16 October 2006
Make key using OpenSSL
1 October 2006
PGP Public key for Adrian
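5 September 2006
Network Security Threats and Security Services
A security threat is the harm that a person, object, event or concept can cause to the confidentiality, integrity, availability or legitimate use of a resource. From the perspective of computer information systems, there are four basic security threats.
(1) Information disclosure: information is leaked or revealed to an unauthorized entity.
(2) Integrity violation: the consistency of data is damaged through unauthorized creation, modification or destruction.
(3) Denial of service: legitimate access to information or other resources is unconditionally blocked.
(4) Illegitimate use: a resource is used by an unauthorized person or in an unauthorized way.
The concept of a network system covers all facilities, hardware and software, involved in interconnecting computer systems. We call every security threat carried out through a network system, or aimed at the network system itself, a network security threat. The scope of network security threats is broad, because many threats against the internals of computer systems are increasingly launched through the network; when people speak of security threats, they mostly mean network security threats. Network security threats can be divided into three broad categories as follows.
● Threats against data transmission: lead to basic threats (1) and (2), for example eavesdropping on data, tampering with data, repudiation of data transmission, man-in-the-middle attacks, and so on.
● Threats against design flaws in the network protocol stack itself: lead to basic threat (3), for example address spoofing attacks, Ping attacks, SYN attacks, and so on.
● Threats to the internals of computer systems that use the network as a channel: these do not damage the network system but merely use it to illegitimately obtain or modify data inside computer systems; they lead to basic threats (1), (2) and (4), for example bypassing controls, Trojan horses, authorization violations, and so on.
Faced with so many network security threats, every information system needs to take the necessary protective measures, and should even include the necessary detection and response measures. We call these main network security measures network security services. The following are several general-purpose network security services.
● Authentication service: provides assurance of an entity's identity.
● Access control service: protects resources against illegitimate use and manipulation.
● Data confidentiality service: protects information from being leaked or exposed to unauthorized entities.
● Data integrity service: protects data against unauthorized alteration, deletion or substitution.
● Non-repudiation service: prevents a party to a communication exchange from later denying that the exchange took place.
● Network security detection service: monitors the running state of the system to discover attack attempts, attack activity or the results of attacks.
● Audit service: inspection and review of system records and processes, assisting attack analysis and collecting evidence for prosecuting attackers.
● Attack monitoring and alert-response service: monitoring and control of attack events, providing alerting on and response to them.
Each security service is targeted at particular threats: for example, the authentication service is used to prevent masquerade attacks, and the data confidentiality service is used to prevent disclosure of data. At the same time the security services work together, and a single service alone cannot necessarily prevent certain threats: access control, for example, needs the cooperation of authentication, and sometimes also the support of the data confidentiality and integrity services. When the protective services fail to stop an intrusion into the system, detection, audit and alerting services are needed for follow-up handling. Comprehensive protection of a system against the varied and ever-growing range of security threats is therefore the result of several security services in the system acting together.
The layered nature of network architecture makes the placement of security services fairly complex. Protocol layering causes data items to be embedded within data items and connections to exist within connections, potentially forming multiple levels of nesting. Strictly speaking, each layer of the protocol stack together with its peer protocol layer forms a relatively independent information subsystem; each such subsystem has its own subjects and objects and should achieve its own security by providing certain security services. But providing the same security services at every layer would duplicate functionality and waste resources. A reasonable approach is to place the appropriate security services at different protocol layers according to the different security requirements, so that the security services of the layers work together and thereby achieve the overall security of the network system.
Based on how security is implemented in real networks, the seven-layer OSI model can generally be divided into four simpler and more practical basic security architecture levels: the application level, the end-system level, the subnetwork level and the direct-link level.
The mechanisms that implement network security services are called network security mechanisms. There are many kinds, for example encryption, digital signatures, access control, data integrity, authentication exchange, traffic padding, routing control, notarization, and so on. One security service sometimes uses several security mechanisms, and one mechanism may be used in implementing several services. Among these mechanisms, two security technologies are the most critical. One is cryptography, which is an important foundation for implementing all security services. The other is access control, which is the foundation for maintaining legitimate operations inside the system.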
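31 August 2006
The WPDRRC Model
The model has six stages and three major elements. The six stages are W, P, D, R, R and C, which are linked by dynamic feedback. Of these, P, D, R and R are the same four stages as in the PDRR model: protection, detection, reaction and recovery. W is warning: predicting the attacks and harm the system may suffer in future, based on the known vulnerabilities of the system and current trends in computer crime. C (counterattack) is striking back: using every available advanced technical means to investigate and extract the leads and evidence of computer criminals' activity, building a strong forensic capability and the means to act against them under the law. This is why "computer forensics", which has emerged in recent years, has become one of the industry's research hot spots. People, policy and technology are the three major elements of the WPDRRC model and are arranged in layers: "people" is the inner layer and the foundation; "policy", which includes laws, regulations, rules and management, is the middle layer; "technology" is the outer layer, and its operation must be constrained by both people and policy. The core of the WPDRRC model is integrated management of enterprise information security resources (enterprise information security resource management, EISRM). EISRM centres on two main characteristics:
First, information security is a very important basic enterprise resource. If information security cannot be assured, the enterprise's IT-based management is a castle in the air; this holds back improvement of the whole enterprise's management, can even harm production and operations, and for enterprises that matter to the national economy brings extremely serious social consequences.
Second, information security is an integrated resource rather than a single technical system: enterprise capability, people, technology and policy are all inseparable parts of it, and only when these related resources are integrated into one system is there information security in the true sense. These two points are the fundamental characteristics that distinguish this view from the traditional concept of information security, and they are the cornerstone of the information security architecture framework.
25 August 2006
Building a Free Enterprise Security Risk Assessment Tool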
OS: FreeBSD 6.0
Application software: MySQL 4.1 + Perl 5.8 + Apache 2.2.3 + PHP 5.1.5 + Nessus 3.0.3 + Nmap 4.11 + Nikto 1.35 + Inprotect 0.22.03 + JpGraph 2.1.2
Recommended tools: Hydra, Nikto, John, etc.
Before installing, please ensure the following software is
installed on your host(s).
1) Perl v5.8
Perl libraries :
- DBI
- MIME::Lite
- Parallel::ForkManager
- Date::Calc
2) Apache2.2.3
3) PHP v5.1.5
Note: PHP compiled with GD support (C) in /usr/ports/lang/php5-extensions/
4) MySQL v4.1
Note: #chown -R mysql:mysql /var/db/mysql
5) Nessus v3.0.3
6) Nmap v4.11
**********************************************************************
Please note, we assume you have already installed the above packages
and, where they are services, that they are already started. If you have
not done so, please complete this before continuing.
**********************************************************************
Part I - Setup Inprotect "scanner"
----------------------------------
** N.B. There is no longer any need to set up the Inprotect software **
** on the "scanner" hosts - useful for having multiple drone        **
** "scanners" just running Nessus / Nmap.                           **
P.S. This can be installed on a separate host or the same one you will
be using to host the "web console" and "database".
1. Set up a Nessus user so the Inprotect "console" can log in to the
Scanner (you'll need to remember the username / password to add
the "scanner" into the Inprotect "console"):
$ nessus-adduser
Add a new nessusd user
----------------------
Login : <login for Inprotect to use>
Authentication (pass/cert) [pass] : pass
Login password : <password for Inprotect login to use>
Login password (again) : <password for Inprotect login to use>
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that admin has the right to test. For instance, you may want
him to be able to scan his own host only.
Please see the nessus-adduser(8) man page for the rules syntax
Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)
<simply press ctrl-D as no rules are required - policy
configuration will be completed through the Inprotect GUI>
Login : <login for Inprotect to use>
Password : *******************
DN :
Rules :
Is that ok ? (y/n) [y] y
user added.
2. Set up a cron job to run the Nessus update plugins script
("nessus-update-plugins") found in the <NESSUS_INSTALL>/sbin
directory.
N.B. This should be set to run as root on a daily basis. Where
you have multiple "scanners", ensure they run at the same time to
keep your "scanners" plugin archives consistent. An example line
for the system crontab, /etc/crontab, which takes a user field
(this will run at 2am every morning):
00 2 * * * root /usr/local/sbin/nessus-update-plugins
3. Repeat if you have multiple "scanners".
install.sh modified so that it runs on FreeBSD:
=================================================================================
    # (excerpt: tail of the web console install function)
    cp -rf console/scripts/sched.pl /usr/local/bin
    cp -rf console/scripts/inprotect.cfg /usr/local/etc
    echo "/usr/local/bin/inprotect_reset.pl" >> /etc/rc.d/rc.local
    echo "/usr/local/bin/sched.pl" >> /etc/rc.d/rc.local
    # Merge the web console cron entries into the current crontab
    crontab -l | grep -F -v -f console/crontab_web | grep -v ^# > /tmp/cron.tmp
    cat console/crontab_web >> /tmp/cron.tmp
    crontab /tmp/cron.tmp
    rm /tmp/cron.tmp
    # Merge the scanner cron entries into the current crontab
    crontab -l | grep -F -v -f scanner/crontab | grep -v ^# > /tmp/cron.tmp
    cat scanner/crontab >> /tmp/cron.tmp
    crontab /tmp/cron.tmp
    rm /tmp/cron.tmp
    echo "Web console setup finished."
    echo "Please review settings in the files:"
    echo " - /usr/local/etc/inprotect.cfg"
    echo " - $web/config.php"
}
install_db(){
    echo "Setting up Inprotect database"
    echo "============================="
    FAIL=1
    # Loop until the schema has been loaded with working credentials
    while [ "$FAIL" -eq "1" ];
    do
        mysql -u root -p -e "show databases;" >>/dev/null 2>&1
        if [ "$?" -eq "0" ]; then
            mysql -h localhost -u root -p < console/sql/inprotect.sql
            FAIL=0
        else
            echo "Please enter mysql root password:"
            # Read the password from the terminal without echoing it
            stty -echo
            read mysql_pass < /dev/tty
            stty echo
            # Quoted so a password containing spaces stays one argument
            mysql -u root -p"$mysql_pass" -e "show databases;" >> /dev/null
            if [ "$?" -eq "0" ]; then
                mysql -u root -p"$mysql_pass" < console/sql/inprotect.sql
                FAIL=0
            else
                FAIL=1
            fi
        fi
    done
    echo "Database setup finished."
}
=================================================================================
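The excerpt above stages root's crontab in the fixed path /tmp/cron.tmp and passes the MySQL root password as a -p argument on the command line. An added example (not part of Inprotect's install.sh; the function names merge_cron and mysql_optfile are hypothetical) of the same two steps using mktemp and a client option file:

```shell
#!/bin/sh
# Added example, not part of Inprotect's install.sh.
# merge_cron and mysql_optfile are hypothetical helper names.

# Read the current crontab on stdin, merge in the fragment file $1 and
# print the path of a private temp file holding the result.
merge_cron() (
    fragment=$1
    # mktemp creates the file atomically, mode 0600, with an unpredictable
    # name, so another local user cannot pre-create it or plant a symlink
    # the way they can with the fixed path /tmp/cron.tmp.
    out=$(mktemp "${TMPDIR:-/tmp}/cron.XXXXXX") || exit 1
    # -x matches whole lines only: without it, a blank line in the fragment
    # is an empty pattern that matches (and drops) every existing entry.
    { grep -F -v -x -f "$fragment" | grep -v '^#' > "$out"; } || true
    cat "$fragment" >> "$out"
    printf '%s\n' "$out"
)

# Write a MySQL client option file (mode 0600) for password $1, so the
# password is never placed in argv, where "ps" shows it to every user.
# Assumes printf is a shell builtin (dash, bash, FreeBSD sh) and that
# the password contains no double quote or backslash.
mysql_optfile() (
    umask 077
    opt=$(mktemp "${TMPDIR:-/tmp}/my.XXXXXX") || exit 1
    printf '[client]\nuser=root\npassword="%s"\n' "$1" > "$opt"
    printf '%s\n' "$opt"
)

# Intended use inside the installer (not executed here):
#   new=$(crontab -l 2>/dev/null | merge_cron console/crontab_web) &&
#       crontab "$new"; rm -f "$new"
#   opt=$(mysql_optfile "$mysql_pass") &&
#       mysql --defaults-extra-file="$opt" < console/sql/inprotect.sql
#   rm -f "$opt"
```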
Part II - Setup Inprotect "database"
------------------------------------
N.B. This can be installed on a separate host or the same one you will
be using to host the "web console" and "scanner".
1. If you haven't already, it is recommended you set a password for
the "root" user in your MySQL installation:
mysqladmin -u root -p password "Newpassword"
2. Enter the directory where you un-tarred the Inprotect download
(N.B. If you are using CentOS Linux, you will not be able to
install from /tmp).
3. Run the "install.sh" script and select option 2:
$ ./install.sh
Inprotect installation
======================
Please run this installation as root user
1 - Install Web Console interface only
2 - Install Database only
3 - install Web Console & Database components
Q - Quit without installation
N.B. To install a Scanner, all you need is Nessus and required
components installed on a scanner host - see INSTALL file (part I)
for more details.
Make your selection [1-5] (Choose menu item 5.)
2
Database setup finished.
4. Create a MySQL user for the Inprotect Web Console to use:
mysql> GRANT ALL ON inprotect.* TO '<inprotect_username>'@'localhost'
IDENTIFIED BY '<inprotect_password>';
mysql> exit
Part III - Setup Inprotect "web console"
----------------------------------------
N.B. This can be installed on a separate host or the same one you will
be using to host the "database" and "scanner".
1. Enter the directory where you un-tarred the Inprotect download
(N.B. If you are using CentOS Linux, you will not be able to
install from /tmp).
2. Run the "install.sh" script and select option 1:
$ ./install.sh
Inprotect installation
======================
Please run this installation as root user
1 - Install Web Console interface only
2 - Install Database only
3 - install Web Console & Database components
Q - Quit without installation
N.B. To install a Scanner, all you need is Nessus and required
components installed on a scanner host - see INSTALL file (part I)
for more details.
Make your selection [1-5] (Choose menu item 5.)
1
Setting up Web Console interface
================================
Inprotect webroot path [/var/www/html]
<enter for the default above or type your own webroot>
/somewebroot does not exist - do you want to create it ? [y]
<enter for yes>
Web console setup finished.
Please review settings in the files:
- /usr/local/etc/inprotect.cfg
- /somewebroot/config.php
3. Now edit the inprotect.cfg using your favourite editor (it can be
found in /usr/local/etc) and change the following lines to be:
NESSUSPATH=<path where "nessus" is>/nessus
DATABASEHOST=<localhost or hostname of MySQL server from Part II>
DATABASEUSER=<MySQL username setup in Part II, pt 4>
DATABASEPASSWORD=<Password for MySQL user setup in Part II, pt 4>
EMAILSUBJECT=<Subject of results e-mails sent by Inprotect>
4. You now need to edit the config.php installed in the webroot
location in point 2 using your favourite editor (using our
example, it would be /somewebroot/config.php). Change the
following lines to be:
$dbhost="<localhost or hostname of MySQL server from Part II>";
$dbuname="<MySQL username setup in Part II, pt 4>";
$dbpass="<Password for MySQL user setup in Part II, pt 4>";
5. If you wish your Inprotect Web console to only use encrypted HTTP
(i.e. HTTPS), change the following line in
/somewebroot/config.php:
$enablessl=1;
For this to work, you must make sure your webserver is configured
to run a HTTPS server at the virtual host you configure for
Inprotect.
6. Finally configure your web server to serve webpages, giving it
permissions to execute PHP scripts within the webroot you
specified in point 2.
7. Login to the Inprotect Web Console using the username "Admin"
(case sensitive) and the password "password".
8. Add the "scanner" server you configured in Part I to the Inprotect
system by selecting:
Settings -> Nessus Servers -> Add new Nessus server
Enter the following information:
Server Name: <Insert a meaningful name for the scanner>
Server Description: <Insert your own description>
Server Hostname/IP address: <Insert the host/IP of the scanner
setup in Part I>
Server Port: <Enter the port of the Nessus daemon>
Server type: <Select Global>
Nessus Username: <Nessus user created in Part I point 1>
Nessus Password: <Nessus user's password setup in Part I point 1>
Max number of hosts to scan: <4 for a decent powered PC or higher
for better-specced servers>
Click on Save.
9. Make sure you have internet access and have already configured
the nessus-fetch.rc file as part of the Nessus installation. Run:
$ updateplugins.pl
This will populate the Inprotect Database with Nessus plugin
information.
10. Download the JpGraph software from the link below and install it
into the <webroot directory>/jpgraph. Unfortunately we cannot
include it within this installation bundle:
http://www.aditus.nu/jpgraph/jpdownload.php
N.B. If you are running PHP 5.0x, you will need to modify
jpgraph.php for it to work - see the JpGraph website for details.
P.S. JpGraph will only work if you have compiled in GD support into
your PHP installation or have installed the "php-gd" package.
11. Reboot to get the Inprotect "sched.pl" daemon to initialise and
execute properly from the "rc.local" script.
Let's get scanning!
===================
Now login to the website with username: Admin, password: password
If the login does not work then start by looking at the
/var/www/logs/error_log or your web server error_log file to help double
check your settings.
To Perform a Nessus Scan:
-------------------------
A) You need to create a profile first
Select "Settings" -> "Nessus Scan Profiles" -> "Create New Profile" ->
Fill out details -> Click "Save".
B) Then assign it to a user
Select "Settings" -> "Nessus Scan Profiles" ->
Select a Profile to assign to a user -> "Edit" -> "Edit Users" ->
Select User(s) and "Add Users"
C) Pick a victim
"Security Scan" -> "Nessus Scan" -> "New Schedule" -> Give it a name ->
"Manage Hosts" -> Input IP(s) -> "Manage Schedule" ->
Enter Appropriate Data -> "Submit"
D) Then view your results
Check the "Reports" link
or
"Security Scan" -> "Nessus Scan" -> "View runnings scans details"
To Perform a nmap scan:
-----------------------
A) "Security Scan" -> "Nmap Port Scan"
25 August 2006
Apache 2.x startup error
# /usr/local/sbin/apachectl start
["date"] [warn] (2)No such file or directory: Failed to enable the 'httpready' Accept Filter
Solution:
1) Run kldload /boot/kernel/accf*.ko, or add that command to rc.local.
2) echo 'accf_http_load="yes"' >> /boot/loader.conf