr/tss/policy/newtwpol.txt

By default, policy update mode uses --secure-mode high. If the file system has changed since the last database update and the change violates rules defined in the policy file, running in high security mode will run into problems, for example when another administrator changes some files during the policy update. To solve this, once you are sure that all the changes flagged in high security mode are legitimate, you can update the policy file in low security mode with the following command:

[root@sound]# tripwire --update-policy --secure-mode low /usr/tss/policy/newtwpol.txt
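The init/check/update cycle described above, as an added example in Python (this is not Tripwire's code). SHA-256 stands in for the MD5/Snefru signatures, and a policy maps each top-level directory to a property mask that decides which properties are compared, so a log that is allowed to grow does not raise an alarm while a binary with altered content of the same size does. The mask names ReadOnly and Growing are borrowed from Tripwire's vocabulary, but the flag sets, the demo tree and the policy are this example's own construction.

```python
"""Tripwire-style integrity database with property masks (added example, not Tripwire's code)."""
import hashlib
import json
import os
import stat

# Simplified masks: which properties a check compares for an object.
PROPERTY_MASKS = {
    "ReadOnly": {"sha256", "size", "mode", "uid", "gid"},   # binaries, configuration
    "Growing": {"mode", "uid", "gid"},                      # logs: content may grow
}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record every regular file under root with all the properties we can compare."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.relpath(path, root)] = {
                "sha256": _sha256(path), "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    return db


def mask_for(rel_path, policy):
    """policy maps a top-level directory to a mask name; unlisted paths get ReadOnly."""
    top = rel_path.split(os.sep, 1)[0]
    return PROPERTY_MASKS[policy.get(top, "ReadOnly")]


def init_db(root, db_path):
    """Like `tripwire --init`: write the reference database."""
    current = snapshot(root)
    with open(db_path, "w") as fh:
        json.dump(current, fh, sort_keys=True)


def check(root, db_path, policy):
    """Like `tripwire --check`: {'added': [...], 'removed': [...], 'modified': {path: [props]}}."""
    with open(db_path) as fh:
        baseline = json.load(fh)
    current = snapshot(root)
    result = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "modified": {}}
    for rel in sorted(set(current) & set(baseline)):
        props = [p for p in sorted(mask_for(rel, policy)) if current[rel][p] != baseline[rel][p]]
        if props:
            result["modified"][rel] = props
    return result


def update_db(root, db_path):
    """Like the simplest `tripwire --update`: accept the current state as the new baseline."""
    init_db(root, db_path)


def demo():
    """Constructed scenario: a ReadOnly binary is altered without changing its size,
    a Growing log is appended to, and a new file appears. Returns (clean, after)."""
    import tempfile
    root, dbdir = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "log"))
    binpath, logpath = os.path.join(root, "bin", "ls"), os.path.join(root, "log", "syslog")
    with open(binpath, "w") as fh:
        fh.write("original program image\n")
    os.chmod(binpath, 0o755)
    with open(logpath, "w") as fh:
        fh.write("Mar 11 04:00:00 boot\n")
    db = os.path.join(dbdir, "tw.db")
    policy = {"bin": "ReadOnly", "log": "Growing"}
    init_db(root, db)
    clean = check(root, db, policy)
    with open(binpath, "w") as fh:
        fh.write("ORIGINAL PROGRAM IMAGE\n")           # same size, different content
    with open(logpath, "a") as fh:
        fh.write("Mar 11 04:05:00 cron run\n")
    with open(os.path.join(root, "bin", "extra"), "w") as fh:
        fh.write("x")
    return clean, check(root, db, policy)


if __name__ == "__main__":
    print(demo())
```

A size check alone would have missed the altered binary; that is why the content hash is the property that matters for ReadOnly objects, and why the page's advice to weigh the cost of the hash against the importance of the file is about which files get hashed, not whether hashing is needed.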

For detailed information, use the man command to read the relevant help pages.

Sixth, PortSentry

Through the firewall we can restrict which ports of the system are open and which are not. To outsiders this information is confidential. To learn which ports are open on your machine, attackers tend to scan it in various ways, and such scanning software is everywhere on the Internet. Scanning is usually the prelude to an intrusion, so it is a serious danger to security.

PortSentry is an anti-scanning tool. It detects scans of the local machine in real time and records and analyzes them. Mainly it does the following:

Logs the scan through syslog
Adds the scanning host to /etc/hosts.deny
Immediately blocks all network traffic to the scanning host
Filters out all network traffic from the scanning host

You can get PortSentry at: http://www.psionic.com/abacus/portsentry/

/usr/psionic/portsentry/portsentry.conf is the main PortSentry configuration file. In it you set the ports to listen on, which IP addresses are rejected, which are ignored, and so on. For details, see the README.install file.

The /usr/psionic/portsentry/portsentry.ignore file defines the hosts that must be ignored during port scan analysis, that is, even if these hosts scan, PortSentry takes no action.

PortSentry has the following six start-up modes:

portsentry -tcp (basic port-bound TCP mode)
portsentry -udp (basic port-bound UDP mode)
portsentry -stcp (stealth TCP scan detection)
portsentry -atcp (advanced TCP stealth scan detection)
portsentry -sudp ("stealth" UDP scan detection)
portsentry -audp (advanced "stealth" UDP scan detection)

It is recommended to start PortSentry in the following two ways:

portsentry -atcp (advanced TCP stealth scan detection)
portsentry -sudp ("stealth" UDP scan detection)

One TCP mode and one UDP mode can run at the same time.

You can add the following two commands to /etc/rc.d/rc.local so that PortSentry starts automatically when the system boots:

[root@sound /]# /usr/psionic/portsentry/portsentry -atcp
[root@sound /]# /usr/psionic/portsentry/portsentry -sudp

For more detailed information, see the man page and the PortSentry help files.
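The detection logic behind the behaviour listed above, as an added example in Python (this is not PortSentry's code). PortSentry sees connections to the ports it binds; here the input is a constructed list of (time, source, port) connection attempts. A source that touches at least `threshold` distinct ports within `window` seconds is treated as a scanner unless it is covered by the ignore list, the counterpart of portsentry.ignore, and the response mirrors the two outputs PortSentry produces: a syslog line and an /etc/hosts.deny entry. The threshold, window, sample addresses and message wording are this example's assumptions.

```python
"""Scan detection in the spirit of PortSentry (added example, not PortSentry's code)."""
import ipaddress
from collections import defaultdict, deque

# Constructed sample: (seconds, source address, destination port)
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 21), (0.4, "198.51.100.7", 22), (0.9, "198.51.100.7", 23),
    (1.3, "198.51.100.7", 25), (1.8, "198.51.100.7", 80),                 # rapid sweep
    (2.0, "192.0.2.10", 22), (5.0, "192.0.2.10", 22), (9.0, "192.0.2.10", 22),   # retries, one port
    (3.0, "10.0.0.5", 21), (3.1, "10.0.0.5", 22), (3.2, "10.0.0.5", 23), (3.3, "10.0.0.5", 80),
    (0.0, "203.0.113.9", 21), (100.0, "203.0.113.9", 22), (200.0, "203.0.113.9", 23),  # too slow
]
IGNORE_LIST = ["127.0.0.1", "10.0.0.0/8"]      # counterpart of portsentry.ignore


def is_ignored(addr, ignore_list):
    """True if addr is one of, or inside, the entries of the ignore list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in ignore_list)


def detect_scans(events, threshold=3, window=10.0, ignore_list=()):
    """Return {source: sorted distinct ports} for each source that reaches `threshold`
    distinct ports within any `window`-second span. Ports recorded are those seen up
    to the moment the source was flagged, since PortSentry blocks at that point."""
    recent = defaultdict(deque)          # source -> (time, port) pairs inside the window
    flagged = {}
    for t, src, port in sorted(events):
        if src in flagged or is_ignored(src, ignore_list):
            continue
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:
            q.popleft()                  # slide the window forward
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            flagged[src] = sorted(ports)
    return flagged


def hosts_deny_entry(src):
    """The line added to /etc/hosts.deny: refuse every tcp_wrappers service to src."""
    return "ALL: %s" % src


def syslog_message(src, ports):
    """Wording modelled on PortSentry's attackalert lines, constructed for this example."""
    return 'attackalert: Host %s scanned ports %s; blocked via wrappers with string: "%s"' % (
        src, ",".join(map(str, ports)), hosts_deny_entry(src))


def respond(flagged):
    """Build both outputs for every flagged scanner."""
    return {src: {"syslog": syslog_message(src, ports), "h osts_deny": hosts_deny_entry(src)}
            for src, ports in flagged.items()} if False else {
        src: {"syslog": syslog_message(src, ports), "hosts_deny": hosts_deny_entry(src)}
        for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, out in respond(detect_scans(SAMPLE_EVENTS, ignore_list=IGNORE_LIST)).items():
        print(out["syslog"])
        print("hosts.deny <-", out["hosts_deny"])
```

The ignore list matters for the same reason portsentry.ignore exists: a monitoring host or the gateway itself will legitimately touch many ports, and blocking it in hosts.deny would lock the administrator out.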

7. OpenSSL

Some server software, for example IMAP and POP, Samba, OpenLDAP, FTP, Apache and so on, authenticates users when providing service, and only grants the service after authentication succeeds. But the communication between client and server in this client/server model is in clear text; OpenSSL provides a way to encrypt the data in transit. OpenSSL can be installed on the Linux server, and some third-party applications are then needed to provide encryption for each service.

Let us look at the benefits OpenSSL encryption gives us:

1. Data confidentiality

For the actual data encryption OpenSSL uses a symmetric algorithm, with one key used both to encrypt and to decrypt. We no longer send clear text across public network media, so even if someone intercepts the data, they have no key to decrypt it.

2. Data integrity

For data integrity OpenSSL computes a message digest of the data with a hash algorithm and then turns it into a digital signature with the other party's public key; this encryption of the digest uses an asymmetric algorithm. The digest is sent along with the message, and the recipient decrypts the digital signature with their own key, so the integrity of the data is guaranteed.

You can get OpenSSL from the site: http://www.openssl.org/

After compiling, install with the following commands:

[root@sound openssl-0.9.5a]# mv /etc/ssl/misc/* /usr/bin/
[root@sound openssl-0.9.5a]# install -m 644 librsaglue.a /usr/lib/
[root@sound openssl-0.9.5a]# install -m 644 rsaref/rsaref.h /usr/include/openssl/

/etc/ssl/openssl.cnf is the main OpenSSL configuration file; mainly the [ca_default] and [req_distinguished_name] sections need to be changed.

If you want to use the openssl ca command to issue certificates from a CA, you need a script, sign.sh. This script already exists at /usr/bin/sign.sh; all you have to do is add what you need to it. You can also find this script in the mod_ssl distribution.

Let us take an example to describe using OpenSSL: we use our own CA to sign a certificate for our own Apache web server, by signing our own certificate signing request (CSR).

1. Create a passphrase-protected RSA private key for the Apache web server

[root@sound ssl]# openssl genrsa -des3 -out server.key 1024

2. Generate a certificate signing request (CSR) with the RSA private key above

[root@sound ssl]# openssl req -new -key server.key -out server.csr

3. Create an RSA private key for our own CA

[root@sound ssl]# openssl genrsa -des3 -out ca.key 1024

4. Make a self-signed X.509 certificate with the CA's RSA key

[root@sound ssl]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

5. Move the private keys and the certificate generated above to the appropriate directories

[root@deep ssl]# mv server.key private/
[root@deep ssl]# mv ca.key private/
[root@deep ssl]# mv ca.crt certificate/

6. Finally, sign the server certificate with our own CA

[root@sound ssl]# /usr/bin/sign.sh server.csr

For more detailed information, see the man pages and the programs' own help.

Eight, Linux FreeS/WAN VPN

Encrypting the communication between client and server with SSL is a good choice, but in many cases an enterprise-grade communication channel is needed: highly private data crosses the Internet between two gateways, and to encrypt and authenticate it IPsec was born.

IPsec is Internet Protocol Security; it provides authentication and encryption services using strong cryptography. IPsec encrypts at the IP layer, so it depends little on the link layer and can work over many kinds of underlying network. IPsec can protect any protocol above IP, and this protection is transparent to the user.

IPsec can provide a secure channel between two gateways. The data carried in such a channel requires a high degree of confidentiality; it is encrypted at the sender's gateway and decrypted at the receiver's gateway. This is a VPN (Virtual Private Network). FreeS/WAN is the IPsec tool for Linux.

You can download FreeS/WAN from: http://www.freeswan.org/

Since FreeS/WAN comes as a kernel patch, you must first download the Linux kernel and then the FreeS/WAN version matching that kernel. First modify FreeS/WAN's Makefile for your own system, then compile and add FreeS/WAN to the Linux kernel source with the following commands:

[root@sound freeswan-1.3]# make insert
[root@sound freeswan-1.3]# make programs
[root@sound freeswan-1.3]# make install

Then we need to compile the kernel. How to compile the kernel is not covered here; just note the kernel options that must be changed. Select "Y" for the following options:

IPSec options (FreeS/WAN)
IP Security Protocol (FreeS/WAN IPSEC) (CONFIG_IPSEC) [Y/n/?]
IPSEC: IP-in-IP encapsulation (CONFIG_IPSEC_IPIP) [Y/n/?]
IPSEC: PF_KEYv2 kernel/user interface (CONFIG_IPSEC_PFKEYv2) [Y/n/?]
IPSEC: Enable ICMP PMTU messages (CONFIG_IPSEC_ICMP) [Y/n/?]
IPSEC: Authentication Header (CONFIG_IPSEC_AH) [Y/n/?]
HMAC-MD5 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_MD5) [Y/n/?]
HMAC-SHA1 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_SHA1) [Y/n/?]
IPSEC: Encapsulating Security Payload (CONFIG_IPSEC_ESP) [Y/n/?]
3DES encryption algorithm (CONFIG_IPSEC_ENC_3DES) [Y/n/?]
IPSEC Debugging Option [Y/n/?]

Some kernel options are turned on automatically by FreeS/WAN even if you leave them off. Nevertheless, it is recommended that you do not turn off the following options:

Kernel/user netlink socket (CONFIG_NETLINK) [Y/n/?]
Netlink device emulation (CONFIG_NETLINK_DEV) [Y/n/?]

FreeS/WAN's configuration file /etc/ipsec.conf lets you set your IPsec settings, connection types and control information. IPsec currently supports two types of connection: manual and automatic. With a manual connection the required key is stored in the /etc/ipsec.conf file, which is less secure than an automatic connection. For a commercial application, using a manual (fixed) key is unsafe and unreliable. In automatic keying mode a 256-bit shared key is generated and copied to each node of the channel, and network attackers who try to intercept packets will find it hard to break such a connection. In automatic keying mode a key is valid for 8 hours, which effectively blocks attackers trying to brute-force the key. The automatic keys are produced by a key negotiation daemon called Pluto, using the IKE key negotiation protocol by default. This protocol identifies the different systems according to the information in the /etc/ipsec.secrets file. We will discuss the whole process of configuration and use with an example. Suppose we have the following VPN channel:

SubnetDeep === Deep ------ Deepgate ....... Untrusted Net ....... Mailgate ------- Mail === SubnetMail

Left subnet = SubnetDeep (192.168.1.0/24)
Left host = Deep (deep.openna.com) (202.164.186.1)
Left gateway = Deepgate (205.151.222.250)
Internet = Untrusted Net
Right gateway = Mailgate (205.151.222.251)
Right host = Mail (mail.openna.com) (208.164.186.2)
Right subnet = SubnetMail (192.168.1.0/24)

We want to edit the ipsec.conf file to meet our needs. There are two main sections in this file: the first, "config", holds general configuration information about IPsec, and the second, "conn", specifies a particular IPsec connection. Details of the configuration can be found on the man page.

ipsec.secrets holds the keys with which the Pluto daemons of the gateways authenticate each other. There are two kinds of key: a shared key and an RSA private key. The following command produces a 256-bit shared key:

[root@deep /]# ipsec ranbits 256 > temp

Now the shared key is in the file temp, and we copy it into the ipsec.secrets file. Copy ipsec.conf and ipsec.secrets to the gateway at the other end of the VPN channel. The "config setup" section of ipsec.conf may need to change depending on the interfaces.

Next we create the RSA key pairs, one on each gateway:

[root@deep /]# ipsec rsasigkey --verbose 1024 > deep-keys
[root@mail /]# ipsec rsasigkey --verbose 1024 > mail-keys

Then, with the shared key from the temp file already in place, add the following lines to the "conn" section of the ipsec.conf file on each gateway:

authby=rsasig
leftrsasigkey=
rightrsasigkey=

Then look at deep-keys and mail-keys on the two gateways, and copy the "# pubkey=" line from each file into the respective ipsec.conf, as follows:

authby=rsasig
leftrsasigkey=0x010395daee1be05f3038ae529ef2668afd79f5ff1b16203c9ceaef801cea9cb74bcfb51a6ecc08890d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef98a7f29edcb4d7689f2da7a69199e4318b4c8d0ea25d33e4f084186a2a54f4b4cec12cca1a5deac3b19d561c16a76bab772888f1fd71aa08f08502a141b611f
rightrsasigkey=0x01037631b81f00d5e6f888c542d44dbb784cd3646f084ed96f942d341c7c4686cbd405b805dc728f8697475f11e8b1dd797550153a3f0d4ff0f2b274b70a2ebc88f073748d1c1c8821dc6be6a2f0064f3be7f8e4549f8ab9af64944f829b014788dd202cf7d2e320cab666f5e7a197e64efe0bfee94e92ce4dad82d5230c57b89edf

The remaining part of deep-keys and mail-keys (including the private key) goes into the ipsec.secrets file of the respective gateway.

Then reboot the system with the IPsec-capable kernel. Several errors appear when the system restarts, mainly because IPsec by default uses an eth999 interface that does not exist. It is recommended that you add the path to the IPsec programs to the user's environment variable.

IPsec network settings: first, you need to enable TCP/IP forwarding on the gateway server. On Red Hat Linux this is done in /etc/sysconfig/network:

Change FORWARD_IPV4="false" to FORWARD_IPV4="yes".

Another method is to directly modify the / proc file system, execute the following command:

Cat 1> / proc / sys / net / ipv4 / ip_forward then we have to restart the network:

[root @ deskp /] # /etc/rc.d/init.d/network restart

At this point the pluto daemon starts and tries to contact the pluto daemon on the other side so that a connection can be established. We therefore have to add rules to the ipchains configuration that let the following traffic through to the other gateway:

UDP port 500 for IKE, implemented by the pluto daemon
Protocol 50 for ESP, encryption and/or authentication
Protocol 51 for AH, packet-level authentication

We must also make sure that the kernel's reverse-path (IP spoofing) filter is turned off on the ipsec0 and eth0 interfaces; add the following commands to /etc/rc.d/rc.local:

[root@deep /]# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
[root@deep /]# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Note that turning rp_filter off removes the kernel's own anti-spoofing check on eth0, so the firewall rules should explicitly deny packets that arrive on the external interface with an internal source address.

Finally, note that all masquerading rules for the internal network must come after the rules that allow IPsec traffic; otherwise the host will masquerade (Masquerade) the packets instead of handing them to IPsec. So add the following to the ipchains configuration on both sides, to ensure IPsec packets are forwarded normally:

# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ

where EXTERNAL_INTERFACE="eth0" is your external interface to the Internet, and LOCALNET_1="192.168.1.0/24" is whatever private range you use.
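As an added example (not code from the article, FreeS/WAN or Red Hat), the following shell script checks the network prerequisites described above before the tunnel is brought up: that ip_forward is 1, that rp_filter is 0 on ipsec0 and eth0, that in the ipchains script every rule passing IPsec traffic precedes the first MASQ rule, and that an anti-spoofing DENY rule compensates for the disabled rp_filter. Every path is taken relative to a ROOT argument so the same functions run against the live system (ROOT=/) or, as here, against a constructed fake /proc tree. The rule files are assumed to be plain ipchains command scripts using the article's variable names EXTERNAL_INTERFACE and LOCALNET_1; the peer address 198.51.100.1 is a documentation address standing in for the other gateway.

```shell
#!/bin/sh
# Added example, not from the article, FreeS/WAN or Red Hat: pre-flight checks
# for the IPsec network settings. Paths are relative to ROOT so the functions
# run against the live system (ROOT=/) or the constructed tree built below.
set -e

# forwarding_ok ROOT -> success if ip_forward reads 1
forwarding_ok() {
    [ "$(cat "$1/proc/sys/net/ipv4/ip_forward")" = "1" ]
}

# rp_filter_off ROOT IFACE -> success if reverse-path filtering is 0 on IFACE
rp_filter_off() {
    [ "$(cat "$1/proc/sys/net/ipv4/conf/$2/rp_filter")" = "0" ]
}

# numbered_rules FILE -> "N:line" for every line that is not blank or a comment
numbered_rules() {
    grep -n '^' "$1" | grep -v -E '^[0-9]+:[[:space:]]*(#|$)'
}

# first_masq_line FILE -> line number of the first MASQ rule (empty if none)
first_masq_line() {
    numbered_rules "$1" | grep -- '-j MASQ' | head -n 1 | cut -d: -f1
}

# last_ipsec_line FILE -> line number of the last rule that passes IPsec
# traffic: IKE (udp port 500), ESP (50/esp), AH (51/ah) or anything on ipsec0
last_ipsec_line() {
    numbered_rules "$1" \
        | grep -E -- 'ipsec0|-p[[:space:]]+(50|51|esp|ah)([[:space:]]|$)|-p[[:space:]]+udp.*[[:space:]]500([[:space:]]|$)' \
        | tail -n 1 | cut -d: -f1
}

# masq_after_ipsec FILE -> success if every IPsec rule precedes the first MASQ
# rule, so tunnel traffic is encrypted instead of masqueraded
masq_after_ipsec() {
    masq=$(first_masq_line "$1")
    ipsec=$(last_ipsec_line "$1")
    if [ -z "$masq" ]; then return 0; fi        # no masquerading: nothing to order
    if [ -n "$ipsec" ] && [ "$ipsec" -lt "$masq" ]; then return 0; fi
    return 1
}

# antispoof_present FILE -> success if the input chain denies packets arriving
# on the external interface with an internal source address (the check the
# kernel no longer performs once rp_filter is 0 on eth0)
antispoof_present() {
    numbered_rules "$1" | grep -q -E -- '-A[[:space:]]+input.*-i[[:space:]]+\$EXTERNAL_INTERFACE.*-s[[:space:]]+\$LOCALNET_1.*-j[[:space:]]+(DENY|REJECT)'
}

# report NAME CMD... -> prints "ok NAME" or "FAIL NAME"
report() {
    name=$1; shift
    if "$@"; then echo "ok   $name"; else echo "FAIL $name"; fi
}

# vpn_prereq_report ROOT RULES -> one line per check
vpn_prereq_report() {
    report ip_forward       forwarding_ok "$1"
    report rp_filter_ipsec0 rp_filter_off "$1" ipsec0
    report rp_filter_eth0   rp_filter_off "$1" eth0
    report masq_after_ipsec masq_after_ipsec "$2"
    report antispoof_rule   antispoof_present "$2"
}

# --- constructed sample system: a fake /proc tree and two rule files ---
FAKE=$(mktemp -d)
trap 'rm -rf "$FAKE"' EXIT
mkdir -p "$FAKE/proc/sys/net/ipv4/conf/ipsec0" "$FAKE/proc/sys/net/ipv4/conf/eth0"
echo 1 > "$FAKE/proc/sys/net/ipv4/ip_forward"
echo 0 > "$FAKE/proc/sys/net/ipv4/conf/ipsec0/rp_filter"
echo 1 > "$FAKE/proc/sys/net/ipv4/conf/eth0/rp_filter"     # deliberately still on

# Correct order: anti-spoofing, IKE/ESP/AH, tunnel forwarding, MASQ last.
cat > "$FAKE/rules.good" <<'EOF'
EXTERNAL_INTERFACE="eth0"
LOCALNET_1="192.168.1.0/24"
REMOTE_GW="198.51.100.1"
# Deny and log packets from the Internet that claim an internal source address.
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j DENY -l
# IKE, ESP and AH from the peer gateway.
ipchains -A input -i $EXTERNAL_INTERFACE -p udp -s $REMOTE_GW 500 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 50 -s $REMOTE_GW -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 51 -s $REMOTE_GW -j ACCEPT
# Tunnel traffic leaves over ipsec0 and must be accepted before masquerading.
ipchains -A forward -i ipsec0 -s $LOCALNET_1 -j ACCEPT
# Masquerade internal traffic.
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
EOF

# Wrong order: masquerading first swallows the tunnel traffic, and no anti-spoofing rule.
cat > "$FAKE/rules.bad" <<'EOF'
EXTERNAL_INTERFACE="eth0"
LOCALNET_1="192.168.1.0/24"
ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ
ipchains -A forward -i ipsec0 -s $LOCALNET_1 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p 50 -j ACCEPT
EOF

vpn_prereq_report "$FAKE" "$FAKE/rules.good"   # one FAIL line: rp_filter on eth0 is still 1
```

Against a live gateway, run vpn_prereq_report / /etc/rc.d/rc.firewall (or wherever the ipchains script lives) after the rc.local changes have been applied; a FAIL on masq_after_ipsec is exactly the ordering mistake the paragraph above warns about.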

Now reboot the machine. All the settings we need are complete, and the VPN is built.

For details, see the help files and man pages that come with the tools.

Summary

Everything discussed above serves one goal: better protecting our Linux systems. We covered the installation and security settings of Linux servers, the Linux logging system, and a number of security tools. Because space is limited, the treatment could not be exhaustive, and many other good security tools have not been listed. A list of security tools is given below for reference; detailed instructions can be found in their own documentation and man pages.

Security tool introduction

Tool name: function

SXID: checks SUID, SGID and unowned files
S/KEY: one-time password tool
Logrotate: log rotation tool
Logcheck: log management tool
SWATCH: log management tool, more real-time than logcheck
SSH (OpenSSH): provides secure connections and authentication
OpenSSL: provides encrypted data transfer and authentication
PortSentry: anti-scanning tool; monitors your UDP and TCP ports
Tripwire: provides system integrity checking
GnuPG: encrypts individual files and creates digital signatures
HostSentry: host-based intrusion detection; records logins
IPchains: the packet-filtering firewall shipped with Linux distributions
CFS and TCFS: Cryptographic File System and Transparent Cryptographic File System; encrypt every file in a directory, based on NFS
Anti-Sniff: anti-sniffing tool; checks whether a sniffer is present on the network
FreeS/WAN: implements VPNs on Linux
Syslog-ng: replacement for the syslog logging system
ScanDNS: DNS checking tool
Whisker: CGI scanner
Snoopy: records commands by tracing the execve system call
Linux Kernel Patch: security patch for the kernel; prevents buffer overflows and the like
krnsniff: kernel-based sniffing module
IPtables: packet-filtering firewall that replaces ipchains
Imsafe: detects buffer overflow problems by tracing system calls
Iplog: logs TCP/IP traffic
Solar Designer kernel patch: prevents buffer overflows
(tool name not preserved in the source): patches GCC to prevent buffer overflows
DTK: honeypot, deception-based defense
Antiroute: blocks and logs route tracing

I hope you will always keep up with the latest security vulnerabilities and security news; no system is ever completely secure. The purpose of this article is to give everyone a clear understanding of security, so that security really gets your attention and becomes second nature.

Please credit the original address when reprinting: https://www.9cbs.com/read-75313.html
