Thursday, July 30, 2009
Wednesday, July 15, 2009
Linux Networking Security
Introduction to network attacks
http://www.iii.org.tw/adc/papers/thesis/00B02.htm
VBird's Linux site (鳥哥的私房菜)
Linux firewall and NAT host
Linux CLDP document describing countermeasures for various kinds of attack
http://www.linux.org.tw/CLDP/OLD/Adv-Routing-HOWTO-16.html
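The current Linux kernel should already be able to defend against most of these attacks.
Below are some of the defensive measures available on Linux.
1. TCP SYN Attack
Enable the kernel's TCP SYN cookies feature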
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
2. Smurf
Do not respond to broadcast ICMP packets
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
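3. Guard against maliciously altered packets (reverse-path filtering)
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
4. Build some basic defenses with iptables
Block abnormal ICMP packets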
iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT
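Or rate-limit echo requests instead (packets over the limit fall through to the rules that follow, so a later rule or the chain policy must drop them for the limit to have any effect):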
iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 4 -j ACCEPT
Block port scans (drop TCP flag combinations that do not occur in normal traffic)
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
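Each `--tcp-flags` rule above takes a mask and a comparison list: a packet matches when, of the flags named in the mask, exactly those in the comparison list are set. The following is an added example, not part of the original post, that models this matching in shell and runs the six rules over constructed flag combinations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models iptables "--tcp-flags MASK COMP" matching.
# Function names are hypothetical; the packets below are constructed samples.
# Bit value of each flag name accepted by --tcp-flags.
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
        PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
        ALL) echo 63 ;; NONE) echo 0 ;;
        *) return 1 ;;
    esac
}

# Turn a comma-separated flag list such as "SYN,FIN" into a bitmask.
flags_to_mask() {
    mask=0; old_ifs=$IFS; IFS=,
    for f in $1; do
        bit=$(flag_bit "$f") || { IFS=$old_ifs; return 1; }
        mask=$((mask | bit))
    done
    IFS=$old_ifs
    echo "$mask"
}

# A rule matches when, of the flags in MASK, exactly those in COMP are set.
rule_matches() {  # usage: rule_matches MASK COMP PACKET_FLAGS
    m=$(flags_to_mask "$1") || return 2
    c=$(flags_to_mask "$2") || return 2
    p=$(flags_to_mask "$3") || return 2
    [ $((p & m)) -eq "$c" ]
}

# The six MASK:COMP pairs from the port-scan rules on this page.
RULES="ALL:FIN,URG,PSH ALL:ALL ALL:SYN,RST,ACK,FIN,URG ALL:NONE SYN,RST:SYN,RST SYN,FIN:SYN,FIN"

# Print the first rule that would drop the packet, or "pass".
verdict() {
    for r in $RULES; do
        if rule_matches "${r%%:*}" "${r#*:}" "$1"; then
            echo "DROP by --tcp-flags ${r%%:*} ${r#*:}"
            return 0
        fi
    done
    echo "pass"
}

for pkt in SYN SYN,ACK ACK,PSH ACK,FIN FIN,URG,PSH NONE SYN,FIN,ACK SYN,RST; do
    printf '%-12s %s\n' "$pkt" "$(verdict "$pkt")"
done
```

Normal handshake, data and teardown segments pass, while the constructed abnormal combinations are attributed to the specific rule that drops them.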
Friday, July 3, 2009
Patch to make dillo cross-compile friendly
--- VT300/dillo2/configure.in 2009-07-03 21:08:27.000000000 +0800
+++ S3C2440/dillo2/configure.in 2009-07-03 20:53:30.000000000 +0800
@@ -95,10 +95,10 @@
dnl (this is somewhat a religious problem)
dnl --------------------------------------
dnl
-if test "`$CPP -v < /dev/null 2>&1 | grep '/usr/local/include' 2>&1`" = ""; then
- CPPFLAGS="$CPPFLAGS -I/usr/local/include"
- LDFLAGS="$LDFLAGS -L/usr/local/lib"
-fi
+dnl if test "`$CPP -v < /dev/null 2>&1 | grep '/usr/local/include' 2>&1`" = ""; then
+dnl CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+dnl LDFLAGS="$LDFLAGS -L/usr/local/lib"
+dnl fi
dnl ------------------------------------
dnl Check for socket libs (AIX, Solaris)
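Review bot: Commenting out the whole `/usr/local/include` test with `dnl` removes these paths for native builds as well, not only for the cross build this patch targets. Consider keeping the block and wrapping it in a condition such as `if test "$cross_compiling" != "yes"`, so host headers and libraries stay out of the S3C2440 build while native builds behave as before. That also avoids leaving dead, commented-out code in configure.in.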
@@ -145,12 +145,18 @@
dnl ----------------------
dnl
dnl For debugging and to be user friendly
+
+dnl Check if the user hasn't set the variable $FLTK2_CONFIG
+ if test -z "$FLTK2_CONFIG"; then
+ PNG_CONFIG=`which fltk2-config`
+ fi
+
AC_MSG_CHECKING([FLTK2])
if sh -c "fltk2-config --version" >/dev/null 2>&1
then AC_MSG_RESULT(yes)
- LIBFLTK_CXXFLAGS=`fltk2-config --cxxflags`
- LIBFLTK_CFLAGS=`fltk2-config --cflags`
- LIBFLTK_LIBS=`fltk2-config --use-images --ldflags`
+ LIBFLTK_CXXFLAGS=`$FLTK2_CONFIG --cxxflags`
+ LIBFLTK_CFLAGS=`$FLTK2_CONFIG --cflags`
+ LIBFLTK_LIBS=`$FLTK2_CONFIG --use-images --ldflags`
else AC_MSG_RESULT(no)
AC_ERROR(FLTK2 must be installed!)
fi
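Review bot: The fallback inside the added `if test -z "$FLTK2_CONFIG"` block assigns `PNG_CONFIG`, not `FLTK2_CONFIG`, so when the variable is unset it stays empty and the three `$FLTK2_CONFIG --cxxflags` / `--cflags` / `--use-images --ldflags` substitutions run with no command name. Assign `FLTK2_CONFIG` there, and make the `sh -c "fltk2-config --version"` probe use `$FLTK2_CONFIG` as well; otherwise the presence check runs whatever `fltk2-config` is on the PATH while the flags come from a different script. Because the value comes from the environment and is executed by configure, quote it where it is used.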
Wednesday, July 1, 2009