[Security Operations] Simulating a Small Enterprise Intranet

VSole, 2022-08-20 16:58:39

Experiment Objective

Based on the real situation of a small enterprise, simulate a small LAN and configure it against common intranet attack techniques (such as DDoS and SSH brute forcing). The goal is to improve the security-operations skills of new sysadmins.

Network Topology

Scenario

The LAN contains the physical host and the proxy server host. The physical host is an ordinary client machine and the proxy server is the proxy provided by the company; this network simulates the public Internet.

The NAT network contains the HTTP server, Backup server, NIS server and Client hosts. This network simulates the company's internal network.

Hosts

Physical host: set the browser proxy to 192.168.1.10 on the same subnet; it can then reach the portal site at 192.168.56.102.

Proxy server: shut down all unnecessary ports, move the SSH port to 1022, give the firewall configuration particular attention, monitor the logs and email the root user when SSH login failures exceed a threshold within a short period, and provide the squid proxy service.

HTTP server: host a portal site protected by HTTPS and provide the rsync service; configure the firewall so that iptables lets only the proxy server reach ports 80 and 443.

Backup server: keep copies of the HTTP server's log information via rsync.

NIS server: provide account management for the client and the backup server.

Client: configure a simple firewall.

Detailed Configuration

Special Configuration

Within the 192.168.56.0/24 subnet, only the proxy server may be reached by the physical host; every other host must be configured so that it cannot be reached by any IP outside the LAN. This is done with iptables:

```
# ban the physical host
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
# only allow IPs from the same subnet to connect
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```

Proxy server

1. Firewall configuration

```
# clear the existing configuration
iptables -F
iptables -X
iptables -Z
# default policy of the INPUT chain: drop
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# -A appends a rule, -i selects the interface, -j the action, -m a match module, -p the protocol
# --dport destination port, --sport source port
# -m state --state RELATED,ESTABLISHED matches on the packet's connection state. Four states exist:
# INVALID, ESTABLISHED, NEW and RELATED. INVALID means the packet is not associated with any known
# flow or connection, or its data or headers are malformed. ESTABLISHED means the packet is fully
# valid and belongs to an established connection on which both ends have already sent data. NEW
# means the packet is about to start, or has started, a new connection, or belongs to a connection
# that has not yet seen data in both directions. RELATED means the packet is opening a new
# connection that is related to an already established one.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```

and configure /etc/crontab:

```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
```

Enable the kernel's protection settings:

```
[root@localhost dc]# vim /etc/sysctl.conf
[root@localhost dc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Turn on syncookies for SYN flood attack protection
#
net.ipv4.tcp_syncookies = 1

# Avoid a smurf attack
#
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on reverse path filtering
#
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.enp0s8.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.enp0s8.log_martians = 1
net.ipv4.conf.lo.log_martians = 1

# Make sure no one can alter the routing tables
#
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.enp0s8.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0

# redirects project
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.enp0s8.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
[root@localhost dc]# sysctl -p
```

After the configuration is done, reboot and check whether the firewall settings have taken effect.

2. Shut down all unnecessary ports

Listing the open ports shows this entry:

```
[root@localhost dc]# netstat -tulnp
tcp6       0      0 ::1:631                 :::*                    LISTEN      1267/cupsd
```

Following the advice in Vbird's book (鸟哥的Linux私房菜), I disabled the cups service with systemctl: systemctl disable cups.service. The ntsysv command can also be used to review and disable unnecessary services.

3. Move the SSH port to 1022

/etc/ssh/sshd_config:

```
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
```

In SELinux, add port 1022 as a permitted SSH service port.

```
[root@localhost dc]# semanage port -a -t ssh_port_t -p tcp 1022
[root@localhost dc]#
[root@localhost dc]# semanage port -l | grep ssh
ssh_port_t                     tcp      1022, 22
```

4. Monitor the logs, and email root when failed logins exceed a threshold within a short time

Brute-force test of the SSH port from Kali:

```
date ; hydra -l dc -P /usr/share/wordlists/fasttrack.txt -v ssh://192.168.1.10:1022 ; date
2022年 07月 29日 星期五 22:23:15 CST
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
[ERROR] could not connect to target port 1022: Socket error: Connection reset by peer
[ERROR] ssh protocol error
2022年 07月 29日 星期五 22:25:26 CST

cat /usr/share/wordlists/fasttrack.txt | wc -l
222

>>> (222/(2*60+10))
1.7076923076923076
```

That is an average of 1.7 failed logins per second. So more than 60 SSH login attempts within one minute is a strong indication that an account's password is being brute-forced.

Write an automated tool that detects SSH password brute-forcing, immediately bans the suspicious IP, and emails the system administrator.

Functionality: periodically check the output of the lastb command; if an IP has more than 60 failed logins within one minute, notify the root user with the mail command and immediately ban that IP with iptables (the ban rule is also written into /home/dc/iptables.mysettings).

Script contents:

```
import os
import datetime

# More than this many failed logins from one IP within a single minute is treated as brute forcing.
FAILED_LOGIN_THRESHOLD = 60
# Relative to the working directory cron runs the job in (root's home directory).
BLACK_LIST_FILE = "black_list.txt"
RULES_FILE = "/home/dc/iptables.mysettings"


def compose_time_str(date_time_t):
    """Format a time the way the awk pipeline below prints lastb entries: Mon-D-HH:MM."""
    month_str = date_time_t.strftime("%b")
    day_str = date_time_t.strftime("%d").lstrip('0')   # lastb prints the day without a leading zero
    time_str = date_time_t.strftime("%H:%M")
    return month_str + '-' + day_str + '-' + time_str


now_time = datetime.datetime.now()
month_str = now_time.strftime("%b")

# The job runs every 3 minutes, so only the previous three whole minutes are examined.
time_str_list = [compose_time_str(now_time - datetime.timedelta(minutes=m)) for m in (1, 2, 3)]

# lastb columns: user, tty, host, weekday, month, day, time ...  -> printed as "Aug-4-10:30 192.168.1.3"
cmdline = "lastb | awk '{printf \"%s-%s-%s %s\\n\",$5,$6,$7,$3}'"
login_failed_information = os.popen(cmdline).read().split('\n')

# { time: {ip: number, ip2: number}, time2: {ip: number} }
suspect_ip_and_attack_time_dict = {}
for line in login_failed_information:
    if not line.startswith(month_str):
        continue   # skips blank lines and the "btmp begins ..." footer
    fields = line.split(' ')
    if len(fields) != 2:
        continue
    detail_time, ip = fields
    if detail_time in time_str_list:
        time_dict = suspect_ip_and_attack_time_dict.setdefault(detail_time, {})
        time_dict[ip] = time_dict.get(ip, 0) + 1

message = ""
black_list = []
for detail_time, ip_counts in suspect_ip_and_attack_time_dict.items():
    for ip, failed_times in ip_counts.items():
        if failed_times > FAILED_LOGIN_THRESHOLD:
            black_list.append(ip)
            message += "{} attacked {} times at {}\n".format(ip, failed_times, detail_time)

# Do not ban an IP twice: skip addresses recorded by an earlier run.
ban_ip_list = []
if os.path.exists(BLACK_LIST_FILE):
    with open(BLACK_LIST_FILE, "r") as f:
        ban_ip_list = [line.strip() for line in f]
black_list = [ip for ip in set(black_list) if ip not in ban_ip_list]

# Insert the DROP rule at position 3, right after the lo and RELATED,ESTABLISHED rules, so it
# takes effect before the port ACCEPT rules, e.g. iptables -I INPUT 3 -i enp0s3 -s 192.168.1.1 -j DROP
with open(BLACK_LIST_FILE, "a") as f:
    for ip in black_list:
        os.system("iptables -I INPUT 3 -i enp0s3 -s " + ip + " -j DROP")
        f.write(ip + '\n')

# Persist the rules so the per-minute iptables-restore cron job keeps the ban in place.
os.system("iptables-save > " + RULES_FILE)

if message != "":
    mail_cmd = "echo \"" + message + "\" | mail -s \"security report\" root@localhost"
    os.system(mail_cmd)
```
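As an added, stand-alone example (not the page's script), the following Python code reimplements the detection logic above over constructed lastb lines so that it can be run and tested without root or a real btmp file: it parses the raw lastb line format directly instead of going through awk, buckets failures per minute and per source IP, applies the same threshold of 60 per minute over the previous three minutes, skips IPs that are already on the black list, and returns the iptables commands instead of executing them. The sample lines, addresses and timestamps are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 60   # the per-minute threshold derived above from the hydra measurement

# One lastb line per failed login, in the util-linux format seen on CentOS 7:
#   user     ssh:notty    host             Thu Aug  4 10:30 - 10:30  (00:00)
LASTB_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<wday>[A-Za-z]{3})\s+(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2})"
)


def minute_key(dt):
    """'Aug-4-10:30': the same key format the page's script builds with awk."""
    return "{}-{}-{}".format(dt.strftime("%b"), dt.day, dt.strftime("%H:%M"))


def parse_lastb(text):
    """Yield (minute_key, source_ip) for each failed-login line; anything else is ignored."""
    for line in text.splitlines():
        m = LASTB_RE.match(line)
        if m:   # blank lines and the "btmp begins ..." footer do not match
            key = "{}-{}-{}".format(m.group("mon"), int(m.group("day")), m.group("time"))
            yield key, m.group("host")


def find_attackers(lastb_text, now, already_banned, threshold=FAILED_LOGIN_THRESHOLD, window_minutes=3):
    """Return (new_ips_to_ban, report_lines) for the `window_minutes` whole minutes before `now`."""
    window = set(minute_key(now - timedelta(minutes=m)) for m in range(1, window_minutes + 1))
    counts = {}   # { minute_key: { ip: failures } }
    for key, ip in parse_lastb(lastb_text):
        if key in window:
            per_ip = counts.setdefault(key, {})
            per_ip[ip] = per_ip.get(ip, 0) + 1
    suspects, report = set(), []
    for key in sorted(counts):
        for ip, n in sorted(counts[key].items()):
            if n > threshold:
                suspects.add(ip)
                report.append("{} attacked {} times at {}".format(ip, n, key))
    # IPs already on the black list are still reported, but not banned a second time.
    return sorted(ip for ip in suspects if ip not in already_banned), report


def ban_commands(ips, iface="enp0s3", position=3):
    """The iptables commands the cron job would run; position 3 follows the lo and ESTABLISHED rules."""
    return ["iptables -I INPUT {} -i {} -s {} -j DROP".format(position, iface, ip) for ip in ips]


# ---- constructed sample input (not real log data) ----
def make_lastb_lines(ip, count, day, hhmm, user="dc"):
    return ["{:<8} ssh:notty    {:<16} Thu Aug {:>2} {} - {}  (00:00)".format(user, ip, day, hhmm, hhmm)
            for _ in range(count)]

SAMPLE_LASTB = "\n".join(
    make_lastb_lines("192.168.1.3", 70, 4, "10:30")     # over threshold inside the window
    + make_lastb_lines("192.168.1.16", 5, 4, "10:30")   # a few failures: ignored
    + make_lastb_lines("192.168.1.16", 65, 4, "10:31")  # over threshold, but already banned below
    + make_lastb_lines("192.168.1.9", 80, 4, "10:20")   # over threshold, but outside the window
) + "\n\nbtmp begins Mon Aug  1 00:00:01 2022\n"
SAMPLE_NOW = datetime(2022, 8, 4, 10, 32, 30)

if __name__ == "__main__":
    new_bans, report = find_attackers(SAMPLE_LASTB, SAMPLE_NOW, already_banned={"192.168.1.16"})
    print("\n".join(report))
    print("\n".join(ban_commands(new_bans)))
```

Running it reports both 192.168.1.3 (70 failures at 10:30) and 192.168.1.16 (65 at 10:31), but emits a ban command only for 192.168.1.3, since 192.168.1.16 is already on the list; 192.168.1.9's 80 failures at 10:20 fall outside the three-minute window and are not counted.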

Contents of /etc/crontab:

```
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
# apply my iptables from file per minute.
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
# detect attack behaviour every 3 minutes.
  */3  *  *  *  * root           /usr/bin/python /root/detect_ssh_port_hacking.py
```

Run hydra against port 1022 from two separate hosts:

date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date

After it finishes, check root's mailbox on the proxy server:

```
[root@localhost ~]# cat /var/spool/mail/root
From root@localhost.localdomain  Thu Aug  4 10:33:02 2022
Return-Path:
X-Original-To: root@localhost
Delivered-To: root@localhost.localdomain
Received: by localhost.localdomain (Postfix, from userid 0)
    id 130BE12010FD; Thu,  4 Aug 2022 10:33:02 -0400 (EDT)
Date: Thu, 04 Aug 2022 10:33:02 -0400
To: root@localhost.localdomain
Subject: security report
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20220804143302.130BE12010FD@localhost.localdomain>
From: root@localhost.localdomain (root)

192.168.1.3 attacked 142 times at Aug-4-10:30
192.168.1.16 attacked 142 times at Aug-4-10:30
192.168.1.3 attacked 146 times at Aug-4-10:31
192.168.1.16 attacked 96 times at Aug-4-10:31
192.168.1.3 attacked 64 times at Aug-4-10:32
```

As soon as the script detected the attack, it blacklisted the two attacking hosts.

Now look at the output on the attacking machine:

```
┌──(root㉿kali)-[/usr/share/nmap/nselib/data]
└─# date ; hydra -l dc -P /usr/share/nmap/nselib/data/passwords.lst -v ssh://192.168.1.10:1022 ; date
2022年 08月 04日 星期四 22:32:55 CST
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-04 22:32:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 5010 login tries (l:1/p:5010), ~314 tries per task
[DATA] attacking ssh://192.168.1.10:1022/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://dc@192.168.1.10:1022
[ERROR] could not connect to ssh://192.168.1.10:1022 - Timeout connecting to 192.168.1.10
2022年 08月 04日 星期四 22:33:37 CST
```

It was meant to run through all five thousand passwords, but because of the script it was banned after fewer than three or four hundred:

```
dc@LAPTOP-J3UJRUOC:/usr/share/nmap/nselib/data$ wc -l /usr/share/nmap/nselib/data/passwords.lst
5084 /usr/share/nmap/nselib/data/passwords.lst
```

Check the proxy server's iptables configuration again:

```
[root@localhost ~]# iptables -L  --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
3    DROP       all  --  192.168.1.16         anywhere
4    DROP       all  --  192.168.1.3          anywhere
5    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:sunrpc
6    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:exp2
7    ACCEPT     tcp  --  anywhere             anywhere             tcp spts:1024:65534 dpt:squid

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost ~]#
```

5. Set up the squid proxy

Install squid:

yum install squid

Uncomment one line in the configuration file:

```
vim /etc/squid/squid.conf
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 100 16 256
```

Start the service and enable it at boot:

```
[root@localhost ~]# systemctl start squid.service
[root@localhost ~]# systemctl enable squid.service
```

Finally, don't forget to reapply the firewall rules, because the physical host still needs to reach the proxy server:

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 1022 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s3 --dport 3128 --sport 1024:65534 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
iptables -L  --line-number
```

Client

Configure the firewall:

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables-save > /home/dc/iptables.mysettings
```

Accept packets from the lo interface, packets from the 56 subnet, and packets related to connections the host itself initiated; drop 56.1 (the physical host) and all other packets.

Add the scheduled task:

```
[root@localhost dc]# vim /etc/crontab
[root@localhost dc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root            /sbin/iptables-restore /home/dc/iptables.mysettings
```

HTTP server

1. Firewall configuration

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```
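To check that a rule set like the one above really enforces the intent stated for the HTTP server (only the proxy server reaches 80 and 443, the physical host is dropped, the rest of the 56 subnet reaches the other ports), the following added Python example, which is not code from the page, models iptables' first-match evaluation of the INPUT chain for the options this page uses (-i, -p, -s, --dport, --sport and -m state --state) and runs constructed packets through the HTTP server's rules. The connection state on each packet is assumed to be what conntrack would assign, and 192.168.56.106 is taken to be the proxy server's address on the internal network, as the rules themselves imply.

```python
import ipaddress
import shlex

# The HTTP server's INPUT rules exactly as the page appends them (the -F/-X/-Z flush and the
# "-P INPUT DROP" policy are represented by the evaluator's default policy).
HTTP_SERVER_RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 80 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.106 --dport 443 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 80 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 443 -j DROP
iptables -A INPUT -p TCP -i enp0s8 --dport 111 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 22 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 631 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 --dport 25 --sport 1024:65534 -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
"""


def parse_rules(text):
    """Parse 'iptables -A INPUT ...' lines into match dicts, keeping the page's order."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        rule = {"iface": None, "proto": None, "src": None, "dport": None,
                "sport": None, "states": None, "target": None}
        i = 1
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "-i":
                rule["iface"] = val
            elif opt == "-p":
                rule["proto"] = val.lower()
            elif opt == "-s":
                rule["src"] = ipaddress.ip_network(val)      # a bare host address becomes a /32
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--sport":
                lo, _, hi = val.partition(":")
                rule["sport"] = (int(lo), int(hi or lo))
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "-j":
                rule["target"] = val
            # "-A INPUT" and "-m state" carry no match criteria of their own
            i += 2
        rules.append(rule)
    return rules


def matches(rule, pkt):
    """Every criterion present in the rule must hold; absent criteria match anything."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["sport"] and not rule["sport"][0] <= pkt["sport"] <= rule["sport"][1]:
        return False
    if rule["states"] and pkt["state"] not in rule["states"]:
        return False
    return True


def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; returns (target, 1-based rule number) or (policy, None)."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], number
    return policy, None


def tcp_packet(src, dport, sport=40000, iface="enp0s8", state="NEW"):
    """A constructed inbound TCP packet; `state` is what conntrack would have assigned to it."""
    return {"src": src, "dport": dport, "sport": sport, "proto": "tcp", "iface": iface, "state": state}


HTTP_SERVER_CHAIN = parse_rules(HTTP_SERVER_RULES)

if __name__ == "__main__":
    for label, pkt in [
        ("proxy -> 443", tcp_packet("192.168.56.106", 443)),
        ("client -> 80", tcp_packet("192.168.56.105", 80)),
        ("client -> 22", tcp_packet("192.168.56.105", 22)),
        ("physical host -> 443", tcp_packet("192.168.56.1", 443)),
        ("proxy -> 443 from sport 80", tcp_packet("192.168.56.106", 443, sport=80)),
        ("physical host reply (ESTABLISHED)", tcp_packet("192.168.56.1", 22, state="ESTABLISHED")),
        ("outside host -> 8080", tcp_packet("10.0.0.5", 8080)),
    ]:
        print("{:<36} {}".format(label, verdict(HTTP_SERVER_CHAIN, pkt)))
```

The same evaluator runs unchanged over the client and NIS server rule sets. Two things it makes visible about the ordering: the RELATED,ESTABLISHED rule sits before the DROP for 192.168.56.1, so replies to connections the HTTP server itself opened are accepted even from the physical host, and the rules for ports 111, 22, 631 and 25 carry no -s restriction, so on this interface they accept any source other than 192.168.56.1.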

Save the configuration and schedule the restore job:

```
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```

2. Install httpd, start it, and enable it at boot:

```
yum install httpd
systemctl start httpd
systemctl enable httpd
systemctl status httpd
```

Set up a simple home page:

```
cd /var/www/html/
cat index.html
This is my first page.
```

Enable HTTPS:

```
yum install mod_ssl
systemctl restart httpd
```

Backup server

Set up a scheduled backup of the HTTP server's website content on this server.

1. First set up passwordless SSH login to the HTTP server:

```
[dc@localhost ~]$ su
Password:
[root@localhost dc]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:iQiHtrt1CpVCi/9tUepSWVziMnhw/Zk9CASepiHvr2s root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
|      .+.        |
|   .....+ .      |
|  * o++o = =     |
| + B.*+.=.= o    |
|. + *..BS    .   |
| . =  =          |
|  + oo..         |
|   =E=o          |
|  ..==o          |
+----[SHA256]-----+
[root@localhost dc]# scp ~/.ssh/id_rsa.pub root@192.168.56.102:~
The authenticity of host '192.168.56.102 (192.168.56.102)' can't be established.
ECDSA key fingerprint is SHA256:fXKVGvaS/isxJ+u6655e5dyTap2YDAgEgdrbs96gcoU.
ECDSA key fingerprint is MD5:6d:28:85:28:3a:2d:2e:be:cb:e9:cd:87:ad:9a:ea:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.102' (ECDSA) to the list of known hosts.
root@192.168.56.102's password:
id_rsa.pub                                       100%  408   489.5KB/s   00:00
```

Add the public key on the HTTP server:

```
[root@localhost ~]# ls -ld id_rsa.pub .ssh/
-rw-r--r--. 1 root root 406 Aug  3 01:38 id_rsa.pub
drwx------. 2 root root  25 Aug  1 03:17 .ssh/
[root@localhost ~]# cat id_rsa.pub >> ~/.ssh/known_hosts
123.txt          .bash_profile    .cshrc           original-ks.cfg  .viminfo
anaconda-ks.cfg  .bashrc          id_rsa.pub       .rnd             .wireshark/
.bash_history    .cache/          .lesshst         .ssh/            .xauthTIyBog
.bash_logout     .config/         .local/          .tcshrc
[root@localhost ~]# cat id_rsa.pub >> ~/.ssh/authorized_keys
[root@localhost ~]# chmod 644 ~/.ssh/authorized_keys
```

Back on the backup server, test it:

```
[dc@localhost ~]$ ssh root@192.168.32.146
Last login: Sat Jul 30 06:48:47 2022
[root@localhost ~]# exit
logout
Connection to 192.168.32.146 closed.
```

2. With passwordless login in place, add a system cron job as root that synchronises the HTTP server's website content to the local /tmp directory every hour.

```
[root@localhost .ssh]# /usr/bin/rsync -av -e ssh root@192.168.56.102:/var/www/html /tmp
receiving incremental file list
html/
html/index.html

sent 47 bytes  received 151 bytes  132.00 bytes/sec
total size is 23  speedup is 0.12
```

Add the cron job:

```
[root@localhost ~]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
*  *  *  *  *     root    /usr/bin/rsync -av -e ssh root@192.168.56.102:/var/www/html /tmp &> /root/rsync_res.txt
```

You can watch the script's output and the crontab log to observe how it runs; these are the two log files that matter:

```
/root/rsync_res.txt
/var/log/cron
```

NIS server

1. Install NIS

```
yum install yp-tools
yum install ypbind
yum install ypserv
yum install rpcbind
```

2. Set the NIS domain name.

Following Vbird's book, the configuration is as follows:

NIS domain name: vbirdnis
The whole trusted internal network: 192.168.56.0/24
NIS master server: IP 192.168.56.103, hostname www.centos.vbird
NIS client: IP 192.168.56.105, hostname client.centos.vbird
NIS client 2: IP 192.168.56.104, hostname backup.centos.vbird

Edit /etc/sysconfig/network to set the domain name and make NIS start on a fixed port:

```
[root@localhost ~]# cat /etc/sysconfig/network
# Created by anaconda
NISDOMAIN=vbirdnis
YPSERV_ARGS="-p 1011"
```

Make the same settings on the two client machines.

3. Set up the main configuration file:

```
[root@localhost dc]# cat /etc/ypserv.conf
#
# ypserv.conf    In this file you can set certain options for the NIS server,
#        and you can deny or restrict access to certain maps based
#        on the originating host.
#
#        See ypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all not needed, if
# you have a Linux net.

# How many map file handles should be cached ?
files: 30

# Should we register ypserv with SLP ?
# slp: no
# After how many seconds we should re-register ypserv with SLP ?
# slp_timeout: 3600

# xfr requests are only allowed from ports < 1024
xfr_check_port: yes

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*               : *       : shadow.byname    : port
*               : *       : passwd.adjunct.byname : port

# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
*                        : *       : *                : none
```

4. Map hostnames to IP addresses

Configure the hosts file:

```
[root@localhost dc]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.103 www.centos.vbird
192.168.56.105 client.centos.vbird
192.168.56.104 backup.centos.vbird
```

Checking with hostname shows that the name was not set, so set it again with hostnamectl:

```
[root@localhost dc]# hostname
localhost.localdomain
[root@localhost dc]# hostnamectl set-hostname www.centos.vbird
[root@localhost dc]# hostname
www.centos.vbird
```

5. Start all related services

```
[root@localhost dc]# cat /etc/sysconfig/yppasswdd
# The passwd and shadow files are located under the specified
# directory path. rpc.yppasswdd will use these files, not /etc/passwd
# and /etc/shadow.
#ETCDIR=/etc

# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/passwd
# You can't mix usage of this with ETCDIR
#PASSWDFILE=/etc/passwd

# This option tells rpc.yppasswdd to use a different source file
# instead of /etc/passwd.
# You can't mix usage of this with ETCDIR
#SHADOWFILE=/etc/shadow

# Additional arguments passed to yppasswd
YPPASSWDD_ARGS="--port 1012"
[root@localhost dc]# systemctl status ypserv.service
● ypserv.service - NIS/YP (Network Information Service) Server
   Loaded: loaded (/usr/lib/systemd/system/ypserv.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost dc]# systemctl start ypserv.service
[root@localhost dc]# systemctl enable ypserv.service
Created symlink from /etc/systemd/system/multi-user.target.wants/ypserv.service to /usr/lib/systemd/system/ypserv.service.
[root@localhost dc]# systemctl status ypserv.service
● ypserv.service - NIS/YP (Network Information Service) Server
   Loaded: loaded (/usr/lib/systemd/system/ypserv.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-08-05 08:07:36 EDT; 13s ago
 Main PID: 32494 (ypserv)
   Status: "Processing requests..."
   CGroup: /system.slice/ypserv.service
           └─32494 /usr/sbin/ypserv -f -p 1011

Aug 05 08:07:36 www.centos.vbird systemd[1]: Starting NIS/YP (Network Information Service) Server...
Aug 05 08:07:36 www.centos.vbird ypserv[32494]: WARNING: no securenets file found!
Aug 05 08:07:36 www.centos.vbird systemd[1]: Started NIS/YP (Network Information Service) Server.
[root@localhost dc]# systemctl status yppasswdd.service
● yppasswdd.service - NIS/YP (Network Information Service) Users Passwords Change Server
   Loaded: loaded (/usr/lib/systemd/system/yppasswdd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost dc]# systemctl start yppasswdd.service
[root@localhost dc]# systemctl enable yppasswdd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/yppasswdd.service to /usr/lib/systemd/system/yppasswdd.service.
[root@localhost dc]# systemctl status yppasswdd.service
● yppasswdd.service - NIS/YP (Network Information Service) Users Passwords Change Server
   Loaded: loaded (/usr/lib/systemd/system/yppasswdd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2022-08-05 08:08:06 EDT; 9s ago
 Main PID: 32611 (rpc.yppasswdd)
   Status: "Processing requests..."
   CGroup: /system.slice/yppasswdd.service
           └─32611 /usr/sbin/rpc.yppasswdd -f --port 1012

Aug 05 08:08:06 www.centos.vbird systemd[1]: Starting NIS/YP (Network Information Service) Users Passwords Change Server...
Aug 05 08:08:06 www.centos.vbird yppasswdd-pre-setdomain[32606]: Setting NIS domain: 'vbirdnis' (environment variable)
Aug 05 08:08:06 www.centos.vbird systemd[1]: Started NIS/YP (Network Information Service) Users Passwords Change Server.
```

Check whether anything is abnormal. Note the line "WARNING: no securenets file found!" in the ypserv output: without /var/yp/securenets, ypserv answers map requests from any host that can reach port 1011, so in this lab the iptables restriction to 192.168.56.0/24 in step 7 is what limits access to the NIS maps.

```
[root@localhost dc]# rpcinfo -p localhost
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp   1011  ypserv
    100004    1   udp   1011  ypserv
    100004    2   tcp   1011  ypserv
    100004    1   tcp   1011  ypserv
    100009    1   udp   1012  yppasswdd
[root@localhost dc]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
```

6. Create the accounts and build the database

```
[root@localhost dc]# useradd -u 1001 nisuser1
[root@localhost dc]# useradd -u 1002 nisuser2
[root@localhost dc]# useradd -u 1003 nisuser3
[root@localhost dc]# vim /etc/passwd
[root@localhost dc]# echo password | passwd --stdin nisuser1
Changing password for user nisuser1.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# echo password | passwd --stdin nisuser2
Changing password for user nisuser2.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# echo password | passwd --stdin nisuser3
Changing password for user nisuser3.
passwd: all authentication tokens updated successfully.
[root@localhost dc]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  www.centos.vbird is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a .
    next host to add:  www.centos.vbird
    next host to add:
The current list of NIS servers looks like this:

www.centos.vbird

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/vbirdnis/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/vbirdnis'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/vbirdnis'

www.centos.vbird has been set up as a NIS master server.

Now you can run ypinit -s www.centos.vbird on all slave server.
```

7. Firewall settings

```
iptables -F
iptables -X
iptables -Z
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.1 -j DROP
iptables -A INPUT -p TCP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
iptables -A INPUT -p UDP -i enp0s8 -s 192.168.56.0/24 -j ACCEPT
```

Save the configuration and schedule the restore job:

```
iptables-save > /root/my_iptables_seetings.rule
/usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
[root@localhost html]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
  *  *  *  *  * root /usr/sbin/iptables-restore < /root/my_iptables_seetings.rule
```

8. Client configuration

Install the required software:

```
[root@localhost dc]# yum install ypbind
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.nju.edu.cn
 * extras: mirrors.ustc.edu.cn
 * updates: mirrors.ustc.edu.cn
base                                                            | 3.6 kB  00:00:00
extras                                                          | 2.9 kB  00:00:00
updates                                                         | 2.9 kB  00:00:00
updates/7/x86_64/primary_db                                     |  16 MB  00:00:03
Resolving Dependencies
--> Running transaction check
---> Package ypbind.x86_64 3:1.37.1-9.el7 will be installed
--> Processing Dependency: yp-tools for package: 3:ypbind-1.37.1-9.el7.x86_64
--> Running transaction check
---> Package yp-tools.x86_64 0:2.14-5.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================
 Package             Arch              Version                   Repository       Size
=======================================================================================
Installing:
 ypbind              x86_64            3:1.37.1-9.el7            base             62 k
Installing for dependencies:
 yp-tools            x86_64            2.14-5.el7                base             79 k

Transaction Summary
=======================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 142 k
Installed size: 299 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/base/packages/ypbind-1.37.1-9.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Public key for ypbind-1.37.1-9.el7.x86_64.rpm is not installed
(1/2): ypbind-1.37.1-9.el7.x86_64.rpm                           |  62 kB  00:00:00
(2/2): yp-tools-2.14-5.el7.x86_64.rpm                           |  79 kB  00:00:00
---------------------------------------------------------------------------------------
Total                                                     209 kB/s | 142 kB  00:00
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Importing GPG key 0xF4A80EB5:
 Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) "
 Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
 Package    : centos-release-7-9.2009.0.el7.centos.x86_64 (@anaconda)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yp-tools-2.14-5.el7.x86_64                                          1/2
  Installing : 3:ypbind-1.37.1-9.el7.x86_64                                        2/2
  Verifying  : 3:ypbind-1.37.1-9.el7.x86_64                                        1/2
  Verifying  : yp-tools-2.14-5.el7.x86_64                                          2/2

Installed:
  ypbind.x86_64 3:1.37.1-9.el7

Dependency Installed:
  yp-tools.x86_64 0:2.14-5.el7

Complete!
[root@localhost dc]# yum install yp-tools
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.nju.edu.cn
 * extras: mirrors.ustc.edu.cn
 * updates: mirrors.ustc.edu.cn
Package yp-tools-2.14-5.el7.x86_64 already installed and latest version
Nothing to do
```

The setup command can be used to edit the configuration files quickly.

Use yptest to verify the database.

Use ypwhich to check the number of databases (maps).

Use su - nisuser1 to switch to an NIS account.

Tags: security operations, iptables
This work is licensed under the CC License; reposts must credit the author and link to this article.