o@DneObкwP¦@譱[PijAJMOPwADnΦbǿɪ TCP ʥ]NणDCo̴NnӰQפ@UA@ TCP/IP ʥ]niJzDtήɡA TCP ʥ]ӷ|gLdOIHDodA~|DǤJI޹DrIM~ાDphmLIOKI򭺥۵MNnAѤ@UAO TCP/IP oI
@


---

{ TCP/IPG
@
¦ Yڭ̥iHDثesuwH TCP/IP Dn[cAӨ𫟺۷nhO TCP ʥ]AԲӪ TCP ʥ]ЦA^¦ghݭӥJӡAڭ̳o̦A²檺Ʋߤ@UG
@
• D IP iHQOa}F
• ӥDҰʪ port iHQOfμӼhF
• ܩb IP ǰeƪ TCP ʥ]hiHQQO]qC
@
nFAJM TCP Oӥ]qAQMAuƬOb]q̭ Messages/Data AOѩnN]qǰe쥿TaIhAҥHNӪY (Header) AYb]qOݭngƪ@ܡHbo@WngTӷPتa}HθӦa}ӼhA~TNoӥ]qǰe쥿TaIMoAѩi|^HAҥH۵Mӥ]qWAHHa}PӼh]ݭngToI^_^CҥHOAziH²檺N TCP ʥ]QӥDnA@ӬOmƪ Messages/Data At@ӫhOY( Header )ƶgϡAbo Header ϰ줤A۷hơAziH^¦h@@@ TCP ʥ]榡Aڭ̳o̱N TCP ʥ] Header ²ƦӷPت IP ζǰe port IҥH򥻪 TCP ʥ]iHѤUϨӪoG
@ @
ѤWϧڭ̥iHMo{AzDण౵o TCP ʥ]ANݭnXG TCP ʥ] IP P port WwoI
@


---

² TCP ʥ]iJDy{G
@
nFA{bڭ̪DDƸ TCP WY( Header )OYI򰲦p TCP ʥ]niJzDɡAL|gLǨBJOH򥻤W|UoǤ򪺰աG
@
Ϥ@BTCP ʥ]iJnqLިBJ
@
1. A TCP ʥ]|gLҿתʥ]Lo ( IP Filtering κ٬ NetFilter )AoO Linux ѪĤ@hO@CIP Filter iHN TCP ʥ]iRAè̾ڱzҭqwLoWhӱNӫʥ]iBzC|ҨӻAڭ̪D TCP ʥ]Y Port P IP TApzDbȺA]cWLҥHzQn\ӺƶiJDܡAiHzL]w IP Filter ARO IP Filter unR TCP ʥ]OӦ۸bȺ IP ɡANN TCP ʥ] (Drop) Io]O Linux ̥~oC TCP ʥ]niJ쥻ANogL IP Filter o@ApGqLzҳ]wATCP ʥ]N|iJU@F

@
2. qL IP Filter ATCP ʥ]|}l Super daemons TCP_Wrappers AӬOOHIFNO /etc/hosts.allow P /etc/hosts.deny ]wɥ\oCoӥ\]Ow TCP Header iARAP˱ziH]w@ǾөY IP Port Anӷݪʥ]QγqLF

@
3. gLFWD򥻪]IAAUӫhOC@AȪӧO]w\I|ҨӻApGOH FTP suܡAb ftp ]wɮ׷Ai|g PAM Ҳ( Ӧbw|)өׯS users AM]|HSO]wө׬Y TCP ʥ]It~AH WWW A]wӬݡAb WWW ]w httpd.conf Y] deny \ILn`NOA TCP FoӨBJɡAwgOiJ쥻AȽd򤺤FAҥHAnp߱zMO_|}I

@
4. ϤWXD𳣳qLFA~iJDӵnJIɡA@gnJN|QtΰObynɡzAǥHAѥDv{I
@
`N@UAWBJO Linux w]㦳ƥ\AMz٥iHb IP Filter e~[w骡]ơILAbo̧ڭ̥DnH Linux tΥ㦳\Ӷi满InFApQ Linux ҴѪoǥ\ӨƧڭ̪DOHziHճo˰G
@
• ʥ]Lo( IP Filter )G

ʥ]LoO Linux ѪĤ@DIOP֤ߪ|@˪ʥ]LoIH 2.2.xx ֤ߪ Linux DnH ipchains @LoAܩثes 2.4.xx hH iptables IOKIJMڭ̪s Linux  kernel 2.4.xx AҥH۵MH iptables Ӷi IP תu@աIѩ TCP ʥ]Y IP port IҥHnרӷ IP Ϊ̬Oۨ port AKKI۵MNܮeӶiաIzثeunoA iptables iHg TCP ʥ] Header ƨӶiRu@Aó]wySʧ@zAҦpGŦXڭ iptables ]wWhANLiHgLAYO TCP ʥ]bڭ̪w IP CANNLALNSkiJ Linux DաI
@
• Super daemons P TCP_WrappersG

ثesX Linux ҨϥΪ super daemons OH xinet DAܩ׫ʥ]u@hiH TCP_Wrappers ӶiIWrappers O]qNA TCP_Wrappers ۵MNOn TCP oӥ]qiѪRuաIKKISALiHAR TCP ʥ]ڡIQΨCӪAȪSAӱN TCP ʥ]סAo TCP_Wrappers DnHy A , serviceszDפwAҦp FTP, Telnet, SSH iHgѥLӶi IP Rʧ@I
@
• AȹLoG

CӪA٦SOۭqAҦp Apache o WWW MYANty deny from IP zө׬YǤw諸 IP A ssh ]iHb]wɸYMwO_n} root nJvIFTP M]iHw@dzWhӾױw諸 IP աILAo@BɡAӫʥ]wgiJDAȤoAOgѪAȨ IP suIӥѩYǪAȤѥʹNǤp|}AA Cracker ۷eQγoǺ|}Ӷi}a欰Iѩӫʥ]wgiJDFAU@Aȯu|}AiNGF......ҥHAMڭ̥iHQΨCӦAnӳ]wת\AOpGӦAn饻N|}ܡAo@BN|椣qoI
@
• nJDG

W쪺jhObYǪAȸYӨΧڭ̥DtΪ귽ApGӫʥ]OQnnJڭ̪DO( login )HoӮɭԴNݭnoڭ̥DybPKX, ID & PasswdWordzvաIpGqL ID & pass word ҤANiHiJڭ̪DաI̱`NO SSH Ϊ̬O telnet H FTP nFAodznb Client ݪʥ]ƸgLWƹDӶiJAAӴN|nD client ݪϥΪ̿JbPKXAǥHR𫍧Ӷ}v Client ϥΪ̵nJCҥHաAboӤ̭A̭nNOKXաIpGzKX]w²AΪ̬OFKzϥΪ̡AL̥iHNKX]w۷²AҦpKX]w 123 AztΪKXNܮeQqXӡIܦMIoI
@
• nɰOG

yF@ɪ}a.....zIIӬO֥dCYaHx....o̭nͪOAyFD}a....iRSgH...zNO n աIFOv{AHK޲z̦bӪ~d߻PJIA}nRnߺDO@wnإߪAרO /var/log/messages P /var/log/secure oǭɮסIMUjDn Linux distribution jhXAXL̦ۤvnɤRMAҦp Red hat logwatch ALӮMäoAXҦ distributions AҥH VBird զۤvgF@ logfile.sh shell scriptAثeb Red Hat, Mandrake, Openlinux iHinɪROIziHbU}Uӵ{Ghttps://vbird.org.cn/download/index.php#logfile
@
nFAUڭ̨ӽͤ@ʹXӱ` Cracker kC

ʲAѤF TCP ʥ]piJ쥻AAӧڭ̥ѴXӥi઺JIkAM~Ӳ@˨Ƨڭ̪DOG
@
• ϥΤu{JIzDG

dUnháAثeWӦhJIAnFIunzDW@@nALNiHgѧn鸪Ѫ\AozDW root vAöi@BazDIåBAFȳQz@Ǥu{o{L PIDAҥH@ӻAL|hקzḒXɮסAҦpGwho, w, last, top, ps, netstat, find Azû䤣LO_bztηIȤFaHILAoǤu{DnOQΡyz Linux distribution ҴѪM󪺺|}zӳ]pAxIUDn distribution nѦDMڡIHIäOo˪աA]@ӷs Linux distribution XALN|}l Internet AܦhyլլLlz(xyASƷFN)N|R distribution ҴѪMO_|}L̦iXHIpGo{F distribution ѪM󦳺|}A\OjN|gbȳnAMunHӳnAKKIzo|oͤƤFҥHoAzwˤF Linux AߨжiMɯŰڡI~קKQo@u{Ү`I(ܦhH|ݨ컡GxI Linux oh|}ڡHIniȡHIAثeC@M@~tΤWܦh|}AҦpzi Windows |}qGhttp://www.microsoft.com/taiwan/download/ NાDFIҥHAwƨä Linux tΡApGz觹 Windows tΪwˡA̦n]Onߨ Windows ҴѪ update hs Windows MڡI)
@
• įΩΤ차{ ( Trojan horse )G

ۤ차OONA차{|DʪNzD}@ӫ ( iHQO port QҰʤF )ḀiHPPiXzDOI차{|bztΤWOH²rIpGѱzUF@Ӥ{AӥBNwˤFLALNi|`nbzOFIҥHnHNwˤӷɮסAΪ̬OnHNwˤɮקrIҦpe@}ӦWYӳnAbۮaWٳQmF차{bM󤤡rIuiȡ㨺qįάOHL]O@{AiHzLۧcިӷPVLκ줺DḀiȪOA]L|ۧcޡAåB|jqoeʥ]YӦahA]jqoeʥ]AҥHN|ΨӺC骺WeAzIN|yF`FIҦpe2001-2003~۷W Nimda P Code Red frA|zWeQYIInקKoANnHKUɮסAåBAUɮצpGl MD5 TANȥH md5sum oӫOӳnO_QקLAM~ߪw˳I
@
• DoS k ( Denial of Service )G

o½Ķy_zAoاk]ܭnRAӥBkܦhA̱`N SYN Flood kFIٰOoڭ̦b¦̭쪺ADF@ӱa SYN TCP ʥ]AN|ҥιnD port ӵݳsuAåBoeX^ʥ] (a SYNACK XЪ TCP ʥ])Aõ Client ݪA^CnFAboӨBJڭ̨ӷQ@QApG cient ݦboeX SYN ʥ]AoNӦ Server ݪT{ʥ]Az Server ݴN|@ŵAӥB Client ݥiHzLn\AbuuɶoeXo˪ SYN ʥ]Az Server N|_oeT{ʥ]AåB}Ҥjq port bŵID port ҥΧA.....tδNFIo DoS kyɥۭѵIzqALOJIztΡAӬOnztαIOI
@
• IP FG

oӬO񪺤HdXӪALezDʥ]YƧLFAëŧiz@lIpGzSױo˪ʥ]ܡAq`N|ܦyLzIGNOSiHө|iJzDF....Iu
@
• Port scanG

oӳ̰QFI]ثeܦh distribution Fۨqۤv|}A|W nmap o@˳nIoسnۤvۤvٵLҿסAiHˬd@UۤvD}F port IO@QϥΨӧOHDAiNnF....pGzoؾ|ܡA]nHNhOHDIܬOMIOI
@
MAk٤upAo̶ȤLCX@Ǥ`qӤwӥѤWqݰ_ӡAIM󪺤ɯӬO̭nwu@FI

bW( רO BBS )̱`ť쪺NOo˪sznGyIIϩRIڳQJIFInHzuO˸ܡIڤ]DnUzOI]ouO......yۧ@ۨzoI@ǦѤHa``bA[]@ӡyzܮeA]ثeuWоǹbOӦhFAWyоԤUzy]uOhpLVAMӡAjauDyڭn[]zoyڭn[]O@ӦwzAoNOڭ̦ѤHanI]y[]@ӦwAu....zI𫟺A@ߤOIOHѤW TCP/IP ʥ]uϡAڭ̥iHo{AKKIثeJIzD޹DbOӦhFIӤ@Ө}ntΤSOunWz𫟺@hNiHnIӬOƦXWAåBny_zʴzDtΡA~O@nzDOIٯuOeoIUڭ̨ӽͤ@͡ApGѥD~ӳWAn˨ӥ[jDwʩOH

1. إߧnJKXWhG

nnD@AĤ@BNOnإߧKXWhI]oөNN``O cracker դJIĤ@BIznإߦnDKXWhAаѦ linux pе--¦Dz߽gb޲z @g峹AY쪺 /etc/shadow ɮ׮榡A٦ /etc/login.defs oɮתeAO۷nKXWhqwҦbIt~A cracker n|QήM󪺺|}ӥDʪbztΤWsW@ӥiH cracker nJbAҥHApGzbʨä|WcɡAiHեH chattr ӱN /etc/passwd /etc/shadow iܧɮסIwաI
@
2. Dv]wG

ӨרӷQApGd}aHOztΤW㦳iHnJϥΪ̩OHIDv]wN㪺۷nFIٰOo SUID P SGID aIHpGztΤW㦳ܦhovɡA@먭ϥΪ̴NiHܻotκ޲zvFIܳ·ЪҥHADvݭnnn޲zAdUiHߡ
@
3. ɯŻP׸ɮM|}BβMIMG

oӯu۷nINO]zAȮM󪺦wʰաIҦpW wu-ftpd o ftp MAQFܦhAnwINnNnҰʥLAΪ̬OMҰʡAOLϥκAo˳̰_XiHF@IO@ĪGI~AwɪɯŻPwɤWdݦMIqiAOܭnAשOIq̪DoǦwTHUOon``[ݡG
• xWqMBzpաGhttp://www.cert.org.tw/
• Mandrake securityGhttp://www.mandrakesecure.net/en/docs.php
• Red Hat updateGhttps://#/apps/support/errata/
pGQntΦ۰ʤɯŮM󪺸ܡAe@gyLinux M󪺺szNणhݤ@ݡC
@
4. CtΪAȪw]wءG

CӦAn鳣ۤv}o\Aǥ\ܱjjAjjiH Client ݨo root vӾާ@Coǥ\ೣOKQ޲z̨ӶiD޲zALAo]iy@Ǭwü{C|ҨӻASSH oӴѻݵnJAnAiH root oӱbӵnJAOAѩC Linux tγ root oӱbAҥHAunHDztαҰʤF SSH ALNi|H root oӱbӲqzDWKXAþڥHnJztΡIܦMIAOܡHIҥHAi઺ܡAɶqNAn骺MI\AҦp SSH, FTP, Telnet n骺 root nJvIt~AjAn]|Ѧw]wءAҦp SSH N㦳 deny Y IP άOϥΪ̨]wةOIҥHAo{MIHhAN[JڵӦWaI
@
5. TCP_Wrappers ¦]wG

oO̰¦FIziHqwYǤMIAȶȰw鷺}AҦp FTP P Telnet oӷצMIAȡAL̶ȯbpϥΡA TCP_Wrappers NiHFo˪\ૣI] TCP_Wrappers DnOwAȨӳ]pALiHwYǪAȪA IP qӶiqLP_ˬdOIoӧڭ̷|bU@~򻡩C
@
6. iptables Wh]wG

oӬO Linux ֤ߤ䴩u@IiHQΤ@@檺WhqwAӳ]w𪺦wWhAphiHױjw諸 TCP ʥ]oIoڭ̤]|bUӳ`~򻡩C
@
7. D귽t( MRTG )G

D줣]ɡAq`|@Ǻݭ٥iH@XӡAҦp̩㪺O CPU loading |t 90 ~ 100% kI٦ALHhbjqUƮɡAyqWeQLFIoӮɭD귽tN㪺nFAڭ̤]iH² snmp tX MRTG ӮơAHYɪר[D{pI
@
8. nɮפRtΡG

٬OnA@MAnɪ}nRߺDAtκ޲zӻAOuܭn@ƱI

򥻤WAD@ܤֻݭnFWnDAhh[WwqOuܭnƱA~Aѩtκ޲zγ\LkѳbDe޲zAɦ۰ʤRtδNܭnFIҦpڭ̥iHzL apt urpmi M޲zi۰ʮMɯšBQ logwatch MӶinɪJӤRAiHUtκ޲zIJv޲zDoIOKItκ޲zDnȬOOH

qWpӬݡAKKKKIn@@Ӻ¾ޤHAٯuOrI򥻤WAzݭnƳoǯO~OG

• AѤOݭnO@eG

ڪѧoA٭nDOݭnO@rIHISANOpIѭڭ̪DDJIkAAѡAunHbzDeAƳi|o͡I]ApGzD۷nAСynHaIzziHѦҤ@UiJ|byi઺ȡz̭nѨ@qƪxסII ^_^""
• wGNaI
• nG٥]ṱnƩOII

• w«( Black hats )JIG

oiO}AO«ȧrIoO]쥻b赓qvAaHO¦UlAҥHeH̴Nٺ̬ Black hats աIbwo譱̮ɡAFYިnJ~AٻݭnSO쥻zDHINڭ̤pӻAnHnBʹNHKLաILnwKXOLbۦPnOAzNLIHaΥLKXnJzDAï}azDAiNovFIpGOj~ܡAuϥκɡA]nŪOI ^_^

• DҦwơG

SnAFhߡA٬OhߡIJӪRnɡA``Wݬݳ̷swqiAoO̰¦I٥]tFḨ֪tקsDMI]AV֧szMANV֥iH«ȪJII

• WhqwG

o·Ф@ǰաI]zݭn_մզAաIHǫΤƪw]wI򻡩OHnoOApGzWhqwoӦhɭԡA@Ӹƫʥ]NngLVhd~৹㪺qLAHiJDIKKIoiO۷OɶI|yDįणISOdNo@IOI

• Yɺ@zDG

N軡AzݭnHɺ@zDA]A𤣬O@g]wNΦbALFI]AAYKA]||}IoǺ|}]AWh]w}BQθsJI޳NBQαz³n骺AȺ|}IҥHAݭnYɺ@zDrIo譱FR log files ~A]iHǥѧYɰӶioӤu@IҦp PortSentry NOZ@MnOI

• }nШ|Vmҵ{G

OҦHOqAרM{bTzAOMܦh||JqèrIoӮɭԡAnoOAڭ̹󤺳q`SӦhWdApGLΤqhaƫHIɭ٬OLߪҥHAݭnSOШ|Vmҵ{rI

• ƥpeG

ѦAHi׺֧rIHDɭԷ|ja_Bڭ̤]DɭԷ|MwбhҥHAƥpeO۷nIIo@аѦҤ@U linux pе--¦Dz߽gLinux Dƥ eaI

ϥANOnZhߤObWNOFIMAu|@Ѩ߱zDޡBzΤBzȤzzjsI ^_^""IӬFzoӺ޲zu@iHPADz BASH Shell Hη|ϥΨ쪺{yAרO Linux WDΪ C Ah]OnoI

ҿסyʱK@zڡAHOA`|Ҽ{gpAU@zDN]oy@zɭPQJIFAӫHѤWAڭ̪Dy차zOYA]L|bztΤU}ӫ(Back door)̥iHnJzDAӥBٷ|«z Linux W{Az䤣Ӥ차{IHܦhBͳߺDyϥunN root KX^ӴNnFzo˪[IAƹWAˤ@D٬OQ~MIڡIҥHAU@zDQJIFA̦nk٬Oysw Linux z|bIӦp󭫷sw˩OHܦhBͤ@AawˡAo@AaQJI㬰OH]LSyOаVzڡIIUڭ̴Nӽͤ@͡A@QJIDӦp״_nH
@
1. ߧYްuG

JMo{QJIFAĤ@ƱNO\I\²檺@k۵MNOޱuFIƹWAu̥Dn\ణFO@ۤv~A٥iHO@P쪺LDC򻡩OH|ӳ̪ (2003/08) ofefrnFAL|PVP줧LDIҥHAްuAݪ̥ߧYNLkiJz Linux DAӥBz٥iHO@줺LDڡI
@
2. RnɸTAjMi઺JI~|G

QJIAMOunsw˴NnAٻݭnB~RyڪDo@|QJIAOpJIHzApGzXDIA򤣦z Linux \OߨWjFAD]|VӶVwIӦpGzDpXQJIi~|A򭫷sw˫AU٬OiQHP˪kJIڡI·ЪաInFAӦpXJI~|OH
• RnGCŪ Cracker q`ȬOQΤunӤJIztΡAҥHڭ̥iHǥѤR@ǥDnnɨӧX𫍧 IP HΥi঳D|}CiHR /var/log/messages, /var/log/secure ٦Q last OӧXWnJ̪TC
• ˬdD}񪺪AGܦh Linux ϥΪ̱``oۤvtΤW}Fh֪AȡHڭ̻LACӪAȳ|}Ϊ̬OӱҥΪWjΪ̬Oի\AҥHAXztΤWAȡAåBˬd@UCӪAȬO_|}AΪ̬Ob]wWFʥAM@Ӥ@ӪzaI
• d Internet WwqGzLwqAѤ@U̷s|}TAwzDNbWI
@
3. nƳƥG

DQJIAoD۷YAOH]DW۷nưڡIpGDWSnơA򪽱sw˴NnFIҥHAQJIAˬdFJI~|AAӴNOnƥnƤFCnFAݭӰDAOynzH who, ps, ls OOnƶܡH٬O httpd.conf ]wɬOnơHSΪ̬O /etc/passwd, /etc/shadow ~OnơHI򥻤WAnӬOyD Linux tΤW즳zAҦp /etc/passwd, /etc/shadow, WWW , /home ̭ϥΪ̭nɮ׵Aܩ /etc/*, /usr/, /var ؿUơANoݭnƥFC`NGnƥ@ binary ɡA] Linux tΦw˧᥻ӴNoɮסA~Aoɮפ]ܦiywgQ«LFzAƥoǸơAϦӳyUt٬ObI
@
4. sswˡG

ƥFơAAӴNOsw Linux tΤFCӦbowˤAz̦nܾAXzۤvwˮMYiAnM󳣵LwˤWhڡIMII
@
5. M󪺺|}׸ɡG

OoڡAsw˧AХߧYsztήMA_h٬O|QJIաIڳwbLbҤUN Internet W|}׸ɮMUUӡAMN_ӡAM᮳ۤvw˧tΤWAmount CD LsAsAåB]wFAPɶiU@BJyβݭnAzAڤ~NuWDdWI]ڤTwbw˧AsW Internet hsM󪺳oqɶA||SJI....
@
6. βݭnAȡG

oӭnʤݭnAFaHIҥζV֪AȡAtηMiHQJIiʴNCC
@
7. Ʀ^_P_Aȳ]wG

ƥƭn򪺽ƻs^ӨtΡAPɱNtΪAȦAs}AЪ`NAoǪAȪ]w̦nAT{@UAקK@Ǥ]wѼƦbYI
@
8. sW InternetG

Ҧu@i檺thFA~N讳uWӧaI_DB@FI
@
gLo@sꪺʧ@AzDӷ|_bҡA٤౼HߡA̦n٬OѦҨ𪺳]wAåBh譱Ѧ Internet W@ǦѤ⪺gAnzDiHw@ǡI

• nިnJD Client AonA TCP ʥ]C TCP ʥ] Header P Messages ⳡA𫟺A Header ̭̭nT]tتݻPӷݪ IP P Port A٦@ǺXСAҦp SYN/ACK F
• TCP ʥ]niJڭ Linux AܤֻݭnqL IP Filter, super daemon/TCP Wrappers, Daemons, KXҥ\ BJF
• @ǩҿת«ȳnAOzLz Linux WM|}ӧ Linux DF
• MɯŬOwQJI̦Ĥk@F
• }nnɤRߺDiHbuɶo{tΪ|}Aå[H״_C

• xWqMBzpաGhttp://www.cert.org.tw/
• Windows |}qGhttp://www.microsoft.com/taiwan/download/
• Mandrake securityGhttp://www.mandrakesecure.net/en/docs.php
• Red Hat updateGhttps://#/apps/support/errata/

• ڦѬOo{ڪtΩǩǪAGIyҼˡAhåiO CPU tӤjAҥHnhˬd@UtάTCаݡAڸӥHOhˬdڪtάTH
• hçڪtΤWLh㦳 SUID ɮצsbAɭP@ϥΪ̥iHHNo root vAаݡAڭnpXoǨ㦳 SUID vɮסH
• ڥѰꤺ@ ftp WUF Red Hat qXMAڷQw˥LASDӮMɮ׬O_QקLIаݧڸӦpTwoӮM󪺥iΩʡH
• }nKXWOƥDĤ@nȡAа Linux tηAKXɮ׻PWh]wbɮ׸̭H
• ²A@DQJIAӦpBzH

eѦҥθѵ