臨到下班,突然冒出來一個任務,說是甲方驗收需要提供主機安全測試報告,我滴娘呀,這東西從來都沒有做過呀,唉,苦逼的乙方呀。就像《辣手神探》中梁朝偉跟發哥說的臺詞一樣:“槍在你手上,你就是要我抓頭牛過來擠奶給你喝我也得照做啊。”真還不如去抓頭奶牛呢。得,牢騷發完了,想法子吧。
最初搜到一個方法:OpenVAS。看看介紹:OpenVAS是開放式漏洞評估系統,也可以說它是一個包含着相關工具的網絡掃描器。其核心部件是一個服務器,包括一套網絡漏洞測試程序,可以檢測遠程系統和應用程序中的安全問題
用戶需要一種自動測試的方法,並確保正在運行一種最恰當的最新測試。OpenVAS包括一箇中央服務器和一個圖形化的前端。這個服務器准許用戶運行幾種不同的網絡漏洞測試(以Nessus攻擊腳本語言編寫),而且OpenVAS可以經常對其進行更新。OpenVAS所有的代碼都符合GPL規範。
下載:http://www.openvas.org/install-packages.html#openvas_windows_gb
再仔細看看,需要客戶端和服務器端,最省事的方案是先裝一個backtrack5,然後apt-get install一個openvas,然後再去做那堆配置,但是現在沒硬件沒backtrack5,配置看起來也很折騰人,搞完都不知道啥時候了。兩天後就要出報告,這個方法不行,光是走流程申請硬件就不知道什麼時候能夠到位。
立刻搜索其他方法,找到了一個簡易的法子。
看簡介:
Project information
Rootkit scanner is scanning tool to ensureyou for about 99.9%* you're clean of nasty tools. This tool scans for rootkits,backdoors and local exploits by running tests like:
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLDmodules
- Look for hidden files
- Optional scan within plaintext and binaryfiles
Rootkit Hunter is released as GPL licensedproject and free for everyone to use.
* No, not really 99.9%.. It's just anothersecurity layer
解釋:簡單的說就是安全掃描的,做系統中重要文件的MD5值比對、檢查rootkit經常攻擊的檔案、檢查可執行文件的權限是否正常、檢查隱藏檔案、檢查可疑的核心模組(LKM/KLD)、作業系統的特殊檢測、檢查已啓動的監聽埠號和特定分析等等功能。
System requirements:
- Compatible operating system (see'Supported operating systems')
- Bourne Again Shell (BASH)
Supported operating systems
Supported:
- Most Linux distributions
- Most *BSD distributions
Currently unsupported:
- NetBSD
Tested on:
- AIX 4.1.5 / 4.3.3
- ALT Linux
- Aurora Linux
- CentOS 3.1 / 4.0
- Conectiva Linux 6.0
- Debian 3.x
- FreeBSD 4.3 / 4.4 / 4.7 / 4.8 / 4.9 /4.10
- FreeBSD 5.0 / 5.1 / 5.2 / 5.2.1 / 5.3
- Fedora Core 1 / Core 2 / Core 3
- Gentoo 1.4, 2004.0, 2004.1
- Macintosh OS 10.3.4-10.3.8
- Mandrake 8.1 / 8.2 / 9.0-9.2 / 10.0 /10.1
- OpenBSD 3.4 / 3.5
- Red Hat Linux 7.0-7.3 / 8 / 9
- Red Hat Enterprise Linux 2.1 / 3.0
- Slackware 9.0 / 9.1 / 10.0 / 10.1
- SME 6.0
- Solaris (SunOS)
- SuSE 7.3 / 8.0-8.2 / 9.0-9.2
- Ubuntu
- Yellow Dog Linux 3.0 / 3.01
Confirmed to work also on:
- CLFS
- DaNix (Debian clone)
- PCLinuxOS
- VectorLinux SOHO 3.2 / 4.0
- CPUBuilders Linux
- Virtuozzo (VPS)
看看系統需求,還好我這次是測試的ubuntu系統的主機,bash?當然有啦。嘿嘿,那看來可以開工了。
rkhunter 下載點:
http://download.csdn.net/detail/testingba/5102767
安裝和使用示例:
安裝步驟: mkdir hostscan cd /home/myname/hostscan sudo tar -zxvf rkhunter-1.4.0.tar.gz cd rkhunter-1.4.0 #看看/usr/local是否存在,通常都有的 ls -l /usr/local sudo ./installer.sh --layout /usr/local –install
使用方法示例: sudo /usr/local/bin/rkhunter --check --logfile /home/myname/hostscan/rkhunter-1.4.0/logfile.txt |
參考信息:
安裝參考: Usage: ./installer.sh <parameters>
Ordered valid parameters: --help (-h) : Show this help. --examples : Show layout examples. --layout <value> : Choose installation template. The templates are: - default: (FHS compliant; the default) - /usr - /usr/local - oldschool: old version file locations - custom: supply your own installation directory - RPM: for building RPM's. Requires $RPM_BUILD_ROOT. - DEB: for building DEB's. Requires $DEB_BUILD_ROOT. - TGZ: for building Slackware TGZ's. Requires $TGZ_BUILD_ROOT. - TXZ: for building Slackware TXZ's. Requires $TXZ_BUILD_ROOT. --striproot : Strip path from custom layout (for package maintainers). --install : Install according to chosen layout. --overwrite : Overwrite the existing configuration file. (Default is to create a separate configuration file.) --show : Show chosen layout. --remove : Uninstall according to chosen layout. --version : Show the installer version. |
安裝和卸載的示例: sudo ./installer.sh --examples Rootkit Hunter installer
Examples: 1. Show layout, files in /usr: installer.sh --layout /usr --show
2. Install in /usr/local: installer.sh --layout /usr/local --install
3. Install in chosen (custom) directory /opt: installer.sh --layout custom /opt --install
4. Install in temporary directory /tmp/rkhunter/usr/local, with files in /usr/local (for package maintainers): mkdir -p /tmp/rkhunter/usr/local installer.sh --layout custom /tmp/rkhunter/usr/local \ --striproot /tmp/rkhunter --install
5. Remove files, layout /usr/local: installer.sh --layout /usr/local –remove
|
掃描工具參考:
Usage: rkhunter {--check | --unlock | --update | --versioncheck | --propupd [{filename | directory | package name},...] | --list [{tests | {lang | languages} | rootkits | perl | propfiles}] | --config-check | --version | --help} [options]
Current options are: --append-log Append to the logfile, do not overwrite --bindir <directory>... Use the specified command directories -c, --check Check the local system -C, --config-check Check the configuration file(s), then exit --cs2, --color-set2 Use the second color set for output --configfile <file> Use the specified configuration file --cronjob Run as a cron job (implies -c, --sk and --nocolors options) --dbdir <directory> Use the specified database directory --debug Debug mode (Do not use unless asked to do so) --disable <test>[,<test>...] Disable specific tests (Default is to disable no tests) --display-logfile Display the logfile at the end --enable <test>[,<test>...] Enable specific tests (Default is to enable all tests) --hash {MD5 | SHA1 | SHA224 | SHA256 | SHA384 | SHA512 | NONE | <command>} Use the specified file hash function (Default is SHA1, then MD5) -h, --help Display this help menu, then exit --lang, --language <language> Specify the language to use (Default is English) --list [tests | languages | List the available test names, languages, rootkits | perl | rootkit names, perl module status propfiles] or file properties database, then exit -l, --logfile [file] Write to a logfile (Default is /var/log/rkhunter.log) --noappend-log Do not append to the logfile, overwrite it --nocf Do not use the configuration file entries for disabled tests (only valid with --disable) --nocolors Use black and white output --nolog Do not write to a logfile --nomow, --no-mail-on-warning Do not send a message if warnings occur --ns, --nosummary Do not show the summary of check results --novl, --no-verbose-logging No verbose logging --pkgmgr {RPM | DPKG | BSD | Use the specified package manager to obtain or SOLARIS | NONE} verify file property values. (Default is NONE) --propupd [file | directory | Update the entire file properties database, package]... or just for the specified entries -q, --quiet Quiet mode (no output at all) --rwo, --report-warnings-only Show only warning messages --sk, --skip-keypress Don't wait for a keypress after each test --summary Show the summary of system check results (This is the default) --syslog [facility.priority] Log the check start and finish times to syslog (Default level is authpriv.notice) --tmpdir <directory> Use the specified temporary directory --unlock Unlock (remove) the lock file --update Check for updates to database files --vl, --verbose-logging Use verbose logging (on by default) -V, --version Display the version number, then exit --versioncheck Check for latest version of program -x, --autox Automatically detect if X is in use -X, --no-autox Do not automatically detect if X is in use |
非常簡單吧,至於那些警告,就慢慢翻資料吧。先對付過去再說,下次有空搭建一個openvas環境。
安全測試絕對是個吃力不討好的活,防守始終被動,而且說不定對方是個大牛,你就算學了兩年也未必扛得住。且不說要學習的東西特別多,就算你真做好了安全防禦,不出事的話領導就覺得你是不是整天在玩呢,你要真那麼強,領導說不定還怕你萬一不爽了黑公司呢,出了事你鐵定要背鍋。所以同學們,可以多學,但是一定要少show,一定要低調。這個領域最好找個專業公司來背鍋纔是王道,離遠點,安全第一。