谢 谢 收 藏 http://www.qqread.com/unix/h209529.html
3.1.6 系统日志
创建所有重要的日志文件的硬拷贝
保证在“/var/log”目录下的不同日志文件的完整性是保证系统安全所要考虑的非常重要的一个方面。如果我们在服务器上已经加上了很多安全措施,黑客还是能够成功入侵,那么日志文件就是我们最后的防范措施。因此,很有必要考虑一下用什么方法才能保证日志文件的完整性。如果服务器上或网络中的其它服务器上已经安装了打印机,就可以把重要的日志文件打印出来。这要求有一个可以连续打印的打印机,并用syslog把所有重要的日志文件传到“/dev/lp0”(打印设备)。黑客可以改变服务器上的文件、程序,等等,但是,把重要的日志文件打印出来之后,他就无能为力了。
例如,记录下服务器上所有的telnet、mail、引导信息和ssh连接,并打印到连接在这台服务器上的打印机。需要在“/etc/syslog.conf”文件中加入一行。编辑syslog.conf文件(vi /etc/syslog.conf),在文件末尾加入下面这一行:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0“mail”是接收日志文件的计算机主机名。如果有人试图黑你的计算机并且威胁把所有重要的系统日志文件都删掉,你就不用怕了,因为你已经打印出来或者在别的地方还有一个拷贝。这样就可以根据这些日志文件分析出黑客在什么地方,然后出理这次入侵事件。
authpriv.*;mail.*;local7.*;auth.*;daemon.info@mail
3.1.7 Solaris ndd命令
ndd命令能容易的在不重新配置系统内核和重起系统的情况下,修改核心和TCP/IP的设备的一些参数。使用如下命令可看到相应的帮助。
[root@ /]> ndd /dev/arp \?
? (read only)
arp_cache_report (read only)
arp_debug (read and write)
arp_cleanup_interval (read and write)
[root@ /]> ndd /dev/icmp \?
? (read only)
icmp_wroff_extra (read and write)
icmp_def_ttl (read and write)
icmp_bsd_compat (read and write)
icmp_xmit_hiwat (read and write)
icmp_xmit_lowat (read and write)
icmp_recv_hiwat (read and write)
icmp_max_buf (read and write)
icmp_status (read only)
[root@ /]> ndd /dev/ip \?
? (read only)
ip_forwarding (read and write)
ip_respond_to_address_mask_broadcast(read and write)
ip_respond_to_echo_broadcast (read and write)
ip_respond_to_timestamp (read and write)
ip_respond_to_timestamp_broadcast(read and write)
ip_send_redirects (read and write)
ip_forward_directed_broadcasts(read and write)
ip_debug (read and write)
ip_mrtdebug (read and write)
ip_ire_cleanup_interval (read and write)
ip_ire_flush_interval (read and write)
ip_ire_redirect_interval (read and write)
ip_def_ttl (read and write)
ip_forward_src_routed (read and write)
ip_wroff_extra (read and write)
ip_ire_pathmtu_interval (read and write)
ip_icmp_return_data_bytes (read and write)
ip_send_source_quench (read and write)
ip_path_mtu_discovery (read and write)
ip_ignore_delete_time (read and write)
ip_ignore_redirect (read and write)
ip_output_queue (read and write)
ip_broadcast_ttl (read and write)
ip_icmp_err_interval (read and write)
ip_reass_queue_bytes (read and write)
ip_strict_dst_multihoming (read and write)
ip_addrs_per_if (read and write)
ip_ill_status (read only)
ip_ipif_status (read only)
ip_ire_status (read only)
ip_ipc_status (read only)
ip_rput_pullups (read and write)
ip_enable_group_ifs (read and write)
[root@ /]> ndd /dev/tcp \?
? (read only)
tcp_close_wait_interval (read and write)
tcp_conn_req_max_q (read and write)
tcp_conn_req_max_q0 (read and write)
tcp_conn_req_min (read and write)
tcp_conn_grace_period (read and write)
tcp_cwnd_max (read and write)
tcp_debug (read and write)
tcp_smallest_nonpriv_port (read and write)
tcp_ip_abort_cinterval (read and write)
tcp_ip_abort_linterval (read and write)
tcp_ip_abort_interval (read and write)
tcp_ip_notify_cinterval (read and write)
tcp_ip_notify_interval (read and write)
tcp_ip_ttl (read and write)
tcp_keepalive_interval (read and write)
tcp_maxpsz_multiplier (read and write)
tcp_mss_def (read and write)
tcp_mss_max (read and write)
tcp_mss_min (read and write)
tcp_naglim_def (read and write)
tcp_rexmit_interval_initial (read and write)
tcp_rexmit_interval_max (read and write)
tcp_rexmit_interval_min (read and write)
tcp_wroff_xtra (read and write)
tcp_deferred_ack_interval (read and write)
tcp_snd_lowat_fraction (read and write)
tcp_sth_rcv_hiwat (read and write)
tcp_sth_rcv_lowat (read and write)
tcp_dupack_fast_retransmit (read and write)
tcp_ignore_path_mtu (read and write)
tcp_rcv_push_wait (read and write)
tcp_smallest_anon_port (read and write)
tcp_largest_anon_port (read and write)
tcp_xmit_hiwat (read and write)
tcp_xmit_lowat (read and write)
tcp_recv_hiwat (read and write)
tcp_recv_hiwat_minmss (read and write)
tcp_fin_wait_2_flush_interval (read and write)
tcp_co_min (read and write)
tcp_max_buf (read and write)
tcp_zero_win_probesize (read and write)
tcp_strong_iss (read and write)
tcp_rtt_updates (read and write)
tcp_wscale_always (read and write)
tcp_tstamp_always (read and write)
tcp_tstamp_if_wscale (read and write)
tcp_rexmit_interval_extra (read and write)
tcp_deferred_acks_max (read and write)
tcp_slow_start_after_idle (read and write)
tcp_slow_start_initial (read and write)
tcp_co_timer_interval (read and write)
tcp_extra_priv_ports (read only)
tcp_extra_priv_ports_add (write only)
tcp_extra_priv_ports_del (write only)
tcp_status (read only)
tcp_bind_hash (read only)
tcp_listen_hash (read only)
tcp_conn_hash (read only)
tcp_queue_hash (read only)
tcp_host_param (read and write)
tcp_1948_phrase (write only)
显示当前值
#ndd /dev/arp arp_debug 0
0: 代表特性禁止
ndd -set /dev/arp arp_debug 1
1: 代表特性允许
由于这些参数一般是经过优化过的,而且一旦改变失误,可能导致系统的不正常工作。所以sun不提供文档供人随意调节。
更多内容请看路由安全配置专题、系统优化大全、系统安全设置专题,或进入讨论组讨论。
3.1.6 系统日志
创建所有重要的日志文件的硬拷贝
保证在“/var/log”目录下的不同日志文件的完整性是保证系统安全所要考虑的非常重要的一个方面。如果我们在服务器上已经加上了很多安全措施,黑客还是能够成功入侵,那么日志文件就是我们最后的防范措施。因此,很有必要考虑一下用什么方法才能保证日志文件的完整性。如果服务器上或网络中的其它服务器上已经安装了打印机,就可以把重要的日志文件打印出来。这要求有一个可以连续打印的打印机,并用syslog把所有重要的日志文件传到“/dev/lp0”(打印设备)。黑客可以改变服务器上的文件、程序,等等,但是,把重要的日志文件打印出来之后,他就无能为力了。
例如,记录下服务器上所有的telnet、mail、引导信息和ssh连接,并打印到连接在这台服务器上的打印机。需要在“/etc/syslog.conf”文件中加入一行。编辑syslog.conf文件(vi /etc/syslog.conf),在文件末尾加入下面这一行:
authpriv.*;mail.*;local7.*;auth.*;daemon.info /dev/lp0“mail”是接收日志文件的计算机主机名。如果有人试图黑你的计算机并且威胁把所有重要的系统日志文件都删掉,你就不用怕了,因为你已经打印出来或者在别的地方还有一个拷贝。这样就可以根据这些日志文件分析出黑客在什么地方,然后出理这次入侵事件。
authpriv.*;mail.*;local7.*;auth.*;daemon.info@mail
3.1.7 Solaris ndd命令
ndd命令能容易的在不重新配置系统内核和重起系统的情况下,修改核心和TCP/IP的设备的一些参数。使用如下命令可看到相应的帮助。
[root@ /]> ndd /dev/arp \?
? (read only)
arp_cache_report (read only)
arp_debug (read and write)
arp_cleanup_interval (read and write)
[root@ /]> ndd /dev/icmp \?
? (read only)
icmp_wroff_extra (read and write)
icmp_def_ttl (read and write)
icmp_bsd_compat (read and write)
icmp_xmit_hiwat (read and write)
icmp_xmit_lowat (read and write)
icmp_recv_hiwat (read and write)
icmp_max_buf (read and write)
icmp_status (read only)
[root@ /]> ndd /dev/ip \?
? (read only)
ip_forwarding (read and write)
ip_respond_to_address_mask_broadcast(read and write)
ip_respond_to_echo_broadcast (read and write)
ip_respond_to_timestamp (read and write)
ip_respond_to_timestamp_broadcast(read and write)
ip_send_redirects (read and write)
ip_forward_directed_broadcasts(read and write)
ip_debug (read and write)
ip_mrtdebug (read and write)
ip_ire_cleanup_interval (read and write)
ip_ire_flush_interval (read and write)
ip_ire_redirect_interval (read and write)
ip_def_ttl (read and write)
ip_forward_src_routed (read and write)
ip_wroff_extra (read and write)
ip_ire_pathmtu_interval (read and write)
ip_icmp_return_data_bytes (read and write)
ip_send_source_quench (read and write)
ip_path_mtu_discovery (read and write)
ip_ignore_delete_time (read and write)
ip_ignore_redirect (read and write)
ip_output_queue (read and write)
ip_broadcast_ttl (read and write)
ip_icmp_err_interval (read and write)
ip_reass_queue_bytes (read and write)
ip_strict_dst_multihoming (read and write)
ip_addrs_per_if (read and write)
ip_ill_status (read only)
ip_ipif_status (read only)
ip_ire_status (read only)
ip_ipc_status (read only)
ip_rput_pullups (read and write)
ip_enable_group_ifs (read and write)
[root@ /]> ndd /dev/tcp \?
? (read only)
tcp_close_wait_interval (read and write)
tcp_conn_req_max_q (read and write)
tcp_conn_req_max_q0 (read and write)
tcp_conn_req_min (read and write)
tcp_conn_grace_period (read and write)
tcp_cwnd_max (read and write)
tcp_debug (read and write)
tcp_smallest_nonpriv_port (read and write)
tcp_ip_abort_cinterval (read and write)
tcp_ip_abort_linterval (read and write)
tcp_ip_abort_interval (read and write)
tcp_ip_notify_cinterval (read and write)
tcp_ip_notify_interval (read and write)
tcp_ip_ttl (read and write)
tcp_keepalive_interval (read and write)
tcp_maxpsz_multiplier (read and write)
tcp_mss_def (read and write)
tcp_mss_max (read and write)
tcp_mss_min (read and write)
tcp_naglim_def (read and write)
tcp_rexmit_interval_initial (read and write)
tcp_rexmit_interval_max (read and write)
tcp_rexmit_interval_min (read and write)
tcp_wroff_xtra (read and write)
tcp_deferred_ack_interval (read and write)
tcp_snd_lowat_fraction (read and write)
tcp_sth_rcv_hiwat (read and write)
tcp_sth_rcv_lowat (read and write)
tcp_dupack_fast_retransmit (read and write)
tcp_ignore_path_mtu (read and write)
tcp_rcv_push_wait (read and write)
tcp_smallest_anon_port (read and write)
tcp_largest_anon_port (read and write)
tcp_xmit_hiwat (read and write)
tcp_xmit_lowat (read and write)
tcp_recv_hiwat (read and write)
tcp_recv_hiwat_minmss (read and write)
tcp_fin_wait_2_flush_interval (read and write)
tcp_co_min (read and write)
tcp_max_buf (read and write)
tcp_zero_win_probesize (read and write)
tcp_strong_iss (read and write)
tcp_rtt_updates (read and write)
tcp_wscale_always (read and write)
tcp_tstamp_always (read and write)
tcp_tstamp_if_wscale (read and write)
tcp_rexmit_interval_extra (read and write)
tcp_deferred_acks_max (read and write)
tcp_slow_start_after_idle (read and write)
tcp_slow_start_initial (read and write)
tcp_co_timer_interval (read and write)
tcp_extra_priv_ports (read only)
tcp_extra_priv_ports_add (write only)
tcp_extra_priv_ports_del (write only)
tcp_status (read only)
tcp_bind_hash (read only)
tcp_listen_hash (read only)
tcp_conn_hash (read only)
tcp_queue_hash (read only)
tcp_host_param (read and write)
tcp_1948_phrase (write only)
显示当前值
#ndd /dev/arp arp_debug 0
0: 代表特性禁止
ndd -set /dev/arp arp_debug 1
1: 代表特性允许
由于这些参数一般是经过优化过的,而且一旦改变失误,可能导致系统的不正常工作。所以sun不提供文档供人随意调节。
更多内容请看路由安全配置专题、系统优化大全、系统安全设置专题,或进入讨论组讨论。
相关图文阅读
频道图文推荐
健 康 咨 询
时 尚 咨 询
相关专题
- SCOUNIX基础讲座--第十一讲:TCP/IP 管理 (318次浏览)
- SCO UNIX基础讲座--第三讲vi editor (308次浏览)
- 基础知识: HP-Unix下Oracle9i的安装 (306次浏览)
- Unix系统中字符终端的管理 (306次浏览)
- 利用UNIX的TFTP和RCP功能配置CISCO路由器 (217次浏览)
- simp server for unix 配置教程 (144次浏览)
- UNIX和WINDOWS2000上的ORACLE的差异 PartIII (142次浏览)
- Apache For Unix 2.0.55 下载列表 (121次浏览)
- unix口令文件介绍 (107次浏览)
- 运用CrackLib构建安全的Unix口令 (105次浏览)
