Documente Academic
Documente Profesional
Documente Cultură
6
Servicii de securitate
12 noiembrie 2009
Moto
There are two types of encryption: one that will prevent your sister
from reading your diary and one that will prevent your government.
Bruce Schneier
Bruce Schneier's secure handshake is so strong, you won't be able
to exchange keys with anyone else for days. (Bruce Schneier Facts)
12.11.2009
Cuprins
Serviciul SSH
GPG
openssl
12.11.2009
Remote connection
telnet
rsh, rlogin
SSH
VNC
FreeNX
RDP
12.11.2009
SSH
Ce este SSH?
Client-server
TCP, portul 22
OpenSSH
This is a software monopoly but at least it was written by people who care
about security, so it's not like Microsoft's monopoly. (Theo de Raadt)
echipa OpenBSD
12.11.2009
Comenzi/componente OpenSSH
ssh
scp, sftp
serverul SSH
ssh-keygen
copierea de fiiere
sshd
clientul SSH
ssh-agent, ssh-add
12.11.2009
X Forwarding
SOCKS proxy
12.11.2009
Conectare la distan
ssh anaconda.cs.pub.ro
ssh razvan@anaconda.cs.pub.ro
12.11.2009
upload
scp razvan@anaconda.cs.pub.ro:code/test.c .
download
scp -r razvan@swarm.cs.pub.ro:local-swarm/
razvan@anaconda.cs.pub.ro:local-anaconda
Merge?
12.11.2009
depinde :-)
De ce?
automatizare
~/.ssh/known_hosts
/etc/sshd/ssh_host_*_key{,.pub}
clientul la server
RSA, DSA
mai rapid
12.11.2009
10
ssh-keygen
ssh-keygen -t rsa
fr passphrase
12.11.2009
11
12.11.2009
12
La fel ca pn acum
12.11.2009
13
ssh-agent
Agent de autentificare
Ruleaz ca un daemon
ssh-agent bash
12.11.2009
; un nou shell
14
ssh-agent (2)
ssh-add
ssh-add /tmp/my_key
ssh-add -d /tmp/my_key
ssh-add -D
Avantaje
12.11.2009
15
12.11.2009
16
SOCKS proxy
12.11.2009
17
X Forwarding
12.11.2009
18
/etc/ssh/sshd_config
/etc/init.d/ssh start|stop|restart|reload
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel INFO
logging n /var/log/auth.log
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers / DenyUsers
PermitRootLogin
man sshd_config
12.11.2009
19
Useful tools
corkscrew
dropbear
fr SSH-1, fr scp
SSHFS
Putty, WinSCP
WebShell
12.11.2009
20
Firewall-uri
Hardware
vitez mare
ofer i criptare
Software
flexibile
12.11.2009
21
iptables
filter
nat
mangle
Folosete tabele
12.11.2009
22
iptables (2)
12.11.2009
23
Sintaxa iptables
iptables -t filter -L
iptables -t filter -L -n
12.11.2009
24
Comenzi iptables
flush reguli
iptables -t filter -F
politica implicit
iptables -N mychain
iptables -X
iptables -X mychain
12.11.2009
25
Lucrul cu reguli
Inserare regul
tergere regul
iptables -t nat -D 1
nlocuire regul
iptables -t nat -R PREROUTING 1 -i eth1 -p tcp - -dport 8080 -j DNAT --todestination 10.38.5.6:80
12.11.2009
26
Persistena regulilor
#iptablessave>/etc/network/iptables.rules
#cat/etc/network/ifup.d/iptables
#!/bin/bash
iptablesrestore</etc/network/iptables.rules
exit0
12.11.2009
27
Firestarter (http://www.fs-security.com/)
12.11.2009
28
GPG
Semnarea mesajelor
Criptarea informaiei
12.11.2009
29
Operaii GPG
Listare chei
gpg --list-keys
gpg gen-key
Verificare fingerprint
gpg --fingerprint
12.11.2009
30
Operaii GPG
12.11.2009
31
GPG frontends
Seahorse (GNOME)
Kgpg
Mac GPG
12.11.2009
32
openssl
Cryptographic toolkit
SSL/TLS
12.11.2009
33
openssl x509 -req -days 365 -in server.csr -signkey server.key -out
server.crt
openssl x509 -req -days 365 -in www.gogu.com.csr -CA server.crt -CAkey
server.key -set_serial 01 -out www.gogu.com.crt
12.11.2009
34
12.11.2009
35
Cuvinte cheie
SSH
OpenSSH
ssh, scp
chei publice/private
ssh-keygen
ssh-agent, ssh-add
~/.ssh/known_hosts
~/.ssh/authorized_keys
tunelare, reverse tunneling
SOCKS proxy
X Forwarding
12.11.2009
sshd
/etc/ssh/sshd_confing
firewall
iptables, netfilter
iptables-save, iptables-restore
GPG, PGP
gpg
semnare, criptare
openssl
CSR, certificat
CA
36
Bibliografie
http://talks.rosedu.org/prezentari (SSH)
http://www.netfilter.org/
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOW
TO_:_Ch14_:_Linux_Firewalls_Using_iptables
http://www.shell-tips.com/sheets/linux_quickref.pdf
http://www.tc.umn.edu/~brams006/selfsign.html
12.11.2009
37
ntrebri
?
12.11.2009
38
Cursul 6
6
Servicii de securitate
12 noiembrie 2009
12.11.2009
Moto
There are two types of encryption: one that will prevent your sister
from reading your diary and one that will prevent your government.
Bruce Schneier
Bruce Schneier's secure handshake is so strong, you won't be able
to exchange keys with anyone else for days. (Bruce Schneier Facts)
12.11.2009
Cuprins
Serviciul SSH
GPG
openssl
12.11.2009
Remote connection
telnet
rsh, rlogin
SSH
VNC
FreeNX
RDP
12.11.2009
SSH
Ce este SSH?
Client-server
TCP, portul 22
OpenSSH
This is a software monopoly but at least it was written by people who care
about security, so it's not like Microsoft's monopoly. (Theo de Raadt)
echipa OpenBSD
12.11.2009
Comenzi/componente OpenSSH
ssh
scp, sftp
serverul SSH
ssh-keygen
copierea de fiiere
sshd
clientul SSH
ssh-agent, ssh-add
12.11.2009
X Forwarding
SOCKS proxy
12.11.2009
Conectare la distan
ssh anaconda.cs.pub.ro
ssh razvan@anaconda.cs.pub.ro
12.11.2009
upload
scp razvan@anaconda.cs.pub.ro:code/test.c .
download
scp -r razvan@swarm.cs.pub.ro:local-swarm/
razvan@anaconda.cs.pub.ro:local-anaconda
Merge?
12.11.2009
depinde :-)
De ce?
automatizare
~/.ssh/known_hosts
/etc/sshd/ssh_host_*_key{,.pub}
clientul la server
RSA, DSA
mai rapid
12.11.2009
10
ssh-keygen
ssh-keygen -t rsa
fr passphrase
12.11.2009
11
12.11.2009
12
La fel ca pn acum
12.11.2009
13
ssh-agent
Agent de autentificare
Ruleaz ca un daemon
ssh-agent bash
12.11.2009
; un nou shell
14
ssh-agent (2)
ssh-add
ssh-add /tmp/my_key
ssh-add -d /tmp/my_key
ssh-add -D
Avantaje
12.11.2009
15
12.11.2009
16
SOCKS proxy
12.11.2009
17
X Forwarding
12.11.2009
18
/etc/ssh/sshd_config
/etc/init.d/ssh start|stop|restart|reload
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
SyslogFacility AUTH
LogLevel INFO
logging n /var/log/auth.log
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers / DenyUsers
PermitRootLogin
man sshd_config
12.11.2009
19
Useful tools
corkscrew
dropbear
fr SSH-1, fr scp
SSHFS
Putty, WinSCP
WebShell
12.11.2009
20
Firewall-uri
Hardware
vitez mare
ofer i criptare
Software
flexibile
12.11.2009
21
iptables
filter
nat
mangle
Folosete tabele
12.11.2009
22
iptables (2)
12.11.2009
23
Sintaxa iptables
iptables -t filter -L
iptables -t filter -L -n
12.11.2009
24
Comenzi iptables
flush reguli
iptables -t filter -F
politica implicit
iptables -N mychain
iptables -X
iptables -X mychain
12.11.2009
25
Lucrul cu reguli
Inserare regul
tergere regul
iptables -t nat -D 1
nlocuire regul
iptables -t nat -R PREROUTING 1 -i eth1 -p tcp - -dport 8080 -j DNAT --todestination 10.38.5.6:80
12.11.2009
26
Persistena regulilor
#iptablessave>/etc/network/iptables.rules
#cat/etc/network/ifup.d/iptables
#!/bin/bash
iptablesrestore</etc/network/iptables.rules
exit0
12.11.2009
27
Firestarter (http://www.fs-security.com/)
12.11.2009
28
GPG
Semnarea mesajelor
Criptarea informaiei
12.11.2009
29
Operaii GPG
Listare chei
gpg --list-keys
gpg gen-key
Verificare fingerprint
gpg --fingerprint
12.11.2009
30
Operaii GPG
12.11.2009
31
GPG frontends
Seahorse (GNOME)
Kgpg
Mac GPG
12.11.2009
32
openssl
Cryptographic toolkit
SSL/TLS
12.11.2009
33
openssl x509 -req -days 365 -in server.csr -signkey server.key -out
server.crt
openssl x509 -req -days 365 -in www.gogu.com.csr -CA server.crt -CAkey
server.key -set_serial 01 -out www.gogu.com.crt
12.11.2009
34
12.11.2009
35
Cuvinte cheie
SSH
OpenSSH
ssh, scp
chei publice/private
ssh-keygen
ssh-agent, ssh-add
~/.ssh/known_hosts
~/.ssh/authorized_keys
SOCKS proxy
X Forwarding
12.11.2009
sshd
/etc/ssh/sshd_confing
firewall
iptables, netfilter
iptables-save, iptables-restore
GPG, PGP
gpg
semnare, criptare
openssl
CSR, certificat
CA
36
Bibliografie
http://talks.rosedu.org/prezentari (SSH)
http://www.netfilter.org/
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOW
TO_:_Ch14_:_Linux_Firewalls_Using_iptables
http://www.shell-tips.com/sheets/linux_quickref.pdf
http://www.tc.umn.edu/~brams006/selfsign.html
12.11.2009
37
ntrebri
?
12.11.2009
38