8.3. Securing FreeBSD

The sections below cover methods of securing a FreeBSD system against the kinds of attack outlined in the last section.

8.3.1. Securing the root account and staff accounts

First off, do not bother securing staff accounts if you have not secured the root account. Most systems have a password assigned to the root account, and the first thing to do is to assume that this password is always compromised. This does not mean that you should remove the password: it is almost always needed for console access to the machine. What it does mean is that the password should not be usable away from the console, and possibly not even through su. For example, make sure that your pty's are marked insecure in /etc/ttys, so that direct root logins via telnet or rlogin are refused. If you run other login services, such as sshd, make sure that direct root logins are disabled there as well. Consider every access method; services such as FTP often fall through the cracks. Direct root logins should only be allowed on the system console.

Of course, as a sysadmin you have to be able to get to root, so a few holes have to be opened, but make sure those holes require an additional password check to operate. One way to make root reachable is to add the appropriate staff accounts to the wheel group (in /etc/group); members of wheel may use su to become root. Never give staff members native wheel access by putting gid 0 in their password entry. Staff accounts should belong to a staff group and be added to wheel through /etc/group, and only those staff members who actually need root access should be placed in wheel at all. It is also possible, when using an authentication method such as kerberos, to put a .k5login file in the root account so that ksu to root works without placing anyone in wheel. This may be the better solution: if an intruder has obtained the password file and has broken into a staff account, the wheel mechanism still lets them break root. Having the wheel mechanism is better than having nothing at all, but it is not the safest option.

The password entries for staff accounts and for root live in /etc/master.passwd; an account with no password set shows a * in the password field (see man vipw for the format). Edit the file with vipw, which rebuilds all of the related password databases for you.

A typical staff entry:

    foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh

can be changed to:

    foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh

An indirect way of securing the root account is to secure the staff accounts themselves, by using an alternative login method and *-ing out their encrypted passwords. An intruder may then steal the password file but will not be able to break into any staff account. Staff members log in through a secure mechanism based on a private/public key pair, such as kerberos or ssh. When using kerberos, you must secure the machines that run the kerberos servers and the staff workstations. When using ssh with a public/private key pair, you must secure the machine being logged in from, though you can add an extra layer of protection by passphrase-protecting the key pair when you create it with ssh-keygen. You can thus force every staff member to use encrypted connections for all their sessions, which closes an important hole used by many intruders: sniffing the network from an unrelated, less secure machine.
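As an added example (not code from the Handbook), the following POSIX sh script audits the root-access controls discussed above against copies of /etc/ttys, sshd_config, /etc/master.passwd and /etc/group. The four sample files it writes are constructed for the demonstration; the account names, the placeholder root hash and the paths are assumptions, not real data.

```shell
#!/bin/sh
# Added example, not Handbook code: audit the root-access controls above.
# The sample files below are constructed; point the functions at the real
# files on a FreeBSD host to audit that host.

# pty entries in ttys(5) still marked "secure": each one permits a direct
# root login over telnet/rlogin.
insecure_pty_check() {     # usage: insecure_pty_check /etc/ttys
    awk '$1 ~ /^tty[p-sP-S]/ && $4 == "secure" { print $1 }' "$1"
}

# Effective PermitRootLogin in sshd_config.  A missing directive is
# reported as "yes", the default in the OpenSSH releases of this era.
root_login_check() {       # usage: root_login_check /etc/ssh/sshd_config
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Accounts whose password field is not "*": still usable with a password
# (or, worse, with no password at all).  Candidates for *-ing out.
passworded_accounts() {    # usage: passworded_accounts /etc/master.passwd
    awk -F: '!/^#/ && $2 != "*" { print $1 ":" ($2 == "" ? "no-password" : "crypted") }' "$1"
}

# Non-root accounts with primary gid 0: "native" wheel access through the
# password entry, which should never be granted.
native_wheel_accounts() {  # usage: native_wheel_accounts /etc/master.passwd
    awk -F: '!/^#/ && $4 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of wheel via /etc/group: the people who may su to root.
wheel_members() {          # usage: wheel_members /etc/group
    awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

audit_root_access() {      # usage: audit_root_access DIR  (DIR holds the four files)
    echo "pty entries marked secure:"
    insecure_pty_check "$1/ttys"
    echo "sshd PermitRootLogin: $(root_login_check "$1/sshd_config")"
    echo "accounts still carrying a password:"
    passworded_accounts "$1/master.passwd"
    echo "non-root accounts with primary gid 0:"
    native_wheel_accounts "$1/master.passwd"
    echo "wheel members (may su to root):"
    wheel_members "$1/group"
}

# --- constructed sample files (not real system files) -----------------------
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/ttys" <<'EOF'
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on  secure
ttyp0   none                            network secure
ttyp1   none                            network
EOF
cat > "$SAMPLE/sshd_config" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$SAMPLE/master.passwd" <<'EOF'
# constructed entries; the root hash is a placeholder, not a real hash
root:$1$placeholder$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh
foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:0::0:0:Bob:/home/bob:/bin/sh
guest::1003:1003::0:0:Guest:/home/guest:/bin/sh
EOF
cat > "$SAMPLE/group" <<'EOF'
wheel:*:0:root,alice
staff:*:20:alice,bob
EOF

audit_root_access "$SAMPLE"
```

Run it against a real host by copying the four files into one directory and calling audit_root_access on it; every finding it prints corresponds to one of the rules in the text (ttyp0 marked secure, PermitRootLogin yes, bob carrying gid 0, guest with no password at all).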

The more indirect security mechanisms also assume that you log in from a more restrictive machine to a less restrictive one. For example, if your main box runs all sorts of servers, your workstation should not run any. To keep a workstation reasonably secure, run as few servers on it as possible, preferably none at all, and run a password-protected screen lock. Of course, given physical access to the workstation an attacker can break any security you put on it; that is a real problem, but bear in mind that the vast majority of break-ins come over the network from people who have no physical access to your workstations or servers. Something like kerberos also lets you disable a staff account, or change its password, in one place and have it take effect at once on every machine on which that person has an account. If a staff member's account is compromised, the password should be changed on all machines, and with discrete per-machine passwords changing a password on N machines is a mess. Kerberos can also impose re-passwording restrictions: not only can a kerberos ticket be made to expire after a while, but the kerberos system can require that the user choose a new password after a certain period (typically a month).

8.3.2. Securing root-run servers and suid/sgid binaries

The prudent sysadmin only runs the servers that are needed, no more and no less, and is aware that third-party servers are often the most bug-prone. For example, running an old version of imapd or popper is like handing out a universal root ticket to the entire world. Never run a server that you have not checked carefully. Many servers do not need to run as root; for example, the ntalk, comsat and finger daemons can run in special user sandboxes. A sandbox is not perfect unless you go to a great deal of trouble, but the onion approach to security still holds: if someone breaks in through a server running in a sandbox, they still have to break out of the sandbox, and the more layers an attacker must get through, the lower the likelihood of success. Root holes have historically been found in virtually every server ever run as root, including basic system servers. If people only log in to a machine via sshd and never via telnetd, rshd or rlogind, turn those services off.

FreeBSD now runs ntalkd, comsat and finger in a sandbox by default. Another candidate for a sandbox is named; /etc/defaults/rc.conf includes the arguments needed to run named in a sandbox, in commented-out form. Depending on whether you are installing a new system or upgrading an existing one, the special user accounts used by these sandboxes may not be installed, and the prudent sysadmin researches and implements sandboxes for servers whenever possible. A number of servers typically do not run in sandboxes: sendmail, popper, imapd, ftpd and others. There are alternatives to some of them, but installing those may be more work than you are willing to put in. You may have to run these servers as root and rely on other mechanisms to detect break-ins that might occur through them.

The other big potential root hole in a system is the set of suid-root and sgid binaries installed on it. Most of these, such as rlogin, live in /bin, /sbin, /usr/bin or /usr/sbin. While nothing is 100% safe, the system-default suid and sgid binaries can be considered reasonably safe.

Still, root holes are occasionally found in these binaries. In 1998 a root hole was found in Xlib that made xterm (which is typically suid) vulnerable. The prudent sysadmin restricts suid binaries that only staff should run to a special group that only staff can access, and strips all permissions from suid binaries that nobody uses; a server with no display generally does not need an xterm binary. Sgid binaries can be almost as dangerous. If an intruder can break an sgid-kmem binary, they can read /dev/kmem and thus the encrypted password file, potentially compromising any passworded account. An intruder who breaks group kmem can also monitor keystrokes sent through pty's, including those of users who log in through secure methods. An intruder who breaks the tty group can write to almost any user's tty; if that user is running a terminal program or emulator with a keyboard-simulation feature, the intruder can inject a data stream that makes the terminal echo a command, which then runs as that user.

8.3.3. Securing user accounts

User accounts are usually the hardest to secure. While you can impose draconian access restrictions on staff and *-out their passwords, you may not be able to do the same with the general user accounts you have. If you have sufficient control you may be able to secure those accounts properly; if not, you simply have to be more vigilant in monitoring them. Using ssh and kerberos for user accounts is more problematic, because of the extra administration and technical support required, but it is still a much better solution than relying on an encrypted password file.

8.3.4. Securing the password file

The only sure way is to *-out as many passwords as you can and use ssh or kerberos for access to those accounts. Even though the encrypted password file (/etc/spwd.db) can only be read by root, an intruder who cannot obtain root write access may still manage to obtain read access to it.

Your security scripts should always check for and report changes to the password file (see Checking file integrity below).

8.3.5. Securing the kernel core, raw devices and filesystems

If an attacker breaks root they can do just about anything, but there are certain conveniences you need not hand them. For example, most modern kernels have a packet-sniffing device driver built in; under FreeBSD it is the bpf device. An intruder will commonly try to run a packet sniffer on a compromised machine, so most systems should not have the bpf device compiled into the kernel.

Even with bpf turned off, you still have /dev/mem and /dev/kmem to worry about, and the intruder can still write to the raw disk devices. There is also the kernel module loader, kldload: an enterprising intruder can use a KLD module to install their own bpf device, or other sniffing device, into a running kernel. To avoid these problems the kernel has to run at a higher secure level, at least securelevel 1. The securelevel is set through the kern.securelevel sysctl variable. Once the securelevel is 1, writes to raw devices are refused and the special chflags flags such as schg are enforced. You must then make sure that schg is set on the critical startup binaries, directories and scripts (everything that runs before the securelevel is raised). This may be overdoing it, and upgrading the system becomes harder at a higher securelevel. A compromise is to run at a higher securelevel without setting schg on every system file and directory. Another option is simply to mount / and /usr read-only. Bear in mind that being too draconian about what you protect can prevent the all-important detection of an intrusion.
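As an added example (not code from the Handbook), this POSIX sh script checks the two conditions above: that kern.securelevel is at least 1, and that the startup files which run before it is raised carry schg. It reads the output of ls -lo (on FreeBSD the file flags appear as a fifth column, "-" when none) and of sysctl kern.securelevel; both samples here are constructed, and the list of critical paths is an assumption chosen for the demonstration.

```shell
#!/bin/sh
# Added example, not Handbook code: verify securelevel and schg on the files
# that run before the securelevel is raised.  The listing and sysctl output
# below are constructed samples; on a real host generate them with
#   ls -lo $CRITICAL > listing ; sysctl kern.securelevel > sysctl.out

# Assumed list of boot-critical files; extend it to match your rc setup.
CRITICAL='/sbin/init /bin/sh /etc/rc /etc/rc.conf /etc/defaults/rc.conf'

# Report critical files without schg, and critical files absent from the
# listing (you cannot trust what you did not check).
missing_schg() {     # usage: missing_schg LISTING
    awk -v want="$CRITICAL" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        NF >= 10 && ($NF in need) {
            seen[$NF] = 1
            if (("," $5 ",") !~ /,schg,/) print "NO-SCHG " $NF
        }
        END { for (p in need) if (!(p in seen)) print "NOT-LISTED " p }' "$1" | LC_ALL=C sort
}

# The securelevel in force, parsed from `sysctl kern.securelevel` output.
securelevel_of() {   # usage: securelevel_of SYSCTL_OUTPUT
    awk '$1 == "kern.securelevel:" { print $2 }' "$1"
}

# Overall verdict: succeeds only if securelevel >= 1 and nothing is reported.
securelevel_ok() {   # usage: securelevel_ok LISTING SYSCTL_OUTPUT
    lvl=$(securelevel_of "$2")
    [ "${lvl:--1}" -ge 1 ] && [ -z "$(missing_schg "$1")" ]
}

# --- constructed samples -----------------------------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/listing" <<'EOF'
-r-xr-xr-x  1 root  wheel  schg  221184 Dec  2  2000 /sbin/init
-r-xr-xr-x  1 root  wheel  -     479232 Dec  2  2000 /bin/sh
-r--r--r--  1 root  wheel  schg    4830 Dec  2  2000 /etc/rc
-rw-r--r--  1 root  wheel  -        612 Jan 15  2001 /etc/rc.conf
EOF
printf 'kern.securelevel: -1\n' > "$WORK/sysctl"

missing_schg "$WORK/listing"
echo "securelevel: $(securelevel_of "$WORK/sysctl")"
securelevel_ok "$WORK/listing" "$WORK/sysctl" && echo "OK" || echo "NOT OK"
```

On the sample the check fails on three counts: /bin/sh and /etc/rc.conf lack schg, /etc/defaults/rc.conf was never listed, and the securelevel is still -1. Fix the flags with chflags schg and raise kern.securelevel only after every file reported has been dealt with, since once the securelevel is up the flags can no longer be changed without a reboot into single-user mode.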

8.3.6. Checking file integrity: binaries, configuration files, etc.

You can only protect the core system configuration and control files so far before convenience suffers. For example, setting the schg bit with chflags on most of the files in / and /usr is probably counterproductive: it protects the files, but it also closes a detection window. The last layer of the security onion is perhaps the most important one, detection. The rest of your security is largely useless if you cannot detect a potential intrusion. Half the job of the onion is to slow the attacker down rather than stop them, so that the detection layer has a chance to catch them in the act.

The best way to detect an intrusion is to look for modified, missing or unexpected files, and the best way to look for modified files is from another, limited-access system. Writing your security scripts on an extra-secure limited-access machine keeps them mostly invisible to an attacker, which is important. To take full advantage of this, the limited-access box generally needs significant access to the other machines, usually either a read-only NFS export of the other machines to the limited-access box, or ssh key pairs that allow the limited-access box to ssh to the other machines. Apart from its network traffic, NFS is the least visible method, letting you monitor the filesystem on each client box almost undetected.

If the limited-access server is connected to the client boxes through a switch, the NFS method is usually the better choice. If it is connected through a hub or through several layers of routing, NFS may be too insecure on the wire, and using ssh may be the better choice.

Once the limited-access box has at least read access to the client systems it is to monitor, you must write scripts to do the actual monitoring. With an NFS mount, the scripts can be built from simple utilities such as find and md5. It is best to md5 the client box's files at least once a day; when a mismatch against the known-good baseline is found, the script should scream at the sysadmin to go and check it out. A good security script also checks for inappropriate suid binaries and for new or deleted files on the system partitions.

When using ssh rather than NFS, writing the security script is much harder. You essentially have to scp the scripts to the client box to run them, which makes them visible, and for safety you also have to scp the binaries those scripts use, since the ssh daemon on the client box may itself already be compromised. All in all, ssh may be necessary when running over insecure links, but it is also a lot harder to deal with.

A good security script also checks for changes to users' access configuration files: .rhosts, .shosts, .ssh/authorized_keys and the like, which may fall outside the scope of the MD5 check. If there is a huge amount of user disk space, it may take too long to run through every file on those partitions; in that case, mounting them with flags that disallow suid binaries and devices, the nodev and nosuid options, is a good idea. Scan them anyway, at least once a week.
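The following POSIX sh script is an added example, not the Handbook's own, of the find/md5 check described above together with the suid check from the suid/sgid section: it records a baseline of hashes for a tree, later reports modified, missing and new files, and lists setuid/setgid files. The sample tree it builds under a temporary directory is constructed for the demonstration; on a real limited-access box the tree would be the read-only NFS mount of the client and the baseline would live on local disk, out of the client's reach. It falls back to md5sum where md5 is not available so that it also runs on non-BSD systems.

```shell
#!/bin/sh
# Added example, not the Handbook's script: a minimal find/md5 integrity
# check run against a constructed sample tree.

digest() {     # md5 of one file: FreeBSD md5(1) or GNU md5sum, whichever exists
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{ print $1 }'
    else md5 -q "$1"; fi
}

# One "hash path" line per regular file under $1, path relative to $1.
snapshot() {   # usage: snapshot TREE
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(digest "$f")" "${f#$1/}"
    done
}

# Compare a stored baseline with the tree as it is now.  Prints
# "MODIFIED p", "MISSING p" or "NEW p".  The hash is always 32 hex
# characters, so the path starts at column 34 even if it contains spaces.
compare() {    # usage: compare BASELINE TREE
    snapshot "$2" | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) old[substr(line, 34)] = substr(line, 1, 32) }
        { p = substr($0, 34)
          if (!(p in old)) print "NEW " p
          else { if (old[p] != $1) print "MODIFIED " p; delete old[p] } }
        END { for (p in old) print "MISSING " p }' | LC_ALL=C sort
}

# setuid/setgid regular files under $1 (the "inappropriate suid binaries"
# check); compare this list against the one recorded on install day.
suid_files() { # usage: suid_files TREE
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort | sed "s|^$1/||"
}

# --- constructed sample tree standing in for an NFS-mounted client ----------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
TREE=$WORK/client; BASELINE=$WORK/baseline.md5
mkdir -p "$TREE/etc" "$TREE/bin" "$TREE/usr/bin"
printf 'sshd_enable="YES"\n' > "$TREE/etc/rc.conf"
printf 'not really ls\n'    > "$TREE/bin/ls"
printf 'not really su\n'    > "$TREE/usr/bin/su"; chmod 4755 "$TREE/usr/bin/su"
snapshot "$TREE" > "$BASELINE"            # day 0: record the known-good state

# Later, an intruder edits a config file, removes a binary and drops a new
# setuid binary (simulated here):
printf 'sshd_enable="YES"\nportmap_enable="YES"\n' > "$TREE/etc/rc.conf"
rm "$TREE/bin/ls"
printf 'backdoor\n' > "$TREE/bin/evil"; chmod 4755 "$TREE/bin/evil"

echo "integrity findings:"; compare "$BASELINE" "$TREE"
echo "setuid/setgid files:"; suid_files "$TREE"
```

Run from cron on the limited-access box, the output of compare is what should "scream" at the sysadmin: on the sample it reports bin/ls as MISSING, etc/rc.conf as MODIFIED and bin/evil as NEW, and suid_files then shows the new setuid binary alongside the expected su.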

Process accounting is a feature of the operating system that is useful as a post-break-in evaluation mechanism; it is especially helpful in tracking down how an intruder actually got into the system.

Finally, the security scripts should process the log files. An intruder will try to cover their tracks, and the logs are what let the sysadmin trace the time and method of the initial break-in. One way to keep a permanent record of the logs is to run the system console out to a serial port and collect the output continuously from a secure machine that monitors the consoles.

8.3.7. Paranoia

A little paranoia never hurts. As a rule, a sysadmin can add any number of security features as long as they do not affect convenience, and should think carefully before adding ones that do. Even more importantly, a security administrator should fix holes promptly and regularly.

8.3.8. Denial of service attacks (DoS)

This section covers denial of service attacks. A DoS attack is typically a packet attack, and it can saturate a network. While there is little you can do about a flood that saturates your link, you can limit the damage by making sure the attack cannot take down your servers:

  1. Limit server forks.

  2. Limit springboard attacks (ICMP response attacks, ping broadcast, etc.).

  3. Tune the kernel route cache.

A common DoS attack against a forking server tries to make it eat processes, file descriptors and memory until the machine dies. inetd has several options to limit this kind of attack. Note that while it is possible to keep the machine from going down, it is generally not possible to keep the service itself from being disrupted. Read the inetd manual page carefully and pay particular attention to the -c, -C and -R options; since spoofed-IP attacks get around the -C option, a combination of the options should be used.

Sendmail has its -OMaxDaemonChildren option, which tends to work much better than sendmail's load-limiting options because of the lag in load measurement. Specify a MaxDaemonChildren value when starting sendmail that is high enough to handle the expected load but not so high that the machine cannot cope with that many sendmail processes. It is also prudent to run sendmail in queued mode (-ODeliveryMode=queued); if you run the queue at a very short interval for near-real-time delivery, such as -q1m, be sure to give that sendmail a reasonable MaxDaemonChildren as well, to avoid cascading failures. Syslogd can be attacked directly, and the -s option (or, failing that, the -a option) is strongly recommended. Also be careful with connect-back services such as tcpwrapper's reverse-identd, which can be attacked directly; for this reason the reverse-ident feature of tcpwrappers should generally not be used.

A firewall on the border router that separates the internal network from the outside is a very good security measure, as it protects internal services from external attack. Configure it to block all of the low ports except those of specific services that must be reachable from outside, such as named, ntalkd and sendmail. If you configure the firewall the other way around, as a permissive one, there is a good chance you will forget to close a couple of services, or will add a new internal service and forget to update the firewall.

You can still open up the high-numbered port range on the firewall to allow permissive-style operation without compromising the low ports. FreeBSD lets you control the range of port numbers used for dynamic binding through the various net.inet.ip.portrange sysctl's (sysctl -a | fgrep portrange), which can reduce the complexity of the firewall configuration. For example, you might use a normal range of 4000 to 5000 and a high range of 49152 to 65535, and then block everything under 4000.

Another common DoS attack is the springboard attack, which makes a server generate responses that overload the server itself, the local network or some other machine. The most common variant is the ICMP ping broadcast attack: the attacker sends ping packets to your LAN's broadcast address with a spoofed source address, that of the machine they actually want to attack. If the border routers do not stop pings to broadcast addresses, the LAN generates enough responses to the spoofed source to consume a great deal of bandwidth, especially when the attacker uses the same trick on dozens of broadcast addresses across dozens of different networks at once.

Broadcast attacks of over 120 megabits have been measured. Another common springboard attack targets the ICMP error-reporting system. By constructing packets that provoke ICMP error responses, an attacker can saturate a server's incoming network and cause the server to saturate its own outgoing network with ICMP replies; if the server cannot drain the ICMP responses it generates fast enough, this kind of attack can also bring it down. The FreeBSD kernel has a new compile option, ICMP_BANDLIM, that limits the effectiveness of these attacks. The last class of springboard attack involves certain inetd-internal services such as the udp echo service.

An attacker simply spoofs a UDP packet whose source is server A's echo port and whose destination is server B's echo port, and the two servers bounce the packet back and forth between each other. By injecting just a few such packets the attacker can overload both servers and their LAN. A similar problem exists with the internal chargen port, and a competent sysadmin turns off all of these inetd-internal test services.

Spoofed packet attacks can also be used to overload the kernel route cache; see the net.inet.ip.rtexpire, rtminexpire and rtmaxcache sysctl parameters. A spoofed packet attack using random source IPs makes the kernel create a temporary cached route in the routing table for each one; they can be seen with netstat -rna | fgrep W3 and typically time out after about 1600 seconds. If the kernel notices that the cached route table has grown too large, it dynamically reduces rtexpire, but never below rtminexpire. There are two problems:

  1. The kernel does not react quickly enough when a lightly loaded server is suddenly attacked.

  2. rtminexpire is not low enough for the kernel to survive a sustained attack.

If your servers are connected to the internet via a T3 or faster link, it may be prudent to override both rtexpire and rtminexpire manually with sysctl. Never set either parameter to 0 (unless you want to crash the machine). Setting both to 2 seconds is usually enough to protect the route table from attack.
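As an added example, not from the Handbook, the following POSIX sh script audits an inetd.conf for the two inetd-related exposures above: enabled inetd-internal services such as echo and chargen, and forking services that carry no per-service max-child limit in their wait/nowait field. It can also emit a hardened copy of the file. The sample inetd.conf is constructed, and the max-child value passed in is an assumption to be sized to what the machine can carry.

```shell
#!/bin/sh
# Added example, not Handbook code: audit inetd.conf for DoS exposure.
# inetd.conf lines look like
#   service socket-type proto wait|nowait[/max-child] user server-program args
# and a server-program of "internal" means inetd itself answers the request.

# Enabled inetd-internal services (echo, chargen and friends): the
# springboard targets that should be turned off.
internal_services() {      # usage: internal_services /etc/inetd.conf
    awk '!/^[ \t]*(#|$)/ && $6 == "internal" { print $1 "/" $3 }' "$1"
}

# Enabled forking services whose wait/nowait field carries no per-service
# max-child limit, so only inetd's global -c/-C/-R options bound them.
unlimited_services() {     # usage: unlimited_services /etc/inetd.conf
    awk '!/^[ \t]*(#|$)/ && $6 != "internal" && index($4, "/") == 0 { print $1 "/" $3 }' "$1"
}

# Hardened copy of the file: internal services commented out, a max-child
# limit added to every unlimited service.  Rewritten lines come out with
# single spaces between fields, which inetd accepts.
harden_inetd_conf() {      # usage: harden_inetd_conf /etc/inetd.conf LIMIT
    awk -v limit="$2" '
        /^[ \t]*(#|$)/ { print; next }
        $6 == "internal" { print "#" $0; next }
        index($4, "/") == 0 { $4 = $4 "/" limit }
        { print }' "$1"
}

# --- constructed sample inetd.conf -------------------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
#ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet   stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
pop3     stream  tcp     nowait/20 root  /usr/local/libexec/popper popper
echo     stream  tcp     nowait  root    internal
echo     dgram   udp     wait    root    internal
chargen  dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
EOF

echo "internal services enabled:"; internal_services "$WORK/inetd.conf"
echo "services without a per-service fork limit:"; unlimited_services "$WORK/inetd.conf"
echo "hardened file:"; harden_inetd_conf "$WORK/inetd.conf" 20
```

On the sample the audit flags echo (tcp and udp) and chargen as open springboard targets and telnet as the one forking service with no limit; the hardened copy comments the former out and rewrites the latter as nowait/20. Remember to send inetd a HUP after installing the new file, and that the global -c/-C/-R options are still worth setting because a per-service limit does nothing for services you add later without one.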

8.3.9. Access issues with Kerberos and SSH

There are a few issues with both kerberos and ssh to keep in mind if you intend to use them. Kerberos V is an excellent authentication protocol, but there are bugs in the kerberized telnet and rlogin applications that make them unsuitable for binary streams. Also, by default kerberos does not encrypt a session unless the -x option is used, whereas ssh encrypts everything by default.

It is recommended that staff use ssh in combination with kerberos for logins whenever possible; ssh can be compiled with kerberos support. It is also recommended that you either turn off key forwarding in the ssh configuration, since a forwarded agent lets whoever has broken root on the remote machine use your keys for as long as you are logged in, or use the from=IP/DOMAIN option in the authorized_keys file so that a key is only usable by someone logging in from specific machines.
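As an added example (not Handbook code), the following POSIX sh script audits an authorized_keys file for keys lacking the from= restriction just described and produces the restricted form of a key line, adding the no-agent-forwarding and no-port-forwarding options as well when the key had no options at all. The sample file and its key material are constructed placeholders, and the host patterns are assumptions.

```shell
#!/bin/sh
# Added example, not Handbook code: find authorized_keys entries without a
# from= restriction and show how to pin them to specific source hosts.
# The sample key material below is a placeholder, not a real public key.

# awk helper shared by both functions: index of the key-type field, so that
# fields before it are options and fields after it are the comment.
KEYFIELD='function keyfield(  k) {
    for (k = 1; k <= NF; k++)
        if ($k ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) return k
    return 0 }'

# Comment (usually user@host) of every key that carries no from= option.
unrestricted_keys() {    # usage: unrestricted_keys ~/.ssh/authorized_keys
    awk "$KEYFIELD"'
        /^[ \t]*(#|$)/ { next }
        { i = keyfield()
          if (i == 0) { print "UNPARSEABLE line " NR; next }
          opts = ""; for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
          cmt = "";  for (j = i + 2; j <= NF; j++) cmt = cmt (j > i + 2 ? " " : "") $j
          if (!(opts ~ /^from=/ || opts ~ /,from=/))
              print (cmt == "" ? "(no comment) line " NR : cmt) }' "$1"
}

# Hardened form of one key line: pin it to PATTERN and, when the line had
# no options at all, also forbid agent and port forwarding.
restrict_key() {         # usage: restrict_key PATTERN 'KEY LINE'
    printf '%s\n' "$2" | awk -v pat="$1" "$KEYFIELD"'
        { i = keyfield()
          if (i == 0) { print $0; next }
          opts = ""; for (j = 1; j < i; j++) opts = opts (j > 1 ? " " : "") $j
          if (i == 1) print "from=\"" pat "\",no-agent-forwarding,no-port-forwarding " $0
          else if (opts ~ /^from=/ || opts ~ /,from=/) print $0
          else print "from=\"" pat "\"," $0 }'
}

# --- constructed sample file ---------------------------------------------------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/authorized_keys" <<'EOF'
# constructed sample; key material is a placeholder
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKey alice@ws1
from="ws2.example.org",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER bob@ws2
command="/usr/local/bin/backup",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 backup@limited-access
EOF

echo "keys without a from= restriction:"; unrestricted_keys "$WORK/authorized_keys"
echo "restricted form of alice's key:"
restrict_key "ws1.example.org" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotARealKey alice@ws1"
```

The audit is a natural addition to the security script from the file-integrity section, which already has to look at .ssh/authorized_keys; bob's key passes because it is pinned to ws2, while alice's bare key and the backup key with only a command= option are reported. Note that from= restricts where the key may be used from, not what a compromised source host can do with it, so it complements rather than replaces turning off forwarding on the client side.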