
Friday, 11 November 2011

Basic security configuration of a SUN system

by Jeffrey Boulier, translated by stardust

A SUN system, just like an NT system, is exposed to all kinds of nasty attacks from the Internet. Fortunately, unlike NT, you can make a SUN system relatively safe with three simple measures:

1) Prevent stack overflows
2) Turn off unused services
3) Patch the system

#1 Prevent stack overflows

At least 90% of security problems come from so-called "stack overflows". The attacker feeds a program running as root far more input than it expects; the program cannot handle it, its flow of execution is diverted, and it ends up running code of the attacker's choosing.

Both Solaris 2.6 and Solaris 7 can mark the user stack non-executable so that this kind of attack does not succeed. To enable this feature:

0) Become root
1) Make a copy of the /etc/system file:

cp /etc/system /etc/system.BACKUP

2) Edit the /etc/system file with your favourite editor
3) Go to the end of the file and insert the following lines:

set noexec_user_stack=1
set noexec_user_stack_log=1

4) Save the file and leave the editor

These changes take effect once the machine is rebooted. If this is not a system you can take down, it is also possible to use adb to change the parameters of a running system, but that is not something I personally would care to do.

Of course, some programs that legitimately use an executable stack will no longer work properly after this change. Fortunately there are not many of them; the only one I know of is the GNU Ada compiler.
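As an added example (not part of the original article), a small shell script that performs steps 0 to 4 above mechanically and can be re-run safely; the file path is a parameter so it can be tried on a scratch copy before touching the real /etc/system, and both function names are assumptions of this example:

```shell
# Added example: enable the non-executable user stack in a copy of /etc/system.
# Assumes a POSIX shell with cp, sed and grep available.

# enable_noexec_stack FILE
#   Back up FILE to FILE.BACKUP, drop any earlier noexec_user_stack*
#   assignments (so the result never depends on which line the kernel reads
#   last), then append the two settings. Re-running it leaves exactly one copy.
enable_noexec_stack() {
    f=$1
    cp "$f" "$f.BACKUP" || return 1
    # /etc/system comments start with "*", so this only removes our tunables
    sed '/^[[:space:]]*set[[:space:]]*noexec_user_stack/d' "$f.BACKUP" > "$f"
    printf '%s\n' 'set noexec_user_stack=1' 'set noexec_user_stack_log=1' >> "$f"
}

# noexec_stack_configured FILE
#   Succeed only when both tunables are set to 1 in FILE. This checks the
#   configuration file; the running kernel only picks it up after a reboot.
noexec_stack_configured() {
    grep -q '^set noexec_user_stack=1$' "$1" &&
    grep -q '^set noexec_user_stack_log=1$' "$1"
}
```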

#2 Turn off unneeded services in inetd.conf

Many services you don't need are enabled automatically. A vulnerability in any of them could let an attacker take control of your machine without even having an account. Protect your system by turning off the services you don't need, as follows:

0) Become root
1) Make a copy of inetd's configuration file, /etc/inetd.conf:

cp /etc/inetd.conf /etc/inetd.conf.BACKUP

2) Edit the /etc/inetd.conf file. Services that are not active are commented out with a "#" at the start of the line. For example, part of your inetd.conf might look like this:

# Tnamed serves the obsolete IEN-116 name server protocol.
#
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

You don't need this service, since 99.999% of you will never use this "obsolete IEN-116 name server protocol". After commenting it out, the line looks like:

# Tnamed serves the obsolete IEN-116 name server protocol.
#
#name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
^
|
See the new "#" sign?

I recommend commenting out almost all of the services, leaving only:

ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
time stream tcp nowait root internal
time dgram udp wait root internal
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

On a server that needs little graphics work, or where you want a fair degree of security, you should probably also turn off the font server fs, and you can turn off the system performance monitor rstatd and the ToolTalk server ttdbserverd. In fact, on a machine that really needs to be secure you should even comment out telnet and ftp.

You can use grep to find out which services your machine offers through inetd:

grep -v "^#" /etc/inetd.conf

This returns every line of /etc/inetd.conf that is not commented out.

3) After making your changes to /etc/inetd.conf, find the process id of inetd and send it a HUP signal with kill so that it rereads its configuration. Always make sure that inetd is still running after you kill -HUP it, for example:

root@multics: ps -ef | grep inetd
root 196 1 0 15:32:14 ? 0:00 /usr/sbin/inetd -s
root@multics: kill -HUP 196
root@multics: ps -ef | grep inetd
root 196 1 0 15:32:14 ? 0:00 /usr/sbin/inetd -s
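As an added example (not part of the original article), the "comment out everything except an allow-list" advice above, done mechanically on a copy of inetd.conf so the result can be reviewed with diff before it replaces the real file; the function names and the allow-list argument format are assumptions of this example:

```shell
# Added example: list and prune inetd services. Assumes POSIX sh and awk.

# active_services FILE
#   Print the service name of every enabled line. This is the article's
#   grep -v "^#" with blank lines dropped as well.
active_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# harden_inetd_conf SRC DST "svc1 svc2 ..."
#   Write DST as a copy of SRC in which every enabled service whose name is
#   not on the allow-list is commented out. Comments and blank lines are kept
#   unchanged, so "diff SRC DST" shows exactly which services were disabled.
#   RPC entries such as "rstatd/2-4" match the allow-list entry "rstatd".
harden_inetd_conf() {
    awk -v keep="$3" '
        BEGIN { n = split(keep, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }   # already disabled, or blank
        { svc = $1; sub(/\/.*/, "", svc) }             # "rstatd/2-4" -> "rstatd"
        (svc in ok) { print; next }                    # on the allow-list: keep
        { print "#" $0 }                               # anything else: disable
    ' "$1" > "$2"
}
```

Run it as harden_inetd_conf /etc/inetd.conf /tmp/inetd.conf.new "ftp telnet time echo discard daytime", inspect the diff, then copy the new file into place and kill -HUP inetd as shown above.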

#3 Patch the system

Like every complex system, SUN has its flaws, and some of them are quite serious in nature. Sun has a fine tradition of providing patches to its customers, even to those without a support contract. These patches come either as clusters (collections) or as individual patches. Unfortunately, fully patching your system requires both the large patch cluster and individual patches. We will, however, describe a way to combine the cluster and the individual patches.

1) Become root
2) Type

umask 022

to set your permission mask -- patching the system requires not only that every patch be readable by the "nobody" user, but also every directory above the patches (don't ask why; that is just how it is usually done).

3) Create a directory called "patch" and change into it. I usually do it like this:

mkdir /var/tmp/patch
cd /var/tmp/patch

Make sure the file system you create the "patch" directory on has enough disk space (hint: try typing df -k to see the space available on each file system; don't use /tmp!).

4) Connect to the sunsolve site with ftp:

ftp sunsolve.sun.com

Your login name is "anonymous" and the password is your e-mail address.

5) Switch to binary mode by typing:
bin
Turn off prompting by typing:
prompt

-- so you don't have to answer "yes, I want that patch" for every patch you download.

6) The patches are in the /pub/patches directory on the sunsolve site, so type:

cd /pub/patches

7) Get the PatchReport file for your version of the operating system. You can list these files with:

ls *.PatchReport

For example:
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-
ftp> ls *.PatchReport
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
Solaris1.1.1.PatchReport
Solaris1.1.2.PatchReport
Solaris1.1.PatchReport
Solaris2.3.PatchReport
Solaris2.4.PatchReport
Solaris2.4_x86.PatchReport
Solaris2.5.1.PatchReport
Solaris2.5.1_x86.PatchReport
Solaris2.5.PatchReport
Solaris2.5_x86.PatchReport
Solaris2.6.PatchReport
Solaris2.6_x86.PatchReport
Solaris7.PatchReport
Solaris7_x86.PatchReport
226 Transfer complete.
remote: *.PatchReport
360 bytes received in 0.0044 seconds (79.16 Kbytes/s)
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-

There are separate patch report files for x86 and SPARC; the SPARC versions are the ones without "x86" in the name.

8) Get the patch report file, for example:

get Solaris2.6.PatchReport

9) Get the Recommended patch cluster for your system version together with its README file. You can list the recommended files with:

ls *Recommended*

The output might look like this:
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-
ftp> ls *Recommended*
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
2.3_Recommended.README
2.3_Recommended.tar.Z
2.4_Recommended.README
2.4_Recommended.tar.Z
2.4_x86_Recommended.README
2.4_x86_Recommended.tar.Z
2.5.1_Recommended.README
2.5.1_Recommended.tar.Z
2.5.1_x86_Recommended.README
2.5.1_x86_Recommended.tar.Z
2.5_Recommended.README
2.5_Recommended.tar.Z
2.5_x86_Recommended.README
2.5_x86_Recommended.tar.Z
2.6_Recommended.README
2.6_Recommended.tar.Z
2.6_x86_Recommended.README
2.6_x86_Recommended.tar.Z
7_Recommended.README
7_Recommended.zip
7_x86_Recommended.README
7_x86_Recommended.zip
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-

You can pull down both the Recommended cluster and its README with the mget command, for example:

mget 7_x86_Recommended*

This may take a while.

10) While the Recommended cluster is downloading, you can open the patch report file and have a look. It will contain a section on security fixes that looks something like this:
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-

Solaris 2.5.1 Patches Containing Security Fixes:
------------------------------------------------

103594-19 SunOS 5.5.1: sendmail fixes
103603-10 SunOS 5.5.1: ftp, in.ftpd, in.rexecd and in.rshd patch
103627-11 SunOS 5.5.1: Linker patch
103630-14 SunOS 5.5.1: ip ifconfig arp udp icmp patch
106689-01 * SunOS 5.5.1: /usr/sbin/in.uucpd patch
106905-01 * SunOS 5.5.1: apropos/catman/man/whatis patch
103566-43 OpenWindows 3.5.1: Xsun patch
106411-06 * OpenWindows 3.5.1: xdm patch
(&c.)
-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-

Patches marked with "*" are not included in the Recommended patch cluster; we want to include them.

11) When the Recommended cluster has finished downloading, you need to download the individual patches marked in the patch report. The fastest way is mget, used like this:

mget 106689* 106905* 106411*

Important: you may be tempted to fetch all the patches with a single mget command, but the number of arguments mget accepts is limited!

Also, I did not specify revision numbers. This is not only to type less and to pick up the associated README files, but also because revision numbers can change between releases of the patch report.

12) When everything has been downloaded, type:

quit

to end the ftp session.

13) By now you have downloaded the patch cluster and the individual patches. Since installing the individual patches one at a time is far too much work, we will first merge them into the cluster.

First, unpack the cluster:

If you are on Solaris 2.6 or earlier,

uncompress 2*Recommended.tar.Z
tar -xvf 2*Recommended.tar

If you are on Solaris 7,

unzip 7*Recommended.zip

Next, move all the individual patches into the Recommended directory that was just created:

mv 1* *Recommended

Then change into the Recommended directory, which now holds all the patches:

cd *Recommended

14) Now we can add all the individual patches to the patch_order file, which lists every patch the install_cluster script will install. You can add them by hand (hint: that is the wrong choice) or let the UNIX command-line tools do it for you.

If you are on Solaris 7, use the following command:

ls *.zip | cut -d"." -f1 >> patch_order

On Solaris 2.6 or earlier:

ls *.tar.Z | cut -d"." -f1 >> patch_order

15) Now it is time to unpack all the individual patches, since they are still in compressed form.

A) If you are on Solaris 7, you can unzip the files one at a time:

unzip 108723.zip

Annoyingly, you cannot use "unzip *.zip", because unzip does not work that way. To avoid typing unzip over and over, you can use the following UNIX command to have unzip extract everything for you:

ls *.zip | xargs -n1 unzip

B) If you are on Solaris 2.6 or earlier, type:

uncompress *.tar.Z

Now you have to extract the individual patches with tar. You can do it one file at a time:

tar -xvf 108723.tar

Annoyingly, you cannot use "tar -xvf *.tar", because tar does not work that way. To avoid typing tar over and over, you can use the following UNIX command to have tar extract everything for you (after uncompress the archives end in .tar, so that is the pattern to list):

ls *.tar | xargs -n1 tar -xvf

16) Now that all the patches are ready, shut the machine down:

/usr/sbin/shutdown -y -g0 -i0

Boot into single-user mode.
On SPARC:

boot -s

On x86, at the boot prompt, type:

b -s

Once the system has booted and you have entered the root password at the prompt, type:

mountall

to mount all the file systems.

Then type:

cd /var/tmp/patch/*Recommended

to get into the directory holding all the patches. Now you can type the following command to install "all" of the patches:

./install_cluster

Just follow the prompts. If this is a Solaris 2.5.1 or Solaris 2.6 system, go and get yourself a cup of coffee, because it will take a while. Don't worry too much about errors during the patch installation; very often an error just means you don't have a particular package installed or a patch has already been applied.

Once the patches are in, shut down and reboot by typing:

/usr/sbin/shutdown -y -g0 -i6

That's it; you now have a patched system.
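As an added example (not part of the original article), two shell helpers for the patch procedure above: one reads the "Patches Containing Security Fixes" section of a PatchReport and prints the base IDs of the "*" entries that are missing from the Recommended cluster (steps 10 and 11), the other builds patch_order from the archive names as step 14 does, but handles both .zip and .tar.Z and skips IDs already listed, so re-running it does not make install_cluster apply a patch twice. The function names are assumptions of this example.

```shell
# Added example: helpers for the SunSolve patch procedure.
# Assumes POSIX sh with awk, sed, grep and basename.

# starred_patch_ids REPORT
#   For a line such as "106689-01 * SunOS 5.5.1: ..." print "106689". The
#   "-01" revision is dropped on purpose: the article fetches with
#   "mget 106689*" because revisions change between patch report releases.
starred_patch_ids() {
    awk '$1 ~ /^[0-9]+-[0-9]+$/ && $2 == "*" { sub(/-.*/, "", $1); print $1 }' "$1"
}

# add_to_patch_order DIR
#   For every NNNNNN-RR.zip or NNNNNN-RR.tar.Z in DIR, append "NNNNNN-RR" to
#   DIR/patch_order unless that ID is already listed. Prints the IDs added.
add_to_patch_order() {
    dir=$1
    touch "$dir/patch_order"
    for f in "$dir"/*.zip "$dir"/*.tar.Z; do
        [ -e "$f" ] || continue                 # an unmatched glob stays literal
        id=$(basename "$f" | sed 's/\..*//')    # 106411-06.tar.Z -> 106411-06
        case $id in
            *Recommended*) continue ;;          # never list the cluster archive
        esac
        if ! grep -qx "$id" "$dir/patch_order"; then
            echo "$id" >> "$dir/patch_order"
            echo "$id"
        fi
    done
}
```

Typical use: starred_patch_ids Solaris2.6.PatchReport tells you what to mget in step 11, and add_to_patch_order /var/tmp/patch/*Recommended replaces the ls | cut >> patch_order line of step 14.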
