Article title: Configuring open-source security tools for the Solaris server (I)
With the rapid growth of the Internet, networks are everywhere, and they can be attacked from any direction at any time. A network administrator needs to know who is accessing resources, who is consuming services, and who is sending large volumes of junk data. The common network security analysis tools available on Solaris, Tcpdump, Nmap, IP Filter, Ethereal and gftp, make this management much easier. Ethereal and Tcpdump intercept traffic at the local network interface for analysis. Nmap is a powerful port scanner that can scan any host or network. lsof shows which services are currently running on the local machine and their state. IP Filter is an open-source firewall. Each of these tools has its own strengths, and combining them gives a thorough picture of what is happening on the network.
1. Use Tcpdump
Tcpdump can capture every packet passing through the local NIC, and its flexible filtering mechanism ensures that only the desired data is collected. Because Tcpdump can only capture traffic visible to the local machine, its applications are limited; it is mostly used for self-inspection on gateways or servers.
1. Software download and installation:
Libpcap receives (and can send) packets independently of the host protocol stack, alongside TCP/IP. This means that libpcap cannot block, filter, or manipulate the communication of other applications on the same machine: it can only "monitor" packets transmitted over the network. It therefore cannot serve as the basis for traffic control, quality-of-service scheduling, or a personal firewall.
# wget http://mirrors.easynews.com/sunfreeware/i386/10/libpcap-0.8.3-sol10-intel-local.gz
# gunzip libpcap-0.8.3-sol10-intel-local.gz
# pkgadd -d libpcap-0.8.3-sol10-intel-local
Installing gftp using Solaris pkg_get
pkg_get, a package tool released by blastwave.org, automatically fetches software packages from www.sunfreeware.com. It mimics the apt-get tool on Debian Linux and makes installing CSW (Community SoftWare) packages very convenient.
# wget http://www.blastwave.org/pkg_get.pkg
# pkgadd -d pkg_get.pkg all
# pkg_get -i tcpdump
2. Software use
For example, to see what the host with IP address 192.168.0.2 on the local network is currently exchanging with the outside world, use the following command:
tcpdump -i pcn0 src host 192.168.0.2 > 115.txt
Redirecting tcpdump output to a file for analysis
By default, Tcpdump prints to the screen. When the volume of data is large you cannot follow the details at all, so in that case redirect the output to a file and analyse it there.
Opening 115.txt gives a clear picture of the user's every move:
First, the user sends an email through the SMTP server of 2911.net:
06:08:03.434544 IP cjh.32899 > mail.2911.net.smtp: S 800489075:800489075(0) win 49640
06:08:03.454318 IP cjh.32899 > mail.2911.net.smtp: . ack 3379070854 win 50400
06:08:03.475770 IP cjh.32899 > mail.2911.net.smtp: . ack 31 win 50400
06:08:03.477207 IP cjh.32899 > mail.2911.net.smtp: P (18) ack 31 win 50400
06:08:03.497277 IP cjh.32899 > mail.2911.net.smtp: . ack 163 win 50400
Then the user visits the IT168 home page:
06:08:39.594065 IP cjh.32950 > gjjdial.bta.net.cn.domain: 20696+ AAAA? subject.it168.com. (35)
06:08:39.635189 IP cjh.32901 > 202.99.120.124.80: P 439:941(502) ack 621 win 50400
06:08:39.635867 IP cjh.32900 > 202.99.120.122.80: . ack 66554 win 50400
This information is sufficient for everyday network analysis. It is the basic function of Tcpdump; the advanced functions are refinements and enhancements built on it.
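As an added example (not part of the original article), the following Python script turns a redirected capture such as 115.txt into a per-conversation summary: for each source host, destination host and destination service it counts packets, payload bytes and new TCP connections (SYN packets). The sample lines are constructed in the same classic tcpdump one-line format as the excerpt above; the parser handles only that TCP/UDP summary format.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's one-line format, modelled on the 115.txt excerpt above.
SAMPLE_CAPTURE = """\
06:08:03.434544 IP cjh.32899 > mail.2911.net.smtp: S 800489075:800489075(0) win 49640
06:08:03.454318 IP cjh.32899 > mail.2911.net.smtp: . ack 3379070854 win 50400
06:08:03.477207 IP cjh.32899 > mail.2911.net.smtp: P 1:19(18) ack 31 win 50400
06:08:39.594065 IP cjh.32950 > gjjdial.bta.net.cn.domain: 20696+ AAAA? subject.it168.com. (35)
06:08:39.635189 IP cjh.32901 > 202.99.120.124.80: P 439:941(502) ack 621 win 50400
06:08:39.635867 IP cjh.32900 > 202.99.120.122.80: . ack 66554 win 50400
"""

# Layout of one line: time IP src.port > dst.port: <protocol-specific summary>
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
LEN_RE = re.compile(r"\((\d+)\)")    # payload length, e.g. "(502)" for TCP or "(35)" for DNS
FLAGS_RE = re.compile(r"[SFRPU.]+")  # classic tcpdump TCP flag field, e.g. "S", ".", "FP"

def parse_line(line):
    """Return the fields of one tcpdump summary line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The last dot-separated component of an endpoint is the port number or service name.
    src_host, _, src_port = m.group("src").rpartition(".")
    dst_host, _, dst_port = m.group("dst").rpartition(".")
    rest = m.group("rest")
    first = rest.split(" ", 1)[0]          # TCP flags, or the DNS query id for UDP
    lengths = LEN_RE.findall(rest)
    return {"ts": m.group("ts"), "src": src_host, "sport": src_port, "dst": dst_host,
            "dport": dst_port, "bytes": int(lengths[-1]) if lengths else 0,
            "syn": bool(FLAGS_RE.fullmatch(first)) and "S" in first}  # SYN = new connection

def summarize(capture_text):
    """Aggregate a redirected capture into (src host, dst host, dst service) conversations."""
    summary = defaultdict(lambda: {"packets": 0, "bytes": 0, "new_connections": 0})
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue                       # skip truncated or non-IP lines
        entry = summary[(pkt["src"], pkt["dst"], pkt["dport"])]
        entry["packets"] += 1
        entry["bytes"] += pkt["bytes"]
        entry["new_connections"] += int(pkt["syn"])
    return dict(summary)

if __name__ == "__main__":
    for (src, dst, service), s in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{src} -> {dst}/{service}: {s['packets']} pkts, {s['bytes']} bytes, {s['new_connections']} new")
```

Run it against a real file with `summarize(open("115.txt").read())`; the per-service totals show at a glance which external hosts a machine talked to and how much it sent.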
For example, to find out only which Web sites 192.168.0.2 is currently visiting, run:
tcpdump -i pcn0 src host 192.168.0.2 and dst port 80
This command captures every packet whose source address (src) is the host 192.168.0.2 and whose destination (dst) port is 80. Specific traffic can be isolated by combining such primitives with the logical operators and, or and not. Tcpdump can also select by protocol (tcp, udp), by address scope (host, net), and even by hardware address (ether).
Table 1. Common command-line options of Tcpdump
With Tcpdump, activity on the network is laid bare. Precisely because Tcpdump is so powerful, protecting personal privacy and sensitive data becomes a concern; this is why only the root user can run this tool.