1. Encryption and decryption
1.1 Overview
Sender: plaintext -> ciphertext
recipient: ciphertext -> plaintext
encryption target mode and
- ensure the confidentiality of data:
- Symmetric encryption: encryption / decryption using the same key
- asymmetrical encryption: encryption / decryption with different key
- Protection of the integrity of information
- information summary: short, fixed number of bits to generate a hash value based on information of the length of the input
common encryption algorithm - Symmetric encryption
the DES, the Data Encryption Standard
the AES, Advanced Encryption Standard - Asymmetric encryption
the RSA, a Rivest Shamirh Adleman
the DSA, the Signature Algorithm Digital - Hash hashing technique for message digest
MD5, the Message Digest 5 Mathimatics-Numerical algorithms
SHA, Secure Hash Mathimatics-Numerical algorithms
MD5 integrity verification - Use md5sum check tool
- Check with software value than for official
1.2 GPG encryption / decryption tool
1.2.1 GnuPG Introduction
GnuPG,GNU Privacy Guard
- http://www.gnupg.org/
- The most popular data encryption, digital signature tool software
] # gpg --version
1.2.2 GPG symmetrical encryption / decryption
加密操作: --symmetric 或 -c
解密操作: --decrypt 或 -d
]# gpg -c test1.txt //弹出图形界面,设置密码
]# file test1.txt*
]# gpg -d test1.txt.gpg > dtest1.txt //根据提示验证密码
1.2.3 GPG asymmetric encryption / decryption
基本过程:
1.用户B把自己的公钥传给用户A;
2.用户A使用B的公钥加密数据,将加密后的数据给用户B;
3.用户B使用自己的私钥来解密数据
准备工作:
B用户创建密钥对: --gen-key
B用户导出公钥: --export, --armor 或 -a
A用户导入公钥: --import
注意:利用urandom随机数算法进行计算
mv /dev/random /dev/lodrandom
ln -s /dev/urandom /dev/random
b]# gpg --gen-key //设置用户信息,私钥口令
b]# gpg -list-keys
b]# gpg -a --export userb > /tmp/userb.pub
...
a]# gpg --import /tmp/userb.pub
基本用法
加密操作: --encrypt 或 -e
制定目标用户: --recipient 或 -r
解密操作: --decrypt 或 -d
2.AIDE Intrusion Detection System
2.1 system initialization
- Install the package yum -y install aide (Advanced instrusion detection environment)
- Modify the configuration file (/etc/aide.conf)
vim /etc/aide.conf
@@define DBDIR /car/lib/aide //数据库目录
@@define LOGDIR /var/log/aide //日志目录
database_out=file:@@{DBDIR}/aide.db.new.gz //数据库文件名
# These are the default rules.
#p: permissions
#i: inode:
#n: number of links
#u: user
#g: group
#s: size
#b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#acl: Access Control Lists
#selinux SELinux security context
#xattrs: Extended file attributes
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum (MHASH only)
#gost: gost checksum (MHASH only)
#crc32: crc32 checksum (MHASH only)
#whirlpool: whirlpool checksum (MHASH only)
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256
- Check initialized
before the attack has not been compromised, according to the configuration file, the data verify operation.
]# aide --init
AIDE, version 0.15.1
###AIDE database at /var/lib/aide/aide.db.new.gz initialized.
- Backup of the database
before the invasion, the backup checksum database file to a safe place, such as USB flash drives, CD-ROM, removable hard disk or network storage.
]# mv /var/lib/aide/aide.db.new.gz /其他路径
2.2 intrusion detection
- Implementation of intrusion detection
will check the database files before the backup to restore
] # cp / other paths /var/lib/aide/aide.db.gz - According to the database to perform intrusion detection
] # aide --check
3. Scan and capture
3.1 Security Analysis Overview
- Why scan?
For some public / non-public information for the purpose
- to detect potential risks
- can find the target
- collection device / host / system / software information
- Discovery of exploitable security holes - Scanning and tools
typical scan
- Scan, active detection
- Sniff, passive listening / sniffing
- Capture, packet capture (capture)
Common Security Analysis Tool
- Scanner: NMAP
- protocol analysis: tcpdump WireShark
3.2 NMAP scans
Introduction 3.2.1 NMAP
- 一款强大的网络探测工具
- 支持多种探测技术: - ping扫描 ; - 多端口扫描; - TCP/IP指纹校验
- Basic Usage
- nmap [Scan Type] [options] <scan target ...>
- Scan type commonly used
- -sS, TCP SYN scan (half open)
- -sT, the TCP connection scan (full)
- the -sU, the UDP scan
- -sP, ICMP scan
- -A, a comprehensive analysis of the target system
application example
nmap -sP 172.40.59.1-254
nmap 172.40.59.189
nmap 172.40.59.182
nmap -p 172.40.59.189
nmap -p 80 172.40.59.189
nmap -A 172.40.59.189 // -A 是复合选项,相当于: -O(OS检测),-sV(版本检测),-sC(脚本检测),traceroute跟踪...
3.3 Network capture tool (the tcpdump package)
3.3.1 tcpdump command capture
- Basic usage tcpdemp [options] [filter conditions]
- Common monitoring options
- excuse -i designated network monitoring
- -A converted to ASC code for easy reading
- -w to save data packet information to the specified file
- -r reads the packet information from the specified file
- -c defined Ethereal The number of - tcpdump filters
- Type: Host, NET, Port, portrange
- direction: the src, DST
- protocol: TCP, UDP, IP, WLAN, ARP, ...
- a plurality of combinations of conditions: and or not - Application Examples
]# tcpdump -i br1 icmp
]# tcpdump -i br1 icmp and host 172.40.59.107
]# tcpdump -i br1 port 22
]# tcpdump -i br1 -c 4 port 22
]# tcpdump -i br1 port 22 or port 80
]# tcpdump -i br1 \(port 22 or port 80 \) and host 172.40.59.107
]# tcpdump -i br1 dst host www.taobao.com