Javi Polo

About the author: I am eighteen this year and, until September, still a secondary-school student "suffering" in a Catalan school. My greatest interest is computer science; I hope my application to UIB is accepted so that I can take telecommunications as a minor and computer science as a major. I like hard rock and have joined a band called Niko-Chan's Kingdom. I have a very good girlfriend called Xiska. That is about it; nothing else worth saying 0:)
TCPD and using IPFWADM to set up a firewall

Abstract: This article is a brief introduction to configuring the inetd services on a system in order to improve its security. We focus on the system administration tool IPFWADM and on the configuration of the inetd services.

First we have to be clear about what inetd is. Simply put, inetd is a server program that controls the services a host offers when it is connected to the network. You may come across a machine whose default installation does not have inetd set up to control all of its services, so the first thing to do is to find the file /etc/inetd.conf and check which of the existing services it controls (that is, the lines that do not begin with a "#" character). The first piece of advice is: unless you really need a service, never start it. Servers that are never used may still contain bugs, and the best way to keep anyone from breaking in through such a hole is not to run them at all.

Assuming the reader has a copy of inetd.conf at hand, I will now explain what its contents mean. Take, for example, the following line:

```
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
```

The first word is the name of the service provided (in this example "ftp"; we can look up the port number it is bound to in the file /etc/services). The second field is the type of socket opened; it can be stream (as in this example), dgram, raw, rdm or seqpacket. The next field is the protocol used, which must first be declared in the file /etc/protocols; in the example above we assume you have already declared the TCP protocol there. After the protocol comes the wait/nowait field. For sockets other than the datagram (dgram) type this should always be nowait; for datagram sockets, set nowait if the server is multi-threaded and wait if it only supports a single thread. The reason is that a multi-threaded server, when it receives a connection request, starts a new process and then releases the original socket so that inetd can go on listening for further connection requests, hence nowait. In the single-threaded case wait is required, because the server keeps hold of the same socket and cannot spawn another process to serve the connection. There is also a variation on this format: we can write nowait.50, meaning that at most 50 servers may be started within a short time (or, seen from another angle, that at most that many connection requests are accepted). The default value is 40. The fifth field states the user name under which the server is run; in this example ftp runs as the user root. The sixth and following fields are the program to run and the arguments passed to it. In our example the server tcpd is started, with the server in.ftpd and -l -a as its arguments.

Now we come to the most interesting part, the configuration of TCPD. Well, tcpd is a server that filters connection requests: depending on which server is about to be started, it decides what to do in response to the IP address that made the request. Exactly how it decides depends on how the two files /etc/hosts.allow and /etc/hosts.deny are set up. In principle, /etc/hosts.deny specifies which hosts are refused a service, and /etc/hosts.allow specifies which hosts are allowed a service. Both files use the following format:

```
DAEMON: IP[: OPTION1 [: OPTION2 ]]
```

Here DAEMON can be the name of the server to be started, such as in.ftpd in the example above, or the word ALL, which stands for every server. IP can be a specific IP address, a URL, a range of IP addresses (or URLs), or one of the wildcards explained shortly. To specify a range of IP addresses we can, for example, write `123.32', which stands for every IP address of the form 123.32.XXX.XXX; likewise `.ml.org' specifies a range of URLs, namely all subnetworks under ml.org. Specifying a range in the IP/MASK format is the more traditional way: for instance, the addresses from 127.0.0.0 to 127.0.255.255 can be written as 127.0.0.0/255.255.0.0.

The wildcards mentioned above are:
The options mentioned above are:
The last two of the options above can also be combined with suitable expansion characters for tcpd to use. These expansion characters are:
With these expansion characters and options you can already do a great deal; for instance, I know of someone who set things up so that, as soon as anyone tries to telnet into his host, a teardrop attack is automatically sent back :)
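The following is an added example, not code from the article: a small Python audit that parses the six inetd.conf fields described earlier, then works out, for a given client, what tcpd would decide for each service under the hosts.allow / hosts.deny rules, using the client pattern forms the article lists (ALL, exact address, `123.32.'-style prefix, `.ml.org'-style suffix and net/mask). The sample inetd.conf, hosts.allow and hosts.deny are constructed for the example; the telnet rule here logs the client instead of anything else, and the daemon name, `%h`/`%a` expansion and the evaluation order (hosts.allow first, then hosts.deny, otherwise allowed) follow hosts_access(5). Note that hosts_access(5) needs the trailing dot on an address prefix (`123.32.`), which the article's `123.32' omits.

```python
import ipaddress

# Constructed sample files, modelled on the article's examples (not from any real host).
INETD_CONF = """\
ftp     stream tcp nowait    root   /usr/sbin/tcpd     in.ftpd -l -a
telnet  stream tcp nowait    root   /usr/sbin/tcpd     in.telnetd
finger  stream tcp nowait    nobody /usr/sbin/tcpd     in.fingerd
talk    dgram  udp wait      root   /usr/sbin/in.talkd in.talkd
#pop3   stream tcp nowait.50 root   /usr/sbin/tcpd     in.pop3d
"""
HOSTS_ALLOW = """\
ALL: 127.0.0.1
in.ftpd: ALL: spawn (echo "ftp from %h" >> /var/log/tcpd-alerts &)
in.telnetd: 10.0.0. 192.168.5.0/255.255.255.0
"""
HOSTS_DENY = """\
ALL: .bsa.org
in.fingerd: ALL
in.telnetd: ALL
"""

def parse_inetd(text):
    """Yield the six inetd.conf fields the article describes for each active line."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):        # blank or commented-out service
            continue
        wait, _, limit = f[3].partition(".")     # "nowait.50" -> ("nowait", "50")
        yield {"service": f[0], "socket": f[1], "proto": f[2], "wait": wait,
               "max_per_minute": int(limit) if limit else 40,   # inetd's default
               "user": f[4], "program": f[5], "args": f[6:]}

def parse_rules(text):
    """Yield (daemons, clients, options) from hosts.allow / hosts.deny lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        yield parts[0].split(), parts[1].split(), [p.strip() for p in parts[2:]]

def client_matches(pattern, ip, host):
    """Client patterns of hosts_access(5): ALL, .domain suffix, 1.2. prefix, net/mask, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, host)

def tcpd_decision(daemon, ip, host):
    """tcpd consults hosts.allow first (a match grants access), then hosts.deny
    (a match refuses); a client matching neither file is allowed."""
    for text, verdict in ((HOSTS_ALLOW, "allow"), (HOSTS_DENY, "deny")):
        for daemons, clients, options in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, ip, host) for c in clients):
                # %h and %a are two of tcpd's expansions: client host name and address
                return verdict, [o.replace("%h", host).replace("%a", ip) for o in options]
    return "allow", []

def audit(ip, host):
    """For each active inetd service: (service, daemon, user, wrapped by tcpd,
    tcpd's verdict for this client or None when tcpd is not in the path)."""
    report = []
    for e in parse_inetd(INETD_CONF):
        wrapped = e["program"].endswith("/tcpd") and bool(e["args"])
        daemon = e["args"][0] if wrapped else e["program"].rsplit("/", 1)[-1]
        verdict = tcpd_decision(daemon, ip, host)[0] if wrapped else None
        report.append((e["service"], daemon, e["user"], wrapped, verdict))
    return report

if __name__ == "__main__":
    for row in audit("203.0.113.7", "scan.bsa.org"):
        print(row)
```

Two things the run makes visible: the unwrapped talk service bypasses hosts.allow/hosts.deny entirely, and a client under .bsa.org is still allowed ftp, because the `in.ftpd: ALL` line in hosts.allow is consulted before hosts.deny.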
Note: teardrop is a DoS (Denial of Service) attack, one that makes the system reboot or reinitialise. It stems from a bug in TCP packet reassembly which most operating systems had (or rather used to have, since many kernels have since been fixed for it). Data on the Internet is carried by the TCP/IP protocol (which is also found on other kinds of network, an intranet for instance). It is really two protocols: TCP is responsible for splitting the data into packets and handing them to the IP protocol, which sends them to their destination; once the data reaches the destination host, TCP checks whether every packet is complete and then reassembles them into the original data. The attack described above (and many others based on the same principle) exploits the fact that most operating systems do not check for too-small packets before reassembling them, so that such a machine ends up in a confused state after reassembly.
```
# hosts.allow
# allow localhost to do everything
ALL: 127.0.0.1
# let everyone in through ftp, but play a sound file (so it can warn me)
in.ftpd: ALL: spawn (wavplay /usr/share/sounds/intruder.wav & )
# anyone who wants to come in through telnet is sent back a teardrop attack
in.telnetd: ALL: twist ( teardrop %h %h )
#fin
```

```
# hosts.deny
# refuse every connection from the bsa.org domain
ALL: .bsa.org
# refuse the fingerd service to everyone :)
in.fingerd: ALL
#fin
```

That is all I want to say about tcpd; my knowledge is limited, so I may not have explained it well enough. My advice is to experiment with some of the configuration options and to read the on-line manual carefully (the manual pages for tcpd and hosts_access(5)); I am sure readers can learn more there than I have taught here.

Now let us move on to the IPFWADM tool. First of all, the kernel must have support for IP firewalling compiled in (Networking -> Network firewalls + IP: firewalling). After recompiling and rebooting, we are ready to use the tool. IPFWADM lets us control the TCP, UDP and ICMP packets going in and out of certain programs (which are not limited to those introduced in this article). Simply put, the administrator can lay down which packets are allowed in; the conditions that can be specified include: coming from a particular IP address or range of addresses, a particular port, a particular protocol, or any combination of these... Similarly, we have the same degree of control over packets about to leave the host. ipfwadm has several main parameters:
In this article I only intend to cover the -I and -O parameters, both of which have the same syntax. The options for these parameters are:
In principle these are the most basic parameters. So, to let every packet sent from my computer reach my own computer, the handling can be set up like this:

```sh
# insert (-i) an accept rule for the loopback source at the head of the input chain
ipfwadm -I -i a -S 127.0.0.1
```

If I also want to block packets coming from 123.34.22.XXX:

```sh
# append (-a) a deny rule for the whole 123.34.22.0/24 range
ipfwadm -I -a d -S 123.34.22.0/255.255.255.0
```

Next, if I want to block every connection request to the netbios port except those from the IP address 111.222.123.221:

```sh
# 139 is the destination port, so it belongs to -D; a port listed after -S
# would be matched as the source port instead
ipfwadm -I -a a -P tcp -S 111.222.123.221 -D 0.0.0.0/0 139
ipfwadm -I -a d -P tcp -D 0.0.0.0/0 139
```

Well, I think that is the whole article; it is not written very well, since my knowledge is rather shallow O:)
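To see how the input rules above interact, here is an added Python model of the ipfwadm -I chain (example code, not ipfwadm itself and not from the article). It parses the command lines in the form the article uses (-a/-i with a policy, -P, -S and -D with an optional port list), applies ipfwadm's first-match evaluation and its initial default policy of accept, and then asks what happens to a few constructed packets. The only rule it "fixes" is where the netbios port is attached: a port written after -S is a source port, so `-S 111.222.123.221 139` would not match a client connecting from an ephemeral port, and the second rule would deny it; the model shows both forms.

```python
import ipaddress
import shlex

POLICY = {"a": "accept", "accept": "accept", "d": "deny", "deny": "deny",
          "r": "reject", "reject": "reject"}
ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_ipfwadm(command):
    """Parse 'ipfwadm -I -a|-i policy [-P proto] [-S addr[/mask] [port...]]
    [-D addr[/mask] [port...]]' into (action, rule). Subset of the real syntax."""
    argv = shlex.split(command)
    if argv and argv[0] == "ipfwadm":
        argv = argv[1:]
    rule = {"proto": "all", "src": ANY, "sports": set(), "dst": ANY, "dports": set()}
    action = None
    i = 0
    while i < len(argv):
        flag = argv[i]
        if flag in ("-I", "-O"):                 # chain selector; same syntax for both
            i += 1
        elif flag in ("-a", "-i"):               # append / insert, followed by the policy
            action = "append" if flag == "-a" else "insert"
            rule["policy"] = POLICY[argv[i + 1]]
            i += 2
        elif flag == "-P":
            rule["proto"] = argv[i + 1].lower()
            i += 2
        elif flag in ("-S", "-D"):
            net = ipaddress.ip_network(argv[i + 1], strict=False)   # accepts a.b.c.d/mask
            i += 2
            ports = set()
            while i < len(argv) and not argv[i].startswith("-"):   # ports follow the address
                ports.add(int(argv[i]))
                i += 1
            key = "src" if flag == "-S" else "dst"
            rule[key], rule[key[0] + "ports"] = net, ports
        else:
            raise ValueError("option not modelled: %s" % flag)
    if action is None:
        raise ValueError("no -a or -i command in: %s" % command)
    return action, rule

class InputChain:
    """Ordered rule list with first-match semantics; default policy accept."""
    def __init__(self, default="accept"):
        self.rules, self.default = [], default

    def run(self, command):
        action, rule = parse_ipfwadm(command)
        if action == "insert":
            self.rules.insert(0, rule)
        else:
            self.rules.append(rule)

    def decide(self, proto, src, sport, dst, dport):
        for r in self.rules:
            if r["proto"] not in ("all", proto):
                continue
            if ipaddress.ip_address(src) not in r["src"] or ipaddress.ip_address(dst) not in r["dst"]:
                continue
            if r["sports"] and sport not in r["sports"]:
                continue
            if r["dports"] and dport not in r["dports"]:
                continue
            return r["policy"]
        return self.default

def article_chain(netbios_allow="ipfwadm -I -a a -P tcp -S 111.222.123.221 -D 0.0.0.0/0 139"):
    """The article's four input rules; the netbios allow rule is a parameter so the
    source-port and destination-port spellings can be compared."""
    chain = InputChain()
    chain.run("ipfwadm -I -i a -S 127.0.0.1")
    chain.run("ipfwadm -I -a d -S 123.34.22.0/255.255.255.0")
    chain.run(netbios_allow)
    chain.run("ipfwadm -I -a d -P tcp -D 0.0.0.0/0 139")
    return chain

if __name__ == "__main__":
    # constructed packets: (proto, src, sport, dst, dport); 10.1.1.1 stands for this host
    for pkt in [("tcp", "111.222.123.221", 1025, "10.1.1.1", 139),
                ("tcp", "203.0.113.5", 1025, "10.1.1.1", 139),
                ("tcp", "123.34.22.9", 1025, "10.1.1.1", 80)]:
        print(pkt, "->", article_chain().decide(*pkt))
```

Swapping in the literal `-S 111.222.123.221 139` form turns the permitted client's verdict from accept into deny, which is the kind of silent lock-out that is worth testing against a model before the rule is loaded into a kernel.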
The main site is maintained by Miguel Angel Sepulveda. © Javi Polo 1998, LinuxFocus 1998