linux及案例security安全第四天

NSDSecurityHTTPSTLS/SSL构建HTTPS使用openssl为服务器创建CSR签发申将CSR申请提交给CA服务器签署，签发好的数字文配置实现强制跳转的HTTPS服采用两台RHEL6虚拟机，其中svr5作为CA服务器，而www作为测试用的服务器。另外准备一台pc120作为的Windows测试机，如图-1所示。步骤一：使用openssl为服务器创建CSR签发申[root@www~]#cd/etc/pki/tls/private/[root@wwwprivate]#opensslgenrsa2048 GeneratingRSAprivatekey,2048bitlong eis65537[root@wwwprivate]#od[root@wwwprivate]#>opensslreq-new- > YouareabouttobeaskedtoenterinformationthatwillbeintoyourWhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraTherearequiteafewfieldsbutyoucanleavesomeForsomefieldstherewillbeadefaultIfyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)StateorProvinceName(fullname)LocalityName(eg,city)[DefaultOrganizationName )[Default]:TarenaTechnologyOrganizationalUnitName(eg,section)CommonName(eg,yournameoryourserver'shostname)Address[]:wePleaseenterthefollowing'extra'tobesentwithyourAchallengepasswordAn name[root@www步骤二：将CSR申请提交给CA服务器签署，签发好的数字文[root@svr5~]#scp root@20's100%10581.0KB/s[root@svr5~]#opensslreq- -noout //查看请Request:Version:0 ,ST=Beijing,L=Beijing,O=TarenaTechnology/SubjectPublicKeyPublicKeyAlgorithm:Public-Key:(2048..SignatureAlgorithm:..在CA服务器svr5上，签署并发布文正式签署www服务器的CSR请求，生成文件。然后将文件给www服务器，此例中仍通过httpd服务提供。[root@svr5~]#cd[root@svr5certs]#opensslca-in Usingconfigurationfrom Enterpassphrasefor/etc/pki/CA/private/my- CheckthattherequestmatchestheSignatureDetails:SerialNumber:6NotBefore:Aug1906:48:142013NotAfter:Aug1906:48:142014countryName=stateOrProvinceName=organizationName=TarenaTechnologycommonNameAddress=we..istobecertifieduntilAug1906:48:142014GMT(365days)Signthe?[y/n]:youtof1requestscertified,commit?Writeoutdatabasewith1newDataBase[root@svr5certs]#cp //到Web3）在www服务器上，CA服务器签发好的文件[root@wwwprivate]#cd[root@wwwcerts]#wget..2015-05-1714:55:59(270MB/s)-已保存 ”步骤三：配置实现强制跳转的HTTPS服[root@www~]#ls-lh-rw1rootroot1.7K81914:13[root@www~]#ls-lh-rw-r--r1rootroot4.6K81914:51https://的设置[root@www~]#yum-yinstallhttpd..[root@www~]#vimLoadModulessl_moduleListen..<VirtualHost_defaultSSLEngine..SSLFile SSLKeyFile ..RewriteEngine RewriteCond%{SERVER_PORT} RewriteRule(.*)https://%{SERVER_NAME}/$1 [root@www~]#vim Include[root@www~]#servicehttpdhttpdhttpd：[root@www~]#netstat-anpt|greptcp00:::80:::*LISTENtcp00:::443:::*LISTEN在测试机pc120上，可以从浏览器直接 自动跳转为http 定”即可，如图-2所示。图-另外，由于这个的是企业自建CA颁发的，而并不是由互联网中合法、可信的CA机构所颁发，因此会出现关于问题的安全警报，如图-3所示，单击“是”即可。图-图-邮件TLS/SSLSMTP（postfix）TLS/SSLdovecotPOP3s+IMAPS使用两台RHEL6机，其中svr5CAmail测试Postfix+Dovecot邮件服务器。另外准备一台pc120作为收发邮件的Windows测试机，安装邮件客户端软件OutlookExpressOutlook2010，如图-5图-步骤一：准备一个简单的Postfix+Dovecot邮件服务器，支持SMTP认[root@www~]#yum-yinstallpostfixdovecotcyrus-..[root@www~]#vimpwcheck_method:mech_list:in[root@www~]#servicesaslauthdstart;chkconfigsaslauthdsaslauthd[root@www~]#useradd[root@www~]#echo123456|passwd--stdin更改用户mickeyy的passwd：所有的验证令牌已经成功更新[root@www~]#useradd[root@www~]#echo123456|passwd--stdin更改用户minnie的passwd：所有的验证令牌已经成功更新[root@mail~]#cd[root@mailpostfix]#cpmain.cf[root@mailpostfix]#vim..myhostnamemymyorigin=inet_interfaces=mydestination=$myhostname,localhost.$my,localhost,mynetworks=home_mailbox smtpd_sasl_auth_enable=smtpd_sasl_security_options=smtpd_recipient_restrictions[root@mailpostfix]#servicepostfixstart;chkconfigpostfixpostfix：[root@mailpostfix]#netstat-anpt|greptcp00::*LISTEN[root@maildovecot]#vim/etc/dovecot/conf.d/10-mail_location ..[root@maildovecot]#vim/etc/dovecot/conf.d/10-..ssl= #ssl_cert #ssl_key=[root@mailpostfix]#servicedovecotstart;chkconfigdovecotDovecotImap：[root@mailpostfix]#netstat-anpt|greptcp00:1:*LISTENtcp00:14:*LISTEN[root@mail~]#echo"oMickey"|mail-s"TestMail[root@mail~]#cat Return-Path: Delivered-Received: (Postfix,fromuserid EA;Mon,19Aug2013 Date:Mon,19Aug2013Subject:TestMailUser-Agent:Heirloommailx12.4MIME-Version:Content-Type:text/in;charset=us-Content-Transfer-Encoding:Message-Id: o步骤二：创建CSR签发申请，提交给CA服务器签署，签署后中也不好配置）[root@mail~]#cd[root@mailprivateopensslgenrsa2048 GeneratingRSAprivatekey,2048bitlong eis65537[root@mailprivate]#od600CSRCA[root@mailprivate]#opensslreq-new-keymail.key>YouareabouttobeaskedtoenterinformationthatwillbeintoyourWhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraTherearequiteafewfieldsbutyoucanleavesomeForsomefieldstherewillbeadefaultIfyouenter'.',thefieldwillbeleftblank.CountryName(2lettercode)StateorProvinceName(fullname)LocalityName(eg,city)[DefaultOrganizationName )[Default]:TarenaTechnologyOrganizationalUnitName(eg,section)CommonName(eg,yournameoryourserver'shostname)Address[]:posPleaseenterthefollowing'extra'tobesentwithyourAchallengepasswordAn name服务提供[root@svr5~]#scp20:/root/mail.csrroot@20'smail.csr100%10621.0KB/s[root@svr5~]#cd[root@svr5certs]#opensslca-in~/mail.csr Usingconfigurationfrom Enterpassphrasefor/etc/pki/CA/private/my- CheckthattherequestmatchestheSignatureDetails:..istobecertifieduntilAug1908:31:122014GMT(365days)Signthe?[y/n]:y16.1outof1requestscertified,commit?Writeoutdatabasewith1newDataBase[root@svr5certs]#cpmail.crt/var/www/html/certs/ //到Web4）在mail服务器上，签发好的文件，确认私钥、的存放路径[root@mail~]#cd[root@mailcerts]#..2015-05-1716:35:27(300MB/s)mail.crt”[root@mailcerts]#ls-lh-rw-r--r1rootroot4.6K81916:32[root@mailcerts]#ls-lh-rw1rootroot1.7K81916:22步骤三：分别为postfix、dovecot添加TLS/SSL加密通信支TLS/SSL[root@svr5~]#..smtpd_use_tls=#smtpd_tls_auth_only smtpd_tls_key_file=smtpd_tls_cert_file=#smtpd_tls_loglevel [root@mail~]#servicepostfixpostfix：[root@mail~]#vim/etc/dovecot/conf.d/10-..ssl=#ssl_cert=#ssl_key=ssl_cert=ssl_key=[root@mail~]#netstat-anpt|greptcp00:1:*LISTENtcp00:14:*LISTENtcp00:99:*LISTENtcp00:99:*LISTEN[root@mail~]#vim/etc/dovecot/conf.d/10-inet_listenerimapport= }inet_listenerpop3port= }步骤四：在邮件客户端（OutlookExpress）设置好电子邮件地址、用户账号、收发信服务器等属性。接收邮件选POP3或IMAP，勾选安全连接（SSL），如图-6图- 次发送邮件时会出现安全提示，如图-7所示，选“是”继续即可。图-图-NMAP使用EtterCAP截获明文通信的、检测非加密通信的脆弱使用Tcpdump分析FTP中的明文交换信使用两台RHEL6虚拟机，其中svr5作为扫描、、抓包的操作用机，而mail作为测试用的靶Windowspc120，也可以作为靶机，如图-9图-步骤一：使用NMAP扫描来获取指定主机/网段的相关信[root@svr5~]#nmapStartingNmap5.51()at2015-05-1717:55NmapscanreportforHostisup(0.00028sNotshown:990closedPORTSTATE21/tcpopen22/tcpopen25/tcpopen80/tcpopen110/tcpopen111/tcpopen143/tcpopen443/tcpopen993/tcpopen995/tcpopenMACAddress:00:0C:29:74:BE:21Nmapdone:1IPaddress(1hostup)scannedin1.31seconds2）/24FTP、SSH[root@svr5~]#nmap-p21-22StartingNmap5.51()at2015-05-1718:00NmapscanreportforHostisup(0.000025sPORTSTATE21/tcpopen22/tcpopensshNmapscanreportforHostisPORTSTATE21/tcpfiltered22/tcpfilteredsshNmapscanreportforHostisup(0.00052sPORTSTATE21/tcpopen22/tcpopenMACAddress:00:0C:29:74:BE:21Nmapscanreport Hostisup(0.00038sPORTSTATE21/tcpclosed22/tcpclosedMACAddress:00:50:56:C0:00:01NmapscanreportforHostisup(0.00051sPORTSTATE21/tcpclosed22/tcpclosedMACAddress:00:0C:29:DB:84:46Nmapdone:256IPaddresses(5hostsup)scannedin4.88seconds3）检查/24网段内哪些主机可以通[root@svr5~]#nmap-n-sPStartingNmap5.51()at2015-05-1718:01NmapscanreportforHostisNmapscanreportforHostisNmapscanreportforHostisup(0.00027sMACAddress:00:0C:29:74:BE:21NmapscanreportforHostisup(0.00016sMACAddress:00:50:56:C0:00:01NmapscanreportforHostisup(0.00046sMACAddress:00:0C:29:DB:84:46Nmapdone:256IPaddresses(5hostsup)scannedin3.57seconds4）00、20[root@svr5~]#nmap-AStartingNmap5.51()at2015-05-1718:03Nmapscanreportfor Hostisup(0.0016sNotshown:990closedPORTSTATESERVICE21/tcpopenftpvsftpd|ftp-anon:AnonymousFTPloginallowed(FTPcode|-rw-r--r--1001719Aug1713:33|-rw-r--r--100122Aug1305:27|drwxr-xr-x21404096Aug1309:07|-rw-rw-r--1505505170Aug1713:18tools-|_-rw-rw-r--1505505287Aug1713:22tools-22/tcpopensshOpenSSH5.3(protocol|ssh-hostkey:102486:be:d6:89:c1:2d:d9:1f:57:2f:66:d1:af:a8:d3:c6|_204816:0a:15:01:fa:bb:91:1d:cc:ab:68:17:58:f9:49:4f25/tcpopensmtpPostfix80/tcpopenhttpApachehttpd2.2.15((Red|_http-methods:NoAlloworPublicheaderinOPTIONSresponse(statuscode|http-title:302|_Didnotfollowredirect110/tcpopenpop3Dovecot|_pop3-capabilities:USERCAPAUIDLTOPOK(K)RESP-CODESPIPELININGSTLSSASL(111/tcpopen143/tcpopenimapDovecot|_imap-capabilities:LOGIN-REFERRALSSTARTTLSIMAP4rev1ENABLEAUTH=INLIL+IDLESASL-IRID443/tcpopenssl/httpApachehttpd2.2.15((Red|http-methods:Potentiallyriskymethods:|_See|_http-title:Sitedoesn'thaveatitle(text/html;charset=UTF-993/tcpopenssl/imapDovecot|_imap-capabilities:IMAP4rev1AUTH=INENABLEIDLIL+IDLESASL-IRLOGIN-995/tcpopenssl/pop3Dovecot|_pop3-capabilities:OK(K)CAPARESP-CODESUIDLPIPELININGUSERTOPSASL(MACAddress:00:0C:29:74:BE:21NoexactOSmatchesforhost(IfyouknowwhatOSisrunningonit,TCP/IPNetworkDistance:1ServiceInfo:Host: ;OS:UnixHOPRTT55.11.55msNmapscanreportfor Hostisup(0.00047sNotshown:997closedPORTSTATESERVICE135/tcpopenmsrpcWindows139/tcpopennetbios-445/tcpopen-dsWindows MACAddress:00:0C:29:DB:84:46Devicetype:generalRunning:WindowsOSdetails:WindowsXPSP2-NetworkDistance:1ServiceInfo:OS:WindowsHostscript|_nbstat:NetBIOSname:PC-201307130328,NetBIOSuser:<unknown>,NetBIOSMAC:00:0c:29:db:84:46(VMware)|_smbv2-enabled:Serverdoesn'tsupportSMBv2|smb-os-|OS:WindowsXP(Windows2000LAN|Name:WORKGROUP\PC-|_Systemtime:2015-05-1718:04:40HOPRTT81.10.47msOSandServicedetectionperformed.Pleasereportanyincorrectresults.Nmapdone:2IPaddresses(2hostsup)scannedin43.01步骤二：使用EtterCAP截获明文通信的，检测非加密通信的脆弱[root@svr5~]#cd[root@svr5~]#rpm-ivhlibnet-1.1.5->ettercap-0.7.5- warning:libnet-1.1.5-1.el6.x86_64.rpm:HeaderV3RSA/SHA256Signature,keyID0608b895:NOKEYPreparing...###########################################1:libnet###########################################[2:ettercap###########################################EtterCAP工具令行模执行ettercap命令，主机20与主机00的FTP服务（21端口）之间的数据通信，收集用户名、信息。[root@svr5~]#ettercap-Tzq/00//21ettercap0.7.5copyright2001-2012EttercapDevelopmentListeningeth0->SSLdissectionneedsavalid mand_on'scriptintheetter.confPrivilegesdroppedtoUID65534GIDpluginec_sslstrip.socannotbe13.3014.40protocol15.55ports13861macvendor1766tcpOS2183knownStartingUnified //进入标准状TextonlyInterfaceHit'h'forinline图-..TextonlyInterfaceHit'h'forinlinehelp5.FTP:20:21->USER:mickeyPASS:GNOMEettercapGSniffer”-->“UnifiedSniffer”，指定网卡eth0；然后添加两个主机00、20作为目标图-步骤三：使用Tcpdump分析FTP中的明文交换信执行tcpdump命令行，添加适当的过滤条件，只抓取主机00的21端口的数据通ASCII[root@svr5~]#tcpdump-Ahost00andtcpporttcpdump:verboseoutputsuppressed,use-vor-vvforfullprotocollisteningoneth0,link-typeEN10MB(Ethernet),capturesize65535 执行FTP，并观察tcpdump抓包结..18:47:25.964110IP20.novation>00.ftp:Flags[S],,win65535,options[mss1460,nop,wscale0,nop,nop,sackOK],length18:47:25.964268IP00.ftp>20.novation:Flags[S.],,ack ,win14600,options[mss1460,nop,nop,sackOK,nop,wscale6],length018:47:25.964436IP20.novation>00.ftp:Flags[.],ack1,65535,lengthE..(..@.@..18:47:25.967592IP00.ftp>20.novation:Flags[P.],seqack1,win229,lengthE..<FJ@.@.jE...d...x...*.1BbG.\cP...V...220(vsFTPd18:47:26.117057IP20.novation>00.ftp:Flags[.],ackwin65515,length18:47:27.960530IP20.novation>00.ftp:Flags[P.],seqack2