linux_09------System scan and security policy on Linux

First Xie Mu class net
/**
* Linux System scanning technology
 *
* Host scan, route scan, batch service scan, system security Policy (anti-SYN and DDoS attack)
 */

/**
* Host Scan
* Ping fping hping
 *
* fping
* Fping Installation
* Download:
* (mkdir/services && cd/services)
* Wggethttp://www.fping.org/dist/fping-3.13.tar.gz
 * Unzip:
* TAR-ZXVF./fping-3.13.tar.gz
* Installation:
* CD fping-3.13
*./configure
* Make
* Make Install
 *
* fping Parameters
*-H
*-A only shows the surviving hosts
*-U only shows non-surviving hosts
*-G support for host segment mode
*-F Support File Way
 *
* fping +ip1 + IP2
* Fping-g 192.168.1.1 192.168.1.255
* Fping-g 192.168.1.1/24
* fping-f filename
* fping-a-G 120.77.140.1 120.77.140.10 > Alive.log
 *
 *
* hping
* Support TCP/IP packet assembly with hping when ICMP packet is blocked
* hping Installation
* Download:
* wgetHttps://github.com/antirez/hping/archive/master.zip
 * Unzip:
* Unzip Master.zip
* Installation:
* Error:pcap.h:no Such file or directory-dependent package required (PCAP)
* Yum List |grep Pcap
* yum-y Install "*pcap*"
* Error:net/bpf.h:no Such file or directory-> not found bpf.h
* Find/-name bpf.h
* ln-sf/usr/include/pcap/bpf.h/usr/include/net/bpf.h
*/usr/bin/ld:cannot find-ltcl-> need to be installed LTCL
* Yum List |grep tcl
* yum-y Install "*tcl*"
*./configure
* Make
* Make Strip
* Make Install
 *
* Hping Parameters
* Initiate a TCP probe for a specific target
*-P port probe port of target host
*-S set TCP mode SYN packet
*-A forged IP forgery source IP, simulated DDoS attack
 *
* Hping-p 22-s 121.43.156.66
* Ping 121.43.156.33
* can ping through,
* Connection on 121.43.156.66:sysctl-w net.ipv4.icmp_echo_ignore_all=1 Forbidden Ping
* Again through hping and ping find ping is not through, but hping still can pass.
 *
* Crawl 120.76.140.88 packets sent over 121.43.156.66 via tcpdump-np-ieth1 SRC host 120.76.140.88
* hping-p 22-s 121.43.156.66-a 121.76.140.88
 */

/**
* Route Scan
* Query A host to another host through the number of route hops, and data latency situation
* Tracert NTR
* MTR can test the connectivity of a host to each route
 *
* Tracerout
* The default already installed
* 1. The default is to use the UDP protocol (more than 30000 of the read the research port)
* 2. Using the TCP protocol-t-p
* 3. Using ICMP protocol-I.
 *
* Traceroute www.baidu.com
* Traceroute-n www.baidu.com
* traceroute-t-P 80-n www.baidu.com
*
* mtr
* default is installed
* mtr www.baidu.com
* Loss Items
 *
* View route hop count, drop packet condition.
 */

/**
* Bulk Host service Scan
* Purpose: Batch host survival Scan, scan for host service
* Fast access to the host's survival status in the network
* More detailed, only to obtain the Host service investigation situation
* Nmap NCAT
 *
* Nmap
*-P ICMP protocol type ping scan
*-ss TCP SYN Scan TCP semi-open scan
*-st TCP Connect () scan TCP full open scan
*-SU UDP scan UDP protocol scan
 *
* NMAP-SP 120.76.140.1/24 host segment scan to see the surviving hosts
* Name-ss 120.76.140.1/24 did not establish three handshake, only send SYN packets
 *
* NMAP-SS 121.43.156.66 View host-enabled ports (typically scanned to 1024 and common ports)
* nmap-ss-p 0-30000 121.43.156.66 Specify scan port range
 *
* nmap-st-p 0-30000 121.43.156.66 Build a full handshake to simulate real user requests
 *
* NMAP-SU 121.43.156.66 effective through the firewall, but relatively slow
*
* NCAT
* Tools for safety testing
*-W Set timeout time
*-Z one input/output mode
*-v shows the command execution process
 *
* * Yum-y Install NC
* Method One, based on TCP protocol (default)
* nc-v-z-w2 121.43.156.66 1-50
* Mode two, based on UDP protocol-U
* Nc-v-u-z-w2 121.43.156.66 1-50-> to wait a long time
 */

/**
* Prevention Strategy
* Common attack methods: SYN attack, DDoS attack, malicious scan
 *
* SYN attack:
* The use of TCP protocol defects, resulting in system services stopped, network bandwidth ran full or slow response
* The attacking machine forges a source IP (hping-a), the target machine responds to the spoofed IP, increases the record to the backlog, but the target machine cannot get a third response,
* will continue to retry, has been waiting, backlog can not be deleted, resulting in bandwidth run-up and so on.
* 1. Increase the backlog queue length
* 2. Adjust the number of retries
* 3. Refusal of the third handshake
* DDoS attacks:
* Distributed Access denial of service (multiple access, massive access results in service response)
 *
* (permanently effective need to modify the/etc/sysctl.config file, reduced to 3 times)
* Method One: Reduce the number of retries when sending Syn+ack packets
* Sysctl-w net.ipv4.tcp_synack_retries=3
* Sysctl-w net.ipv4.tcp_syn_retries=3
* Way Two: SYN Cookie Technology
* Sysctl-w Net.ipv4.tcp_syncookies=1
* Method Three: Increase the backlog queue length
* Sysctl-w net.ipv4.tcp_max_syn_backlog=2048
* This value is associated with memory.
 *
* Other Preventive strategies
* 1. Turn off ICMP protocol requests
* Sysctl-w net.ipv4.icmp_echo_ignore_all=1
* 2. Deny scan by iptables mode
* iptables-a forward-p tcp-syn-m limit-limit 1/s-limit-burst 5-j ACCEPT
* iptables-a forward-p tcp-tcp-flags syn,ack,fin,rst rst-m limit-limit 1/s-j ACCEPT
* iptables-a forward-p icmp-icmp-type echo-request-m limit-limit 1/s-j ACCEPT
* (iptables follow-up)
 */

linux_09------System scan and security policy on Linux