|
临到下班,突然冒出来一个任务,说是甲方验收需要提供主机安全测试报告,我滴娘呀,这东西从来都没有做过呀,唉,苦逼的乙方呀。就像《辣手神探》中梁朝伟跟发哥说的台词一样:“枪在你手上,你就是要我抓头牛过来挤奶给你喝我也得照做啊。”真还不如去抓头奶牛呢。得,牢骚发完了,想法子吧。
最初搜到一个方法:OpenVAS。看看介绍:OpenVAS是开放式漏洞评估系统,也可以说它是一个包含着相关工具的网络扫描器。其核心部件是一个服务器,包括一套网络漏洞测试程序,可以检测远程系统和应用程序中的安全问题
用户需要一种自动测试的方法,并确保正在运行一种最恰当的最新测试。OpenVAS包括一个中央服务器和一个图形化的前端。这个服务器准许用户运行几种不同的网络漏洞测试(以Nessus攻击脚本语言编写),而且OpenVAS可以经常对其进行更新。OpenVAS所有的代码都符合GPL规范。
下载:http://www.openvas.org/install-packages.html#openvas_windows_gb
再仔细看看,需要客户端和服务器端,最省事的方案是先装一个backtrack5,然后apt-get install一个openvas,然后再去做那堆配置,但是现在没硬件没backtrack5,配置看起来也很折腾人,搞完都不知道啥时候了。两天后就要出报告,这个方法不行,光是走流程申请硬件就不知道什么时候能够到位。
立刻搜索其他方法,找到了一个简易的法子。
看简介: Project information Rootkit scanner is scanning tool to ensureyou for about 99.9%* you're clean of nasty tools. This tool scans for rootkits,backdoors and local exploits by running tests like:
- MD5 hash compare - Look for default files used by rootkits - Wrong file permissions for binaries - Look for suspected strings in LKM and KLDmodules - Look for hidden files - Optional scan within plaintext and binaryfiles
Rootkit Hunter is released as GPL licensedproject and free for everyone to use. * No, not really 99.9%.. It's just anothersecurity layer
解释:简单的说就是安全扫描的,做系统中重要文件的MD5值比对、检查rootkit经常攻击的档案、检查可执行文件的权限是否正常、检查隐藏档案、检查可疑的核心模组(LKM/KLD)、作业系统的特殊检测、检查已启动的监听埠号和特定分析等等功能。
System requirements: - Compatible operating system (see'Supported operating systems') - Bourne Again Shell (BASH)
Supported operating systems Supported: - Most Linux distributions - Most *BSD distributions
Currently unsupported: - NetBSD
Tested on: - AIX 4.1.5 / 4.3.3 - ALT Linux - Aurora Linux - CentOS 3.1 / 4.0 - Conectiva Linux 6.0 - Debian 3.x - FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 /4.10 - FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3 - Fedora Core 1 / Core 2 / Core 3 - Gentoo 1.4, 2004.0, 2004.1 - Macintosh OS 10.3.4-10.3.8 - Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 /10.1 - OpenBSD 3.4 / 3.5 - Red Hat Linux 7.0-7.3 / 8 / 9 - Red Hat Enterprise Linux 2.1 / 3.0 - Slackware 9.0 / 9.1 / 10.0 / 10.1 - SME 6.0 - Solaris (SunOS) - SuSE 7.3 / 8.0-8.2 / 9.0-9.2 - Ubuntu - Yellow Dog Linux 3.0 / 3.01
Confirmed to work also on: - CLFS - DaNix (Debian clone) - PCLinuxOS - VectorLinux SOHO 3.2 / 4.0 - CPUBuilders Linux - Virtuozzo (VPS)
看看系统需求,还好我这次是测试的ubuntu系统的主机,bash?当然有啦。嘿嘿,那看来可以开工了。
rkhunter 下載點: http://download.iyunv.com/detail/testingba/5102767
安装和使用示例: 安装步骤:
mkdir hostscan
cd /home/myname/hostscan
sudo tar -zxvf rkhunter-1.4.0.tar.gz
cd rkhunter-1.4.0
#看看/usr/local是否存在,通常都有的
ls -l /usr/local
sudo ./installer.sh --layout /usr/local –install
使用方法示例:
sudo /usr/local/bin/rkhunter --check --logfile /home/myname/hostscan/rkhunter-1.4.0/logfile.txt
|
参考信息: 安装参考:
Usage: ./installer.sh <parameters>
Ordered valid parameters:
--help (-h) : Show this help.
--examples : Show layout examples.
--layout <value> : Choose installation template.
The templates are:
- default: (FHS compliant; the default)
- /usr
- /usr/local
- oldschool: old version file locations
- custom: supply your own installation directory
- RPM: for building RPM's. Requires $RPM_BUILD_ROOT.
- DEB: for building DEB's. Requires $DEB_BUILD_ROOT.
- TGZ: for building Slackware TGZ's. Requires $TGZ_BUILD_ROOT.
- TXZ: for building Slackware TXZ's. Requires $TXZ_BUILD_ROOT.
--striproot : Strip path from custom layout (for package maintainers).
--install : Install according to chosen layout.
--overwrite : Overwrite the existing configuration file.
(Default is to create a separate configuration file.)
--show : Show chosen layout.
--remove : Uninstall according to chosen layout.
--version : Show the installer version.
| 安装和卸载的示例:
sudo ./installer.sh --examples
Rootkit Hunter installer
Examples:
1. Show layout, files in /usr:
installer.sh --layout /usr --show
2. Install in /usr/local:
installer.sh --layout /usr/local --install
3. Install in chosen (custom) directory /opt:
installer.sh --layout custom /opt --install
4. Install in temporary directory /tmp/rkhunter/usr/local,
with files in /usr/local (for package maintainers):
mkdir -p /tmp/rkhunter/usr/local
installer.sh --layout custom /tmp/rkhunter/usr/local \
--striproot /tmp/rkhunter --install
5. Remove files, layout /usr/local:
installer.sh --layout /usr/local –remove
|
扫描工具参考:
Usage: rkhunter {--check | --unlock | --update | --versioncheck |
--propupd [{filename | directory | package name},...] |
--list [{tests | {lang | languages} | rootkits | perl | propfiles}] |
--config-check | --version | --help} [options]
Current options are:
--append-log Append to the logfile, do not overwrite
--bindir <directory>... Use the specified command directories
-c, --check Check the local system
-C, --config-check Check the configuration file(s), then exit
--cs2, --color-set2 Use the second color set for output
--configfile <file> Use the specified configuration file
--cronjob Run as a cron job
(implies -c, --sk and --nocolors options)
--dbdir <directory> Use the specified database directory
--debug Debug mode
(Do not use unless asked to do so)
--disable <test>[,<test>...] Disable specific tests
(Default is to disable no tests)
--display-logfile Display the logfile at the end
--enable <test>[,<test>...] Enable specific tests
(Default is to enable all tests)
--hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 |
NONE | <command>} Use the specified file hash function
(Default is SHA1, then MD5)
-h, --help Display this help menu, then exit
--lang, --language <language> Specify the language to use
(Default is English)
--list [tests | languages | List the available test names, languages,
rootkits | perl | rootkit names, perl module status
propfiles] or file properties database, then exit
-l, --logfile [file] Write to a logfile
(Default is /var/log/rkhunter.log)
--noappend-log Do not append to the logfile, overwrite it
--nocf Do not use the configuration file entries
for disabled tests (only valid with --disable)
--nocolors Use black and white output
--nolog Do not write to a logfile
--nomow, --no-mail-on-warning Do not send a message if warnings occur
--ns, --nosummary Do not show the summary of check results
--novl, --no-verbose-logging No verbose logging
--pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or
SOLARIS | NONE} verify file property values. (Default is NONE)
--propupd [file | directory | Update the entire file properties database,
package]... or just for the specified entries
-q, --quiet Quiet mode (no output at all)
--rwo, --report-warnings-only Show only warning messages
--sk, --skip-keypress Don't wait for a keypress after each test
--summary Show the summary of system check results
(This is the default)
--syslog [facility.priority] Log the check start and finish times to syslog
(Default level is authpriv.notice)
--tmpdir <directory> Use the specified temporary directory
--unlock Unlock (remove) the lock file
--update Check for updates to database files
--vl, --verbose-logging Use verbose logging (on by default)
-V, --version Display the version number, then exit
--versioncheck Check for latest version of program
-x, --autox Automatically detect if X is in use
-X, --no-autox Do not automatically detect if X is in use
|
非常简单吧,至于那些警告,就慢慢翻资料吧。先对付过去再说,下次有空搭建一个openvas环境。
安全测试绝对是个吃力不讨好的活,防守始终被动,而且说不定对方是个大牛,你就算学了两年也未必扛得住。且不说要学习的东西特别多,就算你真做好了安全防御,不出事的话领导就觉得你是不是整天在玩呢,你要真那么强,领导说不定还怕你万一不爽了黑公司呢,出了事你铁定要背锅。所以同学们,可以多学,但是一定要少show,一定要低调。这个领域最好找个专业公司来背锅才是王道,离远点,安全第一。
| 
QQ群⑧:
窥视卡
雷达卡
发表于 2013-3-3 21:17:23
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡