Tuesday, January 31, 2012

Using rsync and SSH for snapshot-style incremental backups

Author: Stephan Jau
Based upon the works of: Falko Timme & Mike Rubel

Introduction

As neither humans nor computers are perfect (humans err / computers may fail) it is quite obvious that a good backup system will prevent too much damage once the computer may go down. This could be either because the hard drive is failing, because of hackers, because you accidentally deleted something important, ...

In this tutorial I will show you how to automate backups in an incremental snapshot-style way by using rsync.

1. Setting up rsync over SSH

First of all you need a running rsync server and client that connect to each other without being required to enter a password. More suitable even to have it run through SSH (you might transfer sensitive data). For this, Falko Timme has already written an excellent howto. You can find it here: Mirror Your Web Site With rsync. Since that howto is already excellent there's no point in writing another one about this subject. Follow this howto until Step 6 (6 Test rsync On mirror.example.com) and test whether your setup works.

As I will use two different methods of making these incremental snapshot-style backups it is necessary for one that the backup server can access the production server without being prompted for a password and for the other one it's vice-versa.

Note: In my case I do backup my data on a friend's server and he backs up his data on mine. So in my case I needed to set up both anyway.

2. Non-Rotating Backups

In this setup I will tell you how you just keep making backups without rotating them, hence never delete anything. For this setup it is mandatory that the production server can access the backup server without being prompted for a password.

Once you have ensured that your production server can connect to your backup server without being asked for a password then all you need is a small shell script and a cron job to actually accomplish the backup.

backup.sh (backup shell script)

    #!/bin/bash
    unset PATH

    # USER VARIABLES
    BACKUPDIR=/backup                        # Folder on the backup server
    KEY=/root/.ssh/id_rsa
    MYSQLUSER=root
    MYSQLPWD=**********************
    MYSQLHOST=localhost
    MYSQLBACKUPDIR=/mysql_backup
    BACKUP_USER=root@backup.server.com
    EXCLUDES=/backup/backup_exclude          # File containing excludes

    # PATH VARIABLES
    CP=/bin/cp;
    MK=/bin/mkdir;
    SSH=/usr/bin/ssh;
    DATE=/bin/date;
    RM=/bin/rm;
    GREP=/bin/grep;
    MYSQL=/usr/bin/mysql;
    MYSQLDUMP=/usr/bin/mysqldump;
    RSYNC=/usr/bin/rsync;
    TOUCH=/bin/touch;

    ###### -- DO NOT EDIT BELOW THIS HERE -- ######

    # CREATING CURRENT DATE/TIME
    NOW=`$DATE '+%Y-%m-%d_%H:%M'`
    MKDIR=$BACKUPDIR/$NOW/

    # CREATE MYSQL BACKUP
    # Remove existing backup dir
    $RM -Rf $MYSQLBACKUPDIR
    # Create new backup dir
    $MK $MYSQLBACKUPDIR
    # Dump new files (one .sql file per database)
    for i in $(echo 'SHOW DATABASES;' | $MYSQL -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST | $GREP -v '^Database$'); do
        $MYSQLDUMP \
            -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST \
            -Q -c -C --add-drop-table --add-locks --quick --lock-tables \
            $i > $MYSQLBACKUPDIR/$i.sql;
    done;

    # CREATE NEW BACKUP DIR (the timestamp folder on the backup server)
    $SSH -i $KEY $BACKUP_USER "$MK $MKDIR"

    # RUN RSYNC INTO CURRENT
    $RSYNC \
        -avz --delete --delete-excluded \
        --exclude-from="$EXCLUDES" \
        -e "$SSH -i $KEY" \
        / $BACKUP_USER:$BACKUPDIR/current;

    # UPDATE THE MTIME TO REFLECT THE SNAPSHOT TIME
    $SSH -i $KEY $BACKUP_USER "$TOUCH $BACKUPDIR/current"

    # MAKE HARD LINK COPY (files are linked, not copied, so unchanged files cost no space)
    $SSH -i $KEY $BACKUP_USER "$CP -al $BACKUPDIR/current/* $MKDIR"

Explanations:

The USER VARIABLES and PATH VARIABLES at the top of the script: just set the according variables. Not much explanation needed I think.

    # CREATING CURRENT DATE/TIME
    NOW=`$DATE '+%Y-%m-%d_%H:%M'`
    MKDIR=$BACKUPDIR/$NOW/
    [...]
    # CREATE NEW BACKUP DIR
    $SSH -i $KEY $BACKUP_USER "$MK $MKDIR"

This will create a current folder for the backup, YYYY-MM-DD_HH:MM - if you want to you can alter the format of this... I just think this is easy to read.

    # CREATE MYSQL BACKUP
    [...]

This will first remove all files in your previous mysql-backup-dir. Then it will re-create it (I chose to do it this way because one does not have to worry about an existing folder or not...). Then it will loop (as root) through all the databases and create an own .sql file for each database. You may want to adjust the parameters for the backup of the databases or you may just want to use a mysqldump --all-databases which is probably quicker than the looping. However I prefer having single .sql files for all DBs.

    # RUN RSYNC INTO CURRENT
    [...]
    # UPDATE THE MTIME TO REFLECT THE SNAPSHOT TIME
    [...]
    # MAKE HARD LINK COPY
    $SSH -i $KEY $BACKUP_USER "$CP -al $BACKUPDIR/current/* $MKDIR"

This now makes an incremental sync of the files of your production server to the backup server. It will all be stored in the "current" folder; afterwards it will create a hard link copy in the previously created new "timestamp" folder.

    --exclude-from="$EXCLUDES"
    EXCLUDES=/backup/backup_exclude

This will act as exclusion list for the backup. I attach here my current content of this file:

    /backup/
    /bin/
    /boot/
    /dev/
    /lib/
    /lost+found/
    /mnt/
    /opt/
    /proc/
    /sbin/
    /sys/
    /tmp/
    /usr/
    /var/log/
    /var/spool/
    /var/lib/php4/
    /var/lib/mysql/

The last thing now needed is a cron that will do all the backups. You can use something like this:

cron.txt (cron control file)

    # Make Backups
    0 0,6,12,18 * * * sh /backup/backup.sh

The above would make a backup every 6 hours.

Monday, January 30, 2012

Linux system security tools in detail

Security is one of the main concerns of a system administrator, and the danger posed by intrusions over the internet keeps growing.

According to statistics, as the number of users grows, the number of attackers grows with it; consequently the number of security tools is increasing exponentially. Thanks once again to the free software community, which provides us with the best tools available and extensive documentation. In the references section at the end of this article you will find many interesting links; obviously this article cannot mention everything, so I picked some good tools. This article was not written for the individual user but for system administrators, although some of the tools are designed specifically to protect hosts and others to improve network security. Most of the tools work on many UNIX systems (if not all of them), whether the UNIX is commercial or free. Finally, this article is not a "how to secure your network or host" article; it is an introduction to the tools you can (must) use to improve the security of a network or a machine.

1. General tools

Let us call this section "tools for white hats to protect red hats from black hats" :-). Most Linux distributions (not just Red Hat) ship with some good security tools that make your machine more secure. Among these tools we can count PAM, TCP Wrapper, the shadow password tools and so on. Because they are part of the distribution you can find a lot about them (HOWTOs, man pages, and so on), so we will not spend too much time on them.

Let us start with the shadow password tools. Simply put, they move the password hashes out of /etc/passwd into the /etc/shadow file, which only root can read. Beyond shadow passwords there is PAM which, as its name (Pluggable Authentication Modules) says, is another authentication mechanism used to configure access control for services. You can define many restrictions, and the files that hold them are easy to manage; they are usually placed in the /etc/pam.d directory.

TCP Wrapper, put simply, limits access to services by IP address or host name. It relies on two files to decide whether to allow or deny access: /etc/hosts.allow and /etc/hosts.deny. TCP Wrapper can be configured in two working modes: by running the daemon, or by modifying the /etc/inetd.conf file. If your unix system does not contain TCP Wrapper, you can get it from ftp://ftp.porcupine.org/pub/security/.

Now I will tell you why I am not going to describe the tools mentioned above in more detail: there is one tool that can do all of this for you, and that is Bastille-Linux. If you only want to install one security tool, install this one. The current common Linux distributions do not include it, but you can download it from the http://bastille-linux.sourceforge.net web site. By the way, we will not describe Bastille-Linux in this article either, because a colleague of mine already introduced all of it in a very good article in the September issue of LinuxFocus. Go take a look, and make Bastille-Linux an indispensable tool in your life! Another commonly used tool to increase security is xinetd, which lives at http://www.xinetd.org; sorry, I do not intend to introduce it either, because a colleague of mine did that job in the November issue of LinuxFocus.

Now, let's take a look at some special things.

2. Firewall tools

The free software that turns your Linux machine into a firewall is iptables for 2.2 kernels and ipfwadm for 2.0 kernels. For iptables or ipfwadm to work, the kernel must be compiled with the right options selected; apart from the HOWTOs there are many related articles on this subject, so I do not intend to cover it here. Simply put, we can think of a firewall as a packet filtering tool. The most important part of the work is the firewall configuration, and an improperly configured firewall can become very dangerous. Nevertheless, a firewall is important.

For example, Bastille-Linux can provide you with an ipchains firewall. If you visit http://www.linuxapps.com and type "firewall" in the search area, you get at least 40 answers; many of them are graphical interfaces for managing ipchains or ipfwadm, but there are also some really great tools with a lot of features, such as T.REX (http://www.opensourcefirewall.com). Once more: a firewall is indispensable in a network, but network security cannot rely on it alone; a hacker can break it within 15 minutes.

3. Port scanning

Here we reach the heart of the matter. The idea is to do what an attacker would do: use the same tools to find out where the weaknesses of your machine or network are. In this area we have two great tools, and we can benefit from several others. The first is called nmap, which you can download from http://www.insecure.org, where you will also find a lot of information and links. With nmap you can check which ports on your network or machine are open. Of course you can use other commands to do this, such as lsof or netstat, but with those you can only test your own machine; with nmap you can obviously check your own machine as well. Nmap can give you a lot of information: for example, it can tell you which operating system is running and warn you about dangerous open ports, and last but not least, nmap is fairly easy to use. Nmap runs from the shell or through a graphical interface called nmapfe, which is based on the GTK library. The current version of nmap is 2.53; it runs on many UNIX platforms and is provided as source code or as RPM packages, with or without the graphical interface. Nmap is an indispensable tool for system administration. I would like to thank Mr. Fyodor and congratulate him on his great work.

Sunday, January 29, 2012

Using rsync and SSH for snapshot-style incremental backups

3. Rotating Backups

In this setup I will tell you how you can make rotating backups, so that old ones will be deleted eventually. For this setup it is mandatory that the backup server can access the production server without being prompted for a password.

Once you have ensured that your backup server can connect to your production server without being asked for a password then all you need are a couple of small shell scripts and cron jobs to actually accomplish the backups. In detail this howto will make 4 backups per day, then 7 backups per week (1 per day) and 4 backups per month (1 per week).

my_backup.sh (mysql backup shell script)

This file needs to be on the remote (production) server that you want to backup from! All other files in this section need to be on the backup server!

I could somehow integrate this shell script in the hourly backup script that will follow below but I just didn't work out yet how to do it. Instead of including the mysql backup script into the hourly backup script I just make an own shell script out of it and I will just call that script from the hourly backup script. In the end it is the same thing.

    #!/bin/bash
    unset PATH

    # USER VARIABLES
    MYSQLUSER=root
    MYSQLPWD=**********************
    MYSQLHOST=localhost
    MYSQLBACKUPDIR=/mysql_backup

    # PATH VARIABLES
    MK=/bin/mkdir;
    RM=/bin/rm;
    GREP=/bin/grep;
    MYSQL=/usr/bin/mysql;
    MYSQLDUMP=/usr/bin/mysqldump;

    # CREATE MYSQL BACKUP
    # Remove existing backup dir
    $RM -Rf $MYSQLBACKUPDIR
    # Create new backup dir
    $MK $MYSQLBACKUPDIR
    # Dump new files (one .sql file per database)
    for i in $(echo 'SHOW DATABASES;' | $MYSQL -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST | $GREP -v '^Database$'); do
        $MYSQLDUMP \
            -u$MYSQLUSER -p$MYSQLPWD -h$MYSQLHOST \
            -Q -c -C --add-drop-table --add-locks --quick --lock-tables \
            $i > $MYSQLBACKUPDIR/$i.sql;
    done;

As you can see this is the same procedure as before.

backup_hourly.sh (backup shell script)

This script is mostly based on Mike's handy rotating-filesystem-snapshot utility script.

    #!/bin/bash
    unset PATH

    # USER VARIABLES
    BACKUPDIR=/backup                            # Folder where the backups shall be saved to
    KEY=/root/.ssh/id_rsa
    MYSQL_BACKUPSCRIPT=/backup/my_backup.sh
    PRODUCTION_USER=root@production.server.com
    EXCLUDES=/backup/backup_exclude              # File containing excludes

    # PATH VARIABLES
    CP=/bin/cp;
    MK=/bin/mkdir;
    SSH=/usr/bin/ssh;
    DATE=/bin/date;
    RM=/bin/rm;
    RSYNC=/usr/bin/rsync;
    TOUCH=/bin/touch;
    SH=/bin/sh;                                  # Path on the remote server
    MV=/bin/mv;

    ###### -- DO NOT EDIT BELOW THIS HERE -- ######

    # CREATE MYSQL BACKUP
    # Run remote mysql backup script
    $SSH -i $KEY $PRODUCTION_USER "$SH $MYSQL_BACKUPSCRIPT"

    # Rotating the hourly snapshots
    # step 1: delete the oldest snapshot, if it exists:
    if [ -d $BACKUPDIR/hourly.3 ] ; then
        $RM -Rf $BACKUPDIR/hourly.3 ;
    fi;

    # step 2: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/hourly.2 ] ; then
        $MV $BACKUPDIR/hourly.2 $BACKUPDIR/hourly.3 ;
    fi;

    # step 3: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/hourly.1 ] ; then
        $MV $BACKUPDIR/hourly.1 $BACKUPDIR/hourly.2 ;
    fi;

    # step 4: make a hard-link-only (except for dirs) copy of the latest snapshot,
    # if that exists
    if [ -d $BACKUPDIR/hourly.0 ] ; then
        $CP -al $BACKUPDIR/hourly.0 $BACKUPDIR/hourly.1 ;
    fi;

    # step 5: rsync from the system
    $RSYNC \
        -avz --delete --delete-excluded \
        --exclude-from="$EXCLUDES" \
        -e "$SSH -i $KEY" \
        $PRODUCTION_USER:/ $BACKUPDIR/hourly.0 ;

    # step 6: update the mtime of hourly.0 to reflect the snapshot time
    $TOUCH $BACKUPDIR/hourly.0 ;

Well, pretty much the script does the same as the first one, just it will rotate folders.... However this is now intended for a 6h-backup cycle (24 divided by 4 = 6)... and we want to have a few more backups. So the next thing is a script that cycles backups on a daily level.

backup_daily.sh (daily rotation shell script)

    #!/bin/bash
    unset PATH

    # USER VARIABLES
    BACKUPDIR=/backup                            # Folder where the backups shall be saved to

    # PATH VARIABLES
    RM=/bin/rm;
    MV=/bin/mv;
    CP=/bin/cp;
    TOUCH=/bin/touch;

    # Rotating the daily snapshots
    # step 1: delete the oldest snapshot, if it exists:
    if [ -d $BACKUPDIR/daily.6 ] ; then
        $RM -Rf $BACKUPDIR/daily.6 ;
    fi;

    # step 2: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.5 ] ; then
        $MV $BACKUPDIR/daily.5 $BACKUPDIR/daily.6 ;
    fi;

    # step 3: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.4 ] ; then
        $MV $BACKUPDIR/daily.4 $BACKUPDIR/daily.5 ;
    fi;

    # step 4: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.3 ] ; then
        $MV $BACKUPDIR/daily.3 $BACKUPDIR/daily.4 ;
    fi;

    # step 5: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.2 ] ; then
        $MV $BACKUPDIR/daily.2 $BACKUPDIR/daily.3 ;
    fi;

    # step 6: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.1 ] ; then
        $MV $BACKUPDIR/daily.1 $BACKUPDIR/daily.2 ;
    fi;

    # step 7: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/daily.0 ] ; then
        $MV $BACKUPDIR/daily.0 $BACKUPDIR/daily.1 ;
    fi;

    # step 8: make a hard-link-only (except for dirs) copy of the latest hourly snapshot,
    # if that exists
    if [ -d $BACKUPDIR/hourly.3 ] ; then
        $CP -al $BACKUPDIR/hourly.3 $BACKUPDIR/daily.0 ;
    fi;

    # step 9: update the mtime of daily.0 to reflect the snapshot time
    $TOUCH $BACKUPDIR/daily.0 ;

So, now we have a script that does 4 backups a day and 7 backups a week. Now the last one will make 4 backups a month.

backup_weekly.sh (weekly rotation shell script)

    #!/bin/bash
    unset PATH

    # USER VARIABLES
    BACKUPDIR=/backup                            # Folder where the backups shall be saved to

    # PATH VARIABLES
    RM=/bin/rm;
    MV=/bin/mv;
    CP=/bin/cp;
    TOUCH=/bin/touch;

    # Rotating the weekly snapshots
    # step 1: delete the oldest snapshot, if it exists:
    if [ -d $BACKUPDIR/weekly.3 ] ; then
        $RM -Rf $BACKUPDIR/weekly.3 ;
    fi;

    # step 2: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/weekly.2 ] ; then
        $MV $BACKUPDIR/weekly.2 $BACKUPDIR/weekly.3 ;
    fi;

    # step 3: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/weekly.1 ] ; then
        $MV $BACKUPDIR/weekly.1 $BACKUPDIR/weekly.2 ;
    fi;

    # step 4: shift the middle snapshot(s) back by one, if they exist
    if [ -d $BACKUPDIR/weekly.0 ] ; then
        $MV $BACKUPDIR/weekly.0 $BACKUPDIR/weekly.1 ;
    fi;

    # step 5: make a hard-link-only (except for dirs) copy of the latest daily snapshot,
    # if that exists
    if [ -d $BACKUPDIR/daily.6 ] ; then
        $CP -al $BACKUPDIR/daily.6 $BACKUPDIR/weekly.0 ;
    fi;

    # step 6: update the mtime of weekly.0 to reflect the snapshot time
    $TOUCH $BACKUPDIR/weekly.0 ;

So much to the scripts.

cron.txt (crontab control file)

The last thing that is missing now is a cron. I use this here:

    # Make Backups
    0 0 * * Sun sh /backup/backup_weekly.sh | /usr/bin/mail -s "Weekly Cron" recipient@domain.com
    15 0 * * * sh /backup/backup_daily.sh | /usr/bin/mail -s "Daily Cron" recipient@domain.com
    45 0,6,12,18 * * * sh /backup/backup_hourly.sh | /usr/bin/mail -s "Hourly Cron" recipient@domain.com

Well, I run the weekly cron at midnight on Sundays and the daily cron every day a quarter past midnight. The hourly crons I run a quarter to midnight, 6am, noon and 6pm. I chose this to give enough time to complete all the transfers if there are new additions. Of course you can set this all individually. Don't forget to create the exclusion file (see explanations in Step 2).

You can add this cron simply by issuing the following command:

    crontab cron.txt

Just make sure that you check first that you have no other crons running. If so, just add them to the cron control file. Listing the crons for the current user:

    crontab -l

Well, now enjoy the backups.
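The hourly, daily and weekly scripts above (and the cp -al step of the non-rotating post) are all instances of one rotate-then-hard-link algorithm. The following is an added example, not code from the howto: two generic POSIX shell functions for any prefix and retention depth, plus a constructed stand-in for the rsync step so the whole cycle can be run in a scratch directory without ssh or rsync.

```shell
#!/bin/sh
# Added example (not from the original howto): the rotation that
# backup_hourly.sh, backup_daily.sh and backup_weekly.sh each spell out by
# hand, as two generic functions, plus a local stand-in for the rsync step.

# shift_snapshots DIR PREFIX KEEP FROM
#   Deletes DIR/PREFIX.(KEEP-1), then moves PREFIX.N to PREFIX.(N+1) for every
#   N from KEEP-2 down to FROM. The hourly script uses FROM=1 (it keeps
#   hourly.0 in place and hard-links it to hourly.1 afterwards); the daily and
#   weekly scripts use FROM=0 (everything moves, then the source is linked in).
shift_snapshots() {
    dir=$1 prefix=$2 keep=$3 from=$4
    n=$((keep - 1))
    if [ -d "$dir/$prefix.$n" ]; then rm -rf "$dir/$prefix.$n"; fi
    while [ "$n" -gt "$from" ]; do
        prev=$((n - 1))
        if [ -d "$dir/$prefix.$prev" ]; then mv "$dir/$prefix.$prev" "$dir/$prefix.$n"; fi
        n=$prev
    done
}

# link_snapshot SRC DST: "cp -al" as in the scripts above. Directories are
# real copies, regular files are hard links, so an unchanged file costs no
# extra space no matter how many snapshots share it. touch sets the mtime of
# DST to the snapshot time.
link_snapshot() {
    cp -al "$1" "$2" && touch "$2"
}

# hourly_cycle DIR SYNC_CMD [ARGS...]: what backup_hourly.sh does after the
# remote mysql dump. SYNC_CMD is called with DIR/hourly.0 appended and must
# fill that tree (rsync in the real script).
hourly_cycle() {
    dir=$1; shift
    shift_snapshots "$dir" hourly 4 1
    if [ -d "$dir/hourly.0" ]; then link_snapshot "$dir/hourly.0" "$dir/hourly.1"; fi
    mkdir -p "$dir/hourly.0"
    "$@" "$dir/hourly.0"
    touch "$dir/hourly.0"
}

# promote_cycle DIR PREFIX KEEP SRC: backup_daily.sh is (daily, 7, hourly.3),
# backup_weekly.sh is (weekly, 4, daily.6).
promote_cycle() {
    dir=$1 prefix=$2 keep=$3 src=$4
    shift_snapshots "$dir" "$prefix" "$keep" 0
    if [ -d "$src" ]; then link_snapshot "$src" "$dir/$prefix.0"; fi
}

# write_version N DST: constructed stand-in for the rsync step. It writes the
# new content to a temporary file and renames it over data.txt, which is what
# rsync does by default: the old inode is left alone, so the hard link in
# hourly.1 keeps the previous content. (rsync --inplace would instead write
# into the shared inode and silently rewrite every older snapshot as well.)
# static.txt is created only once, like a file rsync finds unchanged and skips.
write_version() {
    printf 'version %s\n' "$1" >"$2/.data.tmp" && mv "$2/.data.tmp" "$2/data.txt"
    if [ ! -e "$2/static.txt" ]; then printf 'unchanged\n' >"$2/static.txt"; fi
}

# snapshot_content DIR NAME: content of data.txt in snapshot NAME ("" if absent).
snapshot_content() {
    if [ -f "$1/$2/data.txt" ]; then cat "$1/$2/data.txt"; fi
}

# Demo in a scratch directory: five 6-hourly runs, then one daily promotion.
root=$(mktemp -d)
for v in 1 2 3 4 5; do hourly_cycle "$root" write_version "$v"; done
promote_cycle "$root" daily 7 "$root/hourly.3"
for s in hourly.0 hourly.1 hourly.2 hourly.3 daily.0; do
    printf '%-9s %s\n' "$s" "$(snapshot_content "$root" "$s")"
done
rm -rf "$root"
```

In the push setup of the non-rotating post the production host holds a key that logs in as root on the backup host, so whoever compromises production can also wipe the backups; pulling from the backup host, as this rotating setup does, keeps that trust pointing the safer way.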

Saturday, January 28, 2012

Linux system security tools in detail

6. Scripts

Here we do not want to mention a particular tool: scripting is one of the major skills of a system administrator.

In managing your network, shell scripts, Perl scripts and the like are all part of your daily work. It is obvious that scripts can be used to automate tasks; however, we can also apply them to security monitoring. Every system administrator has his own needs and always tries to fit his way of managing them. This is usually not so easy, but there is one thing that can help you: subscribe to Sys Admin magazine! This magazine is written for system administrators by system administrators and gives you a number of programs and scripts; each issue even comes with a CD-ROM containing all the programs and scripts. This is not an advertisement, but a tip that you will find many solutions there to enhance security. If you are a system administrator, go to http://www.samag.com and see for yourself; you should try it, but of course this is just a suggestion.

7. What else?

This article is very much about security issues; however, as we said, it is not a "how to secure your network or host" article. On that subject a book would not be enough: security does not rely only on tools but also on behaviour, for example some of the usual habits in which we make mistakes. People should understand that M$ Office files are actually security bombs: not only are they huge, they are also full of macro viruses. Wintel users, please don't send Word or Excel files as email attachments, and if you receive them, please do not open them. This is just a suggestion, but you have been warned: they are as dangerous as a received or downloaded executable file (in my opinion, more dangerous). By the way, plain text and HTML files are much smaller than Office files, and they are not dangerous. Of course, I know how it works: when you download a driver for Wintel it is usually an executable, and let us admit that we can trust this great company... But do you know what your downloaded file may contain? Yes, this is a bit paranoid, but is it crazy?

Why do you think that so many files come with a checksum to verify their integrity? The following may "hurt" many people, but it is a fact: Java is dangerous! Java applets are not safe, and JavaScript is not secure either; interestingly, many websites use Java, and Java is often the source of the problem when your browser dies while visiting a web site. Is that the purpose of the site? Not to mention ActiveX from M$! Replace it with Rebol (http://www.rebol.com). Because of this, the new internet experts should stop building sites with Wintel Word and IE5. I notice that such websites overflow; after all, many people use many different operating systems and many different browsers on the internet, and restricting access equals denying people access to your web site. The goal of the internet is to share; using dedicated stuff is meaningless in my opinion. When building a website, the first thing to do is to make it accessible whatever the operating system, whatever the browser..., but this is only my personal point of view. Think about it: if you use a unix machine and Netscape to access such a web site, you are not welcome! Sorry, a little off topic.

Another important point: it is not possible to be 100% secure, and we are still far from it. What you can do is raise the level. In fact, you probably use all the tools we mentioned, but the back door is wide open! Don't be silly: hackers will not try to break the 128-bit key first, but they can find a small hole in one place. So be careful with suid or sgid programs, access permissions, running services, cancel useless accounts, etc. UNIX versions have much in common, but they also have many different security holes; some are like sieves, and you must pay attention to this point. For example, joining the internet through a cable connection with an M$ box is great, but your machine will appear in My Network Places on the hacker's machine; M$ sells you to the hacker, I'm not kidding... Network and computer security has a long way to go; if you are interested in this area, you can always learn new things.

Fortunately, here are some resources you can use.

References

http://www.linuxsecurity.com
http://www.sans.org
http://www.infosyssec.org
http://www.securityfocus.com
http://www.cs.purdue.edu/coast/hotlist/

Friday, January 27, 2012

Using OpenSSH to establish more effective security

Veteran Linux administrators know SSH (Secure Shell) as one of the most convenient and useful tools in their software toolbox.

Whether working under X Windows on a workstation or through a terminal and the screen utility, administrators of Linux servers and other UNIX-based servers can easily manage several systems at the same time. Network management shell or Perl scripts can use SSH to perform simple tasks automatically and safely on multiple servers. Like the remote shell RSH, SSH provides shell access over the network, but SSH adds strong encryption and compression, and most modern SSH implementations ship SFTP and SCP in the same package for secure file transfer over the network. The most popular and most common SSH implementation is OpenSSH, a project conceived and maintained by the OpenBSD community. OpenSSH has been ported to every operating system platform, including Microsoft Windows, although its most widespread use is the OpenSSH server and client on UNIX-based systems, including Linux, Solaris and OpenBSD.

SSH functions

SSH uses strong encryption to protect the data of a remote session against attackers. It provides end-to-end protection from the very beginning, including the initial contact between client and host: the user name and password are only exchanged after a session key has been negotiated. It can use several different ciphers: AES, 3DES, Blowfish and others. A trusted host identification scheme and key exchange between the systems improve security; OpenSSH does not require a security certificate or a prior key exchange to create a securely encrypted remote session. In addition, SSH can relieve certain types of network congestion and speed up transfers noticeably, because it can compress data before transmitting it. It provides SFTP, an encrypted, FTP-like interactive file transfer capability, so that not even the user name and password are exposed on the network.

For file transfer operations, SCP similarly provides a safe and convenient way: the encrypted file copy command, which works across a network connection, is part of the SSH implementation. SSH is known as an encrypted network protocol. It was developed as a replacement for RSH; the RSH utility offers similar functionality but not enough security. SSH not only inherits the functions of RSH but extends them, particularly with regard to security.

Installing OpenSSH on Linux

Installing OpenSSH on Linux is easy. For example, on a Debian GNU/Linux system, log in as root and enter the command apt-get install ssh. Similarly, on a Fedora Core Linux system, log in as root and enter the command yum install ssh. You may not even need to do this, because the default installation of Debian and Fedora Core already includes OpenSSH. On a Linux system, if you want to find out whether OpenSSH is already installed, just enter the command ssh. If OpenSSH is installed, it prints a short usage guide (Listing A):

Listing A

    $ ssh
    usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
               [-D port] [-e escape_char] [-F configfile]
               [-i identity_file] [-L [bind_address:]port:host:hostport]
               [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
               [-R [bind_address:]port:host:hostport] [-S ctl_path]
               [user@]hostname [command]

The OpenSSH manual has more complete usage information. It is a traditional UNIX manual page, and entering man ssh on the command line gives you access to it. The manual covers the OpenSSH client command line options, the associated configuration files, the known bugs of the current version, the shell environment variables that affect its operation, and a list of related manual pages.

As shown in that list, the sshd manual, the ssh-agent manual and the manuals of the other applications in the OpenSSH tool set are available as well.

Configuring and using the Linux client

With the OpenSSH client, to reach an OpenSSH server on another system from the command line you only need to enter ssh host, where "host" is the host name of the target system. Sometimes the host name cannot be resolved to an IP address because the system has no DNS and the host is not listed in the local /etc/hosts file. Then it is necessary to specify the IP address of the target system instead of the host name; for example, ssh 192.168.0.1 connects to the system with that IP address. More SSH commands follow.

In general SSH uses port 22. If the SSH server listens on a nonstandard port, use the following command; in this example the port number is 1234:

    ssh -p 1234 host

Unless you specify a user name, ssh will try to log on to the remote system with the same user name as on the local system. You can use a command option to specify a different user name. The following is the general form, where "user" is the user name:

    ssh -l user host

A more general method of specifying the user name is the following format:

    ssh user@host

With SSH you can execute a command on the target system without opening a shell. In the following example "command" is the command you want to perform:

    ssh host command

You can specify the current working path on the target. The following example specifies /home/user as the current working path:

    ssh host:/home/user

The above options can be combined into more complex commands:

    ssh -p 1234 user@host:/home/user
    ssh -l user host command

The OpenSSH configuration files are located under /etc/ssh. The main OpenSSH client configuration file is /etc/ssh/ssh_config; most distributions ship it with enough comments to tell you how to use it.

On a distribution with a broad and complex manual system such as Debian, you can get enough OpenSSH client configuration information with the command man ssh_config. For security purposes, a widespread and important configuration option is ForwardX11; it should be set to "no" to stop the SSH client from automatically sending X Windows system information over the network, even on SSH connections that make no use of X Windows. With this setting you can still forward X Windows for a specific SSH connection by using the -X command option. The other configuration options in /etc/ssh/ssh_config can be set to follow your security policy and the specific security needs of your services.

Windows SSH clients

Microsoft Windows has many SSH client programs; some are proprietary commercial applications, some are freeware or shareware, and some are open source software such as OpenSSH. There are command-line clients, some of which are installed as part of a UNIX-like shell, but the most commonly used SSH programs now have a graphical user interface. Among them, WinSCP provides SCP and SFTP and PuTTY provides an SSH shell. After reading the information on using OpenSSH on Linux you can easily understand the WinSCP and PuTTY user interfaces and their configuration. There is also an actual Microsoft Windows port of OpenSSH, called OpenSSH for Windows.

Configuring and using the Linux server

In general, the OpenSSH server runs on a Linux system. On a Debian GNU/Linux system it can be restarted with the command /etc/init.d/ssh restart; similarly, to start or stop it, replace "restart" with "start" or "stop". Fedora Core Linux uses the same command format, but you need to replace "ssh" in /etc/init.d/ssh with "sshd". Like the OpenSSH client configuration, the OpenSSH server configuration is done through the /etc/ssh/sshd_config file. Its format is very similar to /etc/ssh/ssh_config, but there are many different options.

Configuration details can be viewed by entering man sshd_config. Typically, IgnoreRhosts and UsePrivilegeSeparation are set to "yes", while PermitRootLogin and PermitEmptyPasswords are set to "no". As with the OpenSSH client, the risk of transporting X Windows system information over SSH is very low, but if it is not needed it should be inactive on every system; to do that, set X11Forwarding to "no". On Linux these configuration options are usually maintained by quite security-conscious people and should already be set properly; the ones to check generally include PermitRootLogin and X11Forwarding.

Using OpenSSH

OpenSSH has other features as well. For example, other network protocols can be "tunnelled" over the OpenSSH protocol for increased security; this article gives some tips on that. The ssh-agent tool can simplify the management and use of the OpenSSH client. There are also unrelated tools that include SSH tunnelling support, for example the Subversion version control system. The possibilities are endless; it is impossible to list them all.

New Linux users who use more than one computer may not immediately realize the value of SSH. They are used to Microsoft Windows, whose interface is well optimized to some extent but not easy for remote administration. For server management and remote technical support, remote management tools such as Windows Remote Desktop and Terminal Services for Windows are of very limited effectiveness, and using Windows directly over a network is not encouraged. In contrast, a Linux user can run the daily programs on a single computer and, after a simple installation, access these programs via SSH. Many Linux administrators sit in front of one computer and work on more than one machine in different places, including email, writing and programming, not just one or two network applications. The more familiar one is with SSH's capabilities and uses, the more one trusts it.
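The sshd_config settings just listed can be checked mechanically. The following is an added example, not from the article: a POSIX shell audit that reads a config the way sshd does (the first occurrence of a keyword wins, and keywords inside a Match block are conditional) and reports deviations, run here against two constructed sample files.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config against the
# settings recommended above. sshd applies the FIRST occurrence of a keyword
# and ignores later ones, so a hardening line appended to a file that already
# sets the keyword does nothing; a keyword inside a Match block only applies
# to the matched connections. The audit mirrors both rules.

# sshd_effective FILE KEYWORD: prints the effective global value of KEYWORD
# (lower-cased), or nothing if it is not set before the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                       # comment
        /^[ \t]*$/ { next }                       # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)         # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit                # global section ends here
            if (k == key && n >= 2) { print tolower(f[2]); exit }
        }' "$1"
}

# audit_sshd_config FILE: prints one line per deviation from the policy and
# returns the number of deviations. An unset keyword counts as a deviation:
# the compiled-in default differs between OpenSSH releases and is not an
# explicit policy. (UsePrivilegeSeparation is obsolete since OpenSSH 7.5,
# where separation is always on; drop it from the list on such servers.)
audit_sshd_config() {
    cfg=$1 bad=0
    for pair in PermitRootLogin:no PermitEmptyPasswords:no X11Forwarding:no \
                IgnoreRhosts:yes UsePrivilegeSeparation:yes; do
        key=${pair%%:*} want=${pair#*:}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            printf '%-22s effective=%-6s expected=%s\n' "$key" "${got:-unset}" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# write_sample_config KIND: constructed sample (not any real server's config),
# written to a temp file whose path is printed. "weak" shows both traps: the
# second PermitRootLogin line never takes effect, and the X11Forwarding inside
# the Match block only covers user backup. "hardened" sets all five correctly.
write_sample_config() {
    out=$(mktemp) || return 1
    if [ "$1" = weak ]; then
        cat >"$out" <<'EOF'
Port 22
PermitRootLogin yes
X11Forwarding yes
PermitEmptyPasswords no
IgnoreRhosts yes
PermitRootLogin no
Match User backup
    X11Forwarding no
EOF
    else
        cat >"$out" <<'EOF'
Port 22
PermitRootLogin no
PermitEmptyPasswords=no
X11Forwarding no
IgnoreRhosts yes
UsePrivilegeSeparation yes
EOF
    fi
    printf '%s\n' "$out"
}

# Demo: the weak sample yields three deviations, the hardened one none.
for kind in weak hardened; do
    cfg=$(write_sample_config "$kind")
    printf '== %s sample ==\n' "$kind"
    if audit_sshd_config "$cfg"; then echo "no deviations"; fi
    rm -f "$cfg"
done
```

Point the audit at /etc/ssh/sshd_config on a real host and read the output alongside man sshd_config; it checks only the five keywords the article names.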
But come out from the Windows of the Linux users also cannot immediately felt the ability to promote productivity through SSH. OpenSSH configuration and use are worth learning, even if you cannot immediately see the effect, over time, you cannot do without it. Original link: http://www.zdnet.com.cn/developer/code/story/0,3800066897,39524195-2,00.htm
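The settings named above are only effective if sshd actually reads them as you intend. The following is an added example, not part of the original article: it reports the effective value of each recommended sshd_config option the way the daemon resolves it (keywords are case-insensitive, the first occurrence wins, and only the global section before any Match block counts), and the same reader works for ssh_config, where Host blocks end the global section. The sample configuration file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the sshd_config/ssh_config
# options the article recommends, resolving them the way OpenSSH does.

# ssh_effective FILE KEYWORD -> prints the effective value (lower-cased), or "unset"
ssh_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            sub(/^[ \t]+/, "")                        # strip leading whitespace
            if ($0 ~ /^(#|$)/) next                   # skip comments and blank lines
            n = split($0, f, /[ \t=]+/)               # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match" || k == "host") exit     # global section ends here
            if (k == key && !found) { found = 1; val = tolower(f[2]) }   # first one wins
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# ssh_audit FILE Keyword=expected ... -> one line per check; returns 1 if any check fails
ssh_audit() {
    file=$1; shift; rc=0
    for pair in "$@"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(ssh_effective "$file" "$key")
        if [ "$got" = "$want" ]; then st=OK; else st=FAIL; rc=1; fi
        printf '%-22s %-6s (expected %s) %s\n' "$key" "$got" "$want" "$st"
    done
    return $rc
}

# Server-side settings the article singles out, with the values it recommends.
SSHD_HARDENING="PermitRootLogin=no PermitEmptyPasswords=no X11Forwarding=no IgnoreRhosts=yes UsePrivilegeSeparation=yes"

# Constructed sample sshd_config (not a real host's file). It contains two pitfalls:
# PermitRootLogin appears twice and the first line wins, and PermitEmptyPasswords is
# only set inside a Match block, so globally it is still unset.
SSHD_SAMPLE=$(mktemp)
cat >"$SSHD_SAMPLE" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
PermitRootLogin no
X11Forwarding no
IgnoreRhosts yes
UsePrivilegeSeparation yes
Match User backup
    PermitEmptyPasswords no
EOF

ssh_audit "$SSHD_SAMPLE" $SSHD_HARDENING || echo "sshd_config: one or more settings need attention"
```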

Thursday, January 26, 2012

Linux system security tool details

The second tool is called Nessus; you can download it from http://www.nessus.org. Nessus uses a client/server architecture; its source code follows the POSIX standard and it runs on many UNIX versions, and there is even a Win32-based client. Nessus relies on nmap (as you know, without nmap Nessus will not run), and the GUI client also needs the GTK library.

The current version of Nessus is 1.06. You can scan an entire network with one command: the command takes a network address, so typing 192.168.1.0/24 in the target box scans the 255 machines of that subnet. Although Nessus is no less complex than nmap, it is not only easy to use but also has many features; for example, it can generate reports and compare the differences between reports. Another quite interesting feature is that Nessus proposes solutions to the problems its port scans discover; as long as the machines are UNIX systems these proposals are generally useful, for other operating systems they are less accurate, but this is not a problem. The following is an example of a very vulnerable machine. [Nessus report screenshot not present] Another great feature of Nessus is that it runs plug-ins, so whenever a new vulnerability is discovered anywhere it can be upgraded quickly. Nessus is a tool system administrators really need; merci beaucoup to Mr. Deraison for terrific work. Both tools were tested on a network of Linux machines and other operating systems: Linux RH 6.2, Irix 6.5.7, Solaris 2.6, NeXTStep 3.3, QNX RT, BeOS 5.0, AmigaOS 3.5 and NT 4.0. On most platforms the test results were impressive; of course no real Amiga system was identified (because it looks like a printer or a router!), but who has that operating system on their network nowadays (other than us)? Anyway, these tools are must-haves on today's networks. To close this chapter, let us mention some other tools such as SARA (http://www-arc.com/sara/), its predecessor SATAN (http://www.porcupine.org/satan/) or SAINT (http://www.wwdsi.com). They are not port scanners, however, and they are very useful for improving network security.

4. Sniffing systems. Some tools detect port scans or intrusions; a standard system administrator cannot live without these tools (he is a little paranoid!). The first set of tools comes from the Abacus project; you can get them from http://www.psionic.com.

It contains three tools: portsentry, hostsentry and logcheck. Logcheck is version 1.1.1, portsentry is version 1.0 and hostsentry is version 0.0.2alpha. Portsentry is a port-scan detection tool: as the name says, if a port is scanned, portsentry immediately blocks the scanning host, either with a firewall rule or a drop route (or an unused IP address), or, as long as TCP Wrapper is installed on your machine, by writing the attacker's IP address into /etc/hosts.deny. The reaction is fairly efficient! Portsentry relies on one main configuration file and some special files; the special files are used to ignore some hosts (that is, not block them) or to block only certain ports on some hosts. Through the configuration file you define how portsentry works. First you must select the ports to bind portsentry to, TCP or UDP (or both); note that if you use X11 it cannot bind to port 6000! Depending on the UNIX system you use, you have two different modes for monitoring ports; currently only Linux supports the advanced mode. The next step is the blocking option: block scans or not, or run an external command. Then select the drop route, or redirect the attacker to an IP address not used on the network or to a port on the firewall. The next step relates to TCP Wrapper: you decide whether or not to write a deny entry into /etc/hosts.deny. Then you can define an external command to run, and finally you can choose the trigger value for a scan (the default is 0). That is all you have to do; we assume that you know everything about logging, because obviously all warnings are logged. This means that if you want the warnings somewhere other than /var/log/messages, /var/log/syslog or /var/adm/messages, you can modify your syslog.conf file.

You can choose to run portsentry in the background; the options depend on your system: on most UNIX versions you can use the -tcp and -udp options, on Linux machines you can use -atcp and -audp (the "a" stands for advanced). Let's look at a scan of a computer running portsentry. [scan output not present] If you are a system administrator who looks at the logs once a week (you should change jobs), the Abacus project provides another tool: logcheck. Run as a cron task, it sends an e-mail to the administrator if abnormal events are found in the logs. The latest tool in this suite is called hostsentry; it looks pretty interesting, but I have not tested it. If you want a great, simple and efficient tool, choose portsentry! Thank you Mr. Rowland, his work is very great; by the way, I like his sense of humour. Another tool a system administrator really cannot do without is called snort. Snort is a very precise and lightweight IDS (intrusion detection system); you can download snort version 1.6.3 from http://www.snort.org. It is said to run on any platform where libpcap works; it is best to use the latest version of libpcap. Incidentally, you can get a Win32 version of snort. Snort analyses IP streams and provides very robust logging capabilities. Snort relies on rule scripts, so you monitor what you want to monitor. It even gives you a rules database, so you have to make an important decision: where to place the detector, or, if you like, what kind of traffic you want to monitor, outside or inside the firewall? We would rather recommend both places!!! For me this is a serious problem; if you are a "standard" system administrator, the more probes the better. Now that you have decided where to listen, you must select the rules to apply. Snort comes with lots of basic rules: backdoor, ddos, finger, ftp ... These rules are put in the snort-lib file, and you can get new and upgraded rules from the snort website.

You only need to set one option to run snort as a background task: to run snort as a daemon, the option is -D. Because you can redirect the log, you can define where it is recorded, even on another machine. It is impossible to cover all the features of snort in this article; it can only tell you part of them. Regardless, snort is another essential tool; snort is a very great tool and I would like to thank Mr. Roesch. Some other free tools, for example AIDE, are introduced at http://www.cs.tut.fi/~rammer/aide.html.

5. Encryption. In this area there are many tools that we cannot all cover; anyway, we at least want to talk about SSH, especially the free version OpenSSH, which you can get from http://www.openssh.com; the current version is 2.3.0. This great product was originally developed on OpenBSD and now runs on many UNIX versions. OpenSSH is an alternative to telnet and to other remote commands such as rsh and rlogin; it contains scp, an alternative to ftp and rcp. OpenSSH encrypts the data transmitted over the network, whereas rsh, telnet and so on transmit in clear, including the password of course! Therefore you should no longer use those tools but use OpenSSH instead. This is a bit forced; let us be a little fascist! The problem is that some countries are very strict about this kind of tool and encryption method and do not allow such software to be changed, and in many countries you still cannot use the software freely. For example, some time ago, if you used ssh in a country such as France you were deemed a spy (according to national law); fortunately this is no longer the case, however I recommend reading the relevant provisions before using such tools. You can find a report on the rules of different countries on the Web at http://www2.epic.org/reports/crypto2000/countries.html.

After all, encryption is a topic of great concern and there are many tools worth considering; let us mention OpenSSL (Secure Sockets Layer) at http://www.openssl.org, or StrongCrypto at http://www.strongcrypto.com, an open-source VPN tool for Linux. VPN is another solution that deserves a separate article for the details (like most of the topics and tools above); for this reason we do not wish to say anything more here. Obviously we cannot forget to mention OpenPGP, at the http://www.ietf.org/html.charters/openpgp-charter.html Web page, and GnuPG at the http://www.gnupg.org Web site.

Wednesday, January 25, 2012

Using mod_proxy to improve LAMP security

The Apache Software Foundation's HTTP Server project (often simply called Apache) is the most widely used Web server on the Internet, with more than 60% of the market.

Apache is an increasingly popular part of the LAMP software configuration. LAMP is a Web platform built on Linux, Apache, MySQL and PHP and other open source technologies, all free software. In this article you will learn a way to use the mod_proxy module and multiple back-end servers to improve the security of LAMP. I will discuss the advantages and disadvantages and provide sample configurations.

PHP and Apache: the security challenge. A challenge facing a LAMP administrator is to provide a complete PHP system to all users while ensuring a secure environment for every user of the system. Using PHP's safe mode is one technique, but it unduly restricts users, and once it is enabled some PHP applications no longer work. The root of the PHP security problem is the way most Apache servers are configured. Because most Apache configurations run under a special user ID, www-data, every user hosting a Web site must by default make sure that this user can read their files. Therefore any other user of the system can access all the Web files that user has access to; thus another user of the system, independent of your own site, can become the breakthrough point of an attack on your Web site. If files or directories must be made writable by the www-data user, the situation is more serious still. For CGI programs written in Perl, Python and other popular languages, the suEXEC mechanism eliminates some of these issues. Simply put, suEXEC uses a special intermediate program to execute CGI programs under the user ID of the program's owner. (For more details, see the reference links in the article.) This is a very effective mechanism that has been in use for many years. However, when PHP pages are hosted with the mod_php module they execute as part of the main Apache process. They therefore inherit all the privileges of the Apache process, and any work they perform on the file system is performed as the user www-data.

Running Apache under more than one user ID. The obvious solution to the problem described above is to require that all requests for a user's domain go to an Apache instance that holds only that user's credentials. Apache can be configured to take any user's credentials at startup. For a simple setup in which each user is assigned a separate Internet-visible IP address/port combination, this approach solves the problem. For more complex setups (where IP addresses are precious) this method does not work. Only when a single Apache instance controls a specific IP address/port combination can you use virtual hosts, a technique widely used on Apache systems; this rules out the possibility of multiple domains belonging to multiple users sharing the same IP address/port combination. Apache 2.0 introduced the concept of multiprocessing modules (MPMs). Among the MPMs offered in the basic Apache 2.0 package is an experimental module, perchild, which assigns a dispatcher thread to an IP address/port combination and passes requests to child threads running under the individual user's credentials, thereby achieving virtual hosting with multiple user IDs. Unfortunately perchild remained experimental, may not work, and was removed from the official Apache distribution as of Apache 2.2. Before that, recognising the continuing need for a stable MPM that works like perchild, the Apache community began developing a number of MPMs to fill the gap. Metux MPM and the process-oriented peruser are efforts in that direction. (For more information on Metux MPM and peruser MPM, see the references.)

One solution: mod_proxy. Although no official Apache MPM directly provides virtual hosting with multiple user IDs, this behaviour can still be implemented through configuration and management of the Apache system.

The core of this approach is the mod_proxy module, which (among other features) lets Apache pass page requests to other servers and return the responses to the requesting client.

Listing 1. Basic request-forwarding (reverse proxy) configuration example

    ProxyRequests Off
    ProxyPass /foo http://foo.example.com/bar
    ProxyPassReverse /foo http://foo.example.com/bar

The code in Listing 1 is a simple example: it forwards any page request under the host's /foo hierarchy to the corresponding page under http://foo.example.com/bar. For example, a request for the page /foo/index.htm is forwarded to http://foo.example.com/bar/index.htm. You can use this principle to solve the problem.

Sample scenario. Consider a scenario in which an Apache administrator must set up domains for two separate clients. One client is an online venture, very concerned about online security. The other is a personal account, rather casual about site security, who may upload unsafe code to the site. The Apache administrator must therefore take steps to isolate the two sites. The administrator has two domains: www.startup.tld, belonging to the online venture (user ID startup), and www.reckless.tld, belonging to the individual (user ID nimrod). To solve the problem, the administrator decides on the mod_proxy solution: each user is assigned a separate Apache instance, running under the user's own user ID and using a private IP address/port combination, and mod_proxy is used to provide access to both users' domains through a facade server, which runs as www-data and uses a public IP address/port combination. Figure 1 illustrates the whole scenario.

Figure 1. The example scenario [figure not present]

Recommended Apache versions. For each element of the sample configuration, the Apache administrator should use the Apache version listed in Table 1.

Table 1. Apache versions used by the sample application
    Element: Facade server
    Apache version: Apache 2, running the worker or event MPM
    Reason: Apache 2 made important improvements to the mod_proxy module. The worker and event MPMs are threaded, which helps reduce the memory overhead of the facade server.
    Element: Back-end servers
    Apache version: Apache 1.3, or Apache 2 running the prefork MPM
    Reason: Apache administrators must be aware that the PHP module should not be run in a threaded environment. Both of these options provide a process-based environment for the PHP module.

Back-end Apache instance configuration. The code fragments in Listings 2 and 3 show the basic differences from a standard Apache configuration. Anything else you need, such as PHP support, should be added to the appropriate configuration and is omitted here.

Listing 2. Apache configuration for the online venture

    # Stuff every Apache configuration needs
    ServerType standalone
    LockFile /var/lock/apache/accept.startup.lock
    PidFile /var/run/apache.startup.pid
    ServerName necessaryevil.startup.tld
    DocumentRoot "/home/startup/web"
    # Essential modules
    LoadModule access_module /usr/lib/apache/1.3/mod_access.so
    # Which user to run this Apache configuration as
    User startup
    Group startup
    # This must be off else the host isn't passed correctly
    UseCanonicalName Off
    # The IP/port combination to listen on
    Listen 127.0.0.2:10000
    # Using name-based virtual hosting allows you to host multiple sites per IP/port combo
    NameVirtualHost 127.0.0.2:10000
    <VirtualHost 127.0.0.2:10000>
        ServerName www.startup.tld
        # You can add aliases so long as the facade server is aware of them!
        ServerAlias startup.tld
        DocumentRoot "/home/startup/web/www.startup.tld"
        <Directory "/home/startup/web/www.startup.tld">
            Options Indexes FollowSymLinks MultiViews ExecCGI Includes
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

Tuesday, January 24, 2012

Building a Snort intrusion detection system on Linux

1. Install Apache

    tar zxvf apache-(version number)        # extract Apache
    cd into the extracted directory
    ./configure --prefix=/usr/local/apache --enable-so --enable-rewrite
    make
    make install
    /usr/local/apache/bin/apachectl start   # start Apache

Test with http://xxx.xxx.xxx.xxx (the server's IP address).

2. Install MySQL

    groupadd mysql
    useradd -g mysql mysql
    tar zxvf mysql-(version number)         # extract MySQL
    cd into the extracted directory
    ./configure --prefix=/usr/local/mysql --with-charset=gb2312   (gbk can be used instead)
    make
    make install
    cd support-files
    cp my-medium.cnf /etc/my.cnf
    /usr/local/mysql/bin/mysql_install_db --user=mysql
    chown -R root /usr/local/mysql
    chown -R mysql /usr/local/mysql/var
    chgrp -R mysql /usr/local/mysql
    /usr/local/mysql/share/mysql/mysql.server start   # start MySQL
    /usr/local/mysql/bin/mysqladmin -uroot password XXXX
    /usr/local/mysql/bin/mysql -uroot -p

Enter the password; when the mysql> prompt appears, MySQL is installed.

3. Install PHP

    tar zxvf php-(version number)
    cd into the extracted directory
    ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache/bin/apxs \
        --with-mysql=/usr/local/mysql --with-config-file-path=/usr/local/php
    make
    make install
    cp php.ini-dist /usr/local/lib/php.ini
    vi /usr/local/lib/php.ini              (edit line 365)
    vi /usr/local/apache/conf/httpd.conf   (add index.php to DirectoryIndex; add the line: AddType application/x-httpd-php .php)
    vi /usr/local/apache/htdocs/test.php   (contents: <?php phpinfo(); ?>)

Restart Apache and test http://xxx.xxx.xxx.xxx/test.php.

4. Install PCRE

    tar zxvf pcre-(version number)
    cd into the extracted directory
    ./configure
    make
    make install

Saturday, January 21, 2012

Using mod_proxy to improve LAMP security

Listing 3. Apache configuration for the personal customer

    # Stuff every Apache configuration needs
    ServerType standalone
    LockFile /var/lock/apache/accept.nimrod.lock
    PidFile /var/run/apache.nimrod.pid
    ServerName necessaryevil.nimrod.tld
    DocumentRoot "/home/nimrod/web"
    # Essential modules
    LoadModule access_module /usr/lib/apache/1.3/mod_access.so
    # Which user to run this Apache configuration as
    User nimrod
    Group nimrod
    # This must be off else the host isn't passed correctly
    UseCanonicalName Off
    # The IP/port combination to listen on
    Listen 127.0.0.2:10001
    # Using name-based virtual hosting allows you to host multiple sites per IP/port combo
    NameVirtualHost 127.0.0.2:10001
    <VirtualHost 127.0.0.2:10001>
        ServerName www.reckless.tld
        # You can add aliases so long as the facade server is aware of them!
        ServerAlias reckless.tld
        DocumentRoot "/home/nimrod/web/www.reckless.tld"
        <Directory "/home/nimrod/web/www.reckless.tld">
            Options Indexes FollowSymLinks MultiViews ExecCGI Includes
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
    </VirtualHost>

Listing 4 shows the configuration of the facade Apache instance.

Listing 4. Apache configuration for the facade Apache instance

    # Stuff every Apache configuration needs
    LockFile /var/lock/apache/accept.www-data.lock
    PidFile /var/run/apache.www-data.pid
    ServerName necessaryevil.facade.server
    DocumentRoot "/home/www-data"
    # Essential modules
    LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
    LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
    # Which user to run this Apache configuration as
    User www-data
    Group www-data
    # These must be set else the host isn't passed correctly
    UseCanonicalName Off
    ProxyVia On
    ProxyRequests Off
    # This must also be set, though it's only an option in Apache 2
    ProxyPreserveHost On
    # The IP/port combination to listen on
    Listen 9.20.1.1:80
    # Using name-based virtual hosting allows you to host multiple sites per IP/port combo
    NameVirtualHost 9.20.1.1:80
    # Configuration to forward requests for startup.tld
    <VirtualHost 9.20.1.1:80>
        ServerName www.startup.tld
        ServerAlias startup.tld
        ProxyPass / http://127.0.0.2:10000/
        ProxyPassReverse / http://127.0.0.2:10000/
        ProxyPassReverse / http://www.startup.tld:10000/
        ProxyPassReverse / http://startup.tld:10000/
    </VirtualHost>
    # Configuration to forward requests for reckless.tld
    <VirtualHost 9.20.1.1:80>
        ServerName www.reckless.tld
        ServerAlias reckless.tld
        ProxyPass / http://127.0.0.2:10001/
        ProxyPassReverse / http://127.0.0.2:10001/
        ProxyPassReverse / http://www.reckless.tld:10001/
        ProxyPassReverse / http://reckless.tld:10001/
    </VirtualHost>

The ProxyPreserveHost directive is the important one to note here. This directive is provided by Apache 2; it passes the correct HTTP Host header through to the back-end server. For this reason we strongly recommend using an Apache 2 instance as the facade server.

Running the sample configurations. The root user should start each configuration. Apache switches to the user specified in the configuration file and uses it for all the processes associated with that host. Listing 5 shows how to start the sample.

Listing 5. Starting the sample servers

    /usr/sbin/apache -f /etc/apache/startup.tld.conf
    /usr/sbin/apache -f /etc/apache/nimrod.tld.conf
    /usr/sbin/apache2 -f /etc/apache2/facade.tld.conf

Restrictions of the mod_proxy method. It is important to note that the method described in this article does not apply to domains that require SSL connections. This is because the SSL protocol does not allow name-based virtual hosting. Because of this limitation, any SSL host must be implemented in the appropriate manner, so that each SSL domain uses its own IP/port combination. This limitation is present in every Apache configuration, and an Apache setup using this solution is no exception. SSL domains can still be run under their owner's user ID.

Closing remarks. In this article, Apache's mod_proxy module was used to build an environment in which a facade server forwards requests to two back-end servers. You can front a whole range of back-end servers in the same way. This approach lets system administrators reduce potential security risks while retaining the flexibility that PHP and other tools provide. Original link: http://www.ibm.com/developerworks/cn/web/wa-lampsec/index.html?ca=drs-
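Fronting more than two users with this pattern means repeating Listings 2 to 4 with a new user ID and a new loopback port each time. The following is an added example, not code from the developerWorks article: it generates the per-user back-end configuration and the facade configuration for any list of users (user N gets port 10000+N, so the article's two users get 10000 and 10001), and checks that a back-end instance binds only the loopback alias, since a back-end listening on the public address would be reachable without the facade. The public IP, user names and domains are the article's sample values; the module paths are assumptions.

```shell
#!/bin/sh
# Added example (not the article's code): generate the back-end and facade
# configurations of the mod_proxy scheme for a list of users, and check that
# the back-ends only listen on the loopback alias.
FACADE_IP="9.20.1.1"        # public IP the facade (www-data) listens on
BACKEND_IP="127.0.0.2"      # loopback alias the per-user instances listen on
BASE_PORT=10000             # first back-end port; each further user gets the next one

# backend_conf USER DOMAIN PORT -> Apache 1.3 style config for one user's instance
backend_conf() {
    cat <<EOF
ServerType standalone
LockFile /var/lock/apache/accept.$1.lock
PidFile /var/run/apache.$1.pid
ServerName necessaryevil.$1.tld
DocumentRoot "/home/$1/web"
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
User $1
Group $1
UseCanonicalName Off
Listen $BACKEND_IP:$3
NameVirtualHost $BACKEND_IP:$3
<VirtualHost $BACKEND_IP:$3>
    ServerName www.$2
    ServerAlias $2
    DocumentRoot "/home/$1/web/www.$2"
</VirtualHost>
EOF
}

# facade_vhost DOMAIN PORT -> the name-based vhost that forwards one domain
facade_vhost() {
    cat <<EOF
<VirtualHost $FACADE_IP:80>
    ServerName www.$1
    ServerAlias $1
    ProxyPass / http://$BACKEND_IP:$2/
    ProxyPassReverse / http://$BACKEND_IP:$2/
    ProxyPassReverse / http://www.$1:$2/
    ProxyPassReverse / http://$1:$2/
</VirtualHost>
EOF
}

# facade_conf USER:DOMAIN ... -> complete Apache 2 facade config; user N gets BASE_PORT+N
facade_conf() {
    cat <<EOF
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
User www-data
Group www-data
UseCanonicalName Off
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
Listen $FACADE_IP:80
NameVirtualHost $FACADE_IP:80
EOF
    port=$BASE_PORT
    for entry in "$@"; do
        facade_vhost "${entry#*:}" "$port"
        port=$((port + 1))
    done
}

# backend_listens_only_loopback < CONFIG -> 0 if every Listen line binds $BACKEND_IP
backend_listens_only_loopback() {
    ! grep -i '^[[:space:]]*Listen[[:space:]]' | grep -vi "Listen[[:space:]]*$BACKEND_IP:" | grep -q .
}

# Demonstration with the article's two users
facade_conf startup:startup.tld nimrod:reckless.tld
backend_conf startup startup.tld 10000 | backend_listens_only_loopback && echo "startup back-end binds loopback only"
```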

Friday, January 20, 2012

Building a Snort intrusion detection system on Linux

5. Install Snort

    tar zxvf snort-(version number)
    cd into the extracted directory
    ./configure --with-mysql=/usr/local/mysql
    make
    make install

6. Install the Snort rules

    tar zxvf snortrules-(version number)    # creates the etc, doc, rules and so_rules directories
    mkdir /etc/snort
    mkdir /etc/snort/rules
    mkdir /var/log/snort
    cp etc/* /etc/snort
    cp -R rules/* /etc/snort/rules
    vi /etc/snort/snort.conf
        line 46 should read:  var HOME_NET XXX.XXX.XXX.0/24
        line 111 should read: var RULE_PATH /etc/snort/rules
        line 764 should read: output database: log, mysql, user=root password=XXXX (as above) dbname=snort host=localhost
        lines 863-874: remove the leading #

7. Create the Snort database

    /usr/local/mysql/bin/mysql -uroot -p
    mysql> create database snort;
    mysql> grant INSERT,SELECT on root.* to snort@localhost;
    mysql> use snort;
    mysql> show tables;
    mysql> exit

8. Install ADOdb

    tar zxvf adodb-(version number)
    cp -R adodb /usr/local/apache/htdocs

9. Install JpGraph

    tar zxvf jpgraph-(version number), then move the extracted directory to /usr/local/apache/htdocs and rename it jpgraph

10. Install ACID

    tar zxvf acid-(version number), then move the extracted directory to /usr/local/apache/htdocs and rename it acid
    vi /usr/local/apache/htdocs/acid/acid_conf.php
        $DBlib_path = "/usr/local/apache/htdocs/adodb";
        $alert_dbname = "snort";
        $alert_host = "localhost";
        $alert_port = "";
        $alert_user = "root";
        $alert_password = "xxxxx";     (as above)
        $archive_dbname = "snort";
        $archive_host = "localhost";
        $archive_port = "";
        $archive_user = "root";
        $archive_password = "xxxxx";   (as above)
        $ChartLib_path = "/usr/local/apache/htdocs/jpgraph/src";
        $chart_file_format = "png";

11. Test http://xxx.xxx.xxx.xxx/acid

Note: install the compiler tools before beginning the installation.

Thursday, January 19, 2012

Using a LiveCD to restore compromised systems

Mayank's previous article, "Using a Linux LiveCD to assess system security", describes the LiveCD and some of the tools that can help you evaluate the security of your computer system.

But what if the system is facing security threats and is being used for illegal or unauthorised activities? One option is to ask a computer security expert for help. Or you can download the tools the experts use and learn how to use them, becoming an integrity-protection and data-recovery expert yourself. You don't have to worry about installing the tools at all: this is a LiveCD!

About LiveCDs. A LiveCD is a bootable operating system (with other software) stored on a CD-ROM; the CD-ROM runs the OS without a lengthy installation process. Most LiveCDs are based on the Linux kernel (but there are also LiveCDs for other operating systems). A LiveCD works by placing files on a RAM disk (which reduces the RAM available to applications, so performance may degrade). Once you remove the LiveCD and restart, the system is back as it was. Some LiveCDs also provide an installation tool that lets you install to the system hard disk or a USB disk; most LiveCDs can access internal or external hard drives, floppy disks or flash memory. Syslinux is used to boot Linux-based LiveCDs as well as Linux floppy disks. For PCs, bootable CDs usually comply with the El Torito specification, in which a (possibly hidden) file on the disc serves as a floppy disk image. Many LiveCDs use a compressed file system image, normally with the cloop compressed loopback driver, effectively doubling the usable storage capacity. There are many emulators with which you can try out a LiveCD without burning it to CD or booting the computer from it. The i386 emulator with the widest support is VMware. Other emulators are Qemu, Bochs and PearPC; they can emulate the x86 or PowerPC platform, or both, and because of the emulation method used they are faster than some commercial emulators. Another commercial emulator is VirtualPC.

Investigating computer intrusions. Breaking into computers and computer networks and using them as cover for serious illegal activities is very common behaviour; even the skills needed for such conduct are common among many people. The ability to detect and capture the intruder, however, is not as common. The great (though fictional) detective Sherlock Holmes once said: "It is a capital mistake to theorise before you have all the evidence. It biases the judgment." Collecting evidence from a system that has faced security threats is the job of the computer "forensics" expert (the Sherlock Holmes of the digital era). They use specialised tools to gather, study and analyse information about the system. Not surprisingly, the best tools for this kind of work are open source tools. The Coroner's Toolkit (TCT), Sleuth Kit, Autopsy Forensic Browser and FLAG (Forensics Log Analysis GUI) are very popular tools, liked not only by security experts but also by many lecturers of computer security courses.

Helix and other specialised LiveCDs. Like many specialised LiveCDs, Helix was produced on demand. Andrew Fahey is a security expert working with e-fense Inc.; he took Knoppix as a basis and added many tools used in daily work. "Helix users are very participative. Helix users around the world keep providing feedback. Because people use Helix in different environments, making sure that all components work in all cases is an ongoing, time-consuming task. So I rely on user feedback to improve and fix Helix and to find faults. I would also like to rely on users to complete the language translations," Andrew said. Helix has a Windows terminal interface that allows imaging a live Windows system. This interface has been translated into German and will soon have a Portuguese version. In addition, many incident-response tools were originally designed with this idea in mind.

Many organisations and educational institutions have begun to use Helix, including the National White Collar Crime Center (NW3C), the System Administrator Network Security Institute (SANS) and the National Consortium for Justice Information and Statistics. Helix is not installed on the hard disk, but future versions may have this feature. "I want to have a hardware abstraction layer for hardware recognition similar to the one Fedora uses. Only recently have we added the union-fs module, which is what we needed to overcome a major obstacle," Andrew said. Although most of the tools in Helix were chosen by Andrew himself, some were recommended by the community. The biggest problem Andrew faces is that some tools require a license. The next version will offer some updated tools, the new Adepto program, Retriever, programs Andrew has been using, and will provide Sleuth Kit and PyFLAG.

Plan-B. Plan-B, developed by Jeremy McDaniel, is a forensics LiveCD inspired by Peter Anvin's SuperRescue CD. It is based on Red Hat 9, runs the Blackbox window manager and uses the zisofs file system to compress about 1.4 GB of data onto a CD. It carries forensic analysis tools such as Autopsy, The Sleuth Kit and BCWipe, and many other everyday tools such as e-mail clients, browsers, chat clients and text editors. According to the project's Web site, the biggest change (in the next version) is that most, if not all, of the current software is updated; a 2.6 Fedora kernel will be added, the master database will roll back to MySQL, and a new application server will be added. Plans to create an eServer-based Security/Auditing/Planning Module are already under way; it will ultimately be published as a standalone application. Plan-B will be used only as a mobile testing solution. This tool will be used for team-based audits and will be able to create penetration-test report interfaces.

Closing. Imagine acquiring the skills of an experienced computer forensics expert directly from a bootable Linux CD. This is not a dream: the LiveCDs described in this article make the dream a reality. I wish you well on your detective road! Original link: http://www-128.ibm.com/developerworks/cn/linux/l-livecddiag/

Wednesday, January 18, 2012

Linux iptables firewall: a simple setup method

The firewall is made of three files: iptables.rule is the main rule script, iptables.allow lists the hosts that are allowed in, and iptables.deny lists the hosts that are denied; iptables.rule loads the other two. The iptables.rule script:

    #!/bin/bash
    # This is an easy firewall.
    # 1.0 the external interface
    EXTIF="eth0"
    # the inside interface. if you don't have this one
    # and you must let this be blank ex> INIF=""
    INIF="eth0"
    INNET="192.168.160.0/20"
    # 2.0 load the right module
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    export PATH EXTIF INIF INNET
    modprobe ip_tables        >/dev/null 2>&1
    modprobe iptable_nat      >/dev/null 2>&1
    modprobe ip_nat_ftp       >/dev/null 2>&1
    modprobe ip_nat_irc       >/dev/null 2>&1
    modprobe ip_conntrack     >/dev/null 2>&1
    modprobe ip_conntrack_ftp >/dev/null 2>&1
    modprobe ip_conntrack_irc >/dev/null 2>&1
    # 3.0 clear iptables rules
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -F -t nat
    /sbin/iptables -X -t nat
    /sbin/iptables -Z -t nat
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P OUTPUT ACCEPT
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    # 4.0 start loading the trusted and denied files
    if [ -f /usr/local/virus/iptables/iptables.allow ]; then
        sh /usr/local/virus/iptables/iptables.allow
    fi
    if [ -f /usr/local/virus/iptables/iptables.deny ]; then
        sh /usr/local/virus/iptables/iptables.deny
    fi
    # 5.0 if the following file exists, execute it
    if [ -f /usr/local/virus/httpd-err/iptables.http ]; then
        sh /usr/local/virus/httpd-err/iptables.http
    fi
    # 6.0 allow icmp packets and established connections
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    AICMP="0 3 3/4 4 11 12 14 16 18"
    for tyicmp in $AICMP
    do
        /sbin/iptables -A INPUT -i $EXTIF -p icmp --icmp-type $tyicmp -j ACCEPT
    done

Tuesday, January 17, 2012

Linux IPtables firewall system that is simple to set method

# 7.0opentheotherserviceports/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport25-jACCEPT # SMTP/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport53-jACCEPT # DNS/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport80-jACCEPT # WWW/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport110-jACCEPT # POP3/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport113-jACCEPT # AUT/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport22222-jACCEPT # SS/sbin/iptables-AINPUT-pUDP-i $ EXTIF = "eth0" — dport138-jACCEPT # 138/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport139-jACCEPT # 139/sbin/iptables-AINPUT-pUDP-i $ EXTIF = "eth0" — dport137-jACCEPT # 137/sbin/iptables-AINPUT-pTCP-i $ EXTIF = "eth0" — dport445-jACCEPT # 445 iptables.allow code #!/bin/bas # thisprogramisusedtoallowsomeIPorhoststoaccessyourserver/sbin/iptables-AINPUT-i $ EXTIF = "eth0"-s192.168.161.242-jACCEPT/sbin/iptables-AINPUT-i $ EXTIF = "eth0"-s192.168.160.178-jACCEPT/sbin/iptables-AINPUT-i $ EXTIF = "eth0"-s192.168.160.218-jACCEPT iptables.deny code #!/bin/bas # ThisscriptwilldenysomeIPsthatIdon'twantinIN/sbin/iptables-AINPUT-i $ EXTIF = "eth0"-s192.168.160.242-jDROP above three files are placed in the directory, most/usr/local/virus/iptables in modifying this file/etc/rc.d/rc.local into the following code.

#!/bin/s   #  #Thisscriptwillbeexecuted*after*alltheotherinitscripts. #Youcanputyourowninitializationstuffinhereifyoudon't  #wanttodothefullSysVstyleinitstuf. Touch/var/lock/subsys/local # Startingfirewallsettings/usr/local/virus/iptables/iptables.rule above is a simple setting under linux firewall.
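As an added example (not part of the original post), here is the same policy expressed in iptables-save format, so that the whole ruleset can be checked and then loaded in one step with iptables-restore instead of being appended rule by rule while the host is half-configured. It keeps the post's interface, trusted and denied hosts and service ports, and adds two things the script above lacks: a rule accepting traffic on lo (with the INPUT policy set to DROP, anything local that talks to 127.0.0.1 otherwise fails) and UDP port 53 alongside TCP 53. The file name gen_rules.sh and the use of -m state --state NEW on the port rules are my assumptions.

```sh
#!/bin/sh
# Added example: emit a default-deny INPUT policy in iptables-save format.
# Interface, hosts and ports follow the post; lo, UDP 53 and "--state NEW"
# are additions.  Override any of the variables from the environment.
EXTIF="${EXTIF:-eth0}"
TCP_PORTS="${TCP_PORTS:-25 53 80 110 113 22222 139 445}"
UDP_PORTS="${UDP_PORTS:-53 137 138}"
ALLOW_HOSTS="${ALLOW_HOSTS:-192.168.161.242 192.168.160.178 192.168.160.218}"
DENY_HOSTS="${DENY_HOSTS:-192.168.160.242}"

# Print the filter table in iptables-save syntax.  Within INPUT the order is:
# denied hosts first (so a later allow rule can never rescue them), loopback,
# established/related traffic, trusted hosts, then the service ports.
# Everything else falls through to the DROP policy.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    for h in $DENY_HOSTS; do
        echo "-A INPUT -i $EXTIF -s $h -j DROP"
    done
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for h in $ALLOW_HOSTS; do
        echo "-A INPUT -i $EXTIF -s $h -j ACCEPT"
    done
    # Only NEW connections need explicit port rules; replies are covered above.
    for p in $TCP_PORTS; do
        echo "-A INPUT -i $EXTIF -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "-A INPUT -i $EXTIF -p udp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Line number (1-based) of the first generated line matching PATTERN, 0 if none.
# Handy for asserting rule order before the file is handed to iptables-restore.
rule_position() {
    pos=$(gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# Usage (as root):
#   sh gen_rules.sh > /etc/iptables.up.rule
#   iptables-restore --test < /etc/iptables.up.rule && iptables-restore < /etc/iptables.up.rule
gen_ruleset
```

Loading the file with iptables-restore replaces the whole filter table atomically, so there is no window in which only some of the rules are in place; iptables-restore --test parses the file without committing it, which catches a typo in the port list before it reaches the kernel.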

Monday, January 16, 2012

Using the Linux iptables firewall

Linux's built-in firewall is implemented by the kernel's netfilter modules (www.netfilter.org).

The Linux kernel filters packets with netfilter. netfilter has three rule tables, and each table contains several built-in chains. The iptables command is used to add, delete and list the rules in those chains.

1. Netfilter rule tables

filter: the table used for packet filtering. It is the default, so if you do not give the -t option when creating a rule, the rule goes into this table. Its chains:
  INPUT    packets addressed to the server itself
  OUTPUT   packets originating from the server
  FORWARD  packets the server routes from one network to another

nat: network address translation (NAT) rewrites IP addresses. Its chains:
  PREROUTING   packets that have just arrived, before routing (the destination can be changed here)
  OUTPUT       locally generated packets (the destination can be changed here)
  POSTROUTING  packets about to leave the server, after routing (the source can be changed here)

mangle: used to modify fields in the packet header such as TOS (Type of Service) and TTL (Time to Live). It has all five chains: INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

2. Configuring iptables

When a packet enters the server, the kernel walks the rules of the relevant chain in order until one matches. If the matching rule's target is ACCEPT, the remaining rules are skipped and the packet continues on its way. If the target is DROP, the packet is discarded and no further rules are consulted. Note: if the packet reaches the end of the chain without matching any rule, the chain's default policy decides, and the policy of the filter chains is ACCEPT unless you change it, so a chain without a final drop-all rule lets unmatched packets through. Cisco access lists behave the other way round: an implicit deny-all ends every list.
1) iptables command options

iptables [-t table] command [match options] [-j target]

  -A  append a rule to the end of a chain
  -C  check whether a rule exists in a chain
  -D  delete a rule from a chain
  -E  rename a user-defined chain; the rules in it are unchanged
  -F  flush a chain, deleting all of its rules
  -I  insert a rule into a chain (at the top unless a position is given)
  -L  list the rules of a chain, e.g. iptables -L INPUT lists the INPUT chain
  -N  create a new user-defined chain
  -P  set the default policy of a built-in chain
  -R  replace a rule in a chain
  -X  delete a user-defined chain
  -Z  zero the packet and byte counters of all chains in a table

2) iptables match options

-p, --protocol: the protocol the rule applies to, one of tcp, udp, icmp or all; prefix it with ! to negate it. With -p tcp further options become available: --sport matches the source port and --dport the destination port, and port1:port2 means port1, port2 and every port in between. With -p udp the same --sport and --dport options apply, except that they match UDP packets. With -p icmp a single extra option is available, --icmp-type, which restricts the rule to the given ICMP type.

-s, --source: the source address of the packet, given as an IP address, a network address with a netmask, or a host name (host names are not recommended; they are resolved once, when the rule is loaded). -d, --destination: the destination address, with the same syntax as -s.

-j, --jump: the target, i.e. what to do with a packet that matches the rule; built-in targets are ACCEPT, DROP, QUEUE and RETURN. A rule without -j takes no action other than incrementing its counters.

-i, --in-interface: the interface the packet arrived on; valid in the INPUT, FORWARD and PREROUTING chains. -o, --out-interface: the interface the packet will leave through; valid in the OUTPUT, FORWARD and POSTROUTING chains.
3) Targets

The final step in creating an iptables rule is specifying what iptables should do with a matching packet. Once a rule matches, no further rules in the chain are evaluated for that packet. The built-in targets are ACCEPT, DROP, QUEUE and RETURN. ACCEPT lets the packet pass on toward its destination. DROP discards the packet silently. QUEUE hands the packet to a userspace program for processing. RETURN stops traversal of the current chain: in a user-defined chain the packet continues with the rule after the one that jumped to it, and in a built-in chain the chain's default policy is applied.

Wednesday, January 11, 2012

Using the Linux iptables firewall (continued)

2. Example rules

Allow WWW:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This appends to the INPUT chain of the filter table a rule that allows TCP packets whose destination port is 80.

Allow DHCP on the internal interface:

iptables -A INPUT -i eth0 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT

Together the two rules allow the DHCP client-to-server traffic over both TCP and UDP.

3. Saving and restoring iptables rules

iptables-save writes the rules currently loaded in the kernel to standard output; redirect it to a file to keep them:

# iptables-save > /etc/iptables.up.rule

iptables-restore loads a file in that format back into the kernel, replacing the current tables:

# iptables-restore < /etc/iptables.up.rule

The same command restores the rules after the eth0 interface has been taken down and brought up again. You can also edit /etc/iptables.up.rule directly to change the rules. Its format looks like this:

# Generated by iptables-save v1.3.3 on Tue Jul 31 14:18:44 2007
*filter
:INPUT ACCEPT [73:8213]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:825]
-A INPUT -i lo -p icmp -j DROP
-A INPUT -i eth0 -p icmp -j DROP
COMMIT
# Completed on Tue Jul 31 14:18:44 2007

Each table begins with a *table line, followed by one :CHAIN POLICY [packets:bytes] line per chain, then the rules, and ends with COMMIT; keep that layout exactly when you edit the file by hand.

Summary

The order of the rules in each chain matters: if the first rule is an accept-all, every packet is allowed through the firewall, so arrange the rules with care. The general rule is to deny everything and allow only the minimum that is needed.
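To make the two points above concrete (first match wins and the default policy catches whatever no rule matched; an accept-all placed early makes everything after it dead), here is an added example, not from the original posts, that audits a dump in the iptables-save format shown above. It reports filter chains whose policy is ACCEPT without a final deny-all rule, and rules that match every packet while later rules still follow them. The dump embedded below is constructed for the example; on a live host the same function reads the output of iptables-save.

```sh
#!/bin/sh
# Added example: audit an iptables-save dump for accept-all policies and
# unreachable rules.  SAMPLE_DUMP is constructed; it deliberately contains
# an early "-A INPUT -j ACCEPT" and leaves every filter chain on policy ACCEPT.
SAMPLE_DUMP='# Generated by iptables-save v1.3.3 on Tue Jul 31 14:18:44 2007
*filter
:INPUT ACCEPT [73:8213]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:825]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
COMMIT
# Completed on Tue Jul 31 14:18:44 2007'

# Read a dump on stdin, print one finding per line, return 1 if anything was
# found and 0 if the filter table looks like a default-deny configuration.
audit_dump() {
    awk '
    /^\*/ { table = substr($0, 2); next }              # *filter, *nat, ...
    /^:/ && table == "filter" {                         # :CHAIN POLICY [pkts:bytes]
        chain = substr($1, 2); policy[chain] = $2; n[chain] = 0; next
    }
    /^-A / && table == "filter" {
        chain = $2; n[chain]++
        # A rule is unconditional when the only option after the chain name
        # is -j (plus the argument of a REJECT --reject-with).
        crit = 0; tgt = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") tgt = $(i + 1)
            else if ($i ~ /^-/ && $i != "--reject-with") crit = 1
        }
        if (!crit && tgt != "") uncond[chain, n[chain]] = tgt
        next
    }
    END {
        findings = 0
        for (c in policy) {
            for (k = 1; k <= n[c]; k++) {
                if (!((c, k) in uncond)) continue
                t = uncond[c, k]
                if (k == n[c] && (t == "DROP" || t == "REJECT")) continue  # final deny-all: intended
                printf "%s: rule %d (-j %s) matches every packet; %d later rule(s) unreachable\n", c, k, t, n[c] - k
                findings++
            }
            last = n[c]
            denyall = ((c, last) in uncond) && (uncond[c, last] == "DROP" || uncond[c, last] == "REJECT")
            if (policy[c] == "ACCEPT" && !denyall) {
                printf "%s: default policy ACCEPT and no final deny-all rule; unmatched packets are accepted\n", c
                findings++
            }
        }
        exit (findings > 0)
    }'
}

# Run the audit on the constructed dump.  On a live host (as root):
#   iptables-save | sh audit_rules.sh   with the last line changed to "audit_dump"
if printf '%s\n' "$SAMPLE_DUMP" | audit_dump; then
    echo "OK: default-deny filter table"
else
    echo "REVIEW: see findings above"
fi
```

An OUTPUT chain left on policy ACCEPT, as in the iptables.rule script, is reported too; that is a deliberate choice there, and the report simply makes it explicit so the operator confirms it rather than inherits it.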

Tuesday, January 10, 2012

In-depth security hardening of a Linux system (2)

4. File system permissions

Find every program on the system with the s (setuid/setgid) bit set and remove the bit from those that do not need it, or delete them outright; this removes one way for users to abuse such programs and escalate their privileges. (The commands listed at this point are missing from the original.)

Give important files the immutable attribute. Whether this is worth doing depends on your needs: some overflow exploits append a line to inetd.conf that binds a shell to a listening port, and that is when the immutable attribute earns its keep, because a less experienced intruder will conclude that the overflow simply failed.

Find the files on the system that have no owner. Find every file and directory that is world-writable, so that an intruder cannot write a Trojan (a copied shell, for instance) into them or inherit the owner's permissions for illegal access. Find and harden the files intruders have always been able to exploit, such as .rhosts. Never give FTP upload directories execute permission, and a web hosting setup that allows CGI to run needs additional security configuration. Edit /etc/security/limits.conf and add or change the lines that set the resource limits (the lines themselves are missing from the original).

5. Banner camouflage

Intruders usually choose their attacks by operating system, service and application version, and leaked vulnerability lists and the range of an attack are sorted the same way, so it pays to hide this information and raise the cost of an intrusion. Change /etc/issue; because it is regenerated at every reboot, make the change in /etc/rc.d/rc.local rather than in the file itself. In Apache's configuration file, locate the ServerTokens and ServerSignature directives and change both from their defaults to the settings that reveal no version information. Modify uname as well: search the source code, locate uname.c and change the strings it reports. Other services and programs can be altered in the same way through their configuration files or source, but do not change too much, or you will make day-to-day administration of the system a serious headache. Can you now sit back and relax?
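The checks from sections 4 and 5 as runnable functions, added here and not part of the original article: audit_tree lists setuid/setgid programs, world-writable files and directories, and files without an owner under a directory tree, and check_apache_banner verifies that an httpd.conf sets ServerTokens Prod and ServerSignature Off. The article names those two directives but not the values; Prod and Off are my choice, the most restrictive settings Apache offers. The demo tree and file names are constructed for the example; run audit_tree / as root for a real scan.

```sh
#!/bin/sh
# Added example: file-system and Apache banner checks from the hardening list.
# The demo tree built by make_demo_tree is constructed data.

# Report files in TREE with the setuid or setgid bit, world-writable files and
# directories (directories with the sticky bit, like /tmp, are expected and
# skipped), and files whose owner or group no longer exists.  -xdev keeps the
# scan on one file system so /proc and network mounts are not walked.
audit_tree() {
    tree="$1"
    find "$tree" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's/^/SETUID_SETGID /'
    find "$tree" -xdev \( -type f -o \( -type d ! -perm -1000 \) \) -perm -002 -print 2>/dev/null \
        | sed 's/^/WORLD_WRITABLE /'
    find "$tree" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null \
        | sed 's/^/NO_OWNER /'
}

# Return 0 when CONF sets ServerTokens Prod and ServerSignature Off, otherwise
# print what is wrong and return 1.  Commented-out directives are ignored and
# the last occurrence wins, as in Apache itself; values are case-insensitive.
check_apache_banner() {
    conf="$1"; rc=0
    tokens=$(awk 'tolower($1) == "servertokens" { v = tolower($2) } END { print v }' "$conf")
    sig=$(awk 'tolower($1) == "serversignature" { v = tolower($2) } END { print v }' "$conf")
    if [ "$tokens" != "prod" ]; then
        echo "ServerTokens is '${tokens:-unset, default Full}', should be Prod"; rc=1
    fi
    if [ "$sig" != "off" ]; then
        echo "ServerSignature is '${sig:-unset}', should be Off"; rc=1
    fi
    return $rc
}

# Build a small tree containing one of each problem (constructed demo data).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/tmp" "$d/var/www/upload" "$d/home/user"
    : > "$d/usr/bin/su";        chmod 4755 "$d/usr/bin/su"          # setuid binary
    : > "$d/usr/bin/ls";        chmod 0755 "$d/usr/bin/ls"          # ordinary binary
    : > "$d/home/user/.rhosts"; chmod 0666 "$d/home/user/.rhosts"   # world-writable file
    chmod 0777 "$d/var/www/upload"    # world-writable upload directory, no sticky bit
    chmod 1777 "$d/tmp"               # world-writable but sticky: not reported
    echo "$d"
}

demo=$(make_demo_tree)
audit_tree "$demo"
rm -rf "$demo"
```

For the immutable attribute from section 4, chattr +i /etc/inetd.conf sets it and lsattr /etc/inetd.conf shows it; even root has to run chattr -i before the file can be modified again, which is exactly what defeats an exploit that expects to append to it.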