linux及案例security安全第四天

NSDSecurityHTTPSTLS/SSL構(gòu)建HTTPS使用openssl為服務(wù)器創(chuàng)建CSR簽發(fā)申將CSR申請(qǐng)?zhí)峤唤oCA服務(wù)器簽署，簽發(fā)好的數(shù)字文配置實(shí)現(xiàn)強(qiáng)制跳轉(zhuǎn)的HTTPS服采用兩臺(tái)RHEL6虛擬機(jī)，其中svr5作為CA服務(wù)器，而www作為測試用的服務(wù)器。另外準(zhǔn)備一臺(tái)pc120作為的Windows測試機(jī)，如圖-1所示。步驟一：使用openssl為服務(wù)器創(chuàng)建CSR簽發(fā)申[root@www~]#cd/etc/pki/tls/private/[root@wwwprivate]#opensslgenrsa2048 GeneratingRSAprivatekey,2048bitlong eis65537[root@wwwprivate]#od[root@wwwprivate]#>opensslreq-new- > YouareabouttobeaskedtoenterinformationthatwillbeintoyourWhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraTherearequiteafewfieldsbutyoucanleavesomeForsomefieldstherewillbeadefaultIfyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)StateorProvinceName(fullname)LocalityName(eg,city)[DefaultOrganizationName )[Default]:TarenaTechnologyOrganizationalUnitName(eg,section)CommonName(eg,yournameoryourserver'shostname)Address[]:wePleaseenterthefollowing'extra'tobesentwithyourAchallengepasswordAn name[root@www步驟二：將CSR申請(qǐng)?zhí)峤唤oCA服務(wù)器簽署，簽發(fā)好的數(shù)字文[root@svr5~]#scp root@20's100%10581.0KB/s[root@svr5~]#opensslreq- -noout //查看請(qǐng)Request:Version:0 ,ST=Beijing,L=Beijing,O=TarenaTechnology/SubjectPublicKeyPublicKeyAlgorithm:Public-Key:(2048..SignatureAlgorithm:..在CA服務(wù)器svr5上，簽署并發(fā)布文正式簽署www服務(wù)器的CSR請(qǐng)求，生成文件。然后將文件給www服務(wù)器，此例中仍通過httpd服務(wù)提供。[root@svr5~]#cd[root@svr5certs]#opensslca-in Usingconfigurationfrom Enterpassphrasefor/etc/pki/CA/private/my- CheckthattherequestmatchestheSignatureDetails:SerialNumber:6NotBefore:Aug1906:48:142013NotAfter:Aug1906:48:142014countryName=stateOrProvinceName=organizationName=TarenaTechnologycommonNameAddress=we..istobecertifieduntilAug1906:48:142014GMT(365days)Signthe?[y/n]:youtof1requestscertified,commit?Writeoutdatabasewith1newDataBase[root@svr5certs]#cp //到Web3）在www服務(wù)器上，CA服務(wù)器簽發(fā)好的文件[root@wwwprivate]#cd[root@wwwcerts]#wget..2015-05-1714:55:59(270MB/s)-已保存 ”步驟三：配置實(shí)現(xiàn)強(qiáng)制跳轉(zhuǎn)的HTTPS服[root@www~]#ls-lh-rw1rootroot1.7K81914:13[root@www~]#ls-lh-rw-r--r1rootroot4.6K81914:51https://的設(shè)置[root@www~]#yum-yinstallhttpd..[root@www~]#vimLoadModulessl_moduleListen..<VirtualHost_defaultSSLEngine..SSLFile SSLKeyFile ..RewriteEngine RewriteCond%{SERVER_PORT} RewriteRule(.*)https://%{SERVER_NAME}/$1 [root@www~]#vim Include[root@www~]#servicehttpdhttpdhttpd：[root@www~]#netstat-anpt|greptcp00:::80:::*LISTENtcp00:::443:::*LISTEN在測試機(jī)pc120上，可以從瀏覽器直接 自動(dòng)跳轉(zhuǎn)為http 定”即可，如圖-2所示。圖-另外，由于這個(gè)的是企業(yè)自建CA頒發(fā)的，而并不是由互聯(lián)網(wǎng)中合法、可信的CA機(jī)構(gòu)所頒發(fā)，因此會(huì)出現(xiàn)關(guān)于問題的安全警報(bào)，如圖-3所示，單擊“是”即可。圖-圖-郵件TLS/SSLSMTP（postfix）TLS/SSLdovecotPOP3s+IMAPS使用兩臺(tái)RHEL6機(jī)，其中svr5CAmail測試Postfix+Dovecot郵件服務(wù)器。另外準(zhǔn)備一臺(tái)pc120作為收發(fā)郵件的Windows測試機(jī)，安裝郵件客戶端軟件OutlookExpressOutlook2010，如圖-5圖-步驟一：準(zhǔn)備一個(gè)簡單的Postfix+Dovecot郵件服務(wù)器，支持SMTP認(rèn)[root@www~]#yum-yinstallpostfixdovecotcyrus-..[root@www~]#vimpwcheck_method:mech_list:in[root@www~]#servicesaslauthdstart;chkconfigsaslauthdsaslauthd[root@www~]#useradd[root@www~]#echo123456|passwd--stdin更改用戶mickeyy的passwd：所有的驗(yàn)證令牌已經(jīng)成功更新[root@www~]#useradd[root@www~]#echo123456|passwd--stdin更改用戶minnie的passwd：所有的驗(yàn)證令牌已經(jīng)成功更新[root@mail~]#cd[root@mailpostfix]#cpmain.cf[root@mailpostfix]#vim..myhostnamemymyorigin=inet_interfaces=mydestination=$myhostname,localhost.$my,localhost,mynetworks=home_mailbox smtpd_sasl_auth_enable=smtpd_sasl_security_options=smtpd_recipient_restrictions[root@mailpostfix]#servicepostfixstart;chkconfigpostfixpostfix：[root@mailpostfix]#netstat-anpt|greptcp00::*LISTEN[root@maildovecot]#vim/etc/dovecot/conf.d/10-mail_location ..[root@maildovecot]#vim/etc/dovecot/conf.d/10-..ssl= #ssl_cert #ssl_key=[root@mailpostfix]#servicedovecotstart;chkconfigdovecotDovecotImap：[root@mailpostfix]#netstat-anpt|greptcp00:1:*LISTENtcp00:14:*LISTEN[root@mail~]#echo"oMickey"|mail-s"TestMail[root@mail~]#cat Return-Path: Delivered-Received: (Postfix,fromuserid EA;Mon,19Aug2013 Date:Mon,19Aug2013Subject:TestMailUser-Agent:Heirloommailx12.4MIME-Version:Content-Type:text/in;charset=us-Content-Transfer-Encoding:Message-Id: o步驟二：創(chuàng)建CSR簽發(fā)申請(qǐng)，提交給CA服務(wù)器簽署，簽署后中也不好配置）[root@mail~]#cd[root@mailprivateopensslgenrsa2048 GeneratingRSAprivatekey,2048bitlong eis65537[root@mailprivate]#od600CSRCA[root@mailprivate]#opensslreq-new-keymail.key>YouareabouttobeaskedtoenterinformationthatwillbeintoyourWhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraTherearequiteafewfieldsbutyoucanleavesomeForsomefieldstherewillbeadefaultIfyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)StateorProvinceName(fullname)LocalityName(eg,city)[DefaultOrganizationName )[Default]:TarenaTechnologyOrganizationalUnitName(eg,section)CommonName(eg,yournameoryourserver'shostname)Address[]:posPleaseenterthefollowing'extra'tobesentwithyourAchallengepasswordAn name服務(wù)提供[root@svr5~]#scp20:/root/mail.csrroot@20'smail.csr100%10621.0KB/s[root@svr5~]#cd[root@svr5certs]#opensslca-in~/mail.csr Usingconfigurationfrom Enterpassphrasefor/etc/pki/CA/private/my- CheckthattherequestmatchestheSignatureDetails:..istobecertifieduntilAug1908:31:122014GMT(365days)Signthe?[y/n]:y16.1outof1requestscertified,commit?Writeoutdatabasewith1newDataBase[root@svr5certs]#cpmail.crt/var/www/html/certs/ //到Web4）在mail服務(wù)器上，簽發(fā)好的文件，確認(rèn)私鑰、的存放路徑[root@mail~]#cd[root@mailcerts]#..2015-05-1716:35:27(300MB/s)mail.crt”[root@mailcerts]#ls-lh-rw-r--r1rootroot4.6K81916:32[root@mailcerts]#ls-lh-rw1rootroot1.7K81916:22步驟三：分別為postfix、dovecot添加TLS/SSL加密通信支TLS/SSL[root@svr5~]#..smtpd_use_tls=#smtpd_tls_auth_only smtpd_tls_key_file=smtpd_tls_cert_file=#smtpd_tls_loglevel [root@mail~]#servicepostfixpostfix：[root@mail~]#vim/etc/dovecot/conf.d/10-..ssl=#ssl_cert=#ssl_key=ssl_cert=ssl_key=[root@mail~]#netstat-anpt|greptcp00:1:*LISTENtcp00:14:*LISTENtcp00:99:*LISTENtcp00:99:*LISTEN[root@mail~]#vim/etc/dovecot/conf.d/10-inet_listenerimapport= }inet_listenerpop3port= }步驟四：在郵件客戶端（OutlookExpress）設(shè)置好電子郵件地址、用戶賬號(hào)、收發(fā)信服務(wù)器等屬性。接收郵件選POP3或IMAP，勾選安全連接（SSL），如圖-6圖- 次發(fā)送郵件時(shí)會(huì)出現(xiàn)安全提示，如圖-7所示，選“是”繼續(xù)即可。圖-圖-NMAP使用EtterCAP截獲明文通信的、檢測非加密通信的脆弱使用Tcpdump分析FTP中的明文交換信使用兩臺(tái)RHEL6虛擬機(jī)，其中svr5作為掃描、、抓包的操作用機(jī)，而mail作為測試用的靶Windowspc120，也可以作為靶機(jī)，如圖-9圖-步驟一：使用NMAP掃描來獲取指定主機(jī)/網(wǎng)段的相關(guān)信[root@svr5~]#nmapStartingNmap5.51()at2015-05-1717:55NmapscanreportforHostisup(0.00028sNotshown:990closedPORTSTATE21/tcpopen22/tcpopen25/tcpopen80/tcpopen110/tcpopen111/tcpopen143/tcpopen443/tcpopen993/tcpopen995/tcpopenMACAddress:00:0C:29:74:BE:21Nmapdone:1IPaddress(1hostup)scannedin1.31seconds2）/24FTP、SSH[root@svr5~]#nmap-p21-22StartingNmap5.51()at2015-05-1718:00NmapscanreportforHostisup(0.000025sPORTSTATE21/tcpopen22/tcpopensshNmapscanreportforHostisPORTSTATE21/tcpfiltered22/tcpfilteredsshNmapscanreportforHostisup(0.00052sPORTSTATE21/tcpopen22/tcpopenMACAddress:00:0C:29:74:BE:21Nmapscanreport Hostisup(0.00038sPORTSTATE21/tcpclosed22/tcpclosedMACAddress:00:50:56:C0:00:01NmapscanreportforHostisup(0.00051sPORTSTATE21/tcpclosed22/tcpclosedMACAddress:00:0C:29:DB:84:46Nmapdone:256IPaddresses(5hostsup)scannedin4.88seconds3）檢查/24網(wǎng)段內(nèi)哪些主機(jī)可以通[root@svr5~]#nmap-n-sPStartingNmap5.51()at2015-05-1718:01NmapscanreportforHostisNmapscanreportforHostisNmapscanreportforHostisup(0.00027sMACAddress:00:0C:29:74:BE:21NmapscanreportforHostisup(0.00016sMACAddress:00:50:56:C0:00:01NmapscanreportforHostisup(0.00046sMACAddress:00:0C:29:DB:84:46Nmapdone:256IPaddresses(5hostsup)scannedin3.57seconds4）00、20[root@svr5~]#nmap-AStartingNmap5.51()at2015-05-1718:03Nmapscanreportfor Hostisup(0.0016sNotshown:990closedPORTSTATESERVICE21/tcpopenftpvsftpd|ftp-anon:AnonymousFTPloginallowed(FTPcode|-rw-r--r--1001719Aug1713:33|-rw-r--r--100122Aug1305:27|drwxr-xr-x21404096Aug1309:07|-rw-rw-r--1505505170Aug1713:18tools-|_-rw-rw-r--1505505287Aug1713:22tools-22/tcpopensshOpenSSH5.3(protocol|ssh-hostkey:102486:be:d6:89:c1:2d:d9:1f:57:2f:66:d1:af:a8:d3:c6|_204816:0a:15:01:fa:bb:91:1d:cc:ab:68:17:58:f9:49:4f25/tcpopensmtpPostfix80/tcpopenhttpApachehttpd2.2.15((Red|_http-methods:NoAlloworPublicheaderinOPTIONSresponse(statuscode|http-title:302|_Didnotfollowredirect110/tcpopenpop3Dovecot|_pop3-capabilities:USERCAPAUIDLTOPOK(K)RESP-CODESPIPELININGSTLSSASL(111/tcpopen143/tcpopenimapDovecot|_imap-capabilities:LOGIN-REFERRALSSTARTTLSIMAP4rev1ENABLEAUTH=INLIL+IDLESASL-IRID443/tcpopenssl/httpApachehttpd2.2.15((Red|http-methods:Potentiallyriskymethods:|_See|_http-title:Sitedoesn'thaveatitle(text/html;charset=UTF-993/tcpopenssl/imapDovecot|_imap-capabilities:IMAP4rev1AUTH=INENABLEIDLIL+IDLESASL-IRLOGIN-995/tcpopenssl/pop3Dovecot|_pop3-capabilities:OK(K)CAPARESP-CODESUIDLPIPELININGUSERTOPSASL(MACAddress:00:0C:29:74:BE:21NoexactOSmatchesforhost(IfyouknowwhatOSisrunningonit,TCP/IPNetworkDistance:1ServiceInfo:Host: ;OS:UnixHOPRTT55.11.55msNmapscanreportfor Hostisup(0.00047sNotshown:997closedPORTSTATESERVICE135/tcpopenmsrpcWindows139/tcpopennetbios-445/tcpopen-dsWindows MACAddress:00:0C:29:DB:84:46Devicetype:generalRunning:WindowsOSdetails:WindowsXPSP2-NetworkDistance:1ServiceInfo:OS:WindowsHostscript|_nbstat:NetBIOSname:PC-201307130328,NetBIOSuser:<unknown>,NetBIOSMAC:00:0c:29:db:84:46(VMware)|_smbv2-enabled:Serverdoesn'tsupportSMBv2|smb-os-|OS:WindowsXP(Windows2000LAN|Name:WORKGROUP\PC-|_Systemtime:2015-05-1718:04:40HOPRTT81.10.47msOSandServicedetectionperformed.Pleasereportanyincorrectresults.Nmapdone:2IPaddresses(2hostsup)scannedin43.01步驟二：使用EtterCAP截獲明文通信的，檢測非加密通信的脆弱[root@svr5~]#cd[root@svr5~]#rpm-ivhlibnet-1.1.5->ettercap-0.7.5- warning:libnet-1.1.5-1.el6.x86_64.rpm:HeaderV3RSA/SHA256Signature,keyID0608b895:NOKEYPreparing...###########################################1:libnet###########################################[2:ettercap###########################################EtterCAP工具令行模執(zhí)行ettercap命令，主機(jī)20與主機(jī)00的FTP服務(wù)（21端口）之間的數(shù)據(jù)通信，收集用戶名、信息。[root@svr5~]#ettercap-Tzq/00//21ettercap0.7.5copyright2001-2012EttercapDevelopmentListeningeth0->SSLdissectionneedsavalid mand_on'scriptintheetter.confPrivilegesdroppedtoUID65534GIDpluginec_sslstrip.socannotbe13.3014.40protocol15.55ports13861macvendor1766tcpOS2183knownStartingUnified //進(jìn)入標(biāo)準(zhǔn)狀TextonlyInterfaceHit'h'forinline圖-..TextonlyInterfaceHit'h'forinlinehelp5.FTP:20:21->USER:mickeyPASS:GNOMEettercapGSniffer”-->“UnifiedSniffer”，指定網(wǎng)卡eth0；然后添加兩個(gè)主機(jī)00、20作為目標(biāo)圖-步驟三：使用Tcpdump分析FTP中的明文交換信執(zhí)行tcpdump命令行，添加適當(dāng)?shù)倪^濾條件，只抓取主機(jī)00的21端口的數(shù)據(jù)通ASCII[root@svr5~]#tcpdump-Ahost00andtcpporttcpdump:verboseoutputsuppressed,use-vor-vvforfullprotocollisteningoneth0,link-typeEN10MB(Ethernet),capturesize65535 執(zhí)行FTP，并觀察tcpdump抓包結(jié)..18:47:25.964110IP20.novation>00.ftp:Flags[S],,win65535,options[mss1460,nop,wscale0,nop,nop,sackOK],length18:47:25.964268IP00.ftp>20.novation:Flags[S.],,ack ,win14600,options[mss1460,nop,nop,sackOK,nop,wscale6],length018:47:25.964436IP20.novation>00.ftp:Flags[.],ack1,65535,lengthE..(..@.@..18:47:25.967592IP00.ftp>20.novation:Flags[P.],seqack1,win229,lengthE..<FJ@.@.jE...d...x...*.1BbG.\cP...V...220(vsFTPd18:47:26.117057IP20.novation>00.ftp:Flags[.],ackwin65515,length18:47:27.960530IP20.novation>00.ftp:Flags[P.],seqack2