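How to Use Linux for Security Vulnerability Scanning and Remediation
In today's digital age, network security threats are growing more serious, and security vulnerabilities have become a major factor limiting the stability and reliability of networked systems. As one of the core operating systems behind those systems, Linux has always drawn close attention where security is concerned. This article describes how to use Linux for security vulnerability scanning and remediation, to help users improve the security of their systems.
I. Security vulnerability scanning
Using OpenVAS for vulnerability scanning
OpenVAS is an open-source vulnerability scanner that provides a comprehensive vulnerability scanning and remediation solution. On Linux, it can be installed and configured with the following steps:
1) Run the following command in a terminal to install OpenVAS: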
sudo apt-get install openvas
2) After installation, run the following command to initialize OpenVAS:
sudo openvas-setup
3) After initialization, run the following command to start the OpenVAS service:
sudo openvas-start
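4) Once the service is running, open the following address in a browser: https://localhost:9392, and log in to the OpenVAS management interface with the default username and password.
5) In the OpenVAS management interface you can configure scan targets and scan policies, then run the scan task. The scan results show the security vulnerabilities present on the system.
Using Nmap for vulnerability scanning
Nmap is a well-known open-source network scanning tool. It offers a rich set of scanning features and can be used to identify security vulnerabilities present on a network. On Linux, it can be installed and used with the following commands:
1) Run the following command in a terminal to install Nmap: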
sudo apt-get install nmap
2) After installation, run the following command to perform a vulnerability scan:
sudo nmap -p 1-65535 -T4 -A -v <target>
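Here, <target> is the IP address or domain name of the target host.
3) Nmap performs a port scan and service detection against the target host; use the scan results to judge whether security vulnerabilities are present.
II. Security vulnerability remediation
Apply system patches promptly
System vendors regularly release patches that fix vulnerabilities that have already been discovered. On Linux, system patches can be applied with the following commands:
sudo apt-get update
sudo apt-get upgrade
Configure the firewall
Linux ships with a powerful firewall tool, iptables. Configuring iptables rules prevents unauthorized access.
1) View the current iptables rules: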
sudo iptables -L
2) Configure iptables rules:
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -i eth0 -j DROP
The rules above are for reference only and can be adjusted to suit actual requirements.
Disable unnecessary services
Disabling services the system does not need reduces its attack surface. The following command lists the services that are enabled on the system:
sudo systemctl list-unit-files --type=service | grep enabled
Then use the following command to disable any service that is not needed:
sudo systemctl disable <service>
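Here, <service> is the name of the service.
Strengthen the password policy
A strong password policy effectively prevents passwords from being guessed or brute-forced. The password policy can be modified with the following command: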
sudo nano /etc/pam.d/common-password
Find the following lines and modify them:
password requisite pam_pwquality.so retry=3
password sufficient pam_unix.so obscure sha512
Set the value of retry to 3, and change the obscure on the pam_unix.so line to minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1.
Log monitoring and auditing
Regularly monitoring and auditing system logs is an important way to discover and respond to security vulnerabilities. The system log can be viewed with the following command:
sudo tail -f /var/log/syslog
rsyslogd can be configured to keep system logs in long-term storage and back them up regularly.
Summary:
This article described how to use Linux for security vulnerability scanning and remediation. Scanning with tools such as OpenVAS and Nmap, applying system patches promptly, configuring firewall rules, disabling unnecessary services, strengthening the password policy, and monitoring and auditing system logs all improve system security and reduce the risk that vulnerabilities pose. Security work never ends, however: users should scan and remediate regularly to keep the system in a healthy state.