Protection and Security in Linux Networks (Защита и безопасность в сетях Linux)

[Table of contents. Extraction dropped the Cyrillic text of the headings; only the page numbers and the Latin-script parts of headings (file names, commands, protocol and port names, Squid and Samba option groups) survived. The entries that remain at least partly recoverable are listed below with their page numbers, in the book's order; entries whose titles were lost entirely are omitted. The extraction also ends mid-list after the Samba "Logging options" entry.]

p. 8: introductory matter; numbered sections 1, 2, 3, 4 follow on p. 9
p. 15: Part I
p. 18: /etc/passwd (two entries)
p. 20: /etc/shadow
p. 21: /etc/shadow
p. 22: /etc/groups
p. 23: /etc/group
p. 23: /etc/gshadow
p. 24: /etc/login.defs
p. 37: / (heading fragment)
p. 38: X
p. 47: Linux: (heading fragment)
p. 55: SUID/SGID (two entries)
p. 56: SUID/SGID
p. 57: SUID/SGID
p. 59: ext2
p. 60: chattr
p. 60: lsattr
p. 66: Amiga affs
p. 66: Linux ext2
p. 67: FAT, MSDOS, UMSDOS, VFAT
p. 67: OS/2 HPFS
p. 68: CD-ROM ISO9660
p. 68: PROC
p. 69: /proc
p. 69: / (heading fragment)
p. 73: /proc/sys
p. 74: /dev/pts
p. 74: / (heading fragment)
p. 77: init
p. 79: inittab
p. 80: inittab
p. 81: r (heading fragment)
p. 83: r (heading fragment)
p. 91: LILO
p. 94: root
p. 95: Linux
p. 97: Part II
p. 100: IP
p. 101: IP
p. 102: IP
p. 103: ICMP
p. 105: CIDR
p. 106: IP
p. 107: CIDR VLSM
p. 109: ipconfig
p. 111: route
p. 118: netstat
p. 123: inetd, inetd.conf
p. 123: inetd
p. 125: inetd.conf
p. 132: FTP, 21 20
p. 136: telnet, 23
p. 136: smtp, 25
p. 139: domain 53
p. 140: tftp, 69
p. 140: finger, 79
p. 140: www, 80
p. 140: 2, 109, 110 (heading fragment)
p. 141: sunrpc, 11 (heading fragment)
p. 142: auth, 113
p. 142: netbios, 137-139
p. 142: imap2, 143 imap3, 220
p. 143: xdmcp, 177 (UDP)
p. 143: printer, 515
p. 144: r (rsh, rexec, rlogin), 512, 513, 514
p. 147: DoS
p. 147: ping flooding
p. 149: SYN DoS
p. 151: DoS
p. 163: TCP (TCP Wrappers)
p. 165: TCP Wrappers
p. 170: tcpdchk
p. 171: tcpdmatch
p. 173: Part III
p. 184: ipchains
p. 185: ipchains
p. 188: ipchains
p. 192: Linux 2.4.x netfilter
p. 192: 2.2.x (heading fragment)
p. 193: netfilter
p. 194: netfilter
p. 197: proxy Squid
p. 201: NETWORK OPTIONS
p. 203: LOGFILE PATHNAMES AND CACHE DIRECTORIES
p. 203: EXTERNAL SUPPORT PROGRAMS
p. 203: TUNING THE CACHE
p. 203: TIMEOUTS
p. 204: ACCESS CONTROLS
p. 205: ADMINISTRATIVE PARAMETERS
p. 206: CACHE REGISTRATION SERVICE
p. 206: HTTPD-ACCELERATOR OPTIONS
p. 206: MISCELLANEOUS
p. 206: DELAY POOL PARAMETERS
p. 207: squid (two entries)
p. 208: squid
p. 210: IP
p. 217: IP
p. 220: Linux 2.4.x
p. 223: Samba (two entries)
p. 224: SWAT Samba
p. 224: SWAT
p. 224: SWAT inetd
p. 226: SWAT Apache
p. 226: SWAT
p. 228: Microsoft
p. 228: NT D (heading fragment)
p. 229: NT
p. 229: D (heading fragment)
p. 230: Samba Microsoft (NT / Windows 9x)
p. 230: Linux D (heading fragment)
p. 231: Base options
p. 232: Security options
p. (cut off): Logging options
232 Tuning options ............................................................................................................................................................... 232 Filename handling ......................................................................................................................................................... 232 Browse options .............................................................................................................................................................. 232 Locking options ............................................................................................................................................................. 233 Miscellaneous options.................................................................................................................................................... 233 Homes..................................................................................................................................................... 234 .................................................................................................................................... 234 , Samba ............................................................................................................................. 235 Global .............................................................................................................................. 236 Samba .................................................................................................... 239 Samba ................................................................................. 240 ....................................................................................................................................................................... 240 web- Apache ........................................................................................................................... 
241 Apache.................................................................................................................................................................. 241 .............................................................................................................................. 242 ...................................................................................................................................... 242 .................................................................................................................................................... 243 Apache ............................................................................................................................................. 246 SSL ....................................................................................................................................................................... 251 Apache ........................................................................................................................... 252 .htaccess..................................................................................................................................... 253 , ........................................................................................... 253 , suEXEC .................................................................................................................................... 254 Linux 2.4.x khttpd................................................................................................................................................. 255 ....................................................................................................................................................................... 256 Secure Shell VPN ......................................................................................................... 
258 Secure Shell ....................................................................................................................................................................... 259 SSH..................................................................................................................................... 259 SSH ..................................................................................................................................................... 261

SSH SSHD........................................................................................................................................ 262 FreeS/WAN ....................................................................................................................................................................... 263 FreeS/WAN ........................................................................................................................ 264 FreeS/WAN ................................................................................................................................. 265 .......................................................................................................................................................... 265 ........................................................................................................................... 266 OpenSSH ........................................................................................................................................................................... 267 ....................................................................................................................................................................... 267 IV ................................................................................................................................. 268 syslog ................................................................................................................................................... 269 syslog.......................................................................................................................................... 270 syslogd............................................................................................................................................................... 274 ? 
..................................................................................................................................... 276 ....................................................................................................................................................................... 277 syslog .................................................................................................................................. 278 , /var/log ................................................................................................................... 278 ...................................................................................................................... 280 ................................................................................................................................................ 281 utmp, wtmp last log............................................................................................................................................ 282 ....................................................................................................................................................................... 285 ...................................................................................................... 286 ................................................................................................................................................ 286 ...................................................................................................................................................... 287 ipchains...................................................................................................................................... 288 // ................................................... 288 ............................................................................................................................................ 
293 ....................................................................................................................................................................... 294 .......................................................................................................................................... 295 courtney ......................................................................................................................................................... 295 nmap .............................................................................................................................................................. 298 nmap.................................................................................................................................. 300 nmap .............................................................................................................................................. 301 nmap .............................................................................................................................................. 303 nmap netstat................................................................................................................................................. 304 ....................................................................................................................................................................... 305 ................................................................................................................................... 306 ?................................................................................................................................................ 306 ............................................................................................................................................................. 307 Web-, ............................................................................................... 
307 ............................................................................................................................. 312 ....................................................................................................................................................... 313 ....................................................................................................................................................................... 313 ....................................................................................... 314 ........................................................................................................................................................ 319

,

, , , 24 . , Road Runner, adsl/ xdsl, . , Web , web- , . , , . Linux , . . , . , , NASA , , , , , , ; , . , , , , . -, NASA . , , , , , . -, . , , . , , . . . , . , , , . , , , . , Caldera OpenLinux , Caldera OpenLinux, Linux. , , Linux , 1988 , : MS-DOS DR-DOS. . Linux, , Linux. telnet Linux, . Linux , . Linux , , , , Linux . , Linux, , , , ,

. , , .

.

1. . , , , . , , , , .

2. , , , . , , , . , .

3. , .

4. , . , , , , , . , . , , . , , .

. , , ( -). , -.

, : - , , (+), , Ctrl+P; - , , ; - , , , , . . : , , .

, .

, .

, , .

Linux. , . . , , . , . : ( Denial of Service ) . , , Linux , . , , , . , , ? , , , , , . , , , . , . . , . , , : , , . , , . . , - , - . , , , . 1999 Microsoft IIS . . PowerPC Linux. : web- Apache. . , , . , , , . , , . , . , . . , , . . , . . , ( Amazon.com). , . , , , .

Caldera OpenLinux ( -), Linux. Caldera Linux, .

, . , . , -. , , , . -, . , , . . . : , . . , ? , ? , : , , .

, , . , . . , : , . : , . . , , . , , . . , , . , - . , . , . (EEPROM) . Linux , IH (), Windows , , root, , . , . , Ethernet . , . , ( , , ), - . , , , . , . FTP Web - , - . , . . , . , ,

. , , , . . . , , . , . . . , , , . . , , , . , , . , . , , . , . , . , , , , .

, , . , . , : , , , . , . , , : . . , , , , , . , , . , , . , , , . . . , , , . Linux . , . , . , . , , , , . , , , . , . , , . . , . .

? ? , , . , ? ? , ? ? ? . , ? , ? , , ( . .), ( ?). , , , , , , , . RFC-2196 RFC-2504.

I

1. 2. 3. 4. 5. 6. 7. 8.

, SUID/SGID /

1-

,

: - ; ; ; /etc/passwd; /etc/shadow; /etc/gshadow; /etc/login.defs; ; .

Linux - , , , . - , . , . , . Linux . , , , .

Linux . , , . , , telnet, ftp, http . . . . , , , , . ( ). , . . , , , , . , . (user ID, UID). , UID , , UID .

. . . , , . . , , .

, (user ID, UID). Caldera OpenLinux 500 , 65 534. 500 . Linux : , 1000, 500. , , Linux. , 500, . 1 65 534 - . , 500 , . . . . , . 0 65 535. UID 0 UID. . . . , root ( , UID 0), , , . UID, , . , , . root, . . UID, 65 535. . UID nobody (). , . ( ), OpenLinux UID nobody 65 534. 65 535 UID, . , useradd: useradd -m -u 65535 noone . : , ( useradd, , ), a root? su -noone, , , . 65 535, nobody 65 534, 65 535 . ( : userdel ; rm -Rf /home/noone.) - 65 536, . , UID , , 0, 1. , . UID , , UID nobody, 65535 16 , 1111111111111111. 65 536 16 17 . (1), (0). 17 10000000000000000? , : 16 , 17 , . , , , , , , . , Linux , UID 65 536. . ? , , UID, , . , , .

, 65 536, , /bin/login .

. , . , , , , , , , . , , , . web- , . , . ? , , , ? , .

/etc/passwd , , /etc/passwd. , , ( , ). , , , , . , . , , passwd. /etc . , , . - , . 1.1. passwd . . 1.1. /etc/passwd

root:1iDYwrOmhmEBU:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:11:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/var/spool/news:
uucp:*:10:14:uucp:/var/spool/uucp:
operator:*:11:0:operator:/root:
games:*:12:100:games:/usr/games:
gopher:*:13:30:gopher:/usr/lib/gopher-data:
ftp:*:14:50:FTP User:/home/ftp:
man:*:15:15:Manuals Owner:/:
majordom:*:16:16:Majordomo:/:/bin/false
postgres:*:17:17:Postgres User:/home/postgres:/bin/bash
mysql:*:18:18:MySQL User:/usr/local/var:/bin/false
silvia:1iDYwrOmhmEBU:501:501:Silvia Bandel:/home/silvia:/bin/bash
nobody:*:65534:65534:Nobody:/:/bin/false
david:1iDYwrOmhmEBU:500:500:David A. Bandel:/home/david:/bin/bash

. , . . . passwd, Unix, , . : , , , , GECOS ( ), .

/etc/passwd

. , . ( , useradd, coastool LISA ), , , . , , UID . , . , . . , . - . Linux DES (Data Encryption Standard). - 13 , , , (. /etc/shadow). , 13- , , : . , /etc/passwd :david::500:500:David A. Bandel:/home/david:/bin/bash

, , , . , , . , , . /etc/passwd . , , - , , , . , 14- . , . /etc/shadow ( ), . , , , ( , , - ), root, . , , , toor tuber. . , . (salt). ( , . .) , , -, . , . , , , . - - . (dictionary attack) . , . , , , ( 0-9) . .

1.1 , root, silvia david - . , . : silvia. ( silvia) . 3 , , , .
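An added example, not from the book, that turns the checks discussed above (an empty password field, a second UID 0 account, duplicate UIDs, a shell not listed in /etc/shells) into a small pwck-style audit. The passwd lines and the shell list are constructed from Listing 1.1 plus a few deliberately bad entries; the function name audit_passwd is my own.

```shell
#!/bin/sh
# Added example, not from the book: a small pwck-style audit of passwd-format
# lines. The input is constructed from Listing 1.1 plus deliberately bad
# entries; nothing on the real system is read.

# Stand-in for /etc/shells (constructed, space separated).
SAMPLE_SHELLS='/bin/bash /bin/sh /bin/false'

# Constructed passwd lines. Problems planted: root and david have an empty
# password field, "toor" is a second UID 0 account, "backup" reuses silvia's
# UID, and "eve" has a login shell that is not in /etc/shells.
SAMPLE_PASSWD='root::0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
toor:x:0:0:second root:/root:/bin/bash
silvia:x:501:501:Silvia Bandel:/home/silvia:/bin/bash
backup:x:501:501:constructed duplicate:/home/backup:/bin/bash
david::500:500:David A. Bandel:/home/david:/bin/bash
nobody:*:65534:65534:Nobody:/:/bin/false
eve:x:502:502:constructed:/home/eve:/usr/local/bin/rsh'

# audit_passwd: reads passwd-format lines on stdin and prints one finding per
# line as "CODE user: detail". Exit status 1 if anything was found, 0 if clean.
# An empty 7th field means /bin/sh, which is how the login programs treat it.
audit_passwd() {
    awk -F: -v shells="$SAMPLE_SHELLS" '
    BEGIN {
        n = split(shells, s, " ")
        for (i = 1; i <= n; i++) ok[s[i]] = 1
        found = 0
    }
    NF != 7 {
        printf "FIELDS %s: expected 7 fields, got %d\n", $1, NF
        found = 1; next
    }
    $2 == "" {
        printf "NOPASS %s: empty password field, login needs no password\n", $1
        found = 1
    }
    $3 == 0 && $1 != "root" {
        printf "UID0 %s: UID 0 account other than root\n", $1
        found = 1
    }
    ($3 in seen) {
        printf "DUPUID %s: shares UID %s with %s\n", $1, $3, seen[$3]
        found = 1
    }
    { seen[$3] = $1 }
    {
        sh = ($7 == "") ? "/bin/sh" : $7
        if (!(sh in ok)) {
            printf "SHELL %s: login shell %s not in /etc/shells\n", $1, sh
            found = 1
        }
    }
    END { exit found }'
}

# run_audit: audits the constructed sample; exit status is the audit result.
run_audit() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

# Demo run on the constructed sample.
run_audit || echo "audit found problems (see above)"
```

On a real system, pipe /etc/passwd into audit_passwd instead of the sample and replace SAMPLE_SHELLS with the contents of /etc/shells.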

06 2.

. , . , . , root, , . , , , ( toor, tuber, ) . . , : root . root, . , , , . , , . , UID , , . root. root . , , . , NFS, . (Group ID, GID). , , (primary group). , . . , GECOS, GE Consolidated Operating System. finger . . . . , , , , . , . , ftp , ftp, . . . . OpenLinux /etc/shells (. ). , , /etc/passwd, . , , passwd, , , , . . . .

/etc/shadow /etc/shadow root . - passwd shadow, passwd . passwd , , . , , /etc/shadow. . pwck. passwd , - . pwck, pwconv /etc/shadow. /etc/passwd. pwuncov. . ,

. , , , . 1.2. /etc/shadow. 1.2. /etc/shadow

root:1iDYwrOmhmEBU:10792:0::7:7::
bin:*:10547:0::7:7::
daemon:*:10547:0::7:7::
adm:*:10547:0::7:7::
lp:*:10547:0::7:7::
sync:*:10547:0::7:7::
shutdown:U:10811:0:-1:7:7:-1:134531940
halt:*:10547:0::7:7::
mail:*:10547:0::7:7::
news:*:10547:0::7:7::
uucp:*:10547:0::7:7::
operator:*:10547:0::7:7::
games:*:10547:0::7:7::
gopher:*:10547:0::7:7::
ftp:*:10547:0::7:7::
man:*:10547:0::7:7::
majordom:*:10547:0::7:7::
postgres:*:10547:0::7:7::
mysql:*:10547:0::7:7::
silvia:1iDYwrOmhmEBU:10792:0:30:7:-1::
nobody:*:10547:0::7:7::
david:1iDYwrOmhmEBU:10792:0::7:7::

/etc/shadow shadow , passwd. . OpenLinux 13 24 , crypt 13-- . , , , 52 ( ), 0-9, (/). 64 , - . , , , , , 4096 (64x64). DES 56 , 256 , 72 057 590 000 000 000 72 . , . , , 56- . ( , , , , .) , , , c, , ( ), . , , , . (. ). , 1 1970 . . 1.1. , 2000-2005 . 1.1. , shadow,

Year   Jan    Feb      Mar    Apr    May    Jun    Jul    Aug    Sep    Oct    Nov    Dec
       (31)   (28/29)  (31)   (30)   (31)   (30)   (31)   (31)   (30)   (31)   (30)   (31)
2000   10957  10988    11017  11048  11078  11109  11139  11170  11201  11231  11262  11292
2001   11323  11354    11382  11413  11443  11474  11504  11535  11566  11596  11627  11657
2002   11688  11719    11747  11778  11808  11839  11869  11900  11931  11961  11992  12022
2003   12053  12084    12112  12143  12173  12204  12234  12265  12296  12326  12357  12387
2004   12418  12449    12478  12509  12539  12570  12600  12631  12622  12692  12723  12753
2005   12784  12815    12843  12874  12904  12935  12965  12996  13027  13057  13088  13118

, , . , , . , , . , password , . , . , , . , , . , , , , . . .
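An added example, not from the book, showing the arithmetic behind Table 1.1 (the day count since 1 January 1970 that /etc/shadow stores) and using it to decode the ageing fields of a shadow entry into dates. The two sample entries are constructed from Listing 1.2; the function names are my own, and the calendar formulas are plain shell arithmetic rather than a call to date.

```shell
#!/bin/sh
# Added example, not from the book: days-since-1970 arithmetic for
# /etc/shadow and a decoder for a shadow entry's ageing fields. Pure shell
# arithmetic, so it does not depend on GNU date.

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Gregorian calendar).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi          # computational year starts in March
    era=$(( (y >= 0 ? y : y - 399) / 400 ))
    yoe=$(( y - era * 400 ))                          # year of era, 0..399
    mp=$(( m > 2 ? m - 3 : m + 9 ))                   # March = 0 ... February = 11
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))             # day of the March-based year
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))  # day of era
    echo $(( era * 146097 + doe - 719468 ))
}

# civil_from_days DAYS -> YYYY-MM-DD (inverse of days_from_civil).
civil_from_days() {
    z=$(( $1 + 719468 ))
    era=$(( (z >= 0 ? z : z - 146096) / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Constructed shadow entries (name:hash:lastchg:min:max:warn:inactive:expire:).
SAMPLE_SILVIA='silvia:1iDYwrOmhmEBU:10792:0:30:7:-1::'
SAMPLE_DAVID='david:1iDYwrOmhmEBU:10792:0::7:7::'

# shadow_ageing SHADOW_LINE -> "user last-change-date expiry-date|never".
# An empty or negative max field means the password never expires.
shadow_ageing() {
    IFS=: read -r user hash lastchg min max rest <<EOF
$1
EOF
    lastdate=$(civil_from_days "$lastchg")
    if [ -n "$max" ] && [ "$max" -ge 0 ]; then
        expdate=$(civil_from_days $(( lastchg + max )))
    else
        expdate=never
    fi
    echo "$user $lastdate $expdate"
}

# days_until_expiry SHADOW_LINE TODAY_DAYS -> days left (negative = already
# expired) or "never" when no maximum age is set.
days_until_expiry() {
    IFS=: read -r user hash lastchg min max rest <<EOF
$1
EOF
    if [ -z "$max" ] || [ "$max" -lt 0 ]; then echo never; return 0; fi
    echo $(( lastchg + max - $2 ))
}

# Demo: reproduce the 2000 row of Table 1.1, then decode both sample entries
# as seen on 1 January 2000 (day 10957).
for month in 1 2 3 4 5 6 7 8 9 10 11 12; do
    printf '%s ' "$(days_from_civil 2000 "$month" 1)"
done
echo
shadow_ageing "$SAMPLE_SILVIA"
shadow_ageing "$SAMPLE_DAVID"
days_until_expiry "$SAMPLE_SILVIA" "$(days_from_civil 2000 1 1)"
```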

, . passwd shadow , :+::0:0:::

+:*:0:0::-1:-1::

, . NIS (Network Information Services, Yellow Pages, - British Telecom), . , NIS, , NIS . NIS+ , NIS+ Linux () . NIS , . NIS, .

/etc/groups . , . 1.3. 1.3. /etc/group

root::0:
wheel::10:
bin::1:bin,daemon
daemon::2:bin,daemon
sys::3:bin,adm
adm::4:adm,daemon
tty::5:
disk::6:
lp::7:daemon,lp
mem::8:
kmem::9:
operator::11:
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
majordom::16:
database::17:
mysql::18:
games::20:
gopher::30:
dip::40:
utmp::45:
ftp::50:
silvia::501:silvia
nobody::65534:
users::100:david,silvia
david::500:david

/etc/group /etc/group , . . , ( ). , , , . newgrp , . , : , . root , , , . ? . , , (. ). (Group ID, GID). , . , , . , ( , ). . , . ( ) passwd . , passwd, .

/etc/gshadow OpenLinux . , . : . , , . , . , , . , , . , . gshadow. ( gshadow) ( gshadow) , passwd. grpck, /etc/group , . grpconv. /etc/group , /etc/gshadow. gshadow , . , ( ). . . shadow, grpuncov.

/etc/login.defs . Open-Linux : coastool, LISA, useradd. . COAS , . useradd LISA passwd shadow /etc/login.defs. 1.4 ( ). 1.4. /etc/login.defs

# (-1 = none)
PASS_MAX_DAYS -1
PASS_MIN_DAYS
PASS_WARN_AGE 7
# (-1 = none)
PASS_INACTIVE -1
# counted from 70/1/1; -1 = never
PASS_EXPIRE -1

# useradd
GROUP 100
# %s = login name
HOME /home/%s
SHELL /bin/bash
SKEL /etc/skel
# gid range for groupadd
GID_MIN 100
GID_MAX 60000

passwd shadow. , . , , . , -1, . . ? . COAS Caldera ( , ). System Administration ( ) > Account Administration ( ) .

chage (change aging). chage -l , . ( ) , . chage . 1.5. , . 1.5. david

# chage -l david
Minimum:        2
Maximum:        90
Warning:        7
Inactive:       14
Last Change:            Aug 11, 1999
Password Expires:       Nov 09, 1999
Password Inactive:      Nov 23, 1999
Account Expires:        Never

1.5 , david . , , 90. . 14- , , , ( ). , . -, 1 . , , . , ( ) . , , . 2.

COAS . . . expiry.

, , , () , . Sun , Solaris 2.3, Linux. (Pluggable Authentication Modules) . , , , , . . , , : (SUCCESS), (FAILURE) (IGNORE). , , (SUCCESS) (FAILURE) . , , , , , : . , . , , . , , : (SUCCESS), (IGNORE) (FAILURE) . , - . . . . , . : , , - . . . 1.6. OpenLinux 2.3 ( ) login. /etc/pam.d , su, passwd .

., , . (restricted service) . , other, other.d. ( , . , , .) 1.6. login

auth     required  pam_securetty.so
auth     required  pam_pwdb.so
auth     required  pam_nologin.so
#auth    required  pam_dialup.so
auth     optional  pam_mail.so
account  required  pam_pwdb.so
session  required  pam_pwdb.so
session  optional  pam_lastlog.so
password required  pam_pwdb.so

, . , . , . , (#), . , pam_dialup ( 1.6.) . , . 1.1. , pam_pwdb.so, auth. (stacking) ( ), .

. : auth, account, session password. , . - auth (authentication ) , , . , , . , - - , . - account ( ) , , . . - password () . , /etc/shadow , passwd chauthtok ( ) , , (SUCCESS).

- session () . , , , . .

, , , (SUCCESS), (IGNORE) (FAILURE). : requisite, required, sufficient optional. , . , , sufficient (), (SUCCESS), . (FAILURE) , requisite (), (FAILURE). . - requisite () . requisite, (FAILURE), (FAILURE). . , . , , , , required (). - required () . : (SUCCESS), (IGNORE) (FAILURE), . , , , , , , . . - sufficient () (SUCCESS) , (SUCCESS) required, (FAILURE). , sufficient . (IGNORE) (FAILURE), sufficient optional (. ). - optional () , , (SUCCESS). . , . , , requisite required, (FAILURE). , optional , , (SUCCESS).
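An added example, not from the book: a small simulator for the four control flags just described. Each stack line is "type control module RESULT", where RESULT is the constructed outcome that module would return; the stacks are built from Listings 1.6 and 1.8 and the su stack discussed in this chapter, and the output "RESULT n" also reports how many modules were consulted, which is where requisite and required differ. The function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the book: simulates how PAM combines module
# results under requisite / required / sufficient / optional. Module results
# are constructed; nothing here talks to the real PAM library.

pam_stack_result() {       # pam_stack_result TYPE "stack lines" -> "RESULT n"
    printf '%s\n' "$2" | awk -v want="$1" '
    BEGIN { n = 0 }
    $1 != want { next }                       # only modules of the requested type
    {
        ctl = $2; res = $4; n++
        if (ctl == "requisite") {
            if (res == "FAILURE") { print "FAILURE " n; done = 1; exit }  # stop at once
            if (res == "SUCCESS") req_ok = 1
        } else if (ctl == "required") {
            if (res == "FAILURE") req_fail = 1   # remembered; the rest of the stack still runs
            if (res == "SUCCESS") req_ok = 1
        } else if (ctl == "sufficient") {
            # ends the stack with success only if no required module failed
            # before it; a failing sufficient module is simply ignored
            if (res == "SUCCESS" && !req_fail) { print "SUCCESS " n; done = 1; exit }
        } else if (ctl == "optional") {
            if (res == "SUCCESS") opt_ok = 1
        }
    }
    END {
        if (done) exit
        if (req_fail)     print "FAILURE " n
        else if (req_ok)  print "SUCCESS " n
        else if (opt_ok)  print "SUCCESS " n   # optional decides only when nothing else did
        else              print "FAILURE " n   # nothing succeeded: deny (assumed default)
    }'
}

# Listing 1.6 (login) with constructed results for an ordinary login from a
# console listed in /etc/securetty; pam_mail failing is irrelevant (optional).
STACK_LOGIN_OK='auth required pam_securetty.so SUCCESS
auth required pam_pwdb.so SUCCESS
auth required pam_nologin.so SUCCESS
auth optional pam_mail.so FAILURE
account required pam_pwdb.so SUCCESS'

# Same stack, root logging in from a tty that is not in /etc/securetty:
# pam_securetty fails, but the remaining modules still run before the denial.
STACK_LOGIN_BADTTY='auth required pam_securetty.so FAILURE
auth required pam_pwdb.so SUCCESS
auth required pam_nologin.so SUCCESS'

# The same check declared requisite: the stack stops at the first module.
STACK_LOGIN_REQUISITE='auth requisite pam_securetty.so FAILURE
auth required pam_pwdb.so SUCCESS
auth required pam_nologin.so SUCCESS'

# su: "auth sufficient pam_rootok.so" lets root switch user without a
# password, so pam_pwdb is never consulted.
STACK_SU_ROOT='auth sufficient pam_rootok.so SUCCESS
auth required pam_pwdb.so FAILURE'

# sufficient does not override an earlier required failure.
STACK_SUFFICIENT_AFTER_FAIL='auth required pam_securetty.so FAILURE
auth sufficient pam_rootok.so SUCCESS
auth required pam_pwdb.so SUCCESS'

# Listing 1.8 (/etc/pam.d/other): deny everything and log the attempt.
STACK_OTHER='auth required pam_deny.so FAILURE
auth required pam_warn.so SUCCESS'

# Demo: evaluate the auth stack of every constructed scenario.
for name in STACK_LOGIN_OK STACK_LOGIN_BADTTY STACK_LOGIN_REQUISITE \
            STACK_SU_ROOT STACK_SUFFICIENT_AFTER_FAIL STACK_OTHER; do
    eval "stack=\$$name"
    printf '%-28s auth -> %s\n' "$name" "$(pam_stack_result auth "$stack")"
done
```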

, . , , , , . OpenLinux /lib/security. . , , . . 1.7 , OpenLinux. 1.7. , OpenLinux

pam_access.so
pam_cracklib.so
pam_deny.so
pam_dialup.so
pam_env.so
pam_ftp.so
pam_group.so
pam_lastlog.so
pam_limits.so
pam_listfile.so
pam_mail.so
pam_nologin.so
pam_permit.so
pam_pwdb.so
pam_radius.so
pam_rhosts_auth.so
pam_rootok.so
pam_securetty.so
pam_shells.so
pam_stress.so
pam_tally.so
pam_time.so
pam_unix_acct.so
pam_unix_auth.so
pam_unix_passwd.so
pam_unix_session.so
pam_warn.so
pam_wheel.so

, (module stacking).

pam_access.so / /etc/security/access.conf. :: :

: - + (), - () - ALL, @, , . - ( /dev/), , ( ), IP ( , , 192.168.0. 192.168.0.), ALL LOCAL. OpenLinux , ( ) . . pam_cracklib.so . , , , , . : debug, type= retry=. debug . type, , New Unix password: Unix . retry , , ( ). 1.8. /etc/ pam.d/other. , , /etc/pam.d. , , . , , auth, account, password session, required pam_deny.so. , .

, - - , FTP, /etc/pam.d/ftp /etc/pam.d/ftp.orig . 1.8. /etc/pam.d/other

auth     required pam_deny.so
auth     required pam_warn.so
account  required pam_deny.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so

pam_dialup.so , , /etc/security/ttys.dialup. , ttyS, tty-. , /etc/security/passwd.dialup. passwd.dialup dpasswd ( ). pam_group.so /etc/security/group.conf. , . , , . , . , . OpenLinux /etc/security/group.conf, . . pam_lastlog.so lastlog , . session optional. pam_limits.so , . root ( ). OpenLinux /etc/security/limits.conf. , . pam_listfile.so (item), (SUCCESS) (FAILURE). :item=[ | _ | _ | | ]

- sense=[allow|deny] ( ; , , ) fil=////_ - onerr=[succeed|fail] ( ) - 1=[|@] ( , . item=[ | _ | ], item=[ | _ | ] ) pam_nologin.so auth required. , /etc/nologin, , (SUCCESS), (FAILURE). , , . pam_permit.so pam_deny.so. (SUCCESS). . pam_pwdb.so passwd shadow. :- debug ;

- audit , ; - use_first_pass , ; - try_first_pass , ; - use_authtok (FAILURE) , pam_authtok

, , ( password); - not_set_pass ; - shadow ; - unix /etc/passwd; - md5 md5; - bigcrypt DEC C2; - nodelay . OpenLinux md5 bigcrypt , . , , unix. pam_rhosts_auth.so / .rhosts hosts.equiv. , / . : - no_hosts_equiv /etc/hosts.equiv; - no_rhosts /etc/rhosts ~/.rhosts; - debug ; - nowarn ; - suppress ; - promiscuous + ( ). pam_rootok.so (SUCCESS) . sufficient, . . sufficient auth login, , , , . : debug. pam_securetty.so . /etc/securetty, . telnet ( ttyp), ttyp0-255, pam_securetty.so login. , , . pam_shells.so (SUCCESS), , /etc/passwd, /etc/shells. /etc/passwd , /bin/sh. /etc/passwd , /etc/shells, (FAILURE). /etc/shells . pam_stress.so . , debug, : - rootok ; - expired , . , . . , , . OpenLinux pam_tally.so /etc/pam.d , - . . . , . /var/log/faillog ( ). : - onerr=[succeed|fail] , , ; - fil=////_ , . auth: - no_magic_root (

). , telnet. account: - deny=n . reset/no_reset (. ) no_reset reset. , root (UID 0), no_magic_root; - no_magic_root deny , root. deny= (. ) root reset, ; - even_deny_root_account no_magic_root. . no_magic_root , , , ; - reset ; - no_reset ; , deny=. pam_time.so . /etc/security/time.conf. : . pam_unix Unix ( pam_pwdb.so). , : pam_unix_auth.so, pam_unix_session.so, pam_unix_acct.so pam_unix_passwd.so. account auth . passwd : strict=false. , , ( ) . session : debug trace. debug , syslog.conf, trace - authpriv. pam_warn.so syslog. . pam_wheel.so wheel. wheel , , , , . , wheel . , , telnet , , wheel. , . : - debug ; - use_uid , , ; - trust wheel (SUCCESS), (IGNORE); - group=xxx GID , GID wheel; - deny ( ). group= . , , , /etc/security /etc/pam.d, , /etc/pam.d.

, , 1.6. , auth, securetty required. , ,

/etc/securetty. . /etc/nologin. , (SUCCESS). , , , ttys.dialup passwd.dialup /etc/security. auth optional, , - . account , . session . pwdb , . , lastlog, optional, , lastlog . , lastlog , (SUCCESS), (FAILURE) (IGNORE) - , . password required , . /etc/pam.d . chfn, , pam_pwdb.so, required auth, account passwd. chsh. imap pop : pwdb session, nologin auth. , , nullok . , - , , . -, ftp. listfile. , , /etc/ftpusers, , ftp ( , ftp, , ). , , . rlogin. , , ( , ). , /etc/securetty. /etc/hosts.equiv ~/.rhosts . , . , , cracklib.so, , , , , . , , su. : auth sufficient pam_rootok.so su , , , , . , . - /etc/pam.d , , , , , . , , , . , , .

syslogd, /var/log/secure ( 1.9). 1.9. /var/log/secure

Jan 11 16:45:14 chiriqui PAM_pwdb[30022]: (su) session opened for user root by david(uid=0)
Jan 11 16:45:25 chiriqui PAM_pwdb[30022]: (su) session closed for user root
Jan 11 17:18:06 chiriqui login[13217]: FAILED LOGIN 1 FROM (null) FOR david, Authentication failure
Jan 11 17:18:13 chiriqui login[13217]: FAILED LOGIN 2 FROM (null) FOR david, Authentication failure
Jan 11 17:18:17 chiriqui PAM_pwdb[13217]: (login) session opened for user david by (uid=0)
Jan 11 17:18:17 chiriqui -- david[13217]: LOGIN ON tty1 BY david
Jan 11 17:18:20 chiriqui PAM_pwdb[13217]: (login) session closed for user david

, . , . , , . 1.9 su, login. session opened ( ), session closed ( ). , session opened, , , . , /var/log/secure , .

. , /etc/passwd, . /etc/shadow, /etc/passwd. , /etc/group. /etc/login.defs , useradd . . , , /etc/securetty, /etc/ shells, /etc/security/, . , , . , Linux , , .

2

: - ; - /; - / ; - ; - ; - ; - ; - .

: . . , ( ). : . , .

, Unix, , Unix ( Linux), , . , . , . . , , . , (, ), newgrp. ( , ). . . . , . OpenLinux, , ( ), . newgrp , (login group). , , newgrp. , ( ) , . 4,

. (

) . , , . , , . , , . : , , , . , , ( ). OpenLinux , gshadow /etc . , , 1. OpenLinux , . useradd LISA . COAS . , . , , , . , /etc/ login.defs, COAS. - , . , , , , . , . useradd, LISA COAS, .

, , . , . 3 4 .

, , - , , , , . , . , . OpenLinux users. , , .

, . , , , - . , david david, - . , : . OpenLinux,

. , . , , . , umask, , , - , , . umask 3.

, . , , , . , . , /etc/passwd, /etc/shadow, /etc/groups, /etc/gshadow .

/ , / , , , . . newgrp. , newgrp . , , . , . newgrp , . newgrp . : , . , - , , . 4 , - .

newgrp chown chgrp. , , newgrp, chown chgrp . , , silvia GIF. silvia, , gifs ( ). silvia newgrp, chown chgrp. . , (*.gif), GIF, silvia . , GIF, silvia sg. sg , newgrp. sg, , . substitute group ( ). , , . readers, users, readers. , xv, users, sg. , , xv, users,

sg - users -c xv

sg - users -c "xv my.gif"

, X Window xhost. newgrp X Window xterm, : , , , , . , , , .

X X Window . X, /etc/groups /etc/gshadow. , , . X , , , , , . :

#!/bin/bash
sg - gifs -c /usr/X11R6/bin/xv &

xv, gifs. . , , . /etc/groups , . /etc/gshadow, , newgrp - sg. , X ( , X) . :

#!/bin/bash
xhost +localhost
sg - gifs -c /usr/X11R6/bin/xv &

(gifs). - , ( X xhost Linux). - ( xdm kdm) , , , .

: . ? . , root, root . ,

. , . , , ( , ) . .

su. substitute user ( ), , , , super user (). - . su, , , ( , ) root. , /etc/pam.d/su. , root, root, . /etc/pam.d/su 1.

su root , - su, ( , , ). , . , , (-) su . , , , . su , . , PATH PATH , . , . su ( ) root.

su, , . , root ? . sudo. , , . sudo sg. sudo __, , , . , root, . ? , . , . , , , , , 15 . , , - ? , . /etc . sudo , . . 4.

- : . , , , . , , , . , . . . , , . , . , , , . , , , . ( ) , , . , , , , , . , , . , . , . , , . , root. , , . . , . . , . , - , , ( users ), . , , , . 0 , , , 4.

, OpenLinux. : , , . . OpenLinux , . Linux , , . , , /etc/skel. /etc/skel : /bin /src /docs /misc

() , , . . , ,

- . ~/bin , PATH . , Linux.

, , , , . , , , Linux- ( web-, telnet . .). , . , . , . . ( ) , . , , , . , , . , . , .

. , . , . , , . , . , , . , . , , . , , . , , , , , . , , , . - ( , , ). ( ). ? . , . , , , , , , , . : . PIN- , . , , , , , , , ( , ,

). - , , . , , (social engineering). , . , , . . . , , , , - ( Enter , , - ), , , . , -, . . , . , , , , , , . . , , , . , , , .

, . , , ( RFC 2196 , ). - ? , , , - ? - ? , , , , (, , ). - , ? - ( ) ? , ( Ethernet )? , , , , , , . , , ( ) , . ? , . , . , , . , . . 1. makepasswd (http://tech.ilp.physik.uni-essen.de/www.debian.org/Packages/stable/admin/makepasswd.html). makepasswd -, .

2. , . 3. . 4. . . . , . , makepasswd, , ? , . , : - (!@#$%^&*, ) ; - , ; - ; - , . , : - ( ): party, fiesta, party5, fi3sta . .; - - : , , . . - : 610930, 300961 . .; - : , . .; - . . ( , , , , ). , , , . , , - . , , . (rose, oak, ivy . .) - , , (red, blu, blk) , , , : blk*ros3 .. blu!ivyred#oak4

, , . . makepasswd. , , . , . , , , . . makepasswd Perl, , , . :
# makepasswd --char 8 --count 8 --crypt
ecuraCdK   aFP4Fy.p/K9bY
dLeiVWVd   Flqcui.9L3xQI
7FSBJEFH   MkHjkpOIdSmLc
ORA2vLsv   !QYuK3Fw5Ih8U
DuSbFxDj   bB.thDEpz7Zi.
wCPOIX6v   Xe3ntRWjABCnM
SowKUgvg   Z485y6UQyMEdE
xPViT6AU   X9gm2NtZc.hK6

makepasswd , . , , (, student1 student100), , , .

-, , , , , ( ) . : ( UID/GID), /etc/shadow.

, : root, UID . . , 1 . , , , , , . , . , cut. , , , . - , . . , , expect, expect--. , , expect , , (, ftp rogue). , , . : . . ( , , ).1

1 #!/bin/bash
2 # (D.Bandel)
3 # 99; GPL
4 # /etc/shadow
5 # NOTE: the message strings below are English reconstructions; the original Russian text was lost in extraction.
6 prog=/usr/bin/makepasswd
7 names=/root/newusernames
8 logins=/root/newlogins
9 tmpshadow=/root/shadow.tmp
10 startid=1000
11 
12 if [ $UID != 0 ] ; then
13 echo "$0 must be run as root"
14 exit 1
15 fi
16 
17 if [ ! -f /etc/shadow ] ; then
18 echo "/etc/shadow not found"
19 exit 2
20 fi
21 if [ ! -x $prog ] ; then
22 echo "$prog not found or not executable"
23 exit 3
24 fi
25 if grep -q ":${startid}:" /etc/passwd ; then
26 echo "UID ${startid} is already in use, change startid"
27 exit 4
28 fi
29 echo ; echo "Generating passwords..."
30 for i in `cat $names`
31 do
32 j=`$prog --char 8`
33 echo "${i}:${j}" >>$logins ; echo " . "
34 done
35 
36 k=$startid;cp /etc/shadow /etc/shadow.orig
37 echo ; echo "Adding users..."
38 for i in `cat $logins`
39 do
40 j=`echo $i | cut -d : -f 1 -`
41 l=`echo $i | cut -d : -f 2 -`
42 groupadd -g $k $j
43 useradd -m -u $k -g $j $j
44 k=$((k+1))
45 m=`$prog --clear=$l --crypt | cut -b 12-`
46 sed "s|$j:\*not set\*|$j:$m|" /etc/shadow > $tmpshadow
47 mv $tmpshadow /etc/shadow ; echo " . "
48 done
49 
50 exit 0

startid ( UID/GID)

1 , makepasswd 1.07, (1.10 ) --clear. . .

. /etc/newusernames, , . . - 6-10 , , , . , , /root. , /root . , , , (UID/GUID). - 12-28 . , . - 30-34 , . - 38-48 , , /etc/shadow. . makepasswd .

, , , . , , , - , - , , ( , , - ). , , , , - . , , - (screen saver), , ? . .

, . , , , , .

, . : . , . , , . , , , . . , .

3

: - Linux; - ; - ; - ; - .

. , 1 2, .

Linux: Linux . , Linux- , , . ., . , , . , . , . , , (, , , . .), Linux . . - , , . (UID), , (GID), . , .

Linux . . . ls -la, , , . , :
drwxr-xr-x  24 root root  2048 Sep  4 00:01 .
drwxr-xr-x  20 root root  1024 Aug 26 19:09 ..
drwxr-xr-x   3 root root  1024 Jul 22 22:17 .civctp
crw-rw-r--   1 root root  29,   0 Aug  5 09:12 fb0
brw-rw-rw-   1 root root   2,   0 Jul 27 19:14 fd0
-rw-r--r--   1 root root   694 Sep  2 21:02 foo
srwxrwxrwx   1 root root     0 Sep  3 19:18 mysql.sock
prw-------   1 root root     0 Sep  3 19:14 initctl
lrwxrwxrwx   1 root root     4 Aug  5 08:49 sh -> bash

. d, d, d, , b, -, s, p, l. (. . 3.1). d ( directory). ,

. , . .., . , . (/), .. , . .. Linux, cd ... . .. , , . , . cd .. , , , . , , debugfs. , .., , , . . , , . 3.1.

3.1.
d   /bin                        (directory)
b   /dev/hda ( IDE-)            (block device)
c   /dev/ttyS1 ( com2 DOS)      (character device)
s   /dev/log                    (socket)
p   /dev/initctl                (named pipe, |)
l   /dev/modem -> /dev/ttyS1    (symbolic link)

. , (.). , (- dot files), ls . , ls -. , . , . , ( , bash), . , , , . , - . - , . ( b) . , . /dev. , , , , ( ). , , () , , . , , , , 8 , , . . , , , , . . . . . , root ( , ) mknod. , , ( ), . /home.

find /home -type b -print
find /home -type c -print

5.

, , . , , . , -, . Linux. , ( ASCII, , . .). s, . mysql , netstat -, :unix [] STREAM LISTENING 12210 /tmp/mysql.sock

, , ( LISTENING). . netstat 10.

, (named pipe). . , : , , . (symbolic link). (soft link). , . , , (target file). , , . , . - , , . Macintosh (alias), Windows (shortcut). , inode (information node). , , . , , , , , , , (atime), (ctime), (mtime), , , . debugfs.

Linux , (hard link) (link). , , -i -l:
20512 -rwxr-xr-x 3 root root 49280 Jul 27 19:37 gunzip
20512 -rwxr-xr-x 3 root root 49280 Jul 27 19:37 gzip
20512 -rwxr-xr-x 3 root root 49280 Jul 27 19:37 zcat

, ls , ,

, 20512. (inode) . , . , , ls, . , ( ). , . , , , 49 280 . , ls , . , (inode). , - , , . , . , . , root, , . , zcat, gunzip gzip , 3 2. . . . . , . , , , , . . , . .., . (inode), , , . , , , . , . , , , , . . , , , , , , , , . .

-rwxr-xr-x 1 root root   3164 Jul 27 20:27 arch
-rwxr-xr-x 1 root root 317504 Jul 27 22:22 bash
-rwxr-xr-x 1 root root 464564 Jul 28 02:54 bash2
-rwxr-x--- 1 root root  34236 Jul 28 09:37 box
-rwxr-xr-x 1 root root  11856 Jul 28 09:37 build_menu
lrwxrwxrwx 1 root root      5 Aug  5 08:50 bunzip2 -> bzip2
lrwxrwxrwx 1 root root      5 Aug  5 08:50 bzcat -> bzip2
-rwxr-xr-x 1 root root  57404 Jul 27 20:11 bzip2
-rwxr-xr-x 1 root root   7152 Jul 27 20:11 bzip2recover
-rwxr-xr-x 1 root root   9240 Jul 27 21:12 cat
-rwxr-xr-x 1 root root  11692 Jul 27 21:38 chgrp
-rwxr-xr-x 1 root root  11820 Jul 27 21:38 chmod
-rwxr-xr-x 1 root root  12164 Jul 27 21:38 chown
-rwxr-xr-x 1 root root  28204 Jul 27 21:38 cp
-rwxr-xr-x 1 root root  47448 Jul 27 19:32 cpio
lrwxrwxrwx 1 root root      4 Aug  5 09:02 csh -> tcsh
-rwxr-xr-x 1 root root  38132 Jul 27 22:59 ctags

, ( - l) . . . . Linux

(mode) . , , , . r (Read), w (Write), x (eXecute). , : , (rwx), , , (r-), (-). (inode) . 0 7, , , 000 111. : rwx. ( ) , , . , , (1), , (2), (4). 0 7. , ( ) 000 777. , , . rwxr-xr-x 755. , . , chmod 755 _. . 3.2.

3.2.
---------   000
--x--x--x   111
-w--w--w-   222
-wx-wx-wx   333
r--r--r--   444
r-xr-xr-x   555
rw-rw-rw-   666
rwxrwxrwx   777

(4, 2 1), rwxr-x--x = 751

, ( , , ). , , UID , . UID ( ) , , . UID UID , GID , GID , . , , , . UID, GID , , , . , . . : , , ; , ; ( ). , 750. root, box UID (, root), , . UID , GID. GID , , . UID, GID , , . .

, . , UID UID 055, , , . 055 , , , (, ), . , , , , . , , , . . Delete file overriding mode 0055? (y/n), : 0055 (/). . . , , . , . , , - . , , , . , . , , :
perl myperlscript.pl
sh myshellscript.sh

.sh, Perl .pl. , , Perl.

, , , - , file. , , /usr/share/misc/magic. /etc/magic. , . , . , , , . , , / . , , , , . , , , . , , . , , - . , , . , . . cd. , , . , , . , , incoming ftp-. :
drwx-wx-wx 2 root ftp 1024 Jul 8 12:47 incoming

ftp- , . . ftp-, ,

(, , , ). . , , , / , . , - .

, . . . , , . , , umask (user mask) . umask , 0777, 0666 ( ), , . , , : umask, , 0777, 0666, . . : file , , umask 0777, umask 0666. OpenLinux /etc/config.d/shells ( bashrc), umask . 022, 002. , , , 755 (rwxr-xr-x), 644 (rw-r--r--). , , 775 (rwxrwxr-x), 664 (rw-rw-r--). umask , umask . umask (, umask 222).

chown chmod. , . , . , . chown / , , . . , , foo silvia silvia. root gifs, :
chown root.gifs foo

, root .gifs. chmod . , , . , . , umask 002, 664. permission denied ( ). , , , . 664 755 (rwxr-xr-x). , :

chmod 755 filename

, , . : chmod , . : , , , . u, g, , , , g , , . : +, = -. + , - , =