LESSON 7 ATTACK ANALYSIS part I

Table of Contents
7.0 Introduction
7.1 Netstat and Host Application Firewalls
7.1.1 Netstat
7.1.2 Firewalls
7.1.3 Exercises
7.2 Packet Sniffers
7.2.1 Sniffing
7.2.2 Decoding Network Traffic
7.2.3 Sniffing Other Computers
7.2.4 Intrusion Detection Systems
7.2.5 Exercises
7.3 Honeypots and Honeynets
7.3.1 Types of Honeypots
7.3.2 Building a Honeypot
7.3.3 Exercises
Further Reading
Glossary

 

7.0 Introduction
There are a lot of programs on your computer that will want to open up network connections.
Some of these programs have valid reasons for connecting (your web browser won't work
nearly as well without access to a network connection as it will with one), others have been
written by people with motives ranging from questionable to criminal. If you want to protect
your computer, you'll have to learn how to detect network access, and identify the source
and intent. Not every attempt at network access is an attack, but if you don't know how to
identify friend from foe, you might as well just leave your door open.

 

7.1 Netstat and Host Application Firewalls
To be able to identify an attack, you have to know what applications and processes normally
run on your computer. Just looking at a graphical interface, whether in Windows or Linux,
won't let you see what's going on underneath the surface. Netstat and a firewall can be used
to help you identify which programs should be allowed to connect with the network.

 

7.1.1 Netstat
(netstat is also discussed in section 5.2.3) The netstat command displays the status of the
network. Netstat can tell you which ports are open and which IP addresses are connected to
them, which protocol (TCP or UDP) each port is using, the state of each connection, and
which process or program owns the port.
At a command prompt enter:
netstat -aon (for Windows) or
netstat -apn (for Linux)
In both cases -a lists all sockets, including those only listening, and -n prints addresses
and ports as numbers instead of resolving them to names. On Windows -o adds the owning
process ID (PID); on Linux -p adds the PID and program name (you need root to see them for
sockets owned by other users). Netstat will produce a display similar to this:

 

Now, you need to match the numbers in the PID column with the names of the processes that
are running. In Windows, bring up the Windows Task Manager by pressing CTRL+ALT+DEL. (If it
doesn't show a PID column, click on View, then Select Columns, then select PID.) Netstat can
also do the matching for you: on Windows, netstat -abno (run from an administrator prompt)
prints the executable behind each connection, and on Linux the -p flag already adds a
PID/Program name column. In Linux you can also enter ps auxf at a command prompt to display
the process status as a tree.
In the case of our example results listed above, we find that PID 3400 belongs to our web
browser and PID 2740 belongs to our email client, both of which we knowingly started, and
both of which have valid reasons for establishing connections to the Internet. However,
PID 3838 belongs to a program named 6r1n.exe, and PID 1516 belongs to a program named
buscanv.exe, neither of which we are familiar with.
Just because you don't recognize the name of a program doesn't mean it has no reason to be
running on your system. The next step is to go to an Internet search engine and try to
discover what these two programs do.
In our search, we discover that buscanv.exe is required by our virus scanner and should be
running. However, 6r1n.exe could be a trojan. Looking again at the display from netstat, we
can see that the port associated with the 6r1n.exe program is 6667, the standard IRC port,
which trojans commonly use for remote access. At this point, we begin researching methods
for removing the trojan.
A name alone is weak evidence either way: malware often borrows the name of a legitimate
program, so also check where the executable actually lives on disk and whether that is where
the legitimate program is installed before deciding to trust it.
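The whole procedure above (run netstat, map each PID to a program, set aside the programs you can vouch for, and look harder at what is left) can be scripted. The following is an added example, not code from the lesson: the netstat lines, the PID-to-name table and the list of known-good programs are constructed to mirror the lesson's walkthrough (PIDs 3400, 2740, 3838 and 1516), and "browser.exe" and "mail.exe" are placeholder names for the lesson's unnamed web browser and email client. The parser handles the Windows netstat -aon layout; the Linux -apn layout has extra Recv-Q/Send-Q and PID/Program name columns and would need its own pattern.

```python
"""Correlate netstat -aon output with process names, as the lesson does by hand.

Added example, not part of the lesson. All input below is constructed.
"""
import re

# Constructed sample of `netstat -aon` (Windows) output. Columns are
# Proto, Local Address, Foreign Address, State, PID; UDP rows have no State.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1042      93.184.216.34:80       ESTABLISHED     3400
  TCP    192.168.1.10:1043      93.184.216.34:443      ESTABLISHED     3400
  TCP    192.168.1.10:1051      198.51.100.7:143       ESTABLISHED     2740
  TCP    192.168.1.10:1060      203.0.113.9:6667       ESTABLISHED     3838
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1516
  UDP    0.0.0.0:500            *:*                                    1516
"""

# Constructed stand-in for what Task Manager or `ps auxf` would tell us:
# PID -> image name. browser.exe and mail.exe are placeholder names.
PID_NAMES = {
    884: "svchost.exe",
    3400: "browser.exe",
    2740: "mail.exe",
    3838: "6r1n.exe",
    1516: "buscanv.exe",
}

# Programs we have identified as legitimate. After the lesson's web search
# buscanv.exe turned out to belong to the virus scanner, so it is listed.
KNOWN_GOOD = {"svchost.exe", "browser.exe", "mail.exe", "buscanv.exe"}

# Remote ports that deserve a second look when an unfamiliar program uses them.
# 6667 is the IRC port the lesson calls out as a common trojan channel.
SUSPICIOUS_PORTS = {6667: "IRC (common remote-access channel for trojans)"}

ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def split_addr(addr):
    """Split 'host:port' (or '*:*') into (host, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse netstat -aon output into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, header and blank lines
        lhost, lport = split_addr(m["local"])
        rhost, rport = split_addr(m["remote"])
        conns.append({
            "proto": m["proto"],
            "local_port": lport,
            "remote_host": rhost,
            "remote_port": rport,
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return conns


def review(conns, pid_names, known_good):
    """Return one finding per connection owned by a program we cannot vouch for."""
    findings = []
    for c in conns:
        name = pid_names.get(c["pid"], "<unknown>")
        if name in known_good:
            continue
        reason = "unrecognised program"
        if c["remote_port"] in SUSPICIOUS_PORTS:
            reason += "; remote port %d is %s" % (
                c["remote_port"], SUSPICIOUS_PORTS[c["remote_port"]])
        findings.append({
            "pid": c["pid"],
            "name": name,
            "remote": "%s:%s" % (c["remote_host"], c["remote_port"]),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in review(parse_netstat(SAMPLE_NETSTAT), PID_NAMES, KNOWN_GOOD):
        print(f)
```

Run against the sample it reports exactly one finding, PID 3838 (6r1n.exe) talking to port 6667, which is the conclusion the lesson reaches by hand. The known-good list is the part that needs judgement: a program earns a place there only after you have confirmed what it is, as the lesson does for buscanv.exe.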

 

7.1.2 Firewalls
Now, you could sit at your computer and run netstat over and over and over and over,
keeping a constant vigil on the data moving in and out of your computer, or you could use a
firewall program to do it for you.
A firewall monitors network traffic on your computer and uses a set of rules or filters to
decide whether a program should be allowed to access the network. A firewall can filter
traffic by IP address or domain name, by port and protocol, or even by the data being
transmitted. This means that you can do things such as:

       block or allow all data coming from a specific IP address
       block or allow all data coming from a specific domain
       close or open specific ports
       block or allow specific protocols
       block or allow packets which contain specific data strings

You can also combine these filters for fine-grained control over what is allowed through.
For example, you could:

      allow data from www.ibiblio.com through ports 20 or 21 only
      allow data from www.google.com only if it uses the UDP protocol
      allow data from www.yahoo.com only through port 80 and only if the packets contain
      the text string "I will not waste bandwidth"

Rules like these only mean something if the firewall blocks everything they do not
explicitly allow, so the sensible default is to deny. Note also that a filter on a domain name
is really a filter on the addresses that name resolves to, and a filter on data strings can
only see traffic that is not encrypted.
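The three combined rules above can be written down as a small rule set and evaluated against individual packets. The following is an added example, not the lesson's code and not the syntax of any real firewall product; the hostname-to-address table uses documentation addresses and the packets are constructed. It assumes a "first matching rule wins" evaluation order with a default of block, which is what makes "only" in the lesson's rules work.

```python
"""Evaluate packets against combined firewall rules like the lesson's examples.

Added example, not the lesson's own code. DNS table and packets are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed name resolution table. A real firewall resolves a domain name to
# addresses when the rule is loaded; the matcher itself compares addresses.
DNS = {
    "www.ibiblio.com": "198.51.100.20",
    "www.google.com": "203.0.113.30",
    "www.yahoo.com": "192.0.2.40",
}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str           # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "block"
    src_ip: Optional[str] = None          # None means "any source"
    proto: Optional[str] = None           # None means "any protocol"
    ports: Optional[FrozenSet[int]] = None  # None means "any port"
    contains: Optional[bytes] = None      # payload substring that must be present

    def matches(self, pkt: Packet) -> bool:
        """Every condition that is set must hold; unset conditions match anything."""
        return (
            (self.src_ip is None or pkt.src_ip == self.src_ip)
            and (self.proto is None or pkt.proto == self.proto)
            and (self.ports is None or pkt.dst_port in self.ports)
            and (self.contains is None or self.contains in pkt.payload)
        )


def decide(rules, pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; anything no rule allows falls to the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The lesson's three example combinations. "Only" is not a property of the
# rule: it comes from the default of blocking whatever is not allowed.
RULES = [
    Rule("allow", src_ip=DNS["www.ibiblio.com"], ports=frozenset({20, 21})),
    Rule("allow", src_ip=DNS["www.google.com"], proto="udp"),
    Rule("allow", src_ip=DNS["www.yahoo.com"], ports=frozenset({80}),
         contains=b"I will not waste bandwidth"),
]


if __name__ == "__main__":
    samples = [
        Packet(DNS["www.ibiblio.com"], "tcp", 21),
        Packet(DNS["www.ibiblio.com"], "tcp", 80),
        Packet(DNS["www.google.com"], "udp", 53),
        Packet(DNS["www.google.com"], "tcp", 80),
        Packet(DNS["www.yahoo.com"], "tcp", 80, b"GET / I will not waste bandwidth"),
        Packet(DNS["www.yahoo.com"], "tcp", 80, b"GET /"),
    ]
    for pkt in samples:
        print(decide(RULES, pkt), pkt)
```

The string match in the third rule illustrates the limit mentioned above: a filter on payload content can only see plaintext, so the same rule on port 443 would never match an encrypted request even if the text were inside it.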

 
