From the authors of the bestselling
HACK PROOFING™ YOUR NETWORK™
1 YEAR UPGRADE
BUYER PROTECTION PLAN
Protect Your Solaris Network from Attack
• Complete Coverage of Solaris 8 C2 and Trusted Solaris 8
• Hundreds of Damage & Defense, Tools & Traps, and Notes from the Underground Sidebars, Security Alerts, and FAQs
• Step-by-Step Instructions for Making the Most of Solaris 8 Security Enhancements
Wyman Miles
Ed Mitchell
F. William Lynch
Randy Cook
Technical Editor
solutions@syngress.com
With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco
study guides in print, we continue to look for ways we can better serve the
information needs of our readers. One way we do that is by listening.
Readers like yourself have been telling us they want an Internet-based
service that would extend and enhance the value of our books. Based on
reader feedback and our own strategic plan, we have created a Web site
that we hope will exceed your expectations.
Solutions@syngress.com is an interactive treasure trove of useful
information focusing on our book topics and related technologies. The site
offers the following features:
■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.
Best of all, the book you’re now holding is your key to this amazing site.
Just go to www.syngress.com/solutions, and keep this book handy when
you register to verify your purchase.
Thank you for giving us the opportunity to serve your needs. And be sure
to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be
obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered
trademarks of Syngress Media, Inc. “Ask the Author UPDATE™,” “Mission Critical™,” “Hack Proofing™,”
and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc.
Brands and product names mentioned in this book are trademarks or service marks of their respective
companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Sun Solaris 8
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or
distributed in any form or by any means, or stored in a database or retrieval system, without the prior
written permission of the publisher, with the exception that the program listings may be entered, stored,
and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-44-X
Technical Editor: Randy Cook
Technical Reviewer: Ryan Ordway
Co-Publisher: Richard Kristof
Acquisitions Editor: Catherine B. Nolan
Developmental Editor: Jonathan Babcock
Freelance Editorial Manager: Maribeth Corona-Evans
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Copy Editors: Alexandra Kent and Darlene Bordwell
Indexer: Claire A. Splan
Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.
Acknowledgments
We would like to acknowledge the following people for their kindness and support
in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous
access to the IT industry’s best courses, instructors, and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight
into the challenges of designing, deploying, and supporting world-class enterprise
networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner,
Kevin Votel, Kent Anderson, and Frida Yara of Publishers Group West for sharing
their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan
Bunkell, and Klaus Beran of Harcourt International for making certain that our
vision remains worldwide in scope.
Anneke Baeten and Annabel Dent of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim,
Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with
which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress
program.
Contributors
Hal Flynn is a Threat Analyst at SecurityFocus, the leading provider of
Security Intelligence Services for Business. Hal functions as a Senior
Analyst, performing research and analysis of vulnerabilities, malicious
code, and network attacks. He provides the SecurityFocus team with
UNIX and network expertise. He is also the manager of the UNIX Focus
Area and moderator of the Focus-Sun, Focus-Linux, Focus-BSD, and
Focus-GeneralUnix mailing lists.
Hal has worked the field in jobs as varied as the Senior Systems and
Network Administrator of an Internet Service Provider, to contracting the
United States Defense Information Systems Agency, to Enterprise-level
consulting for Sprint. He is also a proud veteran of the United States
Navy Hospital Corps, having served a tour with the 2nd Marine Division
at Camp Lejeune, NC as a Fleet Marine Force Corpsman. Hal is mobile,
living between sunny Phoenix, AZ and wintry Calgary, Alberta, Canada.
Rooted in the South, he currently calls Montgomery, AL home.
Ido Dubrawsky (CCNA, SCSA) is a Network Security Engineer and a
member of Cisco’s Secure Consulting Services in Austin, TX. He currently
conducts security posture assessments for clients as well as provides
technical consulting for security design reviews. His strengths include
Cisco routers and switches, PIX firewall, Solaris systems, and freeware
intrusion detection systems. Ido holds a bachelor’s and a master’s degree
from the University of Texas at Austin and is a member of USENIX and
SAGE. He has written several articles covering Solaris security and
network security for Sysadmin magazine as well as SecurityFocus.com. He
lives in Austin, TX with his family.
Drew Simonis (CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is
co-author of Hack Proofing Your Web Applications (ISBN: 1-928994-31-8) and
is a Senior Security Engineer with the RL Phillips Group, LLC. He
currently provides senior level security consulting to the United States Navy,
working on large enterprise networks. He considers himself a security
generalist, with a strong background in system administration, Internet
application development, intrusion detection and prevention, and
penetration testing. Drew’s background includes a consulting position with
Fiderus, serving as a Security Architect with AT&T and as a Technical
Team Lead with IBM. Drew has a bachelor’s degree from the University
of South Florida and is also a member of American MENSA. Drew
currently lives in Suffolk, VA with his wife Kym and daughters Cailyn and
Delaney.
Mike Lickey is a Senior Engineer for IPC Technologies in Richmond,
VA. He has 20 years experience in systems administration working with
the real-time production server environment, specializing in critical
uptime systems. He has worked for IPC Technologies for almost ten years,
providing broad support for all platforms. As a consultant, he has worked
almost exclusively with Fortune 100 companies working with multiple
systems and networking architectures. He has extensive experience with
system security starting in 1985 when he got his first systems
administration position. Mike has lived in Richmond with his wife Deborah for
almost 25 years. He received his bachelor’s degree in English from
Virginia Commonwealth University.
F. William Lynch (SCSA, CCNA, MCSE, MCP, A+) is an Independent
Security and Systems Administration consultant in Denver, CO. His
specialties include firewalls, VPNs, security auditing, documentation, systems
performance analysis, Solaris and open source operating systems such as
OpenBSD, FreeBSD, and Linux. He has served as a consultant to
multinational corporations and the Federal government including the Centers for
Disease Control and Prevention headquarters in Atlanta, GA as well as
various airbases of the United States Air Force. William is also the founder
and director of the MRTG-PME project, which uses the MRTG engine
to track systems performance of various UNIX operating systems. William
holds a bachelor’s degree in Chemical Engineering from the University of
Dayton in Dayton, OH and a master’s degree in Business Administration
from Regis University in Denver, CO.
Edward Mitchell is the Network Operations Manager for ADC
Telecommunication’s Enhanced Services Division in San Jose, CA. He
oversees a large multi-platform UNIX environment with a Cisco-based
infrastructure and is responsible for all aspects of network and system
security. Prior to ADC, Edward spent time with the State of California as
an independent consultant for a variety of network security projects.
Edward also provides security and disaster recovery consulting services for
a variety of clients and actively participates in various incident response
teams and events. He currently resides in California’s Central Valley and
appreciates the patience and understanding his wife displayed during his
contribution to this book.
Wyman Miles is the Senior Systems Administrator and Technical
Manager for Educational Technology at Rice University. In this role,
Wyman handles Solaris security for a large, distributed network. He also
advises on security matters for other divisions within Information
Technology. Some of his developments in security technology, including
Kerberos deployment tools, SSL proxies, and wireless network security
have been presented at academic conferences around the country. Though
the focus of his work has been cryptography, Wyman handles all aspects of
network and host-based security for the academic network. Wyman holds
a bachelor’s degree in Physics with a minor in English. He resides in
Houston, TX with his wife Erica.
[...]

... Content-Length Header
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 10 Dissecting Hacks
Introduction
Securing against Denial of Service Hacks
Ping of Death
Syn Flood
E-Mail Flood
Securing against Brute Force Hacks ...

[...]

... DNS Services on Solaris
Using BIND
Setting Up a chroot Jail for BIND
Securing Zone Transfers in BIND 8
Configuring Solaris to Provide Anonymous FTP Services
Using X-Server Services Securely
Using Host-Based Authentication
Using User-Based Authentication
Using X-Windows Securely with SSH
Using Remote Commands
Using Built-In Remote Access Methods
Using SSH for ...

[...]

... Analyzing Trusted Solaris 8
Solaris 8 Security Enhancements
Using SunScreen Secure Net
Utilizing SunScreen SKIP
Utilizing SKIP’s VPN Capabilities
Using the Solaris Security Toolkit
Working with the Solaris Security Toolkit’s System Files
Using OpenSSH
Summary
Solutions Fast Track
Frequently Asked Questions

[...]

... variants, including Solaris. Figure 1.3 details an Nmap scan of a default Solaris host from a Linux-based host. (Scanning from a Solaris host would yield an identical output.)

Figure 1.3 An Nmap Scan of a Default Solaris Host from a Linux-Based Host

As you can see, Solaris includes a ...

[...]

... truth: The hackers are out there and they want your sunflower seeds.
—Randy Cook, SCSA
Technical Editor

Chapter 1
Introducing Solaris Security: Evaluating Your Risk

Solutions in this chapter:
■ Exposing Default Solaris Security Levels
■ Evaluating Current Solaris Security Configurations
■ Monitoring Solaris Systems ...

[...]

... Fast Track
Frequently Asked Questions

Chapter 5 Securing Your Files
Introduction
Establishing Permissions and Ownership
Access Control Lists
Role-Based Access Control
/etc/user_attr
user:qualifier:res1:res2:attr
/etc/security/auth_attr ...

[...]

... Frequently Asked Questions
Hack Proofing Sun Solaris 8 Fast Track
Index

Foreword

Many years ago, my father decided to put a birdfeeder in our backyard. It was great. From our breakfast table we could see all kinds of birds visiting our yard. However, it soon became ...

[...]

... installed Solaris 8 system. We also go over the basics of testing, monitoring, and documenting security procedures. Next, in Chapter 2, we cover the standard security tools available from Sun Microsystems. This includes an overview of Sun’s BSM product and a look at the features of Sun’s Trusted Solaris 8. In Chapter 3, we introduce third-party security tools which are commonly used to secure and monitor Solaris ...

[...]

... authorized users and still deny unauthorized access?

Luckily, as Solaris System Administrators, we have some excellent tools available to us. Sun Microsystems has spent a great deal of effort in designing Solaris to be both stable and secure. This book is your reference guide for not only securing your Solaris systems, but also for securing the environment ...

[...]

... system indicates your consent. LOG OFF IMMEDIATELY if you do not agree to these conditions.

Evaluating Current Solaris Security Configurations

When hardening a default Solaris installation, it is crucial to examine services running both on the network and on the local host itself. Your goal during ...
Date posted: 25/03/2014, 11:18