notas:seguridad
Diferencias
Muestra las diferencias entre dos versiones de la página.
Ambos lados, revisión anteriorRevisión previaPróxima revisión | Revisión previa | ||
notas:seguridad [2012/08/24 18:22] – cayu | notas:seguridad [Fecha desconocida] (actual) – borrado - editor externo (Fecha desconocida) 127.0.0.1 | ||
---|---|---|---|
Línea 1: | Línea 1: | ||
- | ====== Seguridad ====== | ||
- | |||
- | Notas cortas de seguridad e inseguridad informática que me sirvieron en mi trabajo | ||
- | |||
- | * [[notas: | ||
- | * [[notas: | ||
- | |||
- | |||
- | === Exploits === | ||
- | |||
- | Exploits útiles cuando vas a un lugar donde no se acuerdan el password de root | ||
- | |||
- | {{: | ||
- | |||
- | {{: | ||
- | |||
- | {{: | ||
- | ===== Understanding Bash fork() bomb ~ :(){ :|:& };: ===== | ||
- | |||
- | **Q.** Can you explain following bash code or bash fork() bomb? | ||
- | :(){ :|:& };: | ||
- | |||
- | **A.** This is a bash function. It gets called recursively (recursive function). This is most horrible code for any Unix / Linux box. It is often used by sys admin to test user processes limitations (Linux process limits can be configured via / | ||
- | |||
- | Once a successful fork bomb has been activated in a system it may not be possible to resume normal operation without rebooting, as the only solution to a fork bomb is to destroy all instances of it. | ||
- | [Warning examples may crash your computer] WARNING! These examples may crash your computer if executed. | ||
- | Understanding :(){ :|:& };: fork() bomb code | ||
- | |||
- | :() - It is a function name. It accepts no arguments at all. Generally, bash function is defined as follows: | ||
- | |||
- | <code bash> | ||
- | foo(){ | ||
- | | ||
- | echo '' | ||
- | # | ||
- | } | ||
- | </ | ||
- | |||
- | fork() bomb is defined as follows: | ||
- | |||
- | <code bash> | ||
- | :(){ | ||
- | : | ||
- | };: | ||
- | </ | ||
- | ** | ||
- | :|:** - Next it call itself using programming technique called recursion and pipes the output to another call of the function ':' | ||
- | |||
- | **&** - Puts the function call in the background so child cannot die at all and start eating system resources. | ||
- | |||
- | **;** - Terminate the function definition | ||
- | |||
- | **:** - Call (run) the function aka set the fork() bomb. | ||
- | |||
- | Here is more human readable code: | ||
- | |||
- | <code bash> | ||
- | bomb() { | ||
- | bomb | bomb & | ||
- | }; bomb | ||
- | </ | ||
- | |||
- | Properly configured Linux / UNIX box should not go down when fork() bomb sets off. | ||
- | |||
- | ==== Extra ==== | ||
- | |||
- | Perl exmaple: | ||
- | |||
- | <code perl> | ||
- | perl -e "fork while fork" & | ||
- | </ | ||
- | |||
- | Python example: | ||
- | |||
- | <code python> | ||
- | import os | ||
- | while(1): | ||
- | os.fork() | ||
- | </ | ||
- | |||
- | Windows XP / Vista bat file example: | ||
- | |||
- | < | ||
- | :bomb | ||
- | start %0 | ||
- | goto bomb | ||
- | </ | ||
- | |||
- | UNIX style for Windows: | ||
- | |||
- | < | ||
- | %0|%0 | ||
- | </ | ||
- | |||
- | C program example: | ||
- | |||
- | <code c> | ||
- | #include | ||
- | int main() { | ||
- | </ | ||
- | |||
- | Plz note that the fork bomb is a form of denial of service, so don’t run on production or unauthorized system. | ||
- | |||
- | |||
- | ==== Fuente ==== | ||
- | |||
- | |||
- | http:// | ||
- | |||
- | |||
- | ===== How to: Prevent a fork bomb by limiting user process ===== | ||
- | |||
- | Limiting user processes is important for running a stable system. To limit user process just add user name or group or all users to **/ | ||
- | |||
- | |||
- | ==== Understanding / | ||
- | |||
- | |||
- | Each line describes a limit for a user in the form: | ||
- | < | ||
- | Where: | ||
- | |||
- | |||
- | * **domain** can be: | ||
- | * an user name | ||
- | * a group name, with @group syntax | ||
- | * the wildcard *, for default entry | ||
- | * the wildcard %, can be also used with %group syntax, for maxlogin limit | ||
- | * **type** can have the two values: | ||
- | * " | ||
- | * " | ||
- | * **item** can be one of the following: | ||
- | * core - limits the core file size (KB) | ||
- | * **value** can be one of the following: | ||
- | * core - limits the core file size (KB) | ||
- | * data - max data size (KB) | ||
- | * fsize - maximum filesize (KB) | ||
- | * memlock - max locked-in-memory address space (KB) | ||
- | * nofile - max number of open files | ||
- | * rss - max resident set size (KB) | ||
- | * stack - max stack size (KB) | ||
- | * cpu - max CPU time (MIN) | ||
- | * **nproc - max number of processes** | ||
- | * as - address space limit | ||
- | * maxlogins - max number of logins for this user | ||
- | * maxsyslogins - max number of logins on the system | ||
- | * priority - the priority to run user process with | ||
- | * locks - max number of file locks the user can hold | ||
- | * sigpending - max number of pending signals | ||
- | * msgqueue - max memory used by POSIX message queues (bytes) | ||
- | * nice - max nice priority allowed to raise to | ||
- | * rtprio - max realtime priority | ||
- | * chroot - change root to directory (Debian-specific) | ||
- | |||
- | Login as the root and open configuration file: | ||
- | |||
- | < | ||
- | # vi / | ||
- | </ | ||
- | |||
- | Following will prevent a "fork bomb": | ||
- | |||
- | < | ||
- | vivek hard nproc 300 | ||
- | @student hard nproc 50 | ||
- | @faculty soft nproc 100 | ||
- | @pusers hard nproc 200 | ||
- | </ | ||
- | |||
- | Above will prevent anyone in the student group from having more than 50 processes, faculty and pusers group limit is set to 100 and 200. Vivek can create only 300 process. Please note that KDE and Gnome desktop system can launch many process. | ||
- | |||
- | Save and close the file. Test your new system by dropping a form bomb: | ||
- | |||
- | < | ||
- | $ :(){ :|:& };: | ||
- | </ | ||
- | |||
- | ==== Fuente ==== | ||
- | |||
- | http:// | ||
- | |||
- | |||
- | ===== Prevenir fingerprints ===== | ||
- | |||
- | Como ayudar a que los fingerprint que realizen nuestros atacantes sean un poco menos exactos, configurar las sysctl de nuestro sistema de la siguiente manera: | ||
- | |||
- | < | ||
- | net.ipv4.ip_default_ttl = 128 | ||
- | net.ipv4.tcp_timestamps = 0 | ||
- | net.ipv4.tcp_window_scaling = 0 | ||
- | net.ipv4.conf.all.accept_redirects = 0 | ||
- | net.ipv4.conf.all.send_redirects = 0 | ||
- | net.ipv4.icmp_echo_ignore_all = 1 | ||
- | |||
- | # Enable IP spoofing protection | ||
- | net.ipv4.conf.all.rp_filter=1 | ||
- | # Disable IP source routing | ||
- | net.ipv4.conf.all.accept_source_route=0 | ||
- | # Ignoring broadcasts request | ||
- | net.ipv4.icmp_echo_ignore_broadcasts=1 | ||
- | net.ipv4.icmp_ignore_bogus_error_responses=1 | ||
- | # Make sure spoofed packets get logged | ||
- | net.ipv4.conf.all.log_martians = 1 | ||
- | net.ipv4.conf.default.log_martians = 1 | ||
- | </ | ||
- | |||
- | |||
- | ===== Conocer que procesos bloquean tal cosa ===== | ||
- | |||
- | < | ||
- | Uso: fuser [-fMuv] [-a|-s] [-4|-6] [-c|-m|-n ESPACIO] [-k [-i] [-SIGNAL]] NOMBRE... | ||
- | fuser -l | ||
- | fuser -V | ||
- | Muestra que procesos usan los archivos, zócalos o sistemas de archivos indicados. | ||
- | |||
- | -a, | ||
- | -i, | ||
- | -k, | ||
- | -l, | ||
- | -m, | ||
- | -M, | ||
- | -n, | ||
- | -s, | ||
- | -SIGNAL | ||
- | -u, | ||
- | -v, | ||
- | -V, | ||
- | -4, | ||
- | -6, | ||
- | - | ||
- | |||
- | nombres udp/tcp: [local_port][, | ||
- | </ | ||
- | |||
- | Ejemplo si queremos ver que proceso nos bloquea el pendrive y no nos deja desmontarlo | ||
- | |||
- | < | ||
- | $ fuser -m /dev/sdb1 | ||
- | /dev/sdb1: 13542 | ||
- | </ | ||
- | |||
- | Que proceso bloquea el archivo / | ||
- | |||
- | < | ||
- | fuser / | ||
- | / | ||
- | </ | ||
- | |||
- | Si queremos ver que PID usa el puerto 80 tcp. | ||
- | |||
- | < | ||
- | fuser 80/tcp | ||
- | 80/ | ||
- | </ | ||
- | |||
- | |||
- | |||
- | Referencia útil como ver procesos escondidos: http:// | ||