Wednesday, July 15, 2009

Linux Networking Security

Introduction to network attacks
http://www.iii.org.tw/adc/papers/thesis/00B02.htm

VBird's Linux Private Kitchen (鳥哥的私房菜)
 Linux firewall and NAT host

Linux CLDP document describing countermeasures for various kinds of attack
http://www.linux.org.tw/CLDP/OLD/Adv-Routing-HOWTO-16.html

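The current Linux kernel should already be able to defend against most of these attacks.
Below are some of the defensive measures available on Linux.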

1. TCP SYN attack

Enable kernel feature - TCP Syncookies
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

2. Smurf

Do not respond to broadcast ICMP packets
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

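3. Guard against maliciously altered packets

rp_filter (reverse path filtering) is set per interface under conf/; the "all" entry applies it to every interface.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter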

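4. Build some basic defenses with iptables

Block abnormal ICMP packets

iptables -A INPUT -p icmp --icmp-type echo-request -j REJECT

or

iptables -I INPUT -p icmp --icmp-type echo-request -m limit --limit 6/min --limit-burst 4 -j ACCEPT

The limit rule only accepts echo requests up to the given rate. Packets over the limit fall through to the following rules, so a later rule or the chain policy still has to reject or drop them.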

Block port scans

iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
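
How the six --tcp-flags rules above decide what to drop, as an added example (not part of the original post): --tcp-flags takes a mask and a comparison set, and a segment matches when, among the masked flags, exactly the comparison flags are set. The sample flag sets are constructed, and the function names are this example's own.

```python
# Added example: models iptables "--tcp-flags <mask> <comp>" matching
# for the six port-scan rules listed on this page.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = 0x3F  # the six flags iptables examines for "ALL"

def parse(spec):
    """Turn 'SYN,FIN', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAGS[name]
    return bits

# (mask, comp) pairs copied from the rules above, in the same order.
RULES = [
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "ALL"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "NONE"),
    ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"),
]

def first_match(packet_flags):
    """Return the 1-based number of the first rule that drops, else None."""
    pkt = parse(packet_flags)
    for number, (mask, comp) in enumerate(RULES, 1):
        # Only flags inside the mask are compared; the rest are ignored.
        if (pkt & parse(mask)) == parse(comp):
            return number
    return None

# Constructed flag sets: ordinary handshake/data/teardown segments first,
# then combinations that no conforming TCP stack sends.
SAMPLES = ["SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK",
           "FIN,PSH,URG", "NONE", "SYN,FIN", "SYN,RST,ACK",
           "FIN,SYN,RST,PSH,ACK,URG"]

def report():
    """Map each sample flag set to the rule that drops it (or None)."""
    return {flags: first_match(flags) for flags in SAMPLES}

if __name__ == "__main__":
    for flags, rule in report().items():
        verdict = f"DROP by rule {rule}" if rule else "not matched"
        print(f"{flags:26} -> {verdict}")
```
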




Friday, July 3, 2009

Patch for dillo cross compile friendly

--- VT300/dillo2/configure.in    2009-07-03 21:08:27.000000000 +0800
+++ S3C2440/dillo2/configure.in    2009-07-03 20:53:30.000000000 +0800
@@ -95,10 +95,10 @@
 dnl (this is somewhat a religious problem)
 dnl --------------------------------------
 dnl
-if test "`$CPP -v < /dev/null 2>&1 | grep '/usr/local/include' 2>&1`" = ""; then
-  CPPFLAGS="$CPPFLAGS -I/usr/local/include"
-  LDFLAGS="$LDFLAGS -L/usr/local/lib"
-fi
+dnl if test "`$CPP -v < /dev/null 2>&1 | grep '/usr/local/include' 2>&1`" = ""; then
+dnl   CPPFLAGS="$CPPFLAGS -I/usr/local/include"
+dnl   LDFLAGS="$LDFLAGS -L/usr/local/lib"
+dnl fi
 
 dnl ------------------------------------
 dnl Check for socket libs (AIX, Solaris)
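Review bot: commenting out the whole /usr/local block (the four lines now prefixed with dnl) also removes -I/usr/local/include and -L/usr/local/lib from native builds, not only from cross builds. Consider keeping the test and guarding it, for example with `if test "$cross_compiling" != "yes"; then`, so that only a cross compile skips the host's /usr/local paths, and add a line to the comment above it saying why the paths are skipped.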
@@ -145,12 +145,18 @@
 dnl ----------------------
 dnl
 dnl For debugging and to be user friendly
+
+dnl Check if the user hasn't set the variable $FLTK2_CONFIG
+  if test -z "$FLTK2_CONFIG"; then
+    PNG_CONFIG=`which fltk2-config`
+  fi
+
 AC_MSG_CHECKING([FLTK2])
 if sh -c "fltk2-config --version" >/dev/null 2>&1
 then AC_MSG_RESULT(yes)
-     LIBFLTK_CXXFLAGS=`fltk2-config --cxxflags`
-     LIBFLTK_CFLAGS=`fltk2-config --cflags`
-     LIBFLTK_LIBS=`fltk2-config --use-images --ldflags`
+     LIBFLTK_CXXFLAGS=`$FLTK2_CONFIG --cxxflags`
+     LIBFLTK_CFLAGS=`$FLTK2_CONFIG --cflags`
+     LIBFLTK_LIBS=`$FLTK2_CONFIG --use-images --ldflags`
 else AC_MSG_RESULT(no)
      AC_ERROR(FLTK2 must be installed!)
 fi
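Review bot: the new `if test -z "$FLTK2_CONFIG"` block assigns `PNG_CONFIG`, not `FLTK2_CONFIG`, so when the user has not set the variable it stays empty and the changed lines expand to a bare `--cxxflags`, `--cflags` and `--use-images --ldflags`. Assign FLTK2_CONFIG there instead. The unchanged detection line `sh -c "fltk2-config --version"` should also go through `$FLTK2_CONFIG`, otherwise the check still depends on a fltk2-config in the build host's PATH even when the user points the variable at the target's script.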